[VNC config] User role should be case insensitive

Don't care the case sensivity of user role. Change-Id: I077e45ca722761077699850d4b31143f60fb9b52 Closes-Bug: #1590790
Juniper · Apr 10, 2017 · 15a833b · 15a833b
1 parent fafae7b
commit 15a833b
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
@@ -37,6 +37,7 @@
 # import GreenletProfiler
 
 from cfgm_common import vnc_cgitb
+from cfgm_common import has_role
 
 logger = logging.getLogger(__name__)
 
@@ -1681,7 +1682,7 @@ def is_admin_request(self):
         for field in ('HTTP_X_API_ROLE', 'HTTP_X_ROLE'):
             if field in env:
                 roles = env[field].split(',')
-                return self.cloud_admin_role in [x.lower() for x in roles]
+                return has_role(self.cloud_admin_role, roles)
         return False
 
     def get_auth_headers_from_token(self, request, token):
@@ -1790,8 +1791,8 @@ def obj_perms_http_get(self):
                 elif 'token' in token_info:
                     roles_list = [roles['name'] for roles in \
                         token_info['token']['roles']]
-                result['is_cloud_admin_role'] = self.cloud_admin_role in roles_list
-                result['is_global_read_only_role'] = self.global_read_only_role in roles_list
+                result['is_cloud_admin_role'] = has_role(self.cloud_admin_role, roles_list)
+                result['is_global_read_only_role'] = has_role(self.global_read_only_role, roles_list)
                 if obj_uuid:
                     result['permissions'] = self._permissions.obj_perms(get_request(), obj_uuid)
             else:

diff --git a/src/config/api-server/vnc_perms.py b/src/config/api-server/vnc_perms.py
@@ -3,6 +3,7 @@
 #
 import sys
 import cfgm_common
+from cfgm_common import has_role
 from cfgm_common import jsonutils as json
 import string
 import uuid
@@ -55,10 +56,10 @@ def validate_perms(self, request, uuid, mode=PERMS_R, id_perms=None):
         err_msg = (403, 'Permission Denied')
 
         user, roles = self.get_user_roles(request)
-        is_admin = self.cloud_admin_role in roles
+        is_admin = has_role(self.cloud_admin_role, roles)
         if is_admin:
             return (True, 'RWX')
-        if self.global_read_only_role in roles and mode == PERMS_R:
+        if has_role(self.global_read_only_role, roles) and mode == PERMS_R:
             return (True, 'R')
 
         owner = id_perms['permissions']['owner']
@@ -99,10 +100,10 @@ def validate_perms_rbac(self, request, obj_uuid, mode=PERMS_R, obj_owner_for_del
             return (True, '')
 
         user, roles = self.get_user_roles(request)
-        is_admin = self.cloud_admin_role in roles
+        is_admin = has_role(self.cloud_admin_role, roles)
         if is_admin:
             return (True, 'RWX')
-        if self.global_read_only_role in roles and mode == PERMS_R:
+        if has_role(self.global_read_only_role, roles) and mode == PERMS_R:
             return (True, 'R')
 
         env = request.headers.environ

diff --git a/src/config/common/__init__.py b/src/config/common/__init__.py
@@ -2,8 +2,8 @@
 # Copyright (c) 2013 Juniper Networks, Inc. All rights reserved.
 #
 
-import sys
 import re
+import sys
 
 IP_FABRIC_VN_FQ_NAME = ['default-domain', 'default-project', 'ip-fabric']
 IP_FABRIC_RI_FQ_NAME = IP_FABRIC_VN_FQ_NAME + ['__default__']
@@ -70,3 +70,12 @@ def wrapper(*args, **kwargs):
                          HEX_ELEM + '{4}', HEX_ELEM + '{4}',
                          HEX_ELEM + '{12}'])
 
+def has_role(role, roles):
+    """ Check if the a role is contained in a role list
+
+    Looks if a role is contained to a list independently to the case
+    sensitivity.
+    """
+    if role is None or roles is None:
+        return False
+    return role.lower() in [r.lower() for r in roles]