Enhance domains query and sensitive domain checking code; Allow creation of opt-out roles via config
parent
8bc23f6deb
commit
8b821d0023
|
@ -9,6 +9,7 @@
|
|||
from functools import partial
|
||||
from collections import namedtuple
|
||||
|
||||
from flask import current_app
|
||||
from flask_principal import Permission, RoleNeed
|
||||
|
||||
# Permissions
|
||||
|
@ -21,7 +22,14 @@ CertificateOwnerNeed = partial(CertificateOwner, "role")
|
|||
|
||||
class SensitiveDomainPermission(Permission):
|
||||
def __init__(self):
|
||||
super(SensitiveDomainPermission, self).__init__(RoleNeed("admin"))
|
||||
needs = [RoleNeed("admin")]
|
||||
sensitive_domain_roles = current_app.config.get("SENSITIVE_DOMAIN_ROLES", [])
|
||||
|
||||
if sensitive_domain_roles:
|
||||
for role in sensitive_domain_roles:
|
||||
needs.append(RoleNeed(role))
|
||||
|
||||
super(SensitiveDomainPermission, self).__init__(*needs)
|
||||
|
||||
|
||||
class CertificatePermission(Permission):
|
||||
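Review bot: The value read from `SENSITIVE_DOMAIN_ROLES` in `SensitiveDomainPermission.__init__` is never type-checked, so a deployment that sets it to a single string instead of a list would have the `for role in sensitive_domain_roles:` loop add one `RoleNeed` per character. A flask_principal `Permission` is satisfied by any one of its needs, so every entry added here exempts that role from the sensitive-domain check, and a mis-typed setting would widen the exemption without any error. Wrap or reject a bare string before the loop, e.g. `if isinstance(sensitive_domain_roles, str): sensitive_domain_roles = [sensitive_domain_roles]`. A class docstring such as `"""Granted to admin and to every role listed in SENSITIVE_DOMAIN_ROLES."""` would make the opt-out explicit to the next reader.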
|
|
|
@ -16,13 +16,13 @@ from celery.exceptions import SoftTimeLimitExceeded
|
|||
from flask import current_app
|
||||
|
||||
from lemur.authorities.service import get as get_authority
|
||||
from lemur.destinations import service as destinations_service
|
||||
from lemur.extensions import metrics, sentry
|
||||
from lemur.factory import create_app
|
||||
from lemur.notifications.messaging import send_pending_failure_notification
|
||||
from lemur.pending_certificates import service as pending_certificate_service
|
||||
from lemur.plugins.base import plugins
|
||||
from lemur.sources.cli import clean, sync, validate_sources
|
||||
from lemur.destinations import service as destinations_service
|
||||
from lemur.sources.service import add_aws_destination_to_sources
|
||||
|
||||
if current_app:
|
||||
|
|
|
@ -40,7 +40,7 @@ def sensitive_domain(domain):
|
|||
# Avoid circular import.
|
||||
from lemur.domains import service as domain_service
|
||||
|
||||
if any(d.sensitive for d in domain_service.get_by_name(domain)):
|
||||
if domain_service.is_domain_sensitive(domain):
|
||||
raise ValidationError(
|
||||
"Domain {0} has been marked as sensitive. "
|
||||
"Contact an administrator to issue the certificate.".format(domain)
|
||||
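Review bot: The new check `domain_service.is_domain_sensitive(domain)` passes the name through unchanged, and the service query compares it with `Domain.name == name`, so the gate matches only the exact stored spelling. DNS names are case-insensitive, so if neither this validator nor the stored rows are normalised (not visible in this hunk), a differently-cased request for a sensitive name would not be rejected. Consider normalising both sides, for example `func.lower(Domain.name) == name.lower()` in the service query, or state the expectation with a comment such as `# domain must already be lower-cased to match Domain.name`. The body of `sensitive_domain` starts and ends outside the hunk.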
|
|
|
@ -6,10 +6,11 @@
|
|||
|
||||
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
|
||||
"""
|
||||
from lemur.domains.models import Domain
|
||||
from lemur.certificates.models import Certificate
|
||||
from sqlalchemy import and_
|
||||
|
||||
from lemur import database
|
||||
from lemur.certificates.models import Certificate
|
||||
from lemur.domains.models import Domain
|
||||
|
||||
|
||||
def get(domain_id):
|
||||
|
@ -42,6 +43,20 @@ def get_by_name(name):
|
|||
return database.get_all(Domain, name, field="name").all()
|
||||
|
||||
|
||||
def is_domain_sensitive(name):
|
||||
"""
|
||||
Return True if domain is marked sensitive
|
||||
|
||||
:param name:
|
||||
:return:
|
||||
"""
|
||||
query = database.session_query(Domain)
|
||||
|
||||
query = query.filter(and_(Domain.sensitive, Domain.name == name))
|
||||
|
||||
return database.find_all(query, Domain, {}).all()
|
||||
|
||||
|
||||
def create(name, sensitive):
|
||||
"""
|
||||
Create a new domain
|
||||
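Review bot: `is_domain_sensitive` returns the list produced by `.all()`, not the boolean its docstring promises; the caller in `sensitive_domain` works only because an empty list is falsy. Wrap the result, `return bool(database.find_all(query, Domain, {}).all())`, so a later caller that compares against `True` or serialises the value does not receive `Domain` rows from a function that gates certificate issuance. The docstring's `:param name:` and `:return:` are empty; fill them in as `:param name: domain name to look up, matched exactly` and `:return: True if a Domain row with that name has sensitive set`.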
|
|