| 40 |
40 |
|
| 41 |
41 |
from base import NotAllowedError, BaseBackend
|
| 42 |
42 |
from lib.permissions import Permissions, READ, WRITE
|
|
43 |
from lib.policy import Policy
|
| 43 |
44 |
from lib.hashfiler import Mapper, Blocker
|
| 44 |
45 |
|
| 45 |
46 |
|
| ... | ... | |
| 106 |
107 |
foreign key (version_id) references versions(version_id)
|
| 107 |
108 |
on delete cascade)'''
|
| 108 |
109 |
self.con.execute(sql)
|
| 109 |
|
sql = '''create table if not exists policy (
|
| 110 |
|
name text, key text, value text, primary key (name, key))'''
|
| 111 |
|
self.con.execute(sql)
|
| 112 |
|
|
|
110 |
|
| 113 |
111 |
self.con.commit()
|
| 114 |
112 |
|
| 115 |
113 |
params = {'blocksize': self.block_size,
|
| ... | ... | |
| 124 |
122 |
params = {'connection': self.con,
|
| 125 |
123 |
'cursor': self.con.cursor()}
|
| 126 |
124 |
self.permissions = Permissions(**params)
|
|
125 |
self.policy = Policy(**params)
|
| 127 |
126 |
|
| 128 |
127 |
@backend_method
|
| 129 |
128 |
def list_accounts(self, user, marker=None, limit=10000):
|
| ... | ... | |
| 195 |
194 |
raise NotAllowedError
|
| 196 |
195 |
return {}
|
| 197 |
196 |
self._create_account(user, account)
|
| 198 |
|
return self._get_groups(account)
|
|
197 |
return self.permissions.group_dict(account)
|
| 199 |
198 |
|
| 200 |
199 |
@backend_method
|
| 201 |
200 |
def update_account_groups(self, user, account, groups, replace=False):
|
| ... | ... | |
| 206 |
205 |
raise NotAllowedError
|
| 207 |
206 |
self._create_account(user, account)
|
| 208 |
207 |
self._check_groups(groups)
|
| 209 |
|
self._put_groups(account, groups, replace)
|
|
208 |
if replace:
|
|
209 |
self.permissions.group_destroy(account)
|
|
210 |
for k, v in groups.iteritems():
|
|
211 |
if not replace: # If not already deleted.
|
|
212 |
self.permissions.group_delete(account, k)
|
|
213 |
if v:
|
|
214 |
self.permissions.group_addmany(account, k, v)
|
| 210 |
215 |
|
| 211 |
216 |
@backend_method
|
| 212 |
217 |
def put_account(self, user, account):
|
| ... | ... | |
| 235 |
240 |
raise IndexError('Account is not empty')
|
| 236 |
241 |
sql = 'delete from versions where name = ?'
|
| 237 |
242 |
self.con.execute(sql, (account,))
|
| 238 |
|
self._del_groups(account)
|
|
243 |
self.permissions.group_destroy(account)
|
| 239 |
244 |
|
| 240 |
245 |
@backend_method
|
| 241 |
246 |
def list_containers(self, user, account, marker=None, limit=10000, shared=False, until=None):
|
| ... | ... | |
| 250 |
255 |
return allowed[start:start + limit]
|
| 251 |
256 |
else:
|
| 252 |
257 |
if shared:
|
| 253 |
|
allowed = [x.split('/', 2)[1] for x in self._shared_paths(account)]
|
|
258 |
allowed = [x.split('/', 2)[1] for x in self.permissions.access_list_shared(account)]
|
| 254 |
259 |
start, limit = self._list_limits(allowed, marker, limit)
|
| 255 |
260 |
return allowed[start:start + limit]
|
| 256 |
261 |
return [x[0] for x in self._list_objects(account, '', '/', marker, limit, False, [], until)]
|
| ... | ... | |
| 318 |
323 |
for k, v in self.default_policy.iteritems():
|
| 319 |
324 |
if k not in policy:
|
| 320 |
325 |
policy[k] = v
|
| 321 |
|
for k, v in policy.iteritems():
|
| 322 |
|
sql = 'insert or replace into policy (name, key, value) values (?, ?, ?)'
|
| 323 |
|
self.con.execute(sql, (path, k, v))
|
|
326 |
self.policy.policy_set(path, policy)
|
| 324 |
327 |
|
| 325 |
328 |
@backend_method
|
| 326 |
329 |
def put_container(self, user, account, container, policy=None):
|
| ... | ... | |
| 342 |
345 |
for k, v in self.default_policy.iteritems():
|
| 343 |
346 |
if k not in policy:
|
| 344 |
347 |
policy[k] = v
|
| 345 |
|
for k, v in policy.iteritems():
|
| 346 |
|
sql = 'insert or replace into policy (name, key, value) values (?, ?, ?)'
|
| 347 |
|
self.con.execute(sql, (path, k, v))
|
|
348 |
self.policy.policy_set(path, policy)
|
| 348 |
349 |
|
| 349 |
350 |
@backend_method
|
| 350 |
351 |
def delete_container(self, user, account, container, until=None):
|
| ... | ... | |
| 369 |
370 |
raise IndexError('Container is not empty')
|
| 370 |
371 |
sql = 'delete from versions where name = ? or name like ?' # May contain hidden items.
|
| 371 |
372 |
self.con.execute(sql, (path, path + '/%',))
|
| 372 |
|
sql = 'delete from policy where name = ?'
|
| 373 |
|
self.con.execute(sql, (path,))
|
|
373 |
self.policy.policy_unset(path)
|
| 374 |
374 |
self._copy_version(user, account, account, True, False) # New account version (for timestamp update).
|
| 375 |
375 |
|
| 376 |
376 |
@backend_method
|
| ... | ... | |
| 382 |
382 |
if user != account:
|
| 383 |
383 |
if until:
|
| 384 |
384 |
raise NotAllowedError
|
| 385 |
|
allowed = self._allowed_paths(user, '/'.join((account, container)))
|
|
385 |
allowed = self.permissions.access_list_paths(user, '/'.join((account, container)))
|
| 386 |
386 |
if not allowed:
|
| 387 |
387 |
raise NotAllowedError
|
| 388 |
388 |
else:
|
| 389 |
389 |
if shared:
|
| 390 |
|
allowed = self._shared_paths('/'.join((account, container)))
|
|
390 |
allowed = self.permissions.access_list_shared('/'.join((account, container)))
|
| 391 |
391 |
path, version_id, mtime = self._get_containerinfo(account, container, until)
|
| 392 |
392 |
return self._list_objects(path, prefix, delimiter, marker, limit, virtual, keys, until, allowed)
|
| 393 |
393 |
|
| ... | ... | |
| 400 |
400 |
if user != account:
|
| 401 |
401 |
if until:
|
| 402 |
402 |
raise NotAllowedError
|
| 403 |
|
allowed = self._allowed_paths(user, '/'.join((account, container)))
|
|
403 |
allowed = self.permissions.access_list_paths(user, '/'.join((account, container)))
|
| 404 |
404 |
if not allowed:
|
| 405 |
405 |
raise NotAllowedError
|
| 406 |
406 |
path, version_id, mtime = self._get_containerinfo(account, container, until)
|
| ... | ... | |
| 450 |
450 |
logger.debug("get_object_permissions: %s %s %s", account, container, name)
|
| 451 |
451 |
self._can_read(user, account, container, name)
|
| 452 |
452 |
path = self._get_objectinfo(account, container, name)[0]
|
| 453 |
|
return self._get_permissions(path)
|
|
453 |
return self.permissions.access_inherit(path)
|
| 454 |
454 |
|
| 455 |
455 |
@backend_method
|
| 456 |
456 |
def update_object_permissions(self, user, account, container, name, permissions):
|
| ... | ... | |
| 461 |
461 |
raise NotAllowedError
|
| 462 |
462 |
path = self._get_objectinfo(account, container, name)[0]
|
| 463 |
463 |
self._check_permissions(path, permissions)
|
| 464 |
|
self._put_permissions(path, permissions)
|
|
464 |
self.permissions.access_set(path, permissions)
|
| 465 |
465 |
|
| 466 |
466 |
@backend_method
|
| 467 |
467 |
def get_object_public(self, user, account, container, name):
|
| ... | ... | |
| 470 |
470 |
logger.debug("get_object_public: %s %s %s", account, container, name)
|
| 471 |
471 |
self._can_read(user, account, container, name)
|
| 472 |
472 |
path = self._get_objectinfo(account, container, name)[0]
|
| 473 |
|
if self._get_public(path):
|
|
473 |
if self.permissions.public_check(path):
|
| 474 |
474 |
return '/public/' + path
|
| 475 |
475 |
return None
|
| 476 |
476 |
|
| ... | ... | |
| 481 |
481 |
logger.debug("update_object_public: %s %s %s %s", account, container, name, public)
|
| 482 |
482 |
self._can_write(user, account, container, name)
|
| 483 |
483 |
path = self._get_objectinfo(account, container, name)[0]
|
| 484 |
|
self._put_public(path, public)
|
|
484 |
if not public:
|
|
485 |
self.permissions.public_unset(path)
|
|
486 |
else:
|
|
487 |
self.permissions.public_set(path)
|
| 485 |
488 |
|
| 486 |
489 |
@backend_method
|
| 487 |
490 |
def get_object_hashmap(self, user, account, container, name, version=None):
|
| ... | ... | |
| 518 |
521 |
sql = 'insert or replace into metadata (version_id, key, value) values (?, ?, ?)'
|
| 519 |
522 |
self.con.execute(sql, (dest_version_id, k, v))
|
| 520 |
523 |
if permissions is not None:
|
| 521 |
|
self._put_permissions(path, permissions)
|
|
524 |
self.permissions.access_set(path, permissions)
|
| 522 |
525 |
|
| 523 |
526 |
@backend_method
|
| 524 |
527 |
def copy_object(self, user, account, src_container, src_name, dest_container, dest_name, dest_meta={}, replace_meta=False, permissions=None, src_version=None):
|
| ... | ... | |
| 543 |
546 |
sql = 'insert or replace into metadata (version_id, key, value) values (?, ?, ?)'
|
| 544 |
547 |
self.con.execute(sql, (dest_version_id, k, v))
|
| 545 |
548 |
if permissions is not None:
|
| 546 |
|
self._put_permissions(dest_path, permissions)
|
|
549 |
self.permissions.access_set(dest_path, permissions)
|
| 547 |
550 |
|
| 548 |
551 |
@backend_method
|
| 549 |
552 |
def move_object(self, user, account, src_container, src_name, dest_container, dest_name, dest_meta={}, replace_meta=False, permissions=None):
|
| ... | ... | |
| 572 |
575 |
except NameError:
|
| 573 |
576 |
pass
|
| 574 |
577 |
else:
|
| 575 |
|
self._del_sharing(path)
|
|
578 |
self.permissions.access_clear(path)
|
| 576 |
579 |
return
|
| 577 |
580 |
|
| 578 |
581 |
path = self._get_objectinfo(account, container, name)[0]
|
| 579 |
582 |
self._put_version(path, user, 0, 1)
|
| 580 |
|
self._del_sharing(path)
|
|
583 |
self.permissions.access_clear(path)
|
| 581 |
584 |
|
| 582 |
585 |
@backend_method
|
| 583 |
586 |
def list_versions(self, user, account, container, name):
|
| ... | ... | |
| 761 |
764 |
raise ValueError
|
| 762 |
765 |
|
| 763 |
766 |
def _get_policy(self, path):
|
| 764 |
|
sql = 'select key, value from policy where name = ?'
|
| 765 |
|
c = self.con.execute(sql, (path,))
|
| 766 |
|
return dict(c.fetchall())
|
|
767 |
return self.policy.policy_get(path)
|
| 767 |
768 |
|
| 768 |
769 |
def _list_limits(self, listing, marker, limit):
|
| 769 |
770 |
start = 0
|
| ... | ... | |
| 829 |
830 |
# Access control functions.
|
| 830 |
831 |
|
| 831 |
832 |
def _check_groups(self, groups):
|
| 832 |
|
# Example follows.
|
| 833 |
|
# for k, v in groups.iteritems():
|
| 834 |
|
# if True in [False or ',' in x for x in v]:
|
| 835 |
|
# raise ValueError('Bad characters in groups')
|
|
833 |
# raise ValueError('Bad characters in groups')
|
| 836 |
834 |
pass
|
| 837 |
835 |
|
| 838 |
|
def _get_groups(self, account):
|
| 839 |
|
return self.permissions.group_dict(account)
|
| 840 |
|
|
| 841 |
|
def _put_groups(self, account, groups, replace=False):
|
| 842 |
|
if replace:
|
| 843 |
|
self.permissions.group_destroy(account)
|
| 844 |
|
for k, v in groups.iteritems():
|
| 845 |
|
if not replace: # If not already deleted.
|
| 846 |
|
self.permissions.group_delete(account, k)
|
| 847 |
|
if v:
|
| 848 |
|
self.permissions.group_addmany(account, k, v)
|
| 849 |
|
|
| 850 |
|
def _del_groups(self, account):
|
| 851 |
|
self.permissions.group_destroy(account)
|
| 852 |
|
|
| 853 |
836 |
def _check_permissions(self, path, permissions):
|
|
837 |
# raise ValueError('Bad characters in permissions')
|
|
838 |
|
| 854 |
839 |
# Check for existing permissions.
|
| 855 |
840 |
paths = self.permissions.access_list(path)
|
| 856 |
841 |
if paths:
|
| 857 |
842 |
ae = AttributeError()
|
| 858 |
843 |
ae.data = paths
|
| 859 |
844 |
raise ae
|
| 860 |
|
|
| 861 |
|
# Examples follow.
|
| 862 |
|
# if True in [False or ',' in x for x in r]:
|
| 863 |
|
# raise ValueError('Bad characters in read permissions')
|
| 864 |
|
# if True in [False or ',' in x for x in w]:
|
| 865 |
|
# raise ValueError('Bad characters in write permissions')
|
| 866 |
|
pass
|
| 867 |
|
|
| 868 |
|
def _get_permissions(self, path):
|
| 869 |
|
self.permissions.access_inherit(path)
|
| 870 |
|
|
| 871 |
|
def _put_permissions(self, path, permissions):
|
| 872 |
|
self.permissions.access_revoke_all(path)
|
| 873 |
|
r = permissions.get('read', [])
|
| 874 |
|
if r:
|
| 875 |
|
self.permissions.access_grant(path, READ, r)
|
| 876 |
|
w = permissions.get('write', [])
|
| 877 |
|
if w:
|
| 878 |
|
self.permissions.access_grant(path, WRITE, w)
|
| 879 |
|
|
| 880 |
|
def _get_public(self, path):
|
| 881 |
|
return self.permissions.public_check(path)
|
| 882 |
|
|
| 883 |
|
def _put_public(self, path, public):
|
| 884 |
|
if not public:
|
| 885 |
|
self.permissions.public_unset(path)
|
| 886 |
|
else:
|
| 887 |
|
self.permissions.public_set(path)
|
| 888 |
|
|
| 889 |
|
def _del_sharing(self, path):
|
| 890 |
|
self.permissions.access_revoke_all(path)
|
| 891 |
|
self.permissions.public_unset(path)
|
| 892 |
845 |
|
| 893 |
846 |
def _can_read(self, user, account, container, name):
|
| 894 |
847 |
if user == account:
|
| ... | ... | |
| 904 |
857 |
if not self.permissions.access_check(path, WRITE, user):
|
| 905 |
858 |
raise NotAllowedError
|
| 906 |
859 |
|
| 907 |
|
def _allowed_paths(self, user, prefix=None):
|
| 908 |
|
if prefix:
|
| 909 |
|
prefix += '/'
|
| 910 |
|
return self.permissions.access_list_paths(user, prefix)
|
| 911 |
|
|
| 912 |
860 |
def _allowed_accounts(self, user):
|
| 913 |
861 |
allow = set()
|
| 914 |
|
for path in self._allowed_paths(user):
|
|
862 |
for path in self.permissions.access_list_paths(user):
|
| 915 |
863 |
allow.add(path.split('/', 1)[0])
|
| 916 |
864 |
return sorted(allow)
|
| 917 |
865 |
|
| 918 |
866 |
def _allowed_containers(self, user, account):
|
| 919 |
867 |
allow = set()
|
| 920 |
|
for path in self._allowed_paths(user, account):
|
|
868 |
for path in self.permissions.access_list_paths(user, account):
|
| 921 |
869 |
allow.add(path.split('/', 2)[1])
|
| 922 |
870 |
return sorted(allow)
|
| 923 |
|
|
| 924 |
|
def _shared_paths(self, prefix):
|
| 925 |
|
prefix += '/'
|
| 926 |
|
return self.permissions.access_list_shared(prefix)
|