diff --git a/qa/tasks/mgr/dashboard/test_auth.py b/qa/tasks/mgr/dashboard/test_auth.py
index c0d89ad7f71..04344050207 100644
--- a/qa/tasks/mgr/dashboard/test_auth.py
+++ b/qa/tasks/mgr/dashboard/test_auth.py
@@ -18,13 +18,32 @@ class AuthTest(DashboardTestCase):
         self.create_user('admin2', 'admin2', ['administrator'])
         self._post("/api/auth", {'username': 'admin2', 'password': 'admin2'})
         self.assertStatus(201)
-        self.assertJsonBody({"username": "admin2"})
+        # self.assertJsonBody({"username": "admin2"})
+        data = self.jsonBody()
+        self.assertIn('username', data)
+        self.assertEqual(data['username'], "admin2")
+        self.assertIn('permissions', data)
+        for scope, perms in data['permissions'].items():
+            self.assertIsNotNone(scope)
+            self.assertIn('read', perms)
+            self.assertIn('update', perms)
+            self.assertIn('create', perms)
+            self.assertIn('delete', perms)
         self.delete_user('admin2')
 
     def test_login_valid(self):
         self._post("/api/auth", {'username': 'admin', 'password': 'admin'})
         self.assertStatus(201)
-        self.assertJsonBody({"username": "admin"})
+        data = self.jsonBody()
+        self.assertIn('username', data)
+        self.assertEqual(data['username'], "admin")
+        self.assertIn('permissions', data)
+        for scope, perms in data['permissions'].items():
+            self.assertIsNotNone(scope)
+            self.assertIn('read', perms)
+            self.assertIn('update', perms)
+            self.assertIn('create', perms)
+            self.assertIn('delete', perms)
 
     def test_login_stay_signed_in(self):
         self._post("/api/auth", {
diff --git a/src/pybind/mgr/dashboard/controllers/auth.py b/src/pybind/mgr/dashboard/controllers/auth.py
index 033e5ea27c9..22a16754225 100644
--- a/src/pybind/mgr/dashboard/controllers/auth.py
+++ b/src/pybind/mgr/dashboard/controllers/auth.py
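Review bot: The commented-out `# self.assertJsonBody({"username": "admin2"})` in the first test of the hunk (its `def` line is above the hunk) is dead code and should be deleted rather than kept as a comment. The eleven assertion lines that follow it are repeated verbatim in test_login_valid; a small helper such as `_assert_login_response(self, data, username)` holding the username check and the permissions loop would keep the two tests in step. `self.assertIsNotNone(scope)` can never fail, because JSON object keys decode to `str`; `self.assertIsInstance(perms, list)` would check something the response actually promises. The loop also asserts that every scope carries all four of read/update/create/delete, which is a property of the 'administrator' role only, so a comment saying so would stop the block being copied into a test for a narrower role.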
@@ -27,13 +27,17 @@ class Auth(RESTController):
 
     def create(self, username, password, stay_signed_in=False):
         now = time.time()
-        if AuthManager.authenticate(username, password):
+        user_perms = AuthManager.authenticate(username, password)
+        if user_perms is not None:
             cherrypy.session.regenerate()
             cherrypy.session[Session.USERNAME] = username
             cherrypy.session[Session.TS] = now
             cherrypy.session[Session.EXPIRE_AT_BROWSER_CLOSE] = not stay_signed_in
             logger.debug('Login successful')
-            return {'username': username}
+            return {
+                'username': username,
+                'permissions': user_perms
+            }
 
         logger.debug('Login failed')
         raise DashboardException(msg='Invalid credentials',
diff --git a/src/pybind/mgr/dashboard/services/access_control.py b/src/pybind/mgr/dashboard/services/access_control.py
index a8784b0e000..f980d6e932a 100644
--- a/src/pybind/mgr/dashboard/services/access_control.py
+++ b/src/pybind/mgr/dashboard/services/access_control.py
@@ -177,6 +177,18 @@ class User(object):
             return True
         return False
 
+    def permissions_dict(self):
+        perms = {}
+        for role in self.roles:
+            for scope, perms_list in role.scopes_permissions.items():
+                if scope in perms:
+                    perms_tmp = set(perms[scope]).union(set(perms_list))
+                    perms[scope] = list(perms_tmp)
+                else:
+                    perms[scope] = perms_list
+
+        return perms
+
     def to_dict(self):
         return {
             'username': self.username,
@@ -654,10 +666,11 @@ class LocalAuthenticator(object):
         try:
             user = ACCESS_CTRL_DB.get_user(username)
             pass_hash = password_hash(password, user.password)
-            return pass_hash == user.password
+            if pass_hash == user.password:
+                return user.permissions_dict()
         except UserDoesNotExist:
             logger.debug("User '%s' does not exist", username)
-            return False
+            return None
 
     def authorize(self, username, scope, permissions):
         user = ACCESS_CTRL_DB.get_user(username)
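Review bot: `if user_perms is not None:` in Auth.create accepts any non-None value as a successful login, so an authenticator that still follows the previous bool contract and returns `False` on failure would be treated as authenticated; the diff updates LocalAuthenticator to return None, but AuthManager.authenticate and any other authenticator it may delegate to are not in the hunk, so I cannot confirm they all follow the new contract. A type check is the safer gate: `if isinstance(user_perms, dict):`, and the new contract of AuthManager.authenticate — a permissions dict, possibly empty, on success and None on failure — should be written into its docstring. The check must stay an explicit None/type test rather than truthiness, because the dict for a user without roles is `{}` and falsy. The body of create continues past the hunk (the remaining DashboardException arguments).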
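Review bot: In the new User.permissions_dict, `perms[scope] = perms_list` stores the role's own list object in the result, so the first role contributing a scope shares its list with the returned dict and any later in-place edit by a caller would alter the role; `perms[scope] = list(perms_list)` copies it. The merged branch builds its list from a set, so the order of permission names in the login response varies between processes; `perms[scope] = sorted(set(perms[scope]) | set(perms_list))` is deterministic and also removes the `perms_tmp` temporary. A docstring stating that the method returns a new dict mapping each scope name to the union of that scope's permission names across all of the user's roles would tell callers what they are allowed to mutate.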
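Review bot: In LocalAuthenticator.authenticate the wrong-password case now falls off the end of the try block and returns None implicitly, with no log line, while the unknown-user branch logs at debug level; an explicit `return None` after the `if pass_hash == user.password:` block, inside the try, makes the failure path visible and symmetric with the except branch. The return contract has changed from bool to dict-or-None, and because `user.permissions_dict()` is `{}` for a user with no roles, callers must test `is not None` rather than truthiness; that belongs in a docstring on this method so the controller's check is not "simplified" later. The method's signature is above the hunk.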