mgr/dashboard: auth: return user permissions on login

Signed-off-by: Ricardo Dias <rdias@suse.com>

qa/tasks/mgr/dashboard/test_auth.py

@@ -18,13 +18,32 @@ class AuthTest(DashboardTestCase):
         self.create_user('admin2', 'admin2', ['administrator'])
         self._post("/api/auth", {'username': 'admin2', 'password': 'admin2'})
         self.assertStatus(201)
-        self.assertJsonBody({"username": "admin2"})
+        # self.assertJsonBody({"username": "admin2"})
+        data = self.jsonBody()
+        self.assertIn('username', data)
+        self.assertEqual(data['username'], "admin2")
+        self.assertIn('permissions', data)
+        for scope, perms in data['permissions'].items():
+            self.assertIsNotNone(scope)
+            self.assertIn('read', perms)
+            self.assertIn('update', perms)
+            self.assertIn('create', perms)
+            self.assertIn('delete', perms)
         self.delete_user('admin2')
 
     def test_login_valid(self):
         self._post("/api/auth", {'username': 'admin', 'password': 'admin'})
         self.assertStatus(201)
-        self.assertJsonBody({"username": "admin"})
+        data = self.jsonBody()
+        self.assertIn('username', data)
+        self.assertEqual(data['username'], "admin")
+        self.assertIn('permissions', data)
+        for scope, perms in data['permissions'].items():
+            self.assertIsNotNone(scope)
+            self.assertIn('read', perms)
+            self.assertIn('update', perms)
+            self.assertIn('create', perms)
+            self.assertIn('delete', perms)
 
     def test_login_stay_signed_in(self):
         self._post("/api/auth", {

src/pybind/mgr/dashboard/controllers/auth.py

@@ -27,13 +27,17 @@ class Auth(RESTController):
 
     def create(self, username, password, stay_signed_in=False):
         now = time.time()
-        if AuthManager.authenticate(username, password):
+        user_perms = AuthManager.authenticate(username, password)
+        if user_perms is not None:
             cherrypy.session.regenerate()
             cherrypy.session[Session.USERNAME] = username
             cherrypy.session[Session.TS] = now
             cherrypy.session[Session.EXPIRE_AT_BROWSER_CLOSE] = not stay_signed_in
             logger.debug('Login successful')
-            return {'username': username}
+            return {
+                'username': username,
+                'permissions': user_perms
+            }
 
         logger.debug('Login failed')
         raise DashboardException(msg='Invalid credentials',

src/pybind/mgr/dashboard/services/access_control.py

@@ -177,6 +177,18 @@ class User(object):
                 return True
         return False
 
+    def permissions_dict(self):
+        perms = {}
+        for role in self.roles:
+            for scope, perms_list in role.scopes_permissions.items():
+                if scope in perms:
+                    perms_tmp = set(perms[scope]).union(set(perms_list))
+                    perms[scope] = list(perms_tmp)
+                else:
+                    perms[scope] = perms_list
+
+        return perms
+
     def to_dict(self):
         return {
             'username': self.username,
@@ -654,10 +666,11 @@ class LocalAuthenticator(object):
         try:
             user = ACCESS_CTRL_DB.get_user(username)
             pass_hash = password_hash(password, user.password)
-            return pass_hash == user.password
+            if pass_hash == user.password:
+                return user.permissions_dict()
         except UserDoesNotExist:
             logger.debug("User '%s' does not exist", username)
-            return False
+        return None
 
     def authorize(self, username, scope, permissions):
         user = ACCESS_CTRL_DB.get_user(username)