Add a simple permission audit script

2025-01-28 03:56:43 +02:00 · 2016-08-29 20:18:00 +02:00 · 2016-08-29 20:18:00 +02:00 · c1f9b61dac
commit c1f9b61dac
parent f8dcef22ef
3 changed files with 46 additions and 0 deletions
--- a/admin/audit.py
+++ b/admin/audit.py
@ -0,0 +1,43 @@
+from freeposte import app
+
+import sys
+import tabulate
+
+
+# Known endpoints without permissions
+known_missing_permissions = [
+    "index",
+    "static", "bootstrap.static",
+    "admin.static", "admin.login"
+]
+
+
+# Compute the permission table
+missing_permissions = []
+permissions = {}
+for endpoint, function in app.view_functions.items():
+    audit = function.__dict__.get("_audit_permissions")
+    if audit:
+        handler, args = audit
+        if args:
+            model = args[0].__name__
+            key = args[1]
+        else:
+            model = key = None
+        permissions[endpoint] = [endpoint, handler.__name__, model, key]
+    elif endpoint not in known_missing_permissions:
+        missing_permissions.append(endpoint)
+
+
+# Fail if any endpoint is missing a permission check
+if missing_permissions:
+    print("The following endpoints are missing permission checks:")
+    print(missing_permissions.join(","))
+    sys.exit(1)
+
+
+# Display the permissions table
+print(tabulate.tabulate([
+    [route, *permissions[route.endpoint]]
+    for route in app.url_map.iter_rules() if route.endpoint in permissions
+]))
--- a/admin/freeposte/admin/access.py
+++ b/admin/freeposte/admin/access.py
@ -25,6 +25,7 @@ def permissions_wrapper(handler):
                @functools.wraps(function)
                def wrapper(*args, **kwargs):
                    return callback(function, args, kwargs, dargs, dkwargs)
+                wrapper._audit_permissions = handler, dargs
                return flask_login.login_required(wrapper)
            return inner
    else:
@ -32,6 +33,7 @@ def permissions_wrapper(handler):
            @functools.wraps(function)
            def wrapper(*args, **kwargs):
                return callback(function, args, kwargs, (), {})
+            wrapper._audit_permissions = handler, []
            return flask_login.login_required(wrapper)
    return decorator

--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@ -10,3 +10,4 @@ PyOpenSSL
 passlib
 gunicorn
 docker-py
+tabulate