def add_permissions_to_role(role_id, resource, operations):
        """
        Add permissions to a role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to grant permissions to
        :type  resource:        str
        :param operations:      list or tuple
        :type  operations:      list of allowed operations being granted
        :raise MissingResource: if the given role does not exist
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        current_ops = role['permissions'].setdefault(resource, [])
        for o in operations:
            if o in current_ops:
                continue
            current_ops.append(o)

        users = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for user in users:
            factory.permission_manager().grant(resource, user['login'], operations)

        Role.get_collection().save(role, safe=True)

    def add_user_to_role(role_id, login):
        """
        Add a user to a role. This has the side-effect of granting all the
        permissions granted to the role to the user.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           login of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise MissingResource(login)

        if role_id in user['roles']:
            return

        user['roles'].append(role_id)
        User.get_collection().save(user, safe=True)

        for resource, operations in role['permissions'].items():
            factory.permission_manager().grant(resource, login, operations)

    def remove_user_from_role(role_id, login):
        """
        Remove a user from a role. This has the side-effect of revoking all the
        permissions granted to the role from the user, unless the permissions are
        also granted by another role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           name of user
        :type  login:           str
        :raise MissingResource: if the given role or user does not exist
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = model.User.objects.get_or_404(login=login)

        if role_id == SUPER_USER_ROLE and user_controller.is_last_super_user(login):
            raise PulpDataException(
                _('%(role)s cannot be empty, and %(login)s is the last member') %
                {'role': SUPER_USER_ROLE, 'login': login})

        if role_id not in user.roles:
            return

        user.roles.remove(role_id)
        user.save()

        for item in role['permissions']:
            other_roles = factory.role_query_manager().get_other_roles(role, user.roles)
            user_ops = _operations_not_granted_by_roles(item['resource'],
                                                        item['permission'],
                                                        other_roles)
            factory.permission_manager().revoke(item['resource'], login, user_ops)

    def add_user_to_role(role_id, login):
        """
        Add a user to a role. This has the side-effect of granting all the
        permissions granted to the role to the user.

        :param role_id:         role identifier
        :type  role_id:         str
        :param login:           login of user
        :type  login:           str
        :raise MissingResource: if the given role does not exist
        :raise InvalidValue: if some params are invalid
        """
        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise MissingResource(role_id)

        user = User.get_collection().find_one({'login': login})
        if user is None:
            raise InvalidValue(['login'])

        if role_id in user['roles']:
            return

        user['roles'].append(role_id)
        User.get_collection().save(user, safe=True)

        for item in role['permissions']:
            factory.permission_manager().grant(item['resource'], login,
                                               item.get('permission', []))

def operation_to_name(operation):
    """
    Convert an operation value to an operation name
    Returns None if the operation value is invalid
    @type operation: int
    @param operation: operation value
    @rtype: str or None
    @return: operation name
    """
    if operation < factory.permission_manager().CREATE or operation > factory.permission_manager().EXECUTE:
        return None
    return factory.permission_manager().operation_names[operation]

def name_to_operation(name):
    """
    Convert a operation name to an operation value
    Returns None if the name does not correspond to an operation
    @type name: str
    @param name: operation name
    @rtype: int or None
    @return: operation value
    """
    name = name.upper()
    if name not in factory.permission_manager().operation_names:
        raise InvalidValue('operations')
    return factory.permission_manager().operation_names.index(name)

    def get(self, request):
        """
        List all roles.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of roles
        :rtype: django.http.HttpResponse
        """
        role_query_manager = factory.role_query_manager()
        user_query_manager = factory.user_query_manager()
        permissions_manager = factory.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            role['users'] = [u['login'] for u in
                             user_query_manager.find_users_belonging_to_role(role['id'])]

            resource_permission = {}
            # isolate schema change
            if role['permissions']:
                for item in role['permissions']:
                    resource = item['resource']
                    operations = item.get('permission', [])
                    resource_permission[resource] = [permissions_manager.operation_value_to_name(o)
                                                     for o in operations]

            role['permissions'] = resource_permission

            link = {'_href': reverse('role_resource',
                    kwargs={'role_id': role['id']})}
            role.update(link)
        return generate_json_response_with_pulp_encoder(roles)

    def test_syntactic_sugar_methods(self):
        """
        Tests the syntactic sugar methods for retrieving specific managers.
        """
        # Setup
        factory.initialize()

        # Test
        self.assertTrue(isinstance(factory.authentication_manager(), AuthenticationManager))
        self.assertTrue(isinstance(factory.cert_generation_manager(), CertGenerationManager))
        self.assertTrue(isinstance(factory.certificate_manager(), CertificateManager))
        self.assertTrue(isinstance(factory.password_manager(), PasswordManager))
        self.assertTrue(isinstance(factory.permission_manager(), PermissionManager))
        self.assertTrue(isinstance(factory.permission_query_manager(), PermissionQueryManager))
        self.assertTrue(isinstance(factory.role_manager(), RoleManager))
        self.assertTrue(isinstance(factory.role_query_manager(), RoleQueryManager))
        self.assertTrue(isinstance(factory.user_manager(), UserManager))
        self.assertTrue(isinstance(factory.user_query_manager(), UserQueryManager))
        self.assertTrue(isinstance(factory.repo_manager(), RepoManager))
        self.assertTrue(isinstance(factory.repo_unit_association_manager(),
                                   RepoUnitAssociationManager))
        self.assertTrue(isinstance(factory.repo_publish_manager(), RepoPublishManager))
        self.assertTrue(isinstance(factory.repo_query_manager(), RepoQueryManager))
        self.assertTrue(isinstance(factory.repo_sync_manager(), RepoSyncManager))
        self.assertTrue(isinstance(factory.content_manager(), ContentManager))
        self.assertTrue(isinstance(factory.content_query_manager(), ContentQueryManager))
        self.assertTrue(isinstance(factory.content_upload_manager(), ContentUploadManager))
        self.assertTrue(isinstance(factory.consumer_manager(), ConsumerManager))
        self.assertTrue(isinstance(factory.topic_publish_manager(), TopicPublishManager))

    def GET(self):

        role_query_manager = managers.role_query_manager()
        user_query_manager = managers.user_query_manager()
        permissions_manager = managers.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            role['users'] = [u['login'] for u in
                             user_query_manager.find_users_belonging_to_role(role['id'])]

            resource_permission = {}
            # isolate schema change
            if role['permissions']:
                for item in role['permissions']:
                    resource = item['resource']
                    operations = item.get('permission', [])
                    resource_permission[resource] = [permissions_manager.operation_value_to_name(o)
                                                     for o in operations]

            role['permissions'] = resource_permission

        for role in roles:
            role.update(serialization.link.child_link_obj(role['id']))

        return self.ok(roles)

    def POST(self):

        # Pull all the user data
        user_data = self.params()
        login = user_data.get('login', None)
        password = user_data.get('password', None)
        name = user_data.get('name', None)

        # Creation
        manager = managers.user_manager()
        resources = {dispatch_constants.RESOURCE_USER_TYPE: {login: dispatch_constants.RESOURCE_CREATE_OPERATION}}
        args = [login]
        kwargs = {'password': password,
                  'name': name}
        weight = pulp_config.config.getint('tasks', 'create_weight')
        tags = [resource_tag(dispatch_constants.RESOURCE_USER_TYPE, login),
                action_tag('create')]
        call_request = CallRequest(manager.create_user,
                                   args,
                                   kwargs,
                                   resources=resources,
                                   weight=weight,
                                   tags=tags,
                                   kwarg_blacklist=['password'])
        user = execution.execute_sync(call_request)
        user_link = serialization.link.child_link_obj(login)
        user.update(user_link)

        # Grant permissions
        permission_manager = managers.permission_manager()
        permission_manager.grant_automatic_permissions_for_resource(user_link['_href'])

        return self.created(login, user)

    def POST(self):

        # Pull all the user data
        user_data = self.params()
        login = user_data.get('login', None)
        password = user_data.get('password', None)
        name = user_data.get('name', None)

        # Creation
        manager = managers.user_manager()
        args = [login]
        kwargs = {'password': password,
                  'name': name}

        user = manager.create_user(*args, **kwargs)

        # Add the link to the user
        user_link = serialization.link.child_link_obj(login)
        user.update(user_link)

        # Grant permissions
        user_link = serialization.link.child_link_obj(login)
        permission_manager = managers.permission_manager()
        permission_manager.grant_automatic_permissions_for_resource(user_link['_href'])

        return self.created(login, user)

    def POST(self):

        # Params
        params = self.params()
        login = params.get('login', None)
        resource = params.get('resource', None)
        operation_names = params.get('operations', None)
        
        _check_invalid_params({'login':login,
                               'resource':resource,
                               'operation_names':operation_names})
            
        operations = _get_operations(operation_names)
        
        # Grant permission synchronously
        permission_manager = managers.permission_manager()
        tags = [resource_tag(dispatch_constants.RESOURCE_PERMISSION_TYPE, resource),
                resource_tag(dispatch_constants.RESOURCE_USER_TYPE, login),
                action_tag('grant_permission_to_user')]

        call_request = CallRequest(permission_manager.grant,
                                   [resource, login, operations],
                                   tags=tags)
        call_request.reads_resource(dispatch_constants.RESOURCE_USER_TYPE, login)
        call_request.updates_resource(dispatch_constants.RESOURCE_PERMISSION_TYPE, resource)
        
        return self.ok(execution.execute_sync(call_request))

    def get(self, request):
        """
        List all roles.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of roles
        :rtype: django.http.HttpResponse
        """
        role_query_manager = factory.role_query_manager()
        permissions_manager = factory.permission_manager()
        roles = role_query_manager.find_all()
        for role in roles:
            users = [u.login for u in user_controller.find_users_belonging_to_role(role["id"])]
            role["users"] = users

            resource_permission = {}
            # isolate schema change
            if role["permissions"]:
                for item in role["permissions"]:
                    resource = item["resource"]
                    operations = item.get("permission", [])
                    resource_permission[resource] = [permissions_manager.operation_value_to_name(o) for o in operations]

            role["permissions"] = resource_permission

            link = {"_href": reverse("role_resource", kwargs={"role_id": role["id"]})}
            role.update(link)
        return generate_json_response_with_pulp_encoder(roles)

    def post(self, request):
        """
        Revoke permissions from a role.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: An empty response
        :rtype: django.http.HttpResponse
        """

        params = request.body_as_json
        role_id = params.get('role_id', None)
        resource = params.get('resource', None)
        operation_names = params.get('operations', None)

        _validate_params({'role_id': role_id,
                          'resource': resource,
                          'operation_names': operation_names})

        role_manager = factory.role_manager()
        permission_manager = factory.permission_manager()
        operations = permission_manager.operation_names_to_values(operation_names)
        remove_perm = role_manager.remove_permissions_from_role(role_id, resource, operations)
        return generate_json_response(remove_perm)

    def get(self, request):
        """
        Retrieve permissions for all resources or for a particular resource.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: Response containing a list of permissions for resource/s
        :rtype: django.http.HttpResponse
        """
        query_params = request.GET
        resource = query_params.get('resource', None)

        permissions = []
        if resource is None:
            permissions = factory.permission_query_manager().find_all()
        else:
            permission = factory.permission_query_manager().find_by_resource(resource)
            if permission is not None:
                permissions = [permission]

        for permission in permissions:
            # Isolate the database schema change to behind the api.  This should be transparent
            users = {}
            for item in permission['users']:
                users[item['username']] = item['permissions']
            permission['users'] = users
            permission_manager = factory.permission_manager()
            for user, ops in users.items():
                users[user] = [permission_manager.operation_value_to_name(o) for o in ops]

        return generate_json_response_with_pulp_encoder(permissions)

    def post(self, request):
        """
        Grant permissions to a role.

        :param request: WSGI request object
        :type request: django.core.handlers.wsgi.WSGIRequest

        :return: An empty response
        :rtype: django.http.HttpResponse
        """
        params = request.body_as_json
        role_id = params.get('role_id', None)
        resource = params.get('resource', None)
        operation_names = params.get('operations', None)

        _check_invalid_params({'role_id': role_id,
                               'resource': resource,
                               'operation_names': operation_names})

        # Grant permission synchronously
        role_manager = factory.role_manager()
        permission_manager = factory.permission_manager()
        operations = permission_manager.operation_names_to_values(operation_names)
        add_perm = role_manager.add_permissions_to_role(role_id, resource, operations)
        return generate_json_response(add_perm)

    def delete_user(login):
        """
        Deletes the given user. Deletion of last superuser is not permitted.

        @param login: identifies the user being deleted
        @type  login: str

        @raise MissingResource: if the given user does not exist
        @raise InvalidValue: if login value is invalid
        """

        # Raise exception if login is invalid
        if login is None or invalid_type(login, basestring):
            raise InvalidValue(['login'])

        # Check whether user exists
        found = User.get_collection().find_one({'login': login})
        if found is None:
            raise MissingResource(login)

        # Make sure user is not the last super user
        if factory.user_query_manager().is_last_super_user(login):
            raise PulpDataException(_("The last superuser [%s] cannot be deleted" % login))

        # Revoke all permissions from the user
        permission_manager = factory.permission_manager()
        permission_manager.revoke_all_permissions_from_user(login)

        User.get_collection().remove({'login': login})

    def remove_permissions_from_role(role_id, resource, operations):
        """
        Remove permissions from a role.

        :param role_id:         role identifier
        :type  role_id:         str
        :param resource:        resource path to revoke permissions from
        :type  resource:        str
        :param operations:      list or tuple
        :type  operations:      list of allowed operations being revoked
        :raise InvalidValue: if some params are invalid
        :raise PulpDataException: if role is a superuser role
        """
        if role_id == SUPER_USER_ROLE:
            raise PulpDataException(_('super-users role cannot be changed'))

        role = Role.get_collection().find_one({'id': role_id})
        if role is None:
            raise InvalidValue(['role_id'])

        resource_permission = {}
        current_ops = []
        for item in role['permissions']:
            if item['resource'] == resource:
                resource_permission = item
                current_ops = resource_permission['permission']

        if not current_ops:
            return
        for o in operations:
            if o not in current_ops:
                continue
            current_ops.remove(o)

        users = factory.user_query_manager().find_users_belonging_to_role(role_id)
        for user in users:
            other_roles = factory.role_query_manager().get_other_roles(role, user['roles'])
            user_ops = _operations_not_granted_by_roles(resource,
                                                        operations,
                                                        other_roles)
            factory.permission_manager().revoke(resource, user['login'], user_ops)

        # in no more allowed operations, remove the resource
        if not current_ops:
            role['permissions'].remove(resource_permission)

        Role.get_collection().save(role, safe=True)

    def create_user(login, password=None, name=None, roles=None):
        """
        Creates a new Pulp user and adds it to specified to roles.

        @param login: login name / unique identifier for the user
        @type  login: str

        @param password: password for login credentials
        @type  password: str

        @param name: user's full name
        @type  name: str

        @param roles: list of roles user will belong to
        @type  roles: list

        @raise DuplicateResource: if there is already a user with the requested login
        @raise InvalidValue: if any of the fields are unacceptable
        """

        existing_user = User.get_collection().find_one({'login': login})
        if existing_user is not None:
            raise DuplicateResource(login)

        invalid_values = []

        if login is None or _USER_LOGIN_REGEX.match(login) is None:
            invalid_values.append('login')
        if invalid_type(name, basestring):
            invalid_values.append('name')
        if invalid_type(roles, list):
            invalid_values.append('roles')

        if invalid_values:
            raise InvalidValue(invalid_values)

        # Use the login for name of the user if one was not specified
        name = name or login
        roles = roles or None

        # Encode plain-text password
        hashed_password = None
        if password:
            hashed_password = factory.password_manager().hash_password(password)

        # Creation
        create_me = User(login=login, password=hashed_password, name=name, roles=roles)
        User.get_collection().save(create_me)

        # Grant permissions
        permission_manager = factory.permission_manager()
        permission_manager.grant_automatic_permissions_for_user(create_me['login'])

        # Retrieve the user to return the SON object
        created = User.get_collection().find_one({'login': login})
        created.pop('password')

        return created

 def test_operation_value_to_name(self):
     pm = manager_factory.permission_manager()
     self.assertEqual(pm.operation_value_to_name(authorization.CREATE), "CREATE")
     self.assertEqual(pm.operation_value_to_name(authorization.READ), "READ")
     self.assertEqual(pm.operation_value_to_name(authorization.UPDATE), "UPDATE")
     self.assertEqual(pm.operation_value_to_name(authorization.DELETE), "DELETE")
     self.assertEqual(pm.operation_value_to_name(authorization.EXECUTE), "EXECUTE")
     self.assertEqual(pm.operation_value_to_name("RANDOM"), None)
     self.assertEqual(pm.operation_value_to_name(99), None)
     self.assertEqual(pm.operation_value_to_name(-2), None)