diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
index e8b719e95ae..3254e78f939 100644
--- a/src/config/api-server/vnc_cfg_api_server.py
+++ b/src/config/api-server/vnc_cfg_api_server.py
@@ -37,6 +37,7 @@
 # import GreenletProfiler
 
 from cfgm_common import vnc_cgitb
+from cfgm_common import has_role
 
 logger = logging.getLogger(__name__)
 
@@ -1681,7 +1682,7 @@ def is_admin_request(self):
         for field in ('HTTP_X_API_ROLE', 'HTTP_X_ROLE'):
             if field in env:
                 roles = env[field].split(',')
-                return self.cloud_admin_role in [x.lower() for x in roles]
+                return has_role(self.cloud_admin_role, roles)
         return False
 
     def get_auth_headers_from_token(self, request, token):
@@ -1790,8 +1791,8 @@ def obj_perms_http_get(self):
         elif 'token' in token_info:
             roles_list = [roles['name'] for roles in \
                 token_info['token']['roles']]
-            result['is_cloud_admin_role'] = self.cloud_admin_role in roles_list
-            result['is_global_read_only_role'] = self.global_read_only_role in roles_list
+            result['is_cloud_admin_role'] = has_role(self.cloud_admin_role, roles_list)
+            result['is_global_read_only_role'] = has_role(self.global_read_only_role, roles_list)
         if obj_uuid:
             result['permissions'] = self._permissions.obj_perms(get_request(), obj_uuid)
         else:
diff --git a/src/config/api-server/vnc_perms.py b/src/config/api-server/vnc_perms.py
index 2ddd9c532e7..779dc58356a 100644
--- a/src/config/api-server/vnc_perms.py
+++ b/src/config/api-server/vnc_perms.py
@@ -3,6 +3,7 @@
 #
 import sys
 import cfgm_common
+from cfgm_common import has_role
 from cfgm_common import jsonutils as json
 import string
 import uuid
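Review bot: With has_role lower-casing both sides, the check in is_admin_request (and likewise in obj_perms_http_get, validate_perms and validate_perms_rbac) now treats any role whose name differs from cloud_admin_role only in case as cloud admin, whereas the removed `self.cloud_admin_role in roles_list` in obj_perms_http_get was an exact match and the old is_admin_request never matched a cloud_admin_role setting containing upper-case letters; the commit should state that widening explicitly, since validate_perms grants RWX on it. The header path is also still split without trimming, so `env[field].split(',')` yields `' admin'` for a value like `member, admin` and the lookup misses; `roles = [x.strip() for x in env[field].split(',')]` would make the header and token paths agree. The def line of is_admin_request lies before the hunk, so where env comes from is not visible here.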
@@ -55,10 +56,10 @@ def validate_perms(self, request, uuid, mode=PERMS_R, id_perms=None):
         err_msg = (403, 'Permission Denied')
 
         user, roles = self.get_user_roles(request)
-        is_admin = self.cloud_admin_role in roles
+        is_admin = has_role(self.cloud_admin_role, roles)
         if is_admin:
             return (True, 'RWX')
-        if self.global_read_only_role in roles and mode == PERMS_R:
+        if has_role(self.global_read_only_role, roles) and mode == PERMS_R:
             return (True, 'R')
 
         owner = id_perms['permissions']['owner']
@@ -99,10 +100,10 @@ def validate_perms_rbac(self, request, obj_uuid, mode=PERMS_R, obj_owner_for_del
                 return (True, '')
 
         user, roles = self.get_user_roles(request)
-        is_admin = self.cloud_admin_role in roles
+        is_admin = has_role(self.cloud_admin_role, roles)
         if is_admin:
             return (True, 'RWX')
-        if self.global_read_only_role in roles and mode == PERMS_R:
+        if has_role(self.global_read_only_role, roles) and mode == PERMS_R:
             return (True, 'R')
 
         env = request.headers.environ
diff --git a/src/config/common/__init__.py b/src/config/common/__init__.py
index b644903e562..ceb0489551b 100644
--- a/src/config/common/__init__.py
+++ b/src/config/common/__init__.py
@@ -2,8 +2,8 @@
 # Copyright (c) 2013 Juniper Networks, Inc. All rights reserved.
 #
 
-import sys
 import re
+import sys
 
 IP_FABRIC_VN_FQ_NAME = ['default-domain', 'default-project', 'ip-fabric']
 IP_FABRIC_RI_FQ_NAME = IP_FABRIC_VN_FQ_NAME + ['__default__']
@@ -70,3 +70,12 @@ def wrapper(*args, **kwargs):
                          HEX_ELEM + '{4}', HEX_ELEM + '{4}',
                          HEX_ELEM + '{12}'])
 
+def has_role(role, roles):
+    """ Check if the a role is contained in a role list
+
+    Looks if a role is contained to a list independently to the case
+    sensitivity.
+    """
+    if role is None or roles is None:
+        return False
+    return role.lower() in [r.lower() for r in roles]
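Review bot: has_role compares `r.lower()` for each entry without trimming, so a role name with surrounding whitespace — which `env[field].split(',')` in is_admin_request produces for a header like `member, admin` — never matches; `wanted = role.strip().lower()` followed by `return any(r.strip().lower() == wanted for r in roles)` fixes that and drops the intermediate list. roles is iterated directly, so a bare string would be matched character by character and a non-string entry raises AttributeError; the visible callers all pass lists, but the docstring should state that an iterable of strings is expected. The docstring wording is garbled ("the a role", "contained to a list independently to the case sensitivity"); suggested: `Return True if role is one of roles, compared case-insensitively; None for either argument yields False.`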