Mailinglist Archive: yast-commit (883 mails)

< Previous Next >
[yast-commit] <rest-service> master : Refactor, cleanup, stabilize, test PermissionsController
  • From: Klaus Kämpf <kkaempf@xxxxxxx>
  • Date: Thu, 9 Jul 2009 15:02:54 +0200
  • Message-id: <E1MOtHB-0007z6-27@xxxxxxxxxxxxxxxx>
ref: refs/heads/master
commit 73fd44fdad6afc1c0a90daf56ca65a59eb90c4c4
Author: Klaus Kämpf <kkaempf@xxxxxxx>
Date: Thu Jul 9 15:02:54 2009 +0200

Refactor, cleanup, stabilize, test PermissionsController
---
.../app/controllers/permissions_controller.rb | 160 ++++++++++++--------
webservice/app/models/permission.rb | 9 +-
.../test/functional/permissions_controller_test.rb | 21 ++-
3 files changed, 118 insertions(+), 72 deletions(-)

diff --git a/webservice/app/controllers/permissions_controller.rb
b/webservice/app/controllers/permissions_controller.rb
index d22cb8c..a1f8cc5 100644
--- a/webservice/app/controllers/permissions_controller.rb
+++ b/webservice/app/controllers/permissions_controller.rb
@@ -1,59 +1,110 @@
#
-#
+# Configure PolicyKit permissions for a user
#

+if __FILE__ == $0
+ require File.dirname(__FILE__) + '/../../test/test_helper'
+ puts "RAILS_ENV #{RAILS_ENV}"
+ puts "USER #{ENV['USER']}"
+ c = PermissionsController.new
+ c.test
+end
+
class PermissionsController < ApplicationController

before_filter :login_required

require "scr"

- private
-
- def get_permission_list(user_id, filter = nil)
+ def initialize
@permissions = []
- ret = Scr.instance.execute(["polkit-action"])
- return false unless ret && ret[:exit] == 0
+ end
+
+ private
+
+ #
+ # iterate over org.opensuse.yast permissions
+ # user_id: if set, iterate over granted perms
+ # else iterate over all
+ # filter: optional filter string, i.e. "scr"
+ #
+ def each_suse_permissions( user_id, filter = nil )
+ # filter org.opensuse.yast
+ suse_string = /org\.opensuse\.yast\..*/

- suse_string = "org.opensuse.yast."
- lines = ret[:stdout].split("\n") rescue []
+ # get users or all actions
+ ret = if user_id
+ Scr.instance.execute(["polkit-auth", "--user", user_id,
"--explicit"])
+ else
+ Scr.instance.execute(["polkit-action"])
+ end rescue nil
+ raise RuntimeError unless ret && ret[:exit] == 0

- # a hash for mapping string 'permission name' => boolean 'granted'
- perms = Hash.new
-
- lines.each do |s|
- if (s.include?( suse_string )) &&
- (filter.blank? || s.include?( filter ))
- # set 'not granted' default
- perms[s] = false
- end
+ ret[:stdout].scan(suse_string) do |p|
+ next unless filter.blank? or p.include?(filter)
+ yield p
end

- ret = Scr.instance.execute(["polkit-auth", "--user", user_id,
"--explicit"])
- return false unless ret && ret[:exit] == 0
+ end
+
+ #
+ # get all Array of Permissions user_id has
+ #
+
+ def permissions_list(user_id, filter = nil)
+
+ # a hash for mapping string 'permission name' => boolean 'granted'
+ perms = Hash.new

- lines = ret[:stdout].split("\n") rescue []
- lines.each do |s|
- # ignore the rights which do not have the prefix, do not have any
.policy file
- # or do not match the filter
- if (s.include?( suse_string )) && perms.has_key?(s) && (filter.blank? ||
s.include?( filter ))
- # update the value to 'granted' state
- perms[s] = true
- end
- end
+ # get all known permissions into 'perms' hash
+ each_suse_permissions( nil, filter ) do |p|
+ perms[p] = false
+ end rescue return false
+
+ # now set those 'true' which are granted
+ each_suse_permissions( user_id, filter ) do |p|
+ perms[p] = true
+ end rescue return false

# convert the hash to a list of Permission objects
@permissions = []
- perms.each do |name,value|
- permission = Permission.new
- permission.name = name
- permission.grant = value
+ perms.each do |name,grant|
+ permission = Permission.new name, grant
@permissions << permission
end
+ true
end

-
+ #
+ # check if logged in user requests his own stuff
+ #
+ def user_self( params )
+ !params[:user_id].blank? && (params[:user_id] ==
self.current_account.login)
+ end
+
+ #
+ # check params and fill @permissions
+ #
+ def retrieve_permissions( params )
+ # user can always see his rights
+ unless permission_check( "org.opensuse.yast.permissions.read") ||
user_self(params)
+ render ErrorResult.error(403, 1, "no permission") and return
+ end
+ if params[:user_id].blank?
+ render ErrorResult.error(404, 2, "No user specified") and return
+ end
+ unless permissions_list(params[:user_id], params[:filter])
+ render ErrorResult.error(404, 2, "cannot get permission list") and return
+ end
+ true
+ end
+
public
+ # test for private functions
+ def test
+ permissions_list(ENV['USER']) if RAILS_ENV == "test"
+ end
+

#--------------------------------------------------------------------------------
#
# actions
@@ -65,42 +116,26 @@ class PermissionsController < ApplicationController
# GET /permissions.json?user_id=<user_id>&filter=<filter>

def index
- # user can always see his rights
- unless (permission_check( "org.opensuse.yast.permissions.read") ||
(!params[:user_id].blank? && self.current_account.login == params[:user_id]))
- render ErrorResult.error(403, 1, "no permission") and return
- end
- if params[:user_id].blank?
- render ErrorResult.error(404, 2, "user_id is not defined") and return
- end
- unless get_permission_list(params[:user_id], params[:filter])
- render ErrorResult.error(404, 2, "cannot get permission list") and return
- end
+ retrieve_permissions params
end

# GET /users/<uid>/permissions/<id>?user_id=<user_id>

def show
- unless (permission_check( "org.opensuse.yast.permissions.read") ||
(!params[:user_id].blank? && self.current_account.login == params[:user_id]))
- render ErrorResult.error(403, 1, "no permission") and return
- end
- if params[:user_id].blank?
- render ErrorResult.error(404, 2, "user_id is not defined") and return
- end
- if params[:id].blank?
- render ErrorResult.error(404, 2, "right is not defined") and return
- end
right = params[:id]
- @permission = Permission.new
- unless get_permission_list(params[:user_id])
- render ErrorResult.error(404, 1, "cannot get permission list") and return
+ if right.blank?
+ render ErrorResult.error(404, 2, "right is not defined") and return
end
- for i in 0..@xxxxxxxxxxxxxxxxxx
- if @permissions[i].name == right
- permission = @permissions[i]
- break
- end
+
+ retrieve_permissions(params) or return
+
+ permission = nil
+ @permissions.each do |p|
+ next unless p.name == right
+ permission = p
+ break
end
- if !permission || permission.name.blank?
+ if permission.nil? || permission.name.blank?
render ErrorResult.error(404, 1, "Permission: #{right} not found.") and
return
end

@@ -127,7 +162,8 @@ class PermissionsController < ApplicationController
render ErrorResult.error(404, 1, "no permissions found") and return
end

- ret = Scr.instance.execute(["polkit-auth", "--user",
params[:permissions][:id], params[:permissions][:grant] ? "--grant" :
"--revoke", params[:permissions][:name]])
+ ret = Scr.instance.execute(["polkit-auth", "--user", params[:id],
params[:permissions][:grant] ? "--grant" : "--revoke",
params[:permissions][:name]])
+
if ret[:exit] != 0
render ErrorResult.error(404, 1, ret[:stderr]) and return
end
diff --git a/webservice/app/models/permission.rb
b/webservice/app/models/permission.rb
index 38de65a..a264e78 100644
--- a/webservice/app/models/permission.rb
+++ b/webservice/app/models/permission.rb
@@ -4,12 +4,11 @@

class Permission

- attr_accessor :name,
- :grant
+ attr_reader :name, :grant

- def initialize( permission_name = "", gr = false)
- @grant = gr
- @name = permission_name
+ def initialize( name = "", grant = false)
+ @grant = grant
+ @name = name
end

def to_xml( options = {} )
diff --git a/webservice/test/functional/permissions_controller_test.rb
b/webservice/test/functional/permissions_controller_test.rb
index 0b1aca0..02594bc 100644
--- a/webservice/test/functional/permissions_controller_test.rb
+++ b/webservice/test/functional/permissions_controller_test.rb
@@ -22,7 +22,7 @@ class PermissionsControllerTest < ActionController::TestCase
@request.session[:account_id] = 1 # defined in fixtures


Scr.any_instance.stubs(:execute).with(["polkit-action"]).returns({:stderr=>"",
:exit=>0,
:stdout=>"org.opensuse.yast.system.users.read\norg.opensuse.yast.system.users.write\norg.opensuse.yast.system.users.new\norg.opensuse.yast.system.users.delete\n"})
- Scr.any_instance.stubs(:execute).with(["polkit-auth", "--user",
"test_user", "--explicit"]).returns(:stderr=>"", :exit=>0,
:stdout=>"org.opensuse.yast.system.users.read\norg.opensuse.yast.system.users.write\norg.opensuse.yast.system.users.new\n")
+ Scr.any_instance.stubs(:execute).with(["polkit-auth", "--user",
"test_user", "--explicit"]).returns(:stderr=>"", :exit=>0,
:stdout=>"org.opensuse.yast.system.users.read\norg.opensuse.yast.system.users.write\norg.opensuse.yast.system.users.new\norg.opensuse.yast.permissions.write\n")
Scr.any_instance.stubs(:execute).with(['polkit-auth', '--user',
'test_user', '--grant',
'org.opensuse.yast.patch.install']).returns({:stderr=>"", :exit=>0,
:stdout=>""})
end

@@ -81,10 +81,21 @@ class PermissionsControllerTest < ActionController::TestCase
assert_response :success
end

+ test "permissions access no session" do
+ save = ENV['RAILS_ENV']
+ ENV['RAILS_ENV'] = "production" # do a real permission_check
+ uid = @request.session[:account_id]
+ @request.session[:account_id] = 0
+ get :show
+ @request.session[:account_id] = uid
+ ENV['RAILS_ENV'] = save
+ assert_response 401
+ end
+
test "permissions access show production" do
save = ENV['RAILS_ENV']
- ENV['RAILS_ENV'] = "production"
- get :show, :id => "org.opensuse.yast.system.users.read"
+ ENV['RAILS_ENV'] = "production" # do a real permission_check
+ get :show, :id => "org.opensuse.yast.system.read"
ENV['RAILS_ENV'] = save
assert_response 403
end
@@ -94,7 +105,7 @@ class PermissionsControllerTest < ActionController::TestCase
ENV['RAILS_ENV'] = "production"
get :show, :user_id => "nobody"
ENV['RAILS_ENV'] = save
- assert_response 403
+ assert_response 404
end

test "permissions access show without user" do
@@ -126,7 +137,7 @@ class PermissionsControllerTest < ActionController::TestCase
end

test "setting permissions without user" do
- put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"id"=>"test_user", "grant"=>true}
+ put :update, :permissions => {"name"=>"org.opensuse.yast.patch.install",
"grant"=>true}
assert_response 404
end

--
To unsubscribe, e-mail: yast-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: yast-commit+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages