Fixes #35
This commit is contained in:
parent
39c022dbf3
commit
6b2da2fe6b
|
@ -16,25 +16,19 @@ operator_permission = Permission(RoleNeed('operator'))
|
||||||
admin_permission = Permission(RoleNeed('admin'))
|
admin_permission = Permission(RoleNeed('admin'))
|
||||||
|
|
||||||
CertificateCreator = namedtuple('certificate', ['method', 'value'])
|
CertificateCreator = namedtuple('certificate', ['method', 'value'])
|
||||||
CertificateCreatorNeed = partial(CertificateCreator, 'certificateView')
|
CertificateCreatorNeed = partial(CertificateCreator, 'key')
|
||||||
|
|
||||||
CertificateOwner = namedtuple('certificate', ['method', 'value'])
|
|
||||||
CertificateOwnerNeed = partial(CertificateOwner, 'certificateView')
|
|
||||||
|
|
||||||
|
|
||||||
class ViewKeyPermission(Permission):
|
class ViewKeyPermission(Permission):
|
||||||
def __init__(self, certificate_id, owner_id):
|
def __init__(self, certificate_id, owner):
|
||||||
c_need = CertificateCreatorNeed(str(certificate_id))
|
c_need = CertificateCreatorNeed(str(certificate_id))
|
||||||
o_need = CertificateOwnerNeed(str(owner_id))
|
super(ViewKeyPermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
|
||||||
|
|
||||||
super(ViewKeyPermission, self).__init__(o_need, c_need, RoleNeed('admin'))
|
|
||||||
|
|
||||||
|
|
||||||
class UpdateCertificatePermission(Permission):
|
class UpdateCertificatePermission(Permission):
|
||||||
def __init__(self, role_id, certificate_id):
|
def __init__(self, certificate_id, owner):
|
||||||
c_need = CertificateCreatorNeed(str(certificate_id))
|
c_need = CertificateCreatorNeed(str(certificate_id))
|
||||||
o_need = CertificateOwnerNeed(str(role_id))
|
super(UpdateCertificatePermission, self).__init__(c_need, RoleNeed(owner), RoleNeed('admin'))
|
||||||
super(UpdateCertificatePermission, self).__init__(o_need, c_need, RoleNeed('admin'))
|
|
||||||
|
|
||||||
|
|
||||||
RoleUser = namedtuple('role', ['method', 'value'])
|
RoleUser = namedtuple('role', ['method', 'value'])
|
||||||
|
|
|
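Review bot: `ViewKeyPermission` and `UpdateCertificatePermission` now have identical bodies — the same `(certificate_id, owner)` signature and the same need set built from `CertificateCreatorNeed`, `RoleNeed(owner)` and `RoleNeed('admin')` — so the grant rule lives in two places and neither class documents it. A docstring on each would make the policy reviewable at a glance, e.g. `"""Grant when the identity holds the creator need for this certificate, the role named by `owner`, or the admin role."""`. The method string of `CertificateCreatorNeed` was changed to `'key'`, yet the same need also gates updates through `UpdateCertificatePermission`, so the name reads narrower than its use; a comment next to the partial such as `# shared by the view-key and update permissions` would avoid that confusion. As far as the hunk shows, a `None` owner simply yields a `RoleNeed(None)` that presumably matches nothing, so the check fails closed, which is the right default.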
@ -29,7 +29,7 @@ from cryptography.hazmat.primitives import serialization
|
||||||
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
|
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
|
||||||
|
|
||||||
from lemur.users import service as user_service
|
from lemur.users import service as user_service
|
||||||
from lemur.auth.permissions import CertificateOwnerNeed, CertificateCreatorNeed, \
|
from lemur.auth.permissions import CertificateCreatorNeed, \
|
||||||
AuthorityCreatorNeed, ViewRoleCredentialsNeed
|
AuthorityCreatorNeed, ViewRoleCredentialsNeed
|
||||||
|
|
||||||
|
|
||||||
|
@ -165,7 +165,6 @@ def on_identity_loaded(sender, identity):
|
||||||
# identity with the roles that the user provides
|
# identity with the roles that the user provides
|
||||||
if hasattr(user, 'roles'):
|
if hasattr(user, 'roles'):
|
||||||
for role in user.roles:
|
for role in user.roles:
|
||||||
identity.provides.add(CertificateOwnerNeed(role.id))
|
|
||||||
identity.provides.add(ViewRoleCredentialsNeed(role.id))
|
identity.provides.add(ViewRoleCredentialsNeed(role.id))
|
||||||
identity.provides.add(RoleNeed(role.name))
|
identity.provides.add(RoleNeed(role.name))
|
||||||
|
|
||||||
|
|
|
@ -446,13 +446,14 @@ class CertificatePrivateKey(AuthenticatedResource):
|
||||||
|
|
||||||
role = role_service.get_by_name(cert.owner)
|
role = role_service.get_by_name(cert.owner)
|
||||||
|
|
||||||
permission = ViewKeyPermission(certificate_id, hasattr(role, 'id'))
|
if role:
|
||||||
|
permission = ViewKeyPermission(certificate_id, role.name)
|
||||||
|
|
||||||
if permission.can():
|
if permission.can():
|
||||||
response = make_response(jsonify(key=cert.private_key), 200)
|
response = make_response(jsonify(key=cert.private_key), 200)
|
||||||
response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store'
|
response.headers['cache-control'] = 'private, max-age=0, no-cache, no-store'
|
||||||
response.headers['pragma'] = 'no-cache'
|
response.headers['pragma'] = 'no-cache'
|
||||||
return response
|
return response
|
||||||
|
|
||||||
return dict(message='You are not authorized to view this key'), 403
|
return dict(message='You are not authorized to view this key'), 403
|
||||||
|
|
||||||
|
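Review bot: When `role_service.get_by_name(cert.owner)` returns a falsy value the new `if role:` skips the assignment, and the context line `if permission.can():` that follows then reads an unbound `permission` (unless the method assigns it earlier, outside the hunk), so an owner that does not resolve to a role produces an exception rather than the 403 returned at the end of the hunk. The branch should fail closed explicitly, e.g. add `else:` / `return dict(message='You are not authorized to view this key'), 403` after the `if role:` block, or initialise `permission` to a deny-all permission before the check. The enclosing method of `CertificatePrivateKey` starts outside the hunk.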
@ -572,7 +573,7 @@ class Certificates(AuthenticatedResource):
|
||||||
|
|
||||||
cert = service.get(certificate_id)
|
cert = service.get(certificate_id)
|
||||||
role = role_service.get_by_name(cert.owner)
|
role = role_service.get_by_name(cert.owner)
|
||||||
permission = UpdateCertificatePermission(certificate_id, hasattr(role, 'id'))
|
permission = UpdateCertificatePermission(certificate_id, role.name)
|
||||||
|
|
||||||
if permission.can():
|
if permission.can():
|
||||||
return service.update(
|
return service.update(
|
||||||
|
|
|
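Review bot: `role.name` on the `UpdateCertificatePermission(...)` line dereferences `role` with no None check, whereas the line it replaces tolerated a missing role via `hasattr(role, 'id')` and the parallel change in `CertificatePrivateKey` (earlier hunk) wraps the same lookup in `if role:`; a certificate whose owner does not resolve to a role will raise `AttributeError` here instead of being denied. Guard it the same way, e.g. `if not role:` followed by a 403 response like the one the view-key path returns, before constructing the permission. The enclosing `Certificates` method starts and ends outside the hunk.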
@ -107,7 +107,6 @@ angular.module('lemur')
|
||||||
title: certificate.name,
|
title: certificate.name,
|
||||||
body: 'Successfully created!'
|
body: 'Successfully created!'
|
||||||
});
|
});
|
||||||
$location.path('/certificates');
|
|
||||||
},
|
},
|
||||||
function (response) {
|
function (response) {
|
||||||
toaster.pop({
|
toaster.pop({
|
||||||
|
@ -120,14 +119,21 @@ angular.module('lemur')
|
||||||
};
|
};
|
||||||
|
|
||||||
CertificateService.update = function (certificate) {
|
CertificateService.update = function (certificate) {
|
||||||
return LemurRestangular.copy(certificate).put().then(function () {
|
return LemurRestangular.copy(certificate).put().then(
|
||||||
toaster.pop({
|
function () {
|
||||||
type: 'success',
|
toaster.pop({
|
||||||
title: certificate.name,
|
type: 'success',
|
||||||
body: 'Successfully updated!'
|
title: certificate.name,
|
||||||
|
body: 'Successfully updated!'
|
||||||
|
});
|
||||||
|
},
|
||||||
|
function (response) {
|
||||||
|
toaster.pop({
|
||||||
|
type: 'error',
|
||||||
|
title: certificate.name,
|
||||||
|
body: 'Failed to update ' + response.data.message
|
||||||
|
});
|
||||||
});
|
});
|
||||||
$location.path('certificates');
|
|
||||||
});
|
|
||||||
};
|
};
|
||||||
|
|
||||||
CertificateService.upload = function (certificate) {
|
CertificateService.upload = function (certificate) {
|
||||||
|
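Review bot: The new error handler builds `'Failed to update ' + response.data.message` without checking that `response.data` carries a `message`; a network failure or a non-JSON error body leaves `response.data` undefined or a plain string, so the callback either throws a `TypeError` or shows `Failed to update undefined`. A guarded form such as `body: 'Failed to update ' + ((response.data && response.data.message) || 'unknown error')` keeps the toast useful in both cases. Because the body is a server-supplied string, it is also worth confirming that the toaster is configured to render bodies as text rather than trusted HTML; the toaster setup is not visible in this hunk. `CertificateService.update` is shown in full here, but the create and upload error handlers that likely use the same pattern are outside this hunk.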
@ -138,7 +144,6 @@ angular.module('lemur')
|
||||||
title: certificate.name,
|
title: certificate.name,
|
||||||
body: 'Successfully uploaded!'
|
body: 'Successfully uploaded!'
|
||||||
});
|
});
|
||||||
$location.path('/certificates');
|
|
||||||
},
|
},
|
||||||
function (response) {
|
function (response) {
|
||||||
toaster.pop({
|
toaster.pop({
|
||||||
|
|