Advancing thought permissions delegation

server/src/uds/core/util/ot.py

@@ -0,0 +1,71 @@
+# -*- coding: utf-8 -*-
+
+#
+# Copyright (c) 2014 Virtual Cable S.L.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+#    * Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above copyright notice,
+#      this list of conditions and the following disclaimer in the documentation
+#      and/or other materials provided with the distribution.
+#    * Neither the name of Virtual Cable S.L. nor the names of its contributors
+#      may be used to endorse or promote products derived from this software
+#      without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+'''
+@author: Adolfo Gómez, dkmaster at dkmon dot com
+'''
+from __future__ import unicode_literals
+
+__updated__ = '2015-03-01'
+
+from uds.models import Provider, Service, OSManager, Transport, Network, ServicePool, UserService, Authenticator, User, Group, StatsCounters, StatsEvents
+import logging
+
+logger = logging.getLogger(__name__)
+
+# Constants for each type
+PROVIDER_TYPE = 1
+SERVICE_TYPE = 2
+OSMANAGER_TYPE = 3
+TRANSPORT_TYPE = 4
+NETWORK_TYPE = 5
+POOL_TYPE = 6
+USER_SERVICE_TYPE = 7
+AUTHENTICATOR_TYPE = 8
+USER_TYPE = 9
+GROUP_TYPE = 10
+STATS_COUNTER_TYPE = 11
+STATS_EVENTS_TYPE = 12
+
+
+def getObjectType(obj):
+    return {
+        Provider: PROVIDER_TYPE,
+        Service: SERVICE_TYPE,
+        OSManager: OSMANAGER_TYPE,
+        Transport: TRANSPORT_TYPE,
+        Network: NETWORK_TYPE,
+        ServicePool: POOL_TYPE,
+        UserService: USER_SERVICE_TYPE,
+        Authenticator: AUTHENTICATOR_TYPE,
+        User: USER_TYPE,
+        Group: GROUP_TYPE,
+        StatsCounters: STATS_COUNTER_TYPE,
+        StatsEvents: STATS_EVENTS_TYPE
+    }.get(type(obj))

server/src/uds/core/util/permissions.py

@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+
+#
+# Copyright (c) 2014 Virtual Cable S.L.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+#    * Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above copyright notice,
+#      this list of conditions and the following disclaimer in the documentation
+#      and/or other materials provided with the distribution.
+#    * Neither the name of Virtual Cable S.L. nor the names of its contributors
+#      may be used to endorse or promote products derived from this software
+#      without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+'''
+@author: Adolfo Gómez, dkmaster at dkmon dot com
+'''
+from __future__ import unicode_literals
+
+__updated__ = '2015-03-01'
+
+from uds.models.Permissions import PERMISSION_ALL, PERMISSION_READ, PERMISSION_NONE
+from uds.models import Permissions, User, Group
+from uds.core.util import ot
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+def clean(obj):
+    Permissions.cleanPermissions(ot.getObjectType(obj), obj.pk)
+
+
+def addUserPermission(user, obj, permission=PERMISSION_READ):
+    # Some permissions added to some object types needs at least READ_PERMISSION on parent
+    Permissions.addPermission(user=user, object_type=ot.getObjectType(obj), object_id=obj.pk, permission=permission)
+
+
+def addGroupPermission(group, obj, permission=PERMISSION_READ):
+    Permissions.addPermission(group=group, object_type=ot.getObjectType(obj), object_id=obj.pk, permission=permission)
+
+
+def checkPermissions(user, obj, permission=PERMISSION_ALL):
+    return Permissions.getPermissions(user=user, groups=user.groups.all(), object_type=ot.getObjectType(obj), object_id=obj.pk) >= permission

server/src/uds/migrations/0014_permissions.py

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('uds', '0013_statsevents_fld4'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Permissions',
+            fields=[
+                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
+                ('uuid', models.CharField(default=None, max_length=50, unique=True, null=True)),
+                ('created', models.DateTimeField(db_index=True)),
+                ('ends', models.DateTimeField(default=None, null=True, db_index=True, blank=True)),
+                ('object_type', models.SmallIntegerField(default=-1, db_index=True)),
+                ('object_id', models.IntegerField(default=None, null=True, db_index=True, blank=True)),
+                ('permission', models.SmallIntegerField(default=0, db_index=True)),
+                ('group', models.ForeignKey(related_name='permissions', default=None, blank=True, to='uds.Group', null=True)),
+                ('user', models.ForeignKey(related_name='permissions', default=None, blank=True, to='uds.User', null=True)),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=(models.Model,),
+        ),
+    ]

server/src/uds/models/Permissions.py

@@ -0,0 +1,172 @@
+# -*- coding: utf-8 -*-
+
+#
+# Copyright (c) 2012 Virtual Cable S.L.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted provided that the following conditions are met:
+#
+#    * Redistributions of source code must retain the above copyright notice,
+#      this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above copyright notice,
+#      this list of conditions and the following disclaimer in the documentation
+#      and/or other materials provided with the distribution.
+#    * Neither the name of Virtual Cable S.L. nor the names of its contributors
+#      may be used to endorse or promote products derived from this software
+#      without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+'''
+.. moduleauthor:: Adolfo Gómez, dkmaster at dkmon dot com
+'''
+
+from __future__ import unicode_literals
+
+__updated__ = '2015-03-01'
+
+from django.utils.encoding import python_2_unicode_compatible
+from django.utils.translation import ugettext as _
+from django.db import models
+from django.db.models import Q
+
+from uds.models.UUIDModel import UUIDModel
+from uds.models.User import User
+from uds.models.Group import Group
+from uds.models.Util import getSqlDatetime
+
+import logging
+
+logger = logging.getLogger(__name__)
+
+# Allowed permissions
+PERMISSION_NONE = 0
+PERMISSION_READ = 16
+PERMISSION_ALL = 32
+
+
+@python_2_unicode_compatible
+class Permissions(UUIDModel):
+    '''
+    An OS Manager represents a manager for responding requests for agents inside services.
+    '''
+    # pylint: disable=model-missing-unicode
+
+    created = models.DateTimeField(db_index=True)
+    ends = models.DateTimeField(db_index=True, null=True, blank=True, default=None)  # Future "permisions ends at this moment", not assigned right now
+
+    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name='permissions', null=True, blank=True, default=None)
+    group = models.ForeignKey(Group, on_delete=models.CASCADE, related_name='permissions', null=True, blank=True, default=None)
+
+    object_type = models.SmallIntegerField(default=-1, db_index=True)
+    object_id = models.IntegerField(default=None, db_index=True, null=True, blank=True)
+
+    permission = models.SmallIntegerField(default=PERMISSION_NONE, db_index=True)
+
+    @staticmethod
+    def permissionAsString(perm):
+        return {
+            PERMISSION_NONE: _('None'),
+            PERMISSION_READ: _('Read'),
+            PERMISSION_ALL: _('All')
+        }.get(perm, _('None'))
+
+    @staticmethod
+    def addPermission(**kwargs):
+        '''
+        Adds a permission to an object and an user or group
+        '''
+        user = kwargs.get('user', None)
+        group = kwargs.get('group', None)
+
+        if user is not None and group is not None:
+            raise Exception('Use only user or group, but not both')
+
+        if user is None and group is None:
+            raise Exception('Must at least indicate user or group')
+
+        object_type = kwargs.get('object_type', None)
+
+        if object_type is None:
+            raise Exception('At least an object type is required')
+
+        object_id = kwargs.get('object_id', None)
+
+        permission = kwargs.get('permission', PERMISSION_NONE)
+
+        if user is not None:
+            q = Q(user=user)
+        else:
+            q = Q(group=group)
+
+        try:
+            existing = Permissions.objects.filter(q, object_type=object_type, object_id=object_id)[0]
+            existing.permission = permission
+            existing.save()
+            return existing
+        except Exception:  # Does not exists
+            return Permissions.objects.create(created=getSqlDatetime(), ends=None, user=user, group=group,
+                                              object_type=object_type, object_id=object_id, permission=permission)
+
+    @staticmethod
+    def getPermissions(**kwargs):
+        '''
+        Retrieves the permission for a given object
+        It's mandatory to include at least object_type param
+
+        @param object_type: Required
+        @param object_id: Optional
+        @param user: Optional, User (db object)
+        @param groups: Optional List of db groups
+        '''
+        object_type = kwargs.get('object_type', None)
+        if object_type is None:
+            raise Exception('Needs at least the object_type field')
+
+        object_id = kwargs.get('object_id', None)
+
+        user = kwargs.get('user', None)
+        groups = kwargs.get('groups', [])
+
+        if user is None and len(groups) == 0:
+            q = Q()
+        else:
+            q = Q(user=user) | Q(group__in=groups)
+
+        try:
+            perm = Permissions.objects.filter(
+                Q(object_type=object_type),
+                Q(object_id=None) | Q(object_id=object_id),
+                q
+            ).order_by('-permission')[0]
+            logger.debug('Got permission {}'.format(perm))
+            return perm.permission
+        except Exception:  # DoesNotExists
+            return PERMISSION_NONE
+
+    @staticmethod
+    def cleanPermissions(object_type, object_id):
+        Permissions.objects.filter(object_type=object_type, object_id=object_id).delete()
+
+    @staticmethod
+    def cleanUserPermissions(user):
+        Permissions.objects.filter(user=user).delete()
+
+    @staticmethod
+    def cleanGroupPermissions(group):
+        Permissions.objects.filter(group=group).delete()
+
+    def __str__(self):
+        return 'Permission {}, user {} group {} object_type {} object_id {} permission {}'.format(
+            self.uuid, self.user, self.group, self.object_type, self.object_id, Permissions.permissionAsString(self.permission)
+        )