This commit is contained in:
kevgliss 2016-06-23 13:29:59 -07:00
parent 5193342b3a
commit 19b928d663
2 changed files with 9 additions and 20 deletions

View File

@ -27,21 +27,9 @@ class SensitiveDomainPermission(Permission):
super(SensitiveDomainPermission, self).__init__(RoleNeed('admin')) super(SensitiveDomainPermission, self).__init__(RoleNeed('admin'))
class ViewKeyPermission(Permission):
def __init__(self, certificate_id, owner):
c_need = CertificateCreatorNeed(certificate_id)
super(ViewKeyPermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
class UpdateCertificatePermission(Permission):
def __init__(self, certificate_id, owner):
c_need = CertificateCreatorNeed(certificate_id)
super(UpdateCertificatePermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
class CertificatePermission(Permission): class CertificatePermission(Permission):
def __init__(self, certificate_id, roles): def __init__(self, certificate_id, owner, roles):
needs = [RoleNeed('admin'), CertificateCreatorNeed(certificate_id)] needs = [RoleNeed('admin'), CertificateCreatorNeed(certificate_id), RoleNeed(owner)]
for r in roles: for r in roles:
needs.append(CertificateOwnerNeed(str(r))) needs.append(CertificateOwnerNeed(str(r)))

View File

@ -15,7 +15,7 @@ from lemur.common.schema import validate_schema
from lemur.common.utils import paginated_parser from lemur.common.utils import paginated_parser
from lemur.auth.service import AuthenticatedResource from lemur.auth.service import AuthenticatedResource
from lemur.auth.permissions import ViewKeyPermission, AuthorityPermission, CertificatePermission from lemur.auth.permissions import AuthorityPermission, CertificatePermission
from lemur.certificates import service from lemur.certificates import service
from lemur.certificates.schemas import certificate_input_schema, certificate_output_schema, \ from lemur.certificates.schemas import certificate_input_schema, certificate_output_schema, \
@ -399,9 +399,8 @@ class CertificatePrivateKey(AuthenticatedResource):
if not cert: if not cert:
return dict(message="Cannot find specified certificate"), 404 return dict(message="Cannot find specified certificate"), 404
role = role_service.get_by_name(cert.owner) owner_role = role_service.get_by_name(cert.owner)
permission = CertificatePermission(cert.id, owner_role, [x.name for x in cert.roles])
permission = ViewKeyPermission(certificate_id, getattr(role, 'name', None))
if permission.can(): if permission.can():
response = make_response(jsonify(key=cert.private_key), 200) response = make_response(jsonify(key=cert.private_key), 200)
@ -581,7 +580,8 @@ class Certificates(AuthenticatedResource):
""" """
cert = service.get(certificate_id) cert = service.get(certificate_id)
permission = CertificatePermission(cert.id, [x.name for x in cert.roles]) owner_role = role_service.get_by_name(cert.owner)
permission = CertificatePermission(cert.id, owner_role, [x.name for x in cert.roles])
if permission.can(): if permission.can():
return service.update( return service.update(
@ -864,7 +864,8 @@ class CertificateExport(AuthenticatedResource):
""" """
cert = service.get(certificate_id) cert = service.get(certificate_id)
permission = CertificatePermission(cert.id, [x.name for x in cert.roles]) owner_role = role_service.get_by_name(cert.owner)
permission = CertificatePermission(cert.id, owner_role, [x.name for x in cert.roles])
options = data['plugin']['plugin_options'] options = data['plugin']['plugin_options']
plugin = data['plugin']['plugin_object'] plugin = data['plugin']['plugin_object']