Commit ea88d79e authored by Pablo Panero

Add superuser account. Modify permission to avoid 'grant all' permission when a token is used

parent 0fbc2e69
......@@ -17,7 +17,7 @@ build_dev_version:
stage: build
except:
- tags
environment: dev
environment: master
tags:
- docker-image-build
script: 'echo "Building Docker Master image..."'
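Review bot: the job is still named `build_dev_version` while its `environment` now becomes `master` and its script echoes "Building Docker Master image...", so the job name no longer describes what the job does; rename the job (or revert the environment) so the two agree, and mention the CI change in the commit message, which currently covers only the superuser and permission work.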
......
......@@ -261,6 +261,13 @@ If afterwards we query (get,put,delete) for the specific item we will obtain a 4
}
```
### Debugging using a superuser
When creating the instance a user account was granted super user rights. This account is set via the ``ADMIN_USER``
environmental variable, its value will be compared against the user's email returned by the OAuth server.
This user will have the rights to read, update, create and delete any document within the instance indexes.
## ACLs and permissions
Permissions are implemented in a CRUD fashion.
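Review bot: the new section says the superuser is configured through the `ADMIN_USER` environment variable, but elsewhere in this commit the OpenShift template exports it as `INVENIO_ADMIN_USER` and the code reads `current_app.config['ADMIN_USER']`; state which name is expected in the environment (and that the `INVENIO_` prefix is dropped by the config loader, if that is what is relied on). "environmental variable" should read "environment variable", and one sentence saying that the superuser bypasses the per-record `_access` groups on every index would make the scope of the account explicit.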
......@@ -387,16 +394,17 @@ gunicorn -b :5000 --certfile=ssl.crt --keyfile=ssl.key cern_search_rest.wsgi
CERN Search specific parameters:
- CERN_SEARCH_REMOTE_APP_RESOURCE: It is the ``Homepage`` value in the OAuth application registration. Note that it
- REMOTE_APP_RESOURCE: It is the ``Homepage`` value in the OAuth application registration. Note that it
should not include nor the protocol (``https://``) nor the ending slash (``\``). Basically, this would be the name of
your server, which if it is deployed in OpenShift would be like ``you-project-name.web.cern.ch``.
- CERN_SEARCH_DEFAULT_INDEX: The default index where to insert data if not index / schema is specified in the request.
- CERN_SEARCH_DEFAULT_DOC_TYPE: The value of the default document type. It must be part of the default index,
- DEFAULT_INDEX: The default index where to insert data if not index / schema is specified in the request.
- DEFAULT_DOC_TYPE: The value of the default document type. It must be part of the default index,
defined in the above variable.
- CERN_SEARCH_INSTANCE: The name of the instance. A folder with this name must exist in
- SEARCH_INSTANCE: The name of the instance. A folder with this name must exist in
``cern_search_rest/modules/cernsearch/jsonschemas/``, therefore, upon index creation an alias will be set for all the
indexes (mappings existing in this folder). This indexes will be the ones over whom searches will be performed.
- ADMIN_USER: Superuser's email account. If it is a non-CERN account, it should go without a domain
(``@cern.ch``).
The rest of the configuration comes from parameters that are configurable through the Invenio Framework or Flask.
The full list of the overwritten ones can be found in ``cern_search_rest/config.py``, nonetheless, if needed
others can be overwritten (check documentation of the corresponding project in the
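Review bot: the `ADMIN_USER` entry says a non-CERN account "should go without a domain", but the `is_admin` change in this commit only strips `@cern.ch` before comparing, so a non-CERN address given without its domain will never match; document that the full address must be given instead (comparing the full address is also the safer rule, since a bare local part would match the same name at any domain). While editing this block: the "ending slash" is written as ``\`` but should be ``/``, "if not index / schema" should read "if no index / schema", and "This indexes will be the ones over whom" should read "These indexes are the ones over which".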
......
......@@ -105,9 +105,11 @@ def has_update_permission(user, record):
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
update_access_groups = record['_access']['update']
if check_elasticsearch(record) and (
(user_provides and not set(user_provides).isdisjoint(set(update_access_groups))) \
or has_owner_permission(user)):
if check_elasticsearch(record) and user_provides and has_owner_permission(user) and \
(
not set(user_provides).isdisjoint(set(update_access_groups))
or is_admin(user)
):
return True
return False
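Review bot: the rewrite turns `has_owner_permission(user)` from an alternative grant (OR) into a mandatory condition (AND) and also makes a non-empty `user_provides` a precondition for the `is_admin(user)` branch, so an administrator whose `get_user_provides()` returns nothing is denied, and a member of an `update` group who fails `has_owner_permission` is denied as well; if that is the intended fix for the 'grant all' token case in the commit message, say so in a comment on the condition, because as written it reads as if the admin check was meant to short-circuit the group test. The trailing-backslash continuation is unnecessary if the whole condition is wrapped in a single pair of parentheses.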
......@@ -119,9 +121,11 @@ def has_read_record_permission(user, record):
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
read_access_groups = record['_access']['read']
if check_elasticsearch(record) and (
(user_provides and not set(user_provides).isdisjoint(set(read_access_groups)))
or has_owner_permission(user)):
if check_elasticsearch(record) and user_provides and has_owner_permission(user) and \
(
not set(user_provides).isdisjoint(set(read_access_groups))
or is_admin(user)
):
return True
return False
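Review bot: this is the same conjunction as in `has_update_permission` with only the `_access` key changed, and `has_delete_permission` repeats it a third time; factor the shared check into one helper that takes the action name (`'read'`, `'update'`, `'delete'`) so a future change to the owner/admin rule cannot be applied in one function and missed in the others. Requiring `user_provides` here also means an anonymous reader never passes this function, which is correct only if public records are decided before it is reached (the `is_public` check visible further down).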
......@@ -133,8 +137,11 @@ def has_delete_permission(user, record):
user_provides = get_user_provides()
# set.isdisjoint() is faster than set.intersection()
delete_access_groups = record['_access']['delete']
if (user_provides and not set(user_provides).isdisjoint(set(delete_access_groups))) \
or has_owner_permission(user):
if check_elasticsearch(record) and user_provides and has_owner_permission(user) and \
(
not set(user_provides).isdisjoint(set(delete_access_groups))
or is_admin(user)
):
return True
return False
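Review bot: `check_elasticsearch(record)` was absent from the delete check before this change and is now required, which brings delete in line with read and update but is a behaviour change on its own; give it one line in the commit message so it is not mistaken for a pure restructuring.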
......@@ -191,6 +198,14 @@ def allow(user, record):
return True
def is_admin(user):
"""Check if the user is administrator"""
admin_user = current_app.config['ADMIN_USER']
if user.email == admin_user or user.email.replace('@cern.ch', '') == admin_user:
return True
return False
def is_public(data, action):
"""Check if the record is fully public.
In practice this means that the record doesn't have the ``access`` key or
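Review bot: `is_admin` dereferences `user.email` unconditionally, so it raises `AttributeError` for a principal without an `email` attribute (an anonymous user or a token-only client); guard with `getattr(user, 'email', None)` and return `False` when it is missing. The comparison is also case-sensitive while addresses returned by OAuth providers vary in case, so normalise both sides with `.lower()`, and prefer comparing the full address only, which avoids the local-part ambiguity noted in the README. `current_app.config['ADMIN_USER']` raises `KeyError` when the key is unset, so declare `ADMIN_USER = None` in `cern_search_rest/config.py` and treat `None` as "no superuser".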
......
......@@ -60,8 +60,6 @@ install_requires = [
'redis>=2.10.0',
'npm>=0.1.1',
'uWSGI>=2.0.16',
'urllib3[secure]>=1.22',
'SQLAlchemy-Continuum==1.3.4',
]
packages = find_packages()
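Review bot: the two dropped requirements, `urllib3[secure]>=1.22` and `SQLAlchemy-Continuum==1.3.4`, are unrelated to the superuser and permission work described in the commit message; either split them into their own commit or add a line saying why they go (a resolved version conflict, or that they are already pulled in transitively), and confirm that nothing in the stack relied on the TLS packages the `[secure]` extra installs.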
......
......@@ -338,6 +338,7 @@ objects:
CERN_SEARCH_DEFAULT_INDEX: ${DEFAULT_INDEX}
CERN_SEARCH_DEFAULT_DOC_TYPE: ${DEFAULT_DOC_TYPE}
CERN_SEARCH_INSTANCE: ${SEARCH_INSTANCE}
INVENIO_ADMIN_USER: ${ADMIN_USER}
parameters:
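Review bot: the new variable is exported as `INVENIO_ADMIN_USER` while its neighbours use the `CERN_SEARCH_` prefix and the README section in this commit calls it `ADMIN_USER`; pick one convention and state in the README which environment name the application reads, because `is_admin` looks up `current_app.config['ADMIN_USER']` and will fail with `KeyError` if the prefix handling does not map this variable onto that key.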
......@@ -353,6 +354,8 @@ parameters:
value: 'test-doc_v0.0.1'
- name: SEARCH_INSTANCE
value: 'cernsearch-test'
- name: ADMIN_USER:
value: 'cernsearch@cern.ch'
- name: ALLOWED_HOSTS
description: "Invenio App allowed hosts. Without protocol (e.g. http) nor salsh ('/') at the end"
value: "['test-cern-search.web.cern.ch']"
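Review bot: `- name: ADMIN_USER:` carries a stray trailing colon, which is invalid YAML inside a block mapping (the value after `name:` cannot itself end in `:`), so the template will fail to parse; change it to `- name: ADMIN_USER`. Give the parameter a `description` like the `ALLOWED_HOSTS` entry below it, and since the default is a concrete `cernsearch@cern.ch` address, consider a deployment-specific placeholder rather than shipping a real account as the default superuser.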
......