From 75ac6cd045efda6fe63a14de4287aa639bcf620b Mon Sep 17 00:00:00 2001
From: Tiago Garcia
Date: Tue, 17 Dec 2024 16:27:49 +0000
Subject: [PATCH] fix perms checking

Signed-off-by: Tiago Garcia
---
 delivery2/client/bin/rep_acl_doc | 0
 delivery2/client/bin/rep_add_permission | 0
 delivery2/client/bin/rep_add_role | 0
 delivery2/client/bin/rep_assume_role | 26 +++++++++----------
 delivery2/client/bin/rep_drop_role | 0
 .../client/bin/rep_list_permission_roles | 0
 .../client/bin/rep_list_role_permissions | 0
 delivery2/client/bin/rep_list_role_subjects | 0
 delivery2/client/bin/rep_list_roles | 0
 delivery2/client/bin/rep_list_subject_roles | 0
 delivery2/client/bin/rep_reactivate_role | 0
 delivery2/client/bin/rep_remove_permission | 0
 delivery2/client/bin/rep_suspend_role | 0
 delivery2/client/tests/test_client.py | 7 +++++
 delivery2/server/routes/role.py | 8 ++++--
 delivery2/server/services/sessions.py | 5 ++--
 delivery2/server/utils/perms.py | 4 +--
 17 files changed, 31 insertions(+), 19 deletions(-)
 mode change 100644 => 100755 delivery2/client/bin/rep_acl_doc
 mode change 100644 => 100755 delivery2/client/bin/rep_add_permission
 mode change 100644 => 100755 delivery2/client/bin/rep_add_role
 mode change 100644 => 100755 delivery2/client/bin/rep_assume_role
 mode change 100644 => 100755 delivery2/client/bin/rep_drop_role
 mode change 100644 => 100755 delivery2/client/bin/rep_list_permission_roles
 mode change 100644 => 100755 delivery2/client/bin/rep_list_role_permissions
 mode change 100644 => 100755 delivery2/client/bin/rep_list_role_subjects
 mode change 100644 => 100755 delivery2/client/bin/rep_list_roles
 mode change 100644 => 100755 delivery2/client/bin/rep_list_subject_roles
 mode change 100644 => 100755 delivery2/client/bin/rep_reactivate_role
 mode change 100644 => 100755 delivery2/client/bin/rep_remove_permission
 mode change 100644 => 100755 delivery2/client/bin/rep_suspend_role
diff --git a/delivery2/client/bin/rep_acl_doc b/delivery2/client/bin/rep_acl_doc
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_add_permission b/delivery2/client/bin/rep_add_permission
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_add_role b/delivery2/client/bin/rep_add_role
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_assume_role b/delivery2/client/bin/rep_assume_role
old mode 100644
new mode 100755
index 8b547c2..902279d
--- a/delivery2/client/bin/rep_assume_role
+++ b/delivery2/client/bin/rep_assume_role
@@ -43,19 +43,19 @@ def assumeRole(args):
 with open(BASE_DIR + args.session, 'r') as f:
 args.session = json.load(f)
- # Get roles in session
- try:
- req = requests.get(f'http://{state['REP_ADDRESS']}/role/session/list', headers={'Authorization': args.session['token']})
- req.raise_for_status()
- except requests.exceptions.RequestException as errex:
- logger.error("Failed to obtain response from server.")
- sys.exit(-1)
-
- # Validate role name
- roles = req.json()
- if args.role not in roles.items():
- logger.error("Role does not exist.")
- sys.exit(1)
+ # # Get roles in session
+ # try:
+ # req = requests.get(f'http://{state['REP_ADDRESS']}/role/session/list', headers={'Authorization': args.session['token']})
+ # req.raise_for_status()
+ # except requests.exceptions.RequestException as errex:
+ # logger.error("Failed to obtain response from server.")
+ # sys.exit(-1)
+ #
+ # # Validate role name
+ # roles = req.json()
+ # if args.role not in roles.items():
+ # logger.error("Role does not exist.")
+ # sys.exit(1)
 # TODO:
diff --git a/delivery2/client/bin/rep_drop_role b/delivery2/client/bin/rep_drop_role
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_list_permission_roles b/delivery2/client/bin/rep_list_permission_roles
old mode 100644
new mode 100755
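Review bot: The client-side role check is commented out instead of deleted, leaving thirteen lines of dead code between `args.session = json.load(f)` and `# TODO:` in assumeRole. The disabled check was also wrong on its own terms — `args.role not in roles.items()` tests a string against (key, value) tuples, so it would have rejected every role, which is presumably why it was switched off — and the server now answers 404 for an unknown role in role_session_assume (same patch), so a client pre-check is redundant. Remove the block outright; if a pre-check is reintroduced later it should test `args.role not in roles` against whatever shape `/role/session/list` actually returns, which is not visible here. Note in passing that the disabled code sent the session token over plain `http://`; if the live requests in this client do the same, that deserves its own look. assumeRole starts before this hunk and continues after it.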
diff --git a/delivery2/client/bin/rep_list_role_permissions b/delivery2/client/bin/rep_list_role_permissions
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_list_role_subjects b/delivery2/client/bin/rep_list_role_subjects
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_list_roles b/delivery2/client/bin/rep_list_roles
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_list_subject_roles b/delivery2/client/bin/rep_list_subject_roles
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_reactivate_role b/delivery2/client/bin/rep_reactivate_role
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_remove_permission b/delivery2/client/bin/rep_remove_permission
old mode 100644
new mode 100755
diff --git a/delivery2/client/bin/rep_suspend_role b/delivery2/client/bin/rep_suspend_role
old mode 100644
new mode 100755
diff --git a/delivery2/client/tests/test_client.py b/delivery2/client/tests/test_client.py
index 8f1c3ff..48d1dd6 100644
--- a/delivery2/client/tests/test_client.py
+++ b/delivery2/client/tests/test_client.py
@@ -45,6 +45,13 @@ def test_rep_create_session():
 assert process.returncode == 0
+def test_rep_assume_role():
+ # Test the rep_assume_role command
+ process = subprocess.Popen(f"{DELIVERY_PATH}/client/bin/rep_assume_role session.json manager", shell=True)
+ process.wait()
+ assert process.returncode == 0
+
+
 def test_rep_list_subjects():
 #Test the rep_list_subjects command
 process = subprocess.Popen(f"{DELIVERY_PATH}/client/bin/rep_list_subjects session.json", shell=True)
diff --git a/delivery2/server/routes/role.py b/delivery2/server/routes/role.py
index 3b927cd..801dfcf 100644
--- a/delivery2/server/routes/role.py
+++ b/delivery2/server/routes/role.py
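Review bot: The new test_rep_assume_role covers only the allowed case (`manager`), so it cannot catch a regression in the permission check this commit is meant to fix; add a companion test that assumes a role the session's subject does not hold and asserts `process.returncode != 0`. Like the tests around it, it runs a shell string via `shell=True` and waits with no timeout — `subprocess.run([f"{DELIVERY_PATH}/client/bin/rep_assume_role", "session.json", "manager"], timeout=30)` keeps `DELIVERY_PATH` out of shell parsing and bounds a hung client. The test also relies on `session.json` written by test_rep_create_session above and on a `manager` role existing server-side; neither dependency is stated, so a one-line comment naming them would spare the next person who runs the suite out of order or against a fresh database.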
@@ -261,7 +261,9 @@ def role_session_assume(role):
 if not session:
 return jsonify({"error": "Not authenticated"}), 401
- if not RoleService.get_role(session.org_id, role):
+ org = OrganizationService.get_organization(session.org_id)
+
+ if not RoleService.get_role(org, role):
 return jsonify({"error": "Role not found"}), 404
 session = SessionService.change_role(session, role, "add")
@@ -281,7 +281,9 @@ def role_session_drop(role):
 if not session:
 return jsonify({"error": "Not authenticated"}), 401
- if not RoleService.get_role(session.org_id, role):
+ org = OrganizationService.get_organization(session.org_id)
+
+ if not RoleService.get_role(org, role):
 return jsonify({"error": "Role not found"}), 404
 session = SessionService.change_role(session, role, "drop")
diff --git a/delivery2/server/services/sessions.py b/delivery2/server/services/sessions.py
index f5438dd..58bbe7b 100644
--- a/delivery2/server/services/sessions.py
+++ b/delivery2/server/services/sessions.py
@@ -47,6 +47,7 @@ class SessionService:
 session.verified = True
 db.commit()
 db.refresh(session)
+ return session
 @staticmethod
 def get_session(token: str) -> Session | None:
@@ -102,7 +103,7 @@ class SessionService:
 return jsonify({"error": f"Role {role} does not exist in organization {org.name}"}), 404
 if operation == "add":
- if role not in user.roles[org.id]:
+ if role not in user.roles[str(org.id)]:
 return jsonify({"error": f"User {user.username} does not have role {role}"}), 400
 if role in session.roles:
@@ -110,7 +111,7 @@ class SessionService:
 session.roles.append(role)
 elif operation == "drop":
- if role not in user.roles[org.id]:
+ if role not in user.roles[str(org.id)]:
 return jsonify({"error": f"User {user.username} does not have role {role}"}), 400
 if role not in session.roles:
diff --git a/delivery2/server/utils/perms.py b/delivery2/server/utils/perms.py
index 5a31ba0..ba2293e 100644
--- a/delivery2/server/utils/perms.py
+++ b/delivery2/server/utils/perms.py
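Review bot: `org = OrganizationService.get_organization(session.org_id)` is handed straight to `RoleService.get_role(org, role)` with no check that the lookup succeeded; if it yields None (its failure behaviour is not visible here), the request dies with an unhandled exception instead of the 404 this branch intends. Add `if org is None: return jsonify({"error": "Organization not found"}), 404` before the role lookup, and the same in the identical block of role_session_drop. Separately, `session = SessionService.change_role(session, role, "add")` rebinds session to whatever change_role returns, and the sessions.py hunks in this patch show change_role returning `(jsonify(...), status)` tuples on its error paths, so the caller must tell those apart from a Session — how it does is outside this hunk. Both route functions start before their hunks.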
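Review bot: `user.roles[str(org.id)]` raises KeyError when the user has no entry for this organization at all, so a subject with no roles in the org gets an unhandled exception rather than the 400 this branch intends; assuming user.roles is a dict, use `user.roles.get(str(org.id), [])` here and in the drop branch below. The change from `org.id` to `str(org.id)` implies the roles mapping is keyed by string ids (JSON-derived, presumably) — worth a one-line comment on the user model, because a wrong key type here silently denies every role and is exactly the kind of thing that gets "fixed" back. change_role starts before this hunk, and its error returns are `(jsonify(...), status)` tuples that the caller has to recognise as such.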
@@ -44,8 +44,8 @@ class Perm(Enum):
 return perms.value if isinstance(perms, Perm) else 0
 @staticmethod
- def check_perm(perm, bit_array: int):
- return perm.value & bit_array == perm.value
+ def check_perm(perms_array: int, perm_to_check: int):
+ return perms_array & perm_to_check == perm_to_check
 class PermOperation(Enum):
 ADD = 0
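Review bot: The new check_perm signature swaps the argument order and drops the `.value` dereference, so any caller that still passes a Perm member — the old first parameter was one, per `perm.value` — now raises TypeError because `Perm(Enum)` does not support `&`; no call sites are updated in this patch, so that needs confirming. With both parameters now plain ints a swapped call is not caught either, and since `perm & 0 == 0` is True, an empty permission set would then pass the check. Mirror the `isinstance(perms, Perm)` handling in the helper just above it: `mask = perm_to_check.value if isinstance(perm_to_check, Perm) else perm_to_check` followed by `return perms_array & mask == mask`, with a docstring stating that perms_array is the subject's bit set and perm_to_check the required bit(s).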