From 8b821d002363a8ecd212bcc940e91797e5c12b3f Mon Sep 17 00:00:00 2001
From: Curtis Castrapel
Date: Thu, 30 May 2019 10:21:44 -0700
Subject: [PATCH] Enhance domains query and sensitive domain checking code; Allow creation of opt-out roles via config

---
 lemur/auth/permissions.py  | 10 +++++++++-
 lemur/common/celery.py     |  2 +-
 lemur/common/validators.py |  2 +-
 lemur/domains/service.py   | 19 +++++++++++++++++--
 4 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/lemur/auth/permissions.py b/lemur/auth/permissions.py
index c3c57356..a5964880 100644
--- a/lemur/auth/permissions.py
+++ b/lemur/auth/permissions.py
@@ -9,6 +9,7 @@
 from functools import partial
 from collections import namedtuple
 
+from flask import current_app
 from flask_principal import Permission, RoleNeed
 
 # Permissions
@@ -21,7 +22,14 @@ CertificateOwnerNeed = partial(CertificateOwner, "role")
 
 class SensitiveDomainPermission(Permission):
     def __init__(self):
-        super(SensitiveDomainPermission, self).__init__(RoleNeed("admin"))
+        needs = [RoleNeed("admin")]
+        sensitive_domain_roles = current_app.config.get("SENSITIVE_DOMAIN_ROLES", [])
+
+        if sensitive_domain_roles:
+            for role in sensitive_domain_roles:
+                needs.append(RoleNeed(role))
+
+        super(SensitiveDomainPermission, self).__init__(*needs)
 
 
 class CertificatePermission(Permission):
diff --git a/lemur/common/celery.py b/lemur/common/celery.py
index 7eb1bb0d..2e87dbc3 100644
--- a/lemur/common/celery.py
+++ b/lemur/common/celery.py
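Review bot: In `__init__`, `Permission(*needs)` is satisfied when the identity provides any one of the listed needs, so every role in `SENSITIVE_DOMAIN_ROLES` gets exactly the same bypass of the sensitive-domain check as `admin`; nothing in the hunk records this, and the `if sensitive_domain_roles:` guard is redundant because iterating an empty list already does nothing. I'd give `__init__` a docstring stating that the permission is held by the admin role or any role named in SENSITIVE_DOMAIN_ROLES, and that listing a role there is a deliberate opt-out of sensitive-domain validation with the same reach as admin. The value is taken straight from config, so a string such as `"operators"` would be iterated character by character into one RoleNeed per letter; replacing the loop with `needs.extend(RoleNeed(role) for role in sensitive_domain_roles)` after rejecting (or at least warning on) non-list/tuple values would make that misconfiguration visible instead of silently producing needs that never match. Reading `current_app` here also means the class can only be instantiated inside an application context, which presumably holds for its callers but belongs in the same docstring.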
@@ -16,13 +16,13 @@ from celery.exceptions import SoftTimeLimitExceeded
 from flask import current_app
 
 from lemur.authorities.service import get as get_authority
+from lemur.destinations import service as destinations_service
 from lemur.extensions import metrics, sentry
 from lemur.factory import create_app
 from lemur.notifications.messaging import send_pending_failure_notification
 from lemur.pending_certificates import service as pending_certificate_service
 from lemur.plugins.base import plugins
 from lemur.sources.cli import clean, sync, validate_sources
-from lemur.destinations import service as destinations_service
 from lemur.sources.service import add_aws_destination_to_sources
 
 if current_app:
diff --git a/lemur/common/validators.py b/lemur/common/validators.py
index 3e6ebcf9..2412e2d3 100644
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
@@ -40,7 +40,7 @@ def sensitive_domain(domain):
     # Avoid circular import.
     from lemur.domains import service as domain_service
 
-    if any(d.sensitive for d in domain_service.get_by_name(domain)):
+    if domain_service.is_domain_sensitive(domain):
         raise ValidationError(
             "Domain {0} has been marked as sensitive. "
             "Contact an administrator to issue the certificate.".format(domain)
diff --git a/lemur/domains/service.py b/lemur/domains/service.py
index 8a581bfd..1944d9db 100644
--- a/lemur/domains/service.py
+++ b/lemur/domains/service.py
@@ -6,10 +6,11 @@
 .. moduleauthor:: Kevin Glisson
 """
 
-from lemur.domains.models import Domain
-from lemur.certificates.models import Certificate
+from sqlalchemy import and_
 
 from lemur import database
+from lemur.certificates.models import Certificate
+from lemur.domains.models import Domain
 
 
 def get(domain_id):
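Review bot: The new condition `if domain_service.is_domain_sensitive(domain):` passes the requested name through unchanged, so it only fires on a sensitive row whose stored name is an exact equality match (case handling depends on the database collation): a differently-cased name, or a wildcard SAN such as `*.example.com` that covers a sensitive `example.com`, is not caught unless names are normalised before they reach this validator, which I cannot see from here. The old `get_by_name` lookup had the same limit, so this is not a regression, but the switch is the right moment to record it above the condition: `# NOTE: exact-name match only; wildcard or mixed-case names are not covered — confirm names are normalised upstream`. The helper returns a list rather than a bool, so the condition relies on an empty list being falsy; that works but deserves a word in the same comment. `sensitive_domain` begins before the hunk, so its docstring is outside this view.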
@@ -42,6 +43,20 @@ def get_by_name(name):
     return database.get_all(Domain, name, field="name").all()
 
 
+def is_domain_sensitive(name):
+    """
+    Return True if domain is marked sensitive
+
+    :param name:
+    :return:
+    """
+    query = database.session_query(Domain)
+
+    query = query.filter(and_(Domain.sensitive, Domain.name == name))
+
+    return database.find_all(query, Domain, {}).all()
+
+
 def create(name, sensitive):
     """
     Create a new domain
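Review bot: `is_domain_sensitive` is documented as returning True but actually returns whatever `database.find_all(query, Domain, {}).all()` yields — a list of Domain rows, empty when nothing matches — so a caller that compares with `is True` or logs the value gets a list where the name promises a bool. The only visible caller (the validator) tests the result for truthiness, so returning a real bool is compatible: `query = database.session_query(Domain).filter(and_(Domain.sensitive, Domain.name == name))` followed by `return query.first() is not None`, which also stops loading every matching row just to test for existence. The `find_all(query, Domain, {})` wrapper with an empty filter dict presumably adds nothing on top of the filter already attached; if it does more than that, keep it but still reduce the result to a bool. The docstring's `:param name:` and `:return:` are empty; fill them with `exact domain name to look up` and `True if a domain with this name is flagged sensitive`.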