From 8940247164b22d0f08cb73b1b6aace108ff68b85 Mon Sep 17 00:00:00 2001
From: erderial <71669104+erderial@users.noreply.github.com>
Date: Tue, 21 Feb 2023 15:13:17 +0200
Subject: [PATCH 1/4] updated with custom yaml file for auth Added 2 new function to check if the custom yaml file exists - /etc/confluent/authorize.yaml - and one to update the _allowbyrole and _deniedbyrole vars accordingly.
---
 confluent_server/confluent/auth.py | 42 ++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index 2b4eaa80..a8838927 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py 
@@ -115,6 +115,47 @@ class PromptsNeeded(Exception):
 def __init__(self, prompts):
 self.prompts = prompts
+ #add function to change _allowedbyrole and _deniedbyrole vars.
+ def add_roles(dictionary):
+ #function to parse the roles and the files. If there are modifications to be done to the roles, items will be added to dictionaries.
+ #If there are no moodifications done to one of the roles, it continues to the next
+ #Opening YAML file and reading the custom roles
+ with open("/etc/confluent/authorization.yaml","r") as stream:
+ loaded_file = yaml.safe_load(stream)
+ for outside_key,outside_value in loaded_file.items():
+ for inside_key,inside_value in outside_value.items():
+ try:
+ #Trying to append the new list of permissions to existing lists (i.e. Operator : {"retrieve" : ['*' , 'new_added_file_permission']})
+ dictionary[outside_key][inside_key] = (list(set(dictionary[outside_key][inside_key]+inside_value)))
+ except KeyError:
+ #If there is no previous action, we create a new one (i.e. Operator : { "new_action" : ['new_added_file_permission'] })
+ try:
+ dictionary[outside_key][inside_key] = inside_value
+ except KeyError:
+ #If there is a new role to be added, we add it along with the rest of the info (i.e. NewRole : {"new_action" : ['new_added_file_permission]})
+ dictionary[outside_key] = outside_value
+
+
+def check_for_yaml():
+ #impot yaml and op.path to check if the file exists and to safe_load the yaml file.
+ try:
+ import yaml
+ except:
+ return "Yaml not installed"
+ try:
+ from os.path import exists
+ except:
+ return "could not import os.path"
+ #checking if the file exists
+ if exists("/etc/confluent/authorization.yaml"):
+ add_roles(_allowedbyrole)
+ add_roles(_deniedbyrole)
+ return "Custom auth. file detected in /etc/confluent, updated roles accordingly"
+ else:
+ return "No custom auth. file. Continuing as normal"
+
+
+
 def _get_usertenant(name, tenant=False):
 """_get_usertenant 
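Review bot: `def add_roles(dictionary):` appears to sit at the same indentation as the `def __init__` context line under the `class PromptsNeeded(Exception)` hunk header (its `+` is followed by a space, whereas `+def check_for_yaml():` is at column 0), which would make it a method of the exception class, so the bare-name call `add_roles(_allowedbyrole)` in `check_for_yaml` would raise NameError; indentation is collapsed in this rendering, so confirm against the file, but the same layout persists in the hunks of PATCH 3/4 and 4/4. Dedent it to module level next to `check_for_yaml`, i.e. `def add_roles(dictionary):` at column 0 with its body re-indented accordingly. The bare `except:` clauses and the discarded status strings mean a missing PyYAML or an unreadable file leave the custom policy unapplied with no log line or error, which is the wrong default for an authorization file; narrow them to `except ImportError:` and let a parse failure propagate. `loaded_file.items()` is also called without checking that `yaml.safe_load` returned a mapping (an empty file yields `None`).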
@@ -165,6 +206,7 @@ def authorize(name, element, tenant=False, operation='create',
 # skipuserobj is a leftover from the now abandoned plan to use pam session
 # to do authorization and authentication. Now confluent always does authorization
 # even if pam does authentication.
+ check_for_yaml()
 if operation not in ('create', 'start', 'update', 'retrieve', 'delete', None):
 return False
 user, tenant = _get_usertenant(name, tenant)
From b800aa032ebaabb7d3574392f6ee09ff65bcd624 Mon Sep 17 00:00:00 2001
From: erderial <71669104+erderial@users.noreply.github.com>
Date: Mon, 27 Feb 2023 17:10:17 +0200
Subject: [PATCH 2/4] updated auth.py with some changes updated auth.py with some changes. Need to add the check_for_yaml() function to main.py as well
---
 confluent_server/confluent/auth.py | 28 ++++++---------------------
 1 file changed, 6 insertions(+), 22 deletions(-)
diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index a8838927..c9b6dde4 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -41,6 +41,7 @@ try:
 except ImportError:
 pass
 import time
+import yaml
 _pamservice = 'confluent'
 _passcache = {} 
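Review bot: `+import yaml` is an unconditional import placed right after a block that guards its imports with `except ImportError: pass`, so a host without PyYAML now fails to import auth.py at all, whereas PATCH 1/4 treated the package as optional and degraded to the built-in policy. Either declare PyYAML as a hard dependency of the server package, or keep it optional with `try: import yaml` / `except ImportError: yaml = None` and have `check_for_yaml` refuse (with a logged error) to apply the file when `yaml is None`, so an operator cannot end up with a custom policy file that is silently ignored.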
@@ -122,30 +123,14 @@ class PromptsNeeded(Exception):
 #Opening YAML file and reading the custom roles
 with open("/etc/confluent/authorization.yaml","r") as stream:
 loaded_file = yaml.safe_load(stream)
- for outside_key,outside_value in loaded_file.items():
- for inside_key,inside_value in outside_value.items():
- try:
- #Trying to append the new list of permissions to existing lists (i.e. Operator : {"retrieve" : ['*' , 'new_added_file_permission']})
- dictionary[outside_key][inside_key] = (list(set(dictionary[outside_key][inside_key]+inside_value)))
- except KeyError:
- #If there is no previous action, we create a new one (i.e. Operator : { "new_action" : ['new_added_file_permission'] })
- try:
- dictionary[outside_key][inside_key] = inside_value
- except KeyError:
- #If there is a new role to be added, we add it along with the rest of the info (i.e. NewRole : {"new_action" : ['new_added_file_permission]})
- dictionary[outside_key] = outside_value
+ try:
+ dictionary.update(loaded_file)
+ except FileNotFoundError:
+ return "File does not exist"
+ return
 def check_for_yaml():
- #impot yaml and op.path to check if the file exists and to safe_load the yaml file.
- try:
- import yaml
- except:
- return "Yaml not installed"
- try:
- from os.path import exists
- except:
- return "could not import os.path"
 #checking if the file exists
 if exists("/etc/confluent/authorization.yaml"):
 add_roles(_allowedbyrole)
@@ -206,7 +191,6 @@ def authorize(name, element, tenant=False, operation='create',
 # skipuserobj is a leftover from the now abandoned plan to use pam session
 # to do authorization and authentication. Now confluent always does authorization
 # even if pam does authentication.
- check_for_yaml()
 if operation not in ('create', 'start', 'update', 'retrieve', 'delete', None):
 return False
 user, tenant = _get_usertenant(name, tenant)
From 56dea2422a6350441987c6b3ed94c6e61c7d6b50 Mon Sep 17 00:00:00 2001
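Review bot: `exists(...)` in `check_for_yaml` loses its definition in this hunk — the `from os.path import exists` lines are removed and the commit's import hunk adds only `import yaml` — so the call raises NameError unless an import outside these hunks already provides the name; add `from os.path import exists` to the top-of-file imports or call `os.path.exists(...)`. The `except FileNotFoundError:` around `dictionary.update(loaded_file)` can never fire, because the `open()` that could raise it sits outside the `try`, and `dict.update` is shallow, so a YAML entry for an existing role replaces that role's whole permission map instead of extending it as PATCH 1/4's loop did — confirm wholesale replacement is intended, since for `_deniedbyrole` a dropped entry widens access. With the `check_for_yaml()` call removed from `authorize` in the next hunk and the commit message deferring the call to main.py, nothing in this file applies the custom policy after this commit.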
From: erderial <71669104+erderial@users.noreply.github.com>
Date: Tue, 7 Mar 2023 21:08:01 +0200
Subject: [PATCH 3/4] Update auth.py
---
 confluent_server/confluent/auth.py | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index c9b6dde4..915c31e6 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -117,24 +117,37 @@ class PromptsNeeded(Exception):
 self.prompts = prompts
 #add function to change _allowedbyrole and _deniedbyrole vars.
- def add_roles(dictionary):
+ def add_roles(_allowed,_denied):
 #function to parse the roles and the files. If there are modifications to be done to the roles, items will be added to dictionaries.
 #If there are no moodifications done to one of the roles, it continues to the next
 #Opening YAML file and reading the custom roles
 with open("/etc/confluent/authorization.yaml","r") as stream:
 loaded_file = yaml.safe_load(stream)
 try:
- dictionary.update(loaded_file)
- except FileNotFoundError:
- return "File does not exist"
+ allowed_loaded = loaded_file["_allowedbyrole"]
+ except:
+ pass
+ try:
+ denied_loaded = loaded_file["_deniedbyrole"]
+ except:
+ pass
+
+ try:
+ _allowed.update(allowed_loaded)
+ except NameError:
+ pass
+ try:
+ _denied.update(denied_loaded)
+ except NameError:
+ pass
 return
 def check_for_yaml():
 #checking if the file exists
 if exists("/etc/confluent/authorization.yaml"):
- add_roles(_allowedbyrole)
- add_roles(_deniedbyrole)
+ add_roles(_allowedbyrole,_deniedbyrole)
+
 return "Custom auth. file detected in /etc/confluent, updated roles accordingly"
 else:
 return "No custom auth. file. Continuing as normal"
From 85f9dc12fb82f6d7c73568b9c4d023745c9b0dea Mon Sep 17 00:00:00 2001
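Review bot: The bare `except:` around `loaded_file["_allowedbyrole"]` and `loaded_file["_deniedbyrole"]` catches TypeError as well as KeyError, so an empty file (`yaml.safe_load` returns `None`) or a malformed one applies nothing, and the following `except NameError: pass` pairs hide that too — an operator who added entries to `_deniedbyrole` gets no signal that they are not in force. Check the shape of the loaded document explicitly and fail loudly on a malformed policy file rather than swallowing it; the sections handed to `update` are likewise never checked to be mappings. A rewrite of the body is below (shown at module level, where `check_for_yaml` can reach it); PATCH 4/4 renames the two keys, which only changes the two strings in the loop.
```python
def add_roles(_allowed,_denied):
    # … unchanged: open the file and yaml.safe_load it into loaded_file …
    # An empty or malformed policy file must not silently leave the defaults in place.
    if not isinstance(loaded_file, dict):
        raise ValueError("/etc/confluent/authorization.yaml must contain a mapping")
    for target, key in ((_allowed, "_allowedbyrole"), (_denied, "_deniedbyrole")):
        section = loaded_file.get(key)
        if section is None:
            continue
        if not isinstance(section, dict):
            raise ValueError("%s in authorization.yaml must be a mapping" % key)
        target.update(section)
```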
From: erderial <71669104+erderial@users.noreply.github.com>
Date: Thu, 9 Mar 2023 22:38:37 +0200
Subject: [PATCH 4/4] Update auth.py
---
 confluent_server/confluent/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index 915c31e6..55b3836c 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -124,11 +124,11 @@ class PromptsNeeded(Exception):
 with open("/etc/confluent/authorization.yaml","r") as stream:
 loaded_file = yaml.safe_load(stream)
 try:
- allowed_loaded = loaded_file["_allowedbyrole"]
+ allowed_loaded = loaded_file["allowedbyrole"]
 except:
 pass
 try:
- denied_loaded = loaded_file["_deniedbyrole"]
+ denied_loaded = loaded_file["deniedbyrole"]
 except:
 pass