Merge pull request #2798 from castrapel/domains_enhancements

Enhance domains query and sensitive domain checking code
2019-05-30 10:31:24 -07:00 · 2019-05-30 10:31:24 -07:00 · 7eb9c80fb2
parent 7e31498a4b 8b821d0023
commit 7eb9c80fb2
4 changed files with 28 additions and 5 deletions
--- a/lemur/auth/permissions.py
+++ b/lemur/auth/permissions.py
@ -9,6 +9,7 @@
 from functools import partial
 from collections import namedtuple

+from flask import current_app
 from flask_principal import Permission, RoleNeed

 # Permissions
@ -21,7 +22,14 @@ CertificateOwnerNeed = partial(CertificateOwner, "role")

 class SensitiveDomainPermission(Permission):
    def __init__(self):
-        super(SensitiveDomainPermission, self).__init__(RoleNeed("admin"))
+        needs = [RoleNeed("admin")]
+        sensitive_domain_roles = current_app.config.get("SENSITIVE_DOMAIN_ROLES", [])
+
+        if sensitive_domain_roles:
+            for role in sensitive_domain_roles:
+                needs.append(RoleNeed(role))
+
+        super(SensitiveDomainPermission, self).__init__(*needs)


 class CertificatePermission(Permission):
--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
@ -16,13 +16,13 @@ from celery.exceptions import SoftTimeLimitExceeded
 from flask import current_app

 from lemur.authorities.service import get as get_authority
+from lemur.destinations import service as destinations_service
 from lemur.extensions import metrics, sentry
 from lemur.factory import create_app
 from lemur.notifications.messaging import send_pending_failure_notification
 from lemur.pending_certificates import service as pending_certificate_service
 from lemur.plugins.base import plugins
 from lemur.sources.cli import clean, sync, validate_sources
-from lemur.destinations import service as destinations_service
 from lemur.sources.service import add_aws_destination_to_sources

 if current_app:
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
@ -40,7 +40,7 @@ def sensitive_domain(domain):
    # Avoid circular import.
    from lemur.domains import service as domain_service

-    if any(d.sensitive for d in domain_service.get_by_name(domain)):
+    if domain_service.is_domain_sensitive(domain):
        raise ValidationError(
            "Domain {0} has been marked as sensitive. "
            "Contact an administrator to issue the certificate.".format(domain)
--- a/lemur/domains/service.py
+++ b/lemur/domains/service.py
@ -6,10 +6,11 @@

 .. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
 """
-from lemur.domains.models import Domain
-from lemur.certificates.models import Certificate
+from sqlalchemy import and_

 from lemur import database
+from lemur.certificates.models import Certificate
+from lemur.domains.models import Domain


 def get(domain_id):
@ -42,6 +43,20 @@ def get_by_name(name):
    return database.get_all(Domain, name, field="name").all()


+def is_domain_sensitive(name):
+    """
+    Return True if domain is marked sensitive
+
+    :param name:
+    :return:
+    """
+    query = database.session_query(Domain)
+
+    query = query.filter(and_(Domain.sensitive, Domain.name == name))
+
+    return database.find_all(query, Domain, {}).all()
+
+
 def create(name, sensitive):
    """
    Create a new domain