628 lines
28 KiB
Python
628 lines
28 KiB
Python
'''
|
|
VERIDIC - Towards a centralized access control system
|
|
|
|
Copyright (C) 2011 Mikael Ates
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as
|
|
published by the Free Software Foundation, either version 3 of the
|
|
License, or (at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
'''
|
|
|
|
|
|
from django.core.management.base import BaseCommand, CommandError
|
|
from django.db import transaction
|
|
|
|
from acs.abac.models import *
|
|
from acs.abac.core import check_predicates, \
|
|
arrange_missing_predicates, get_source_form_name, \
|
|
get_def_from_name_and_ns, add_assertion_to_profile, \
|
|
make_new_rule_from_missing_predicates, \
|
|
get_attribute_definition_by_name, load_profile_by_dic, \
|
|
check_predicate_role
|
|
|
|
from acs.abac.logic import evaluation, return_sorted_variables_to_truth
|
|
|
|
from acs.xacml.constants import *
|
|
|
|
from acs.models import Role, UserAlias, AcsObject, Action, AcsAbacPermission
|
|
|
|
from acs.core import create_policy, remove_policy, \
|
|
add_role, mod_role, add_object, add_action, add_permission, \
|
|
add_view, add_activity, mod_view, mod_activity, \
|
|
is_authorized_by_names_with_abac
|
|
|
|
|
|
class Command(BaseCommand):
|
|
'''
|
|
Script to make tests on ABAC
|
|
'''
|
|
|
|
can_import_django_settings = True
|
|
output_transaction = True
|
|
requires_model_validation = True
|
|
option_list = BaseCommand.option_list
|
|
help = \
|
|
'No help.'
|
|
|
|
@transaction.commit_manually
|
|
def handle(self, *args, **options):
|
|
|
|
print '-------- ABAC Tests --------'
|
|
|
|
'''
|
|
(age of (IdP1 or IdP2) >= 18 and (nationality of IdP1 == 'FRA'
|
|
or nationality of IdP1 == 'ITA'))
|
|
or
|
|
(age of (IdP1 or IdP2) >= 21 and (nationality of IdP1 == 'GBR'
|
|
or nationality of IdP1 == 'ESP'))
|
|
and unique_ID of (IdP1 or IdP2)
|
|
and type_cert of IdP1 == 'eID'
|
|
and type_cert of IdP2 == 'driver_licence'
|
|
and type_cert of IdP3 == 'assurance_assessment'
|
|
and surname of IdP1 == surname of IdP2
|
|
and firstname of IdP1 == firstname of IdP2
|
|
and surname of IdP1 == surname of IdP3
|
|
and firstname of IdP1 == firstname of IdP3
|
|
'''
|
|
|
|
try:
|
|
|
|
s1, c = Source.objects.get_or_create(name="IdP1")
|
|
s1.save()
|
|
print 'Source created: %s' % s1
|
|
s2, c = Source.objects.get_or_create(name="IdP2")
|
|
s2.save()
|
|
print 'Source created: %s' % s2
|
|
s3, c = Source.objects.get_or_create(name="IdP3")
|
|
s3.save()
|
|
print 'Source created: %s' % s3
|
|
|
|
rule = AbacRule()
|
|
rule.save()
|
|
|
|
def_sn = get_attribute_definition_by_name('surname')
|
|
def_fn = get_attribute_definition_by_name('firstname')
|
|
def_typecert = get_attribute_definition_by_name('certificate_type')
|
|
def_age = get_attribute_definition_by_name('age')
|
|
def_unikid = get_attribute_definition_by_name('unique_ID')
|
|
def_nat = get_attribute_definition_by_name('nationality')
|
|
if not (def_sn and def_fn and def_age and def_typecert and def_nat and def_unikid):
|
|
print 'Missing definition'
|
|
raise
|
|
|
|
adef_sn1 = AssertionDefinition(attribute_definition=def_sn)
|
|
adef_sn1.save()
|
|
att_s = AttachedSource(assertion=adef_sn1, source=s1)
|
|
att_s.save()
|
|
adef_sn2 = AssertionDefinition(attribute_definition=def_sn)
|
|
adef_sn2.save()
|
|
att_s = AttachedSource(assertion=adef_sn2, source=s2)
|
|
att_s.save()
|
|
adef_sn3 = AssertionDefinition(attribute_definition=def_sn)
|
|
adef_sn3.save()
|
|
att_s = AttachedSource(assertion=adef_sn3, source=s3)
|
|
att_s.save()
|
|
adef_fn1 = AssertionDefinition(attribute_definition=def_fn)
|
|
adef_fn1.save()
|
|
att_s = AttachedSource(assertion=adef_fn1, source=s1)
|
|
att_s.save()
|
|
adef_fn2 = AssertionDefinition(attribute_definition=def_fn)
|
|
adef_fn2.save()
|
|
att_s = AttachedSource(assertion=adef_fn2, source=s2)
|
|
att_s.save()
|
|
adef_fn3 = AssertionDefinition(attribute_definition=def_fn)
|
|
adef_fn3.save()
|
|
att_s = AttachedSource(assertion=adef_fn3, source=s3)
|
|
att_s.save()
|
|
adef_typecert1 = AssertionDefinition(attribute_definition=def_typecert)
|
|
adef_typecert1.save()
|
|
att_s = AttachedSource(assertion=adef_typecert1, source=s1)
|
|
att_s.save()
|
|
adef_typecert2 = AssertionDefinition(attribute_definition=def_typecert)
|
|
adef_typecert2.save()
|
|
att_s = AttachedSource(assertion=adef_typecert2, source=s2)
|
|
att_s.save()
|
|
adef_typecert3 = AssertionDefinition(attribute_definition=def_typecert)
|
|
adef_typecert3.save()
|
|
att_s = AttachedSource(assertion=adef_typecert3, source=s3)
|
|
att_s.save()
|
|
adef_age1 = AssertionDefinition(attribute_definition=def_age)
|
|
adef_age1.save()
|
|
att_s = AttachedSource(assertion=adef_age1, source=s1)
|
|
att_s.save()
|
|
att_s = AttachedSource(assertion=adef_age1, source=s2)
|
|
att_s.save()
|
|
adef_unikid1 = AssertionDefinition(attribute_definition=def_unikid)
|
|
adef_unikid1.save()
|
|
att_s = AttachedSource(assertion=adef_unikid1, source=s1)
|
|
att_s.save()
|
|
att_s = AttachedSource(assertion=adef_unikid1, source=s2)
|
|
att_s.save()
|
|
adef_nationality1 = AssertionDefinition(attribute_definition=def_nat)
|
|
adef_nationality1.save()
|
|
att_s = AttachedSource(assertion=adef_nationality1, source=s1)
|
|
att_s.save()
|
|
|
|
#Define numeric value 18
|
|
val18 = AttributeData(definition=def_age)
|
|
val18.save()
|
|
IntegerM(data=val18, value=18).save()
|
|
val18_d = AssertionData(attribute_data=val18)
|
|
val18_d.save()
|
|
#Define numeric value 21
|
|
val21 = AttributeData(definition=def_age)
|
|
val21.save()
|
|
IntegerM(data=val21, value=21).save()
|
|
val21_d = AssertionData(attribute_data=val21)
|
|
val21_d.save()
|
|
#Define String for nationalities
|
|
french = AttributeData(definition=def_nat)
|
|
french.save()
|
|
StringM(data=french, value='FRA').save()
|
|
french_d = AssertionData(attribute_data=french)
|
|
french_d.save()
|
|
italian = AttributeData(definition=def_nat)
|
|
italian.save()
|
|
StringM(data=italian, value='ITA').save()
|
|
italian_d = AssertionData(attribute_data=italian)
|
|
italian_d.save()
|
|
english = AttributeData(definition=def_nat)
|
|
english.save()
|
|
StringM(data=english, value='GBR').save()
|
|
english_d = AssertionData(attribute_data=english)
|
|
english_d.save()
|
|
spanish = AttributeData(definition=def_nat)
|
|
spanish.save()
|
|
StringM(data=spanish, value='ESP').save()
|
|
spanish_d = AssertionData(attribute_data=spanish)
|
|
spanish_d.save()
|
|
#Define String for certificate types
|
|
eID = AttributeData(definition=def_typecert)
|
|
eID.save()
|
|
StringM(data=eID, value='eID').save()
|
|
eID_d = AssertionData(attribute_data=eID)
|
|
eID_d.save()
|
|
drvlicence = AttributeData(definition=def_typecert)
|
|
drvlicence.save()
|
|
StringM(data=drvlicence, value='driver_licence').save()
|
|
drvlicence_d = AssertionData(attribute_data=drvlicence)
|
|
drvlicence_d.save()
|
|
assass = AttributeData(definition=def_typecert)
|
|
assass.save()
|
|
StringM(data=assass, value='assurance_assessment').save()
|
|
assass_d = AssertionData(attribute_data=assass)
|
|
assass_d.save()
|
|
|
|
#predicates for age
|
|
p1 = PredicateComparison(operand1=adef_age1, operand2=val18_d,
|
|
comparison_type=ACS_XACML_COMPARISON_INTEGER_GRT_OE,
|
|
operand1_single_value=True, operand2_single_value=True,
|
|
rule=rule)
|
|
p1.save()
|
|
print "Predicate age 1 %s, id: %s" % (p1, p1.id)
|
|
p2 = PredicateComparison(operand1=adef_age1, operand2=val21_d,
|
|
comparison_type=ACS_XACML_COMPARISON_INTEGER_GRT_OE,
|
|
operand1_single_value=True, operand2_single_value=True,
|
|
rule=rule)
|
|
p2.save()
|
|
print "Predicate age 2 %s, id: %s" % (p2, p2.id)
|
|
#predicates for nationality:
|
|
p3 = PredicateComparison(operand1=adef_nationality1, operand2=french_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
multivalues='EQUAL_OP1_SUBSET_OP2', rule=rule)
|
|
p3.save()
|
|
print "Predicate nationality 3 %s, id: %s" % (p3, p3.id)
|
|
p4 = PredicateComparison(operand1=adef_nationality1, operand2=italian_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
multivalues='EQUAL_OP1_SUBSET_OP2', rule=rule)
|
|
p4.save()
|
|
print "Predicate nationality 4 %s, id: %s" % (p4, p4.id)
|
|
p5 = PredicateComparison(operand1=adef_nationality1, operand2=english_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
multivalues='EQUAL_OP1_SUBSET_OP2', rule=rule)
|
|
p5.save()
|
|
print "Predicate nationality 5 %s, id: %s" % (p5, p5.id)
|
|
p6 = PredicateComparison(operand1=adef_nationality1, operand2=spanish_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
multivalues='EQUAL_OP1_SUBSET_OP2', rule=rule)
|
|
p6.save()
|
|
print "Predicate nationality 6 %s, id: %s" % (p6, p6.id)
|
|
#Predicates only required
|
|
p7 = PredicateRequired(definition=adef_unikid1,
|
|
single_value=True, rule=rule)
|
|
p7.save()
|
|
print "Predicate required unique ID: %s, id: %s" % (p7, p7.id)
|
|
#Predicates for certificate types
|
|
p8 = PredicateComparison(operand1=adef_typecert1, operand2=eID_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
operand1_single_value=True, operand2_single_value=True,
|
|
rule=rule)
|
|
p8.save()
|
|
print "Predicate certificate type 8 %s, id: %s" % (p8, p8.id)
|
|
p9 = PredicateComparison(operand1=adef_typecert2, operand2=drvlicence_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
operand1_single_value=True, operand2_single_value=True,
|
|
rule=rule)
|
|
p9.save()
|
|
print "Predicate certificate type 9 %s, id: %s" % (p9, p9.id)
|
|
p10 = PredicateComparison(operand1=adef_typecert3, operand2=assass_d,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE,
|
|
operand1_single_value=True, operand2_single_value=True,
|
|
rule=rule)
|
|
p10.save()
|
|
print "Predicate certificate type 10 %s, id: %s" % (p10, p10.id)
|
|
#Predicates for same identity checking
|
|
p11 = PredicateComparison(operand1=adef_sn1, operand2=adef_sn2,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE, rule=rule,
|
|
multivalues='EQUAL_EXACT_MATCH')
|
|
p11.save()
|
|
print "Predicate check identity 11 %s, id: %s" % (p11, p11.id)
|
|
p12 = PredicateComparison(operand1=adef_fn1, operand2=adef_fn2,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE, rule=rule,
|
|
multivalues='EQUAL_OP1_SUBSET_OP2')
|
|
p12.save()
|
|
print "Predicate check identity 12 %s, id: %s" % (p12, p12.id)
|
|
p13 = PredicateComparison(operand1=adef_sn1, operand2=adef_sn3,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE, rule=rule,
|
|
multivalues='EQUAL_EXACT_MATCH')
|
|
p13.save()
|
|
print "Predicate check identity 13 %s, id: %s" % (p13, p13.id)
|
|
p14 = PredicateComparison(operand1=adef_fn1, operand2=adef_fn3,
|
|
comparison_type=ACS_XACML_COMPARISON_EQUALITY_STRING_IGN_CASE, rule=rule,
|
|
multivalues='EQUAL_OP1_SUBSET_OP2')
|
|
p14.save()
|
|
print "Predicate check identity 14 %s, id: %s" % (p14, p14.id)
|
|
|
|
#Bags of values to test multivalued attributes
|
|
bag1 = AttributeData(definition=def_age)
|
|
bag1.save()
|
|
IntegerM(data=bag1, value=3).save()
|
|
IntegerM(data=bag1, value=5).save()
|
|
bag1_d = AssertionData(attribute_data=bag1)
|
|
bag1_d.save()
|
|
bag2 = AttributeData(definition=def_age)
|
|
bag2.save()
|
|
IntegerM(data=bag2, value=4).save()
|
|
IntegerM(data=bag2, value=5).save()
|
|
IntegerM(data=bag2, value=6).save()
|
|
bag2_d = AssertionData(attribute_data=bag2)
|
|
bag2_d.save()
|
|
p15 = PredicateComparison(operand1=bag1_d, operand2=bag2_d,
|
|
comparison_type=ACS_XACML_COMPARISON_INTEGER_GRT, rule=rule,
|
|
multivalues='DIFF_ONE_OP1_WITH_BOTTOM_LIMIT_OP2')
|
|
p15.save()
|
|
print "Predicate test comp 15 %s, id: %s" % (p15, p15.id)
|
|
|
|
print '--> Create a user'
|
|
rdm_str = ''.join(random.choice(string.ascii_uppercase + \
|
|
string.digits) for x in range(8))
|
|
username = 'user_' + rdm_str
|
|
user, created = User.objects.get_or_create(username=username)
|
|
if not user:
|
|
raise CommandError('Error creating user %s' % user)
|
|
user.set_password(username)
|
|
user.save()
|
|
print "User %s created" % user
|
|
print '<--\n'
|
|
|
|
requester = User.objects.get(username='root')
|
|
|
|
print '--> Create one policy'
|
|
name = 'policy_' + rdm_str
|
|
namespace = 'namespace_' + rdm_str
|
|
policy, created = create_policy(name, requester,
|
|
namespace=namespace)
|
|
if not policy:
|
|
raise CommandError('Error creating policy %s' % policy)
|
|
print "Policy %s created" % policy
|
|
print '<--\n'
|
|
|
|
print '--> Set user in policy'
|
|
alias, created = UserAlias.objects.get_or_create(user=user,
|
|
alias=user.username, namespace=policy.namespace)
|
|
if not alias:
|
|
raise CommandError('Error creating alias %s' % alias)
|
|
print "Alias %s created" % alias
|
|
print '<--\n'
|
|
|
|
print '--> Create two roles'
|
|
role_name_1 = 'role_1_' + rdm_str
|
|
role_1 = add_role(requester, role_name_1, policy)
|
|
if not role_1:
|
|
raise CommandError('Unable to handle a role due to %s' \
|
|
% str(role_1))
|
|
print "Role %s created" % role_1
|
|
role_name_2 = 'role_2_' + rdm_str
|
|
role_2 = add_role(requester, role_name_2, policy)
|
|
if not role_2:
|
|
raise CommandError('Unable to handle a role due to %s' \
|
|
% str(role_2))
|
|
print "Role %s created" % role_2
|
|
print '<--\n'
|
|
|
|
print '--> Add role2 to role_1'
|
|
r = mod_role(requester, role_1, policy,
|
|
roles_added=[role_2])
|
|
if r < 0:
|
|
raise CommandError(\
|
|
'Unable to handle a role due to %s' % str(r))
|
|
print "Role %s added to %s" % (role_2, role_1)
|
|
print '<--\n'
|
|
|
|
print '--> Add user to the role_1'
|
|
r = mod_role(requester, role_1, policy,
|
|
users_added=[alias])
|
|
if r < 0:
|
|
raise CommandError(\
|
|
'Unable to handle a role due to %s' % str(r))
|
|
print "User %s added to %s" % (alias, role_1)
|
|
print '<--\n'
|
|
|
|
print '--> Create one predicateRole'
|
|
p16 = PredicateRole(role=role_2, rule=rule)
|
|
p16.save()
|
|
print "Predicate role 16 %s, id: %s" % (p16, p16.id)
|
|
|
|
str_rule = "(((%s&(%s|%s))|(%s&(%s|%s)))&(%s&%s&%s&%s&%s&%s&%s&%s&%s)|%s)" % (p1.id, p3.id, p4.id, p2.id, p5.id, p6.id, p7.id, p8.id, p9.id, p10.id, p11.id, p12.id, p13.id, p14.id, p15.id, p16.id)
|
|
rule.expression=str_rule
|
|
rule.save()
|
|
|
|
object_1_name = 'object_1_' + rdm_str
|
|
object_1 = add_object(requester, object_1_name, policy)
|
|
if not object_1:
|
|
raise CommandError('Unable to handle an object due to \
|
|
%s' % str(object_1))
|
|
object_2_name = 'object_2_' + rdm_str
|
|
object_2 = add_object(requester, object_2_name, policy)
|
|
if not object_2:
|
|
raise CommandError('Unable to handle an object due to \
|
|
%s' % str(object_1))
|
|
|
|
action_1_name = 'action_1_' + rdm_str
|
|
action_1 = add_action(requester, action_1_name, policy)
|
|
if not action_1:
|
|
raise CommandError('Unable to handle an action due to \
|
|
%s' % str(action_1))
|
|
action_2_name = 'action_2_' + rdm_str
|
|
action_2 = add_action(requester, action_2_name, policy)
|
|
if not action_2:
|
|
raise CommandError('Unable to handle an action due to \
|
|
%s' % str(action_1))
|
|
|
|
view_1_name = 'view_1_' + rdm_str
|
|
view_1 = add_view(requester, view_1_name, policy)
|
|
if not view_1:
|
|
raise CommandError('Unable to handle an view due to \
|
|
%s' % str(view_1))
|
|
view_2_name = 'view_2_' + rdm_str
|
|
view_2 = add_view(requester, view_2_name, policy)
|
|
if not view_2:
|
|
raise CommandError('Unable to handle an view due to \
|
|
%s' % str(view_2))
|
|
|
|
activity_1_name = 'activity_1_' + rdm_str
|
|
activity_1 = add_activity(requester, activity_1_name, policy)
|
|
if not activity_1:
|
|
raise CommandError('Unable to handle an activity due to \
|
|
%s' % str(activity_1))
|
|
activity_2_name = 'activity_2_' + rdm_str
|
|
activity_2 = add_activity(requester, activity_2_name, policy)
|
|
if not activity_1:
|
|
raise CommandError('Unable to handle an activity due to \
|
|
%s' % str(activity_2))
|
|
|
|
print '--> Add object 2 to view 2'
|
|
r = mod_view(requester, view_2, policy,
|
|
objects_added=[object_2])
|
|
if r < 0:
|
|
raise CommandError(\
|
|
'Unable to handle a view due to %s' % str(r))
|
|
print "Object %s added to %s" % (object_2, view_2)
|
|
print '<--\n'
|
|
print '--> Add object 1 and view 2 to view 1'
|
|
r = mod_view(requester, view_1, policy,
|
|
objects_added=[object_1], views_added=[view_2])
|
|
if r < 0:
|
|
raise CommandError(\
|
|
'Unable to handle a view due to %s' % str(r))
|
|
print "Object %s and view %s added to %s" % (object_1, view_2, view_1)
|
|
print '<--\n'
|
|
|
|
print '--> Add action 2 to activity 2'
|
|
r = mod_activity(requester, activity_2, policy,
|
|
actions_added=[action_2])
|
|
if r < 0:
|
|
raise CommandError(\
|
|
'Unable to handle an activity due to %s' % str(r))
|
|
print "Action %s added to %s" % (action_2, activity_2)
|
|
print '<--\n'
|
|
print '--> Add action 1 and activity 2 to view 1'
|
|
r = mod_activity(requester, activity_1, policy,
|
|
actions_added=[action_1], activities_added=[activity_2])
|
|
if r < 0:
|
|
raise CommandError(\
|
|
'Unable to handle an activity due to %s' % str(r))
|
|
print "Action %s and activity %s added to %s" % (action_1, activity_2, activity_1)
|
|
print '<--\n'
|
|
|
|
'''
|
|
Add permission to policy
|
|
'''
|
|
AcsAbacPermission(who=None, what=view_2, how=activity_2, rule=rule).save()
|
|
|
|
'''
|
|
Request policy
|
|
'''
|
|
|
|
attributes = {}
|
|
data = []
|
|
attr = {}
|
|
attr['name'] = 'certificate_type'
|
|
attr['namespace'] = 'ACS-ABAC'
|
|
attr['values'] = ('eID',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('17', )
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('Ates',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('Mikael', 'Ersin',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'Nationality'
|
|
attr['namespace'] = 'ISO7501-1'
|
|
attr['values'] = ('FRA',)
|
|
data.append(attr)
|
|
attributes['IdP1'] = data
|
|
|
|
data = []
|
|
attr = {}
|
|
attr['name'] = 'certificate_type'
|
|
attr['namespace'] = 'ACS-ABAC'
|
|
attr['values'] = ('driver_licence',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('Ates',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('Mikael', 'Ersin',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('31q3sdf1q3sdf213q2d1f5qs',)
|
|
data.append(attr)
|
|
# attr = {}
|
|
# attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier'
|
|
# attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
# attr['values'] = ('41q3sdf1q3sdf213q2d1f5qs',)
|
|
# data['attributes'].append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('17', )
|
|
data.append(attr)
|
|
attributes['IdP2'] = data
|
|
|
|
data = []
|
|
attr = {}
|
|
attr['name'] = 'certificate_type'
|
|
attr['namespace'] = 'ACS-ABAC'
|
|
attr['values'] = ('assurance_assessment',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('Ates',)
|
|
data.append(attr)
|
|
attr = {}
|
|
attr['name'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
|
|
attr['namespace'] = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims'
|
|
attr['values'] = ('Mikael', 'Ersin', 'Bob')
|
|
data.append(attr)
|
|
attributes['IdP3'] = data
|
|
|
|
decision, msg, error = \
|
|
is_authorized_by_names_with_abac(requestor_name=user.username,
|
|
who_name=user.username,
|
|
what_name=object_1_name,
|
|
how_name=action_1_name,
|
|
namespace_name=namespace,
|
|
attributes=attributes,
|
|
no_rule_returned=True)
|
|
if error < 0:
|
|
raise CommandError('is_authorized_by_names_with_abac returned %s' % str(error))
|
|
if decision:
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
print "Access granted by permission %s" % msg
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
else:
|
|
print "------------------------------------------------------"
|
|
print "Access denied, new rule to satisfy %s" % msg
|
|
print "------------------------------------------------------"
|
|
|
|
decision, msg, error = \
|
|
is_authorized_by_names_with_abac(requestor_name=user.username,
|
|
who_name=user.username,
|
|
what_name=view_1_name, view=True,
|
|
how_name=activity_1_name, activity = True,
|
|
namespace_name=namespace,
|
|
attributes=attributes,
|
|
no_rule_returned=True)
|
|
if error < 0:
|
|
raise CommandError('is_authorized_by_names_with_abac returned %s' % str(error))
|
|
if decision:
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
print "Access granted by permission %s" % msg
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
else:
|
|
print "------------------------------------------------------"
|
|
print "Access denied, new rule to satisfy %s" % msg
|
|
print "------------------------------------------------------"
|
|
|
|
decision, msg, error = \
|
|
is_authorized_by_names_with_abac(requestor_name=user.username,
|
|
who_name=user.username,
|
|
what_name=object_2_name,
|
|
how_name=action_2_name,
|
|
namespace_name=namespace,
|
|
attributes=attributes,
|
|
no_rule_returned=True)
|
|
if error < 0:
|
|
raise CommandError('is_authorized_by_names_with_abac returned %s' % str(error))
|
|
if decision:
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
print "Access granted by permission %s" % msg
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
else:
|
|
print "------------------------------------------------------"
|
|
print "Access denied, new rule to satisfy %s" % msg
|
|
print "------------------------------------------------------"
|
|
|
|
decision, msg, error = \
|
|
is_authorized_by_names_with_abac(requestor_name=user.username,
|
|
who_name=user.username,
|
|
what_name=view_2_name, view=True,
|
|
how_name=activity_2_name, activity=True,
|
|
namespace_name=namespace,
|
|
attributes=attributes)
|
|
if error < 0:
|
|
raise CommandError('is_authorized_by_names_with_abac returned %s' % str(error))
|
|
if decision:
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
print "Access granted by permission %s" % msg
|
|
print "++++++++++++++++++++++++++++++++++++++++++++++++++++++"
|
|
else:
|
|
print "------------------------------------------------------"
|
|
print "Access denied, new rule to satisfy %s" % msg
|
|
print "------------------------------------------------------"
|
|
|
|
raise Exception('Happy end')
|
|
|
|
except Exception, err:
|
|
print "Exception: %s" %str(err)
|
|
transaction.rollback()
|
|
|
|
print '\n-------- DONE --------'
|