# vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2010 United States Government as represented by the # Administrator of the National Aeronautics and Space Administration. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. """Role-based access control decorators to use fpr wrapping other methods with.""" from nova import exception def allow(*roles): """Allow the given roles access the wrapped function.""" def wrap(func): # pylint: disable-msg=C0111 def wrapped_func(self, context, *args, **kwargs): # pylint: disable-msg=C0111 if context.user.is_superuser(): return func(self, context, *args, **kwargs) for role in roles: if __matches_role(context, role): return func(self, context, *args, **kwargs) raise exception.NotAuthorized() return wrapped_func return wrap def deny(*roles): """Deny the given roles access the wrapped function.""" def wrap(func): # pylint: disable-msg=C0111 def wrapped_func(self, context, *args, **kwargs): # pylint: disable-msg=C0111 if context.user.is_superuser(): return func(self, context, *args, **kwargs) for role in roles: if __matches_role(context, role): raise exception.NotAuthorized() return func(self, context, *args, **kwargs) return wrapped_func return wrap def __matches_role(context, role): """Check if a role is allowed.""" if role == 'all': return True if role == 'none': return False return context.project.has_role(context.user.id, role)