privileges 'x' for deploy, script, project

2014-07-14 10:54:00 +04:00 · 2014-07-14 10:54:00 +04:00 · 4b603f680b
commit 4b603f680b
parent 8beaa22bbf
4 changed files with 10 additions and 7 deletions
--- a/devops-service/db/mongo/models/user.rb
+++ b/devops-service/db/mongo/models/user.rb
@ -9,7 +9,8 @@ class User < MongoModel
  ROOT_USER_NAME = 'root'
  ROOT_PASSWORD = ''

-  PRIVILEGES = ["r", "w", "rw", ""]
+  PRIVILEGES = ["r", "w", "x"]
+  PRIVILEGES_REGEX = /x?y?z?/

  attr_accessor :id, :password, :privileges, :email
  types :id => {:type => String, :empty => false},
@ -24,7 +25,7 @@ class User < MongoModel
  end

  def all_privileges
-    privileges_with_value("rw")
+    privileges_with_value("rwx")
  end

  def default_privileges
@ -32,7 +33,9 @@ class User < MongoModel
  end

  def grant cmd, priv=''
-    raise InvalidCommand.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'" unless PRIVILEGES.include?(priv)
+    if !priv.empty? and PRIVILEGES_REGEX.match(priv).empty?
+      raise InvalidCommand.new "Invalid privileges '#{priv}'. Available values are '#{PRIVILEGES.join("', '")}'"
+    end
    raise InvalidCommand.new "Can't grant privileges to root" if self.id == ROOT_USER_NAME

    case cmd
--- a/devops-service/routes/v2.0/deploy.rb
+++ b/devops-service/routes/v2.0/deploy.rb
@ -34,7 +34,7 @@ module Version2_0
    # * *Returns* : text stream
    post "/deploy" do
      check_headers :content_type
-      check_privileges("server", "w")
+      check_privileges("server", "x")
      r = create_object_from_json_body
      names = check_array(r["names"], "Parameter 'names' should be a not empty array of strings")
      tags = check_array(r["tags"], "Parameter 'tags' should be an array of strings", String, true) || []
--- a/devops-service/routes/v2.0/project.rb
+++ b/devops-service/routes/v2.0/project.rb
@ -366,7 +366,7 @@ module Version2_0
    # * *Returns* : text stream
    post "/project/:id/deploy" do
      check_headers :content_type
-      check_privileges("project", "w")
+      check_privileges("project", "x")
      obj = create_object_from_json_body
      check_string(obj["deploy_env"], "Parameter 'deploy_env' should be a not empty string", true)
      check_array(obj["servers"], "Parameter 'servers' should be a not empty array of strings", String, true)
--- a/devops-service/routes/v2.0/script.rb
+++ b/devops-service/routes/v2.0/script.rb
@ -57,7 +57,7 @@ module Version2_0
    #
    # * *Returns* : text stream
    post "/script/command/:node_name" do
-      check_privileges("script", "w")
+      check_privileges("script", "x")
      user = request.env['REMOTE_USER']
      s = BaseRoutes.mongo.server_by_chef_node_name params[:node_name]
      BaseRoutes.mongo.check_project_auth s.project, s.deploy_env, user
@ -96,7 +96,7 @@ module Version2_0
    # * *Returns* : text stream
    post "/script/run/:script_name" do
      check_headers :content_type
-      check_privileges("script", "w")
+      check_privileges("script", "x")
      file_name = params[:script_name]
      @file = File.join(DevopsService.config[:scripts_dir], check_filename(file_name, "Parameter 'script_name' must be a not empty string", false))
      halt(404, "File '#{file_name}' does not exist") unless File.exists?(@file)