← Back to branch summary

~0x44/nova/bug838466 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

"""Role-based access control decorators to use fpr wrapping other
methods with."""

from nova import exception


def allow(*roles):
    """Allow the given roles access the wrapped function."""

    def wrap(func): # pylint: disable-msg=C0111

        def wrapped_func(self, context, *args,
                         **kwargs): # pylint: disable-msg=C0111
            if context.user.is_superuser():
                return func(self, context, *args, **kwargs)
            for role in roles:
                if __matches_role(context, role):
                    return func(self, context, *args, **kwargs)
            raise exception.NotAuthorized()

        return wrapped_func

    return wrap


def deny(*roles):
    """Deny the given roles access the wrapped function."""

    def wrap(func): # pylint: disable-msg=C0111

        def wrapped_func(self, context, *args,
                         **kwargs): # pylint: disable-msg=C0111
            if context.user.is_superuser():
                return func(self, context, *args, **kwargs)
            for role in roles:
                if __matches_role(context, role):
                    raise exception.NotAuthorized()
            return func(self, context, *args, **kwargs)

        return wrapped_func

    return wrap


def __matches_role(context, role):
    """Check if a role is allowed."""
    if role == 'all':
        return True
    if role == 'none':
        return False
    return context.project.has_role(context.user.id, role)