Enhance RBAC and ABAC support and update UI.

- The authorisation decision function now supports regex objects and first
      tries to find an IBAC or RBAC permission. If none is found, it tries to
      find an ABAC permission.

    - The user interface for ABAC permission creation proposes the predicateRole

    - Single point of entry to add a permission, with a page explaining the
      difference between RBAC and IBAC and inviting the user to select a type of permission.

    - Review of navigation elements
Mikaël Ates 2011-09-08 11:19:44 +02:00
parent bdcb85065d
commit 1db7883e7a
10 changed files with 638 additions and 376 deletions


@ -24,6 +24,7 @@ import time
from django.db import transaction
from django.core.exceptions import ObjectDoesNotExist, MultipleObjectsReturned
from django.utils.translation import ugettext as _
from acs.models import Namespace, UserAlias
@ -51,6 +52,7 @@ def extract_predicate_ids(expression):
def check_predicate(predicate, profile):
logger.debug("check_predicate: predicate id %s" % predicate.id)
if isinstance(predicate, PredicateRequired):
logger.debug("check_predicate: PredicateRequired %s" % predicate)
return check_predicate_required(predicate, profile)
@ -910,33 +912,42 @@ def load_profile_by_dic(profile, dic):
logger.debug('load_profile_by_dic: attributes: %s' \
% str(dic[source]))
for attr in dic[source]:
logger.debug('load_profile_by_dic: attribute %s of %s with values %s' \
% (attr['name'], attr['namespace'], str([x for x in attr['values']])))
expiration_date = None
if 'expiration_date' in attr:
logger.debug('load_profile_by_dic: expire at %s' \
% attr['expiration_date'])
expiration_date = attr['expiration_date']
d = get_def_from_name_and_ns(attr['name'], attr['namespace'])
if not d:
logger.error('load_profile_by_dic: \
definition not found for %s %s' \
% (attr['name'], attr['namespace']))
if not 'name' in attr or not 'namespace' in attr \
or not 'values' in attr:
logger.debug('load_profile_by_dic: \
missing data in attribute')
else:
logger.debug('load_profile_by_dic: \
definition %s found' % d)
a = add_assertion_to_profile(profile, s, d, attr['values'],
expiration_date=expiration_date)
if not a:
logger.debug('load_profile_by_dic: \
error adding assertion')
attribute %s of %s with values %s' \
% (attr['name'], attr['namespace'],
str([x for x in attr['values']])))
expiration_date = None
if 'expiration_date' in attr:
logger.debug('load_profile_by_dic: expire at %s' \
% attr['expiration_date'])
expiration_date = attr['expiration_date']
d = get_def_from_name_and_ns(attr['name'],
attr['namespace'])
if not d:
logger.error('load_profile_by_dic: \
definition not found for %s %s' \
% (attr['name'], attr['namespace']))
else:
logger.debug('load_profile_by_dic: \
assertion %s added' % a)
definition %s found' % d)
a = add_assertion_to_profile(profile, s, d,
attr['values'], expiration_date=expiration_date)
if not a:
logger.debug('load_profile_by_dic: \
error adding assertion')
else:
logger.debug('load_profile_by_dic: \
assertion %s added' % a)
else:
logger.critical('load_profile_by_dic: \
The source with name %s and attributes %s is unknown of the system'
% (str(source), str(dic[source])))
The source with name %s and attributes %s \
is unknown of the system' \
% (str(source), str(dic[source])))
@transaction.commit_manually
@ -952,6 +963,9 @@ def remove_predicate(predicate):
- AssertionDefinition
- Attached source
Objects to delete for predicate role:
- None
Objects to delete for predicate comparisons:
- AssertionDefinition
- Attached source
@ -961,7 +975,9 @@ def remove_predicate(predicate):
'''
instance = predicate.get_predicate_instance()
if isinstance(instance, PredicateRequired):
if isinstance(instance, PredicateRole):
pass
elif isinstance(instance, PredicateRequired):
logger.debug('remove_predicate: predicate required found')
for s in AttachedSource.objects.filter(assertion=instance.definition):
logger.debug('remove_predicate: remove attached source with id %s' %s.id)
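Review bot: A malformed attribute dict is dropped from the profile with only a debug-level trace in the new missing-key branch of load_profile_by_dic (`if not 'name' in attr or not 'namespace' in attr or not 'values' in attr:`), while the neighbouring "definition not found" case logs at error level; since the resulting profile feeds the ABAC decision, an attribute that silently vanishes here turns into a deny that an operator cannot explain from the logs. I would raise it to `logger.warning('load_profile_by_dic: missing data in attribute %s from source %s' % (attr, source))` so the offending payload and its source are visible. The `expiration_date` taken from the same dict is passed straight to add_assertion_to_profile; presumably it is validated there — worth confirming, since a source-supplied value controls how long the assertion stays usable. load_profile_by_dic's body starts and ends outside these hunks.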


@ -93,14 +93,20 @@ root_url = settings.ROOT_URL
PREDICATE_REQUIRED = \
"urn:entrouvert:acs:constants:predicate-required"
COMPARISON_TYPE_DIC = dict({PREDICATE_REQUIRED: _('Require attribute presence')}.items() \
PREDICATE_ROLE = \
"urn:entrouvert:acs:constants:predicate-role"
PREDICATE_TYPE_EXPL_DIC = \
dict({PREDICATE_REQUIRED: _('Require attribute presence'),
PREDICATE_ROLE: _('Require role')}.items() \
+ XACML_COMPARISON_TYPE_DIC.items())
PREDICATE_TYPES = (PREDICATE_REQUIRED, ) + ACS_XACML_COMPARISON \
PREDICATE_TYPES = (PREDICATE_REQUIRED, PREDICATE_ROLE, ) + ACS_XACML_COMPARISON \
+ XACML_COMPARISON_EQUALITY
PREDICATE_TYPES_TYPE = ((PREDICATE_REQUIRED, _('Require attribute presence')),) \
+ XACML_COMPARISON_DIFF_TYPE + XACML_COMPARISON_EQUALITY_TYPE
PREDICATE_TYPES_TYPE = ((PREDICATE_REQUIRED, _('Require attribute presence')),
(PREDICATE_ROLE, _('Require role')), ) \
+ XACML_COMPARISON_DIFF_TYPE + XACML_COMPARISON_EQUALITY_TYPE
@csrf_exempt
@ -149,6 +155,12 @@ def add_abac_permission(request):
_('Working operand removed'))
return return_add_abac_permission_form(request)
'''
Predicate choice
- creation
- validation
- deletion
'''
if 'predicate_type' in request.POST \
and 'new_predicate' in request.POST:
if 'working_predicate' in request.session:
@ -157,7 +169,7 @@ def add_abac_permission(request):
before defining a new one'))
return return_add_abac_permission_form(request)
else:
if not request.POST['predicate_type'] in COMPARISON_TYPE_DIC:
if not request.POST['predicate_type'] in PREDICATE_TYPE_EXPL_DIC:
messages.add_message(request, messages.ERROR,
_('Unknown predicate type %s') \
% request.POST['predicate_type'])
@ -166,11 +178,57 @@ def add_abac_permission(request):
request.session['working_predicate']['type'] = \
request.POST['predicate_type']
request.session['working_predicate']['type_friendly'] = \
COMPARISON_TYPE_DIC[(request.POST['predicate_type'])]
PREDICATE_TYPE_EXPL_DIC[(request.POST['predicate_type'])]
request.session['working_predicate']['working_operand'] = {}
request.session['working_predicate']['working_operand']['type'] = 'definition'
return return_add_abac_permission_form(request)
if 'close_working_predicate' in request.POST:
if not 'working_predicate' in request.session:
messages.add_message(request, messages.ERROR,
_('No working predicate'))
elif not 'type' in request.session['working_predicate']:
messages.add_message(request, messages.ERROR,
_('Missing predicate type'))
else:
predicates = []
if 'predicates' in request.session:
predicates = request.session['predicates']
request.session.pop('predicates')
predicates.append(request.session['working_predicate'])
request.session.pop('working_predicate')
request.session['predicates'] = predicates
messages.add_message(request, messages.INFO,
_('Predicate recorded'))
return return_add_abac_permission_form(request)
if 'delete_predicate' in request.POST \
and 'predicate_id' in request.POST:
if not 'predicates' in request.session:
messages.add_message(request, messages.ERROR,
_('No predicate to delete'))
elif int(request.POST['predicate_id']) > len(request.session['predicates']):
messages.add_message(request, messages.ERROR,
_('Unknown predicate'))
else:
predicates = request.session['predicates']
predicates.pop(int(request.POST['predicate_id'])-1)
request.session.pop('predicates')
if not predicates:
if 'rule' in request.session:
request.session.pop('rule')
else:
request.session['predicates'] = predicates
messages.add_message(request, messages.INFO,
_('Predicate removed'))
return return_add_abac_permission_form(request)
'''
Predicate choice:
- select definition and require single-valued
- select source
'''
if 'select_attribute_definition' in request.POST \
and 'attribute_definition_id' in request.POST:
if not 'working_predicate' in request.session:
@ -236,46 +294,43 @@ def add_abac_permission(request):
_('Source not found'))
return return_add_abac_permission_form(request)
if 'close_working_predicate' in request.POST:
'''
Predicate role:
- select role
'''
if 'select_role' in request.POST \
and 'role_id' in request.POST:
if not 'working_predicate' in request.session:
messages.add_message(request, messages.ERROR,
_('No working predicate'))
elif not 'type' in request.session['working_predicate']:
messages.add_message(request, messages.ERROR,
_('Missing predicate type'))
elif request.session['working_predicate']['type'] != \
PREDICATE_ROLE:
messages.add_message(request, messages.ERROR,
_('Working predicate is not a required role'))
else:
predicates = []
if 'predicates' in request.session:
predicates = request.session['predicates']
request.session.pop('predicates')
predicates.append(request.session['working_predicate'])
request.session.pop('working_predicate')
request.session['predicates'] = predicates
messages.add_message(request, messages.INFO,
_('Predicate recorded'))
try:
role = Role.objects.get(id=request.POST['role_id'])
working_predicate = request.session['working_predicate']
request.session.pop('working_predicate')
working_predicate['role'] \
= role
request.session['working_predicate'] = working_predicate
except:
messages.add_message(request, messages.ERROR,
_('Role not found'))
return return_add_abac_permission_form(request)
if 'delete_predicate' in request.POST \
and 'predicate_id' in request.POST:
if not 'predicates' in request.session:
messages.add_message(request, messages.ERROR,
_('No predicate to delete'))
elif int(request.POST['predicate_id']) > len(request.session['predicates']):
messages.add_message(request, messages.ERROR,
_('Unknown predicate'))
else:
predicates = request.session['predicates']
predicates.pop(int(request.POST['predicate_id'])-1)
request.session.pop('predicates')
if not predicates:
if 'rule' in request.session:
request.session.pop('rule')
else:
request.session['predicates'] = predicates
messages.add_message(request, messages.INFO,
_('Predicate removed'))
return return_add_abac_permission_form(request)
'''
Predicate comparison:
- indicate single-valued operand
- as a consequence, choice multivalues management option
- define operands
'''
if 'select_multivalue_step_one' in request.POST:
if not 'working_predicate' in request.session:
messages.add_message(request, messages.ERROR,
@ -303,6 +358,8 @@ def add_abac_permission(request):
and working_predicate['type'] \
in XACML_COMPARISON_EQUALITY:
working_predicate['multivalues_step_two'] = 'EQUAL_ONE_VALUE'
working_predicate['multivalues_explanation'] = \
_('One of the two operand might be multivalued, then the comparison will search that at least one value of multi values is equal to the value of the other attribute.')
request.session['working_predicate'] = working_predicate
return return_add_abac_permission_form(request)
@ -373,14 +430,16 @@ def add_abac_permission(request):
_('The first attribute may have multiple values that exactly match the values of the second attribute.')
elif working_predicate['multivalues_step_two'] \
== 'EQUAL_ONE_VALUE':
if 'operandtwo_singlevalued' in working_predicate \
or 'operandtwo_singlevalued' in working_predicate:
working_predicate['multivalues_explanation'] = \
_('One of the two operand might be multivalued, then the comparison will search that at least one value of multi values is equal to the value of the other attribute.')
elif not 'operandtwo_singlevalued' in working_predicate \
and not 'operandtwo_singlevalued' in working_predicate:
working_predicate['multivalues_explanation'] = \
_('The first attribute may have multiple values and at least one must be equal to a value of the second attribute.')
working_predicate['multivalues_explanation'] = \
_('The first attribute may have multiple values and at least one must be equal to a value of the second attribute.')
logger.debug('add_abac_permission: predicate %s' \
% working_predicate['type'])
logger.debug('add_abac_permission: multivalues %s' \
% working_predicate['multivalues_step_two'])
logger.debug('add_abac_permission: explanation %s' \
% working_predicate['multivalues_explanation'])
request.session['working_predicate'] = working_predicate
return return_add_abac_permission_form(request)
@ -596,6 +655,9 @@ def add_abac_permission(request):
return return_add_abac_permission_form(request)
'''
Rule definition
'''
if 'set_rule' in request.POST and \
'rule_string' in request.POST:
if not 'predicates' in request.session:
@ -611,16 +673,14 @@ def add_abac_permission(request):
for predicate in request.session['predicates']:
check = re.sub(str(p_id), '', check)
p_id = p_id + 1
check = re.sub(' ', '', check)
check = re.sub('\)', '', check)
check = re.sub('\(', '', check)
check = re.sub('&', '', check)
check = re.sub('|', '', check)
check = re.sub('-', '', check)
for it in [' ', '\)', '\(', '&', '\|', '-']:
check = re.sub(it, '', check)
if check:
messages.add_message(request, messages.ERROR,
_('The logical expression contains unknown \
predicates or unauthorized characters (%s)' % check))
logger.debug('add_abac_permission: check failure: %s' \
% check)
elif not is_proposition(request.POST['rule_string']):
'''
Check that the logical expression is well-formed
@ -633,6 +693,9 @@ def add_abac_permission(request):
request.session['rule'] = request.POST['rule_string']
return return_add_abac_permission_form(request)
'''
Permission definition
'''
if 'add_permission' in request.POST:
if not 'predicates' in request.session:
messages.add_message(request, messages.ERROR,
@ -661,6 +724,12 @@ def add_abac_permission(request):
messages.add_message(request, messages.ERROR,
_('Fail to find who due to %s') % err)
return return_add_abac_permission_form(request)
if not isinstance(who, UserAlias):
logger.error('add_permission: \
who should only be a user')
messages.add_message(request, messages.ERROR,
_("Who should only be a user or 'Anybody'"))
return return_add_abac_permission_form(request)
try:
what = get_what_from_one_post_field(request, 'what_matches')
how = get_how_from_one_post_field(request, 'how_matches')
@ -745,6 +814,10 @@ def check_data_and_create_permission(request, who, what, how):
if 'singlevalued' in predicate:
single_value = True
pred = PredicateRequired(definition=ad, rule=rule, single_value=single_value)
elif predicate['type'] == PREDICATE_ROLE:
if not 'role' in predicate:
raise Exception('Missing role of predicate %s' %str(p_id))
pred = PredicateRole(role=predicate['role'], rule=rule)
else:
if not 'multivalues_step_two' in predicate \
or not 'multivalues_explanation' in predicate \
@ -836,12 +909,8 @@ def check_data_and_create_permission(request, who, what, how):
check = expression
for key in p_ids1.keys():
check = re.sub(str(key), '', check)
check = re.sub(' ', '', check)
check = re.sub('\)', '', check)
check = re.sub('\(', '', check)
check = re.sub('&', '', check)
check = re.sub('|', '', check)
check = re.sub('-', '', check)
for it in [' ', '\)', '\(', '&', '\|', '-']:
check = re.sub(it, '', check)
if check:
raise Exception('The logical expression contains unknown \
predicates or unauthorized characters (%s)' % check)
@ -971,7 +1040,7 @@ def handle_operand(predicate, p_id, name, d):
v = value
else:
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
IpAddress(data=data, value=v).save()
IpAddressM(data=data, value=v).save()
except:
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
try:
@ -981,7 +1050,6 @@ def handle_operand(predicate, p_id, name, d):
raise Exception('Unable to create assertion of %s of predicate %s' % (name, str(p_id)))
return a
#Previouslu define choices of multival according to the working pred
@check_policy_in_session
@check_authorized_for_abac
@ -989,10 +1057,11 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
tpl_p = {}
policy = get_policy_from_session(request)
tpl_p['multivalues'] = []
if 'working_predicate' in request.session \
and 'type' in request.session['working_predicate']:
and 'type' in request.session['working_predicate'] \
and request.session['working_predicate']['type'] \
in (XACML_COMPARISON_EQUALITY, ACS_XACML_COMPARISON):
if 'multivalues_step_one' in request.session['working_predicate'] \
and request.session['working_predicate']['type'] \
@ -1004,18 +1073,18 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
tpl_p['multivalues'].append(('EQUAL_OP1_SUBSET_OP2', _('The first attribute may have multiple values and each must be equal to a value of the second attribute (subset)')))
tpl_p['multivalues'].append(('EQUAL_EXACT_MATCH', _('The first attribute may have multiple values that exactly match the values of the second attribute')))
if 'multivalues_step_one' in request.session['working_predicate'] \
elif 'multivalues_step_one' in request.session['working_predicate'] \
and request.session['working_predicate']['type'] \
in ACS_XACML_COMPARISON \
and not 'multivalues_step_two' in request.session['working_predicate']:
s = None
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_LT:
s = 'less than'
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_LT_OE:
elif request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_LT_OE:
s = 'less than or equal to'
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT:
elif request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT:
s = 'greater than'
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT_OE:
elif request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT_OE:
s = 'greater than or equal to'
tpl_p['multivalues'].append(('DIFF_ALL_OP1_WITH_UPPER_LIMIT_OP2', _('All values of operand one must be %s the highest value of operand two') %s))
tpl_p['multivalues'].append(('DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2', _('All values of operand one must be %s the smallest value of operand two') %s))
@ -1027,6 +1096,16 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
if request.session['working_predicate']['type'] == \
PREDICATE_REQUIRED:
tpl_p['attribute_definitions'] = get_all_attribute_definitions()
elif request.session['working_predicate']['type'] == \
PREDICATE_ROLE:
if is_policy_user_administrator(request.user, policy):
tpl_p['roles'] = Role.objects.filter(namespace=policy.namespace)
else:
tpl_p['roles'] = \
return_list_roles_authorized_for_admin(
set_default_alias(request.user))
tpl_p['roles'] = \
filter_list_in_namespace(tpl_p['roles'], policy.namespace)
else:
tpl_p['attribute_definitions'] = \
AttributeDefinition.objects.filter(attribute_type=ACS_COMP_TYPE[request.session['working_predicate']['type']])
@ -1044,20 +1123,15 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
if 'rule' in request.session:
tpl_p['rule'] = request.session['rule']
tpl_p['who_to_display'] = \
return_list_users_authorized_for_admin(
set_default_alias(request.user)) + \
return_list_roles_authorized_for_admin(
set_default_alias(request.user))
tpl_p['who_to_display'] = \
filter_list_in_namespace(tpl_p['who_to_display'], policy.namespace)
if is_policy_user_administrator(request.user, policy):
for a in UserAlias.objects.filter(namespace=policy.namespace):
if not a in tpl_p['who_to_display']:
tpl_p['who_to_display'].append(a)
for a in Role.objects.filter(namespace=policy.namespace):
if not a in tpl_p['who_to_display']:
tpl_p['who_to_display'].append(a)
tpl_p['who_to_display'] = \
UserAlias.objects.filter(namespace=policy.namespace)
else:
tpl_p['who_to_display'] = \
filter_list_in_namespace(
return_list_users_authorized_for_admin(
set_default_alias(request.user)),
policy.namespace)
tpl_p['what_to_display'] = \
return_list_objects_authorized_for_admin(
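Review bot: The `select_role` handler accepts any `role_id` — `Role.objects.get(id=request.POST['role_id'])` is not checked against `policy.namespace` or against the roles the requester is allowed to administer; that filtering only happens when `tpl_p['roles']` is built for display, so a crafted POST can attach a role from another namespace (or one the admin has no rights on) to the working predicate, and check_data_and_create_permission then persists it unchanged as `PredicateRole(role=predicate['role'], rule=rule)`. The handler should re-derive the same allowed set the form offers and reject anything outside it, and the bare `except:` there should be narrowed so database errors are not reported as "Role not found" (rewrite below). A smaller issue in `delete_predicate`: only `predicate_id > len(...)` is rejected, so `0` or a negative value reaches `predicates.pop(int(...)-1)` and removes a different entry, and a non-numeric value raises from `int()`; a guarded conversion plus a `1 <= idx <= len(predicates)` test closes both. add_abac_permission starts and ends outside these hunks.
```python
try:
    role = Role.objects.get(id=request.POST['role_id'])
except (Role.DoesNotExist, ValueError):
    role = None
policy = get_policy_from_session(request)
if is_policy_user_administrator(request.user, policy):
    allowed_roles = Role.objects.filter(namespace=policy.namespace)
else:
    allowed_roles = filter_list_in_namespace(
        return_list_roles_authorized_for_admin(
            set_default_alias(request.user)),
        policy.namespace)
if role is None or role not in allowed_roles:
    messages.add_message(request, messages.ERROR,
        _('Role not found'))
    return return_add_abac_permission_form(request)
working_predicate = request.session['working_predicate']
working_predicate['role'] = role
request.session['working_predicate'] = working_predicate
# … unchanged: return return_add_abac_permission_form(request) …
```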


@ -282,7 +282,7 @@ def list_aliases(request, pk=None):
sources = None
try:
sources = Source.objects.all()
sources = LdapSource.objects.all()
except Exception, err:
logger.error('list_aliases: An error occurred looking for \
sources: %s' % err)
@ -316,8 +316,7 @@ def list_aliases(request, pk=None):
'''
aliases_sources = []
for source in sources:
if not (isinstance(source.get_source_instance(), LdapSource) \
and source.get_source_instance().is_auth_backend):
if not source.get_source_instance().is_auth_backend:
ns = None
try:
ns = Namespace.objects.get(name=source.name)


@ -567,6 +567,7 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
what = None
whats_regexp = None
if view:
try:
what = View.objects.get(name=what_name, namespace=ns)
@ -583,12 +584,14 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
View %s - Error due to %s' % (what_name, err))
return (False, None, -5)
else:
whats_regexp = get_objects_from_regex(what_name, ns)
try:
what = AcsObject.objects.get(name=what_name, namespace=ns)
except ObjectDoesNotExist:
logger.error('is_authorized_by_names_with_abac: \
unable to find the object object')
return (False, None, -2)
if not whats_regexp:
return (False, None, -2)
except MultipleObjectsReturned:
logger.critical('is_authorized_by_names_with_abac: \
Multiple objects with name %s' %what_name)
@ -681,22 +684,50 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
logger.debug("The requester is different from who that means that the requester must \
be authorized on the parameters of its request")
administration = Action.objects.get(name='administration')
p = isAuthorizedRBAC2(set_default_alias(requestor), what, administration)
if not is_policy_object_creator(requestor, policy) and not p:
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
% (requestor, what))
return (False, None, -9)
p = isAuthorizedRBAC2(set_default_alias(requestor), how, administration)
if not is_policy_action_creator(requestor, policy) and not p:
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
% (requestor, how))
return (False, None, -10)
if who:
p = isAuthorizedRBAC2(set_default_alias(requestor), who, administration)
if not is_policy_user_administrator(requestor, policy) and not p:
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
% (requestor, who))
return (False, None, -11)
if what:
p = isAuthorizedRBAC2(set_default_alias(requestor), what, administration)
if not is_policy_object_creator(requestor, policy) and not p:
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
% (requestor, what))
return (False, None, -9)
if whats_regexp:
for o in whats_regexp:
p = isAuthorizedRBAC2(set_default_alias(requestor), o, administration)
if not is_policy_object_creator(requestor, policy) and not p:
logger.warning('is_authorized_by_names_with_abac: %s is not authorized on %s \
This object is removed from permission lookup!' \
% (requestor, o))
whats_regexp.pop(o)
p = isAuthorizedRBAC2(set_default_alias(requestor), how, administration)
if not is_policy_action_creator(requestor, policy) and not p:
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
% (requestor, how))
return (False, None, -10)
'''
RBAC permission checking
'''
if who and what:
p = isAuthorizedRBAC2(who, what, how)
if p:
return (True, p, 0)
if who and whats_regexp:
for o in whats_regexp:
p = isAuthorizedRBAC2(who, o, how)
if p:
return (True, p, 0)
'''
ABAC permission checking
'''
'''
Attribute loading in profile object
@ -755,35 +786,45 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
All the permissions with and view or an activity containing the what
and how
'''
'''
There are no ABAC permissions for administration and then what is only
AcsObject or View
'''
what_list = []
if isinstance(what, AcsObject):
if whats_regexp:
for o in whats_regexp:
views = View.objects.filter(acs_objects__id=o.id)
for view in views:
if view.namespace == ns and not view in what_list:
what_list.append(view)
if what and isinstance(what, AcsObject):
views = View.objects.filter(acs_objects__id=what.id)
for view in views:
if view.namespace == ns:
if view.namespace == ns and not view in what_list:
what_list.append(view)
elif isinstance(what, View):
elif what and isinstance(what, View):
if what.namespace == ns:
what_list.append(what)
elif isinstance(what, UserAlias):
views = View.objects.filter(users__id=what.id)
for view in views:
if view.namespace == ns:
what_list.append(view)
elif isinstance(what, Role):
views = View.objects.filter(roles__id=what.id)
for view in views:
if view.namespace == ns:
what_list.append(view)
elif isinstance(what, Action):
views = View.objects.filter(actions__id=what.id)
for view in views:
if view.namespace == ns:
what_list.append(view)
elif isinstance(what, Activity):
views = View.objects.filter(activities__id=what.id)
for view in views:
if view.namespace == ns:
what_list.append(view)
# elif isinstance(what, UserAlias):
# views = View.objects.filter(users__id=what.id)
# for view in views:
# if view.namespace == ns:
# what_list.append(view)
# elif isinstance(what, Role):
# views = View.objects.filter(roles__id=what.id)
# for view in views:
# if view.namespace == ns:
# what_list.append(view)
# elif isinstance(what, Action):
# views = View.objects.filter(actions__id=what.id)
# for view in views:
# if view.namespace == ns:
# what_list.append(view)
# elif isinstance(what, Activity):
# views = View.objects.filter(activities__id=what.id)
# for view in views:
# if view.namespace == ns:
# what_list.append(view)
'''Limit the number of views to check'''
limit = 0
@ -798,7 +839,10 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
if it not in what_list and it.namespace == ns:
what_list.append(it)
i = i + 1
what_list.append(what)
if what:
what_list.append(what)
for o in whats_regexp:
what_list.append(o)
how_list = []
if isinstance(how, Action):
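Review bot: The pruning loop `for o in whats_regexp: ... whats_regexp.pop(o)` cannot do what the warning says it does: `list.pop` takes an index, so passing the object raises TypeError, and if `get_objects_from_regex` returns some other sequence, removing from it while iterating it skips the element that follows — either way an object the requester is not authorized to administer is not reliably removed from the permission lookup, which is the one place this function must be strict. Rebuild the list instead of mutating it in place (below); consider also denying outright when nothing survives, since the later `if whats_regexp:` guards then simply fall through to the ABAC lookup. Separately, `whats_regexp` is None on the `view` path, and the `for o in whats_regexp:` that appends to `what_list` near the end is not visibly guarded the way the earlier uses are — worth confirming given the lost indentation. is_authorized_by_names_with_abac starts and ends outside these hunks.
```python
if whats_regexp:
    authorized = []
    for o in whats_regexp:
        p = isAuthorizedRBAC2(set_default_alias(requestor), o, administration)
        if not is_policy_object_creator(requestor, policy) and not p:
            logger.warning('is_authorized_by_names_with_abac: %s is not authorized on %s \
This object is removed from permission lookup!' \
                % (requestor, o))
            continue
        authorized.append(o)
    whats_regexp = authorized
# … unchanged: administration check on how, RBAC permission checking …
```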


@ -361,15 +361,6 @@ def mod_policy(request):
list_other_services['graph?type_graph=whole_policy'] = \
"Display the whole policy"
if is_policy_abac_administrator(request.user, policy):
if at_least_one_abac_permission_to_set(request.user, policy):
list_abac_services['add_abac_permission'] = \
"Create an ABAC permission"
if at_least_one_abac_permission_to_admin(request.user,
policy):
list_abac_services['list_abac_permissions'] = \
"Modify or delete an ABAC permission"
if at_least_one_role_to_admin(request.user, policy):
list_user_services['list_roles'] = "Modify or delete a role"
@ -392,12 +383,28 @@ def mod_policy(request):
list_action_services['list_activities'] = \
"Modify or delete an activity"
if at_least_one_permission_to_set(request.user, policy):
list_services['add_permission'] = "Add a permission"
if is_policy_user_administrator(request.user, policy):
if at_least_one_permission_to_set(request.user, policy) \
or at_least_one_abac_permission_to_set(request.user,
policy):
list_services['add_permission_any'] = "Add a permission"
if at_least_one_abac_permission_to_admin(request.user,
policy):
list_services['list_abac_permissions'] = \
"List and delete ABAC permissions"
if at_least_one_permission_to_remove(request.user, policy):
list_services['list_permissions'] = \
"List and delete IBAC or RBAC permissions"
else:
if at_least_one_permission_to_set(request.user, policy):
list_services['add_permission'] = \
"Add a permission (only IBAC or RABC)"
list_services['list_permissions'] = \
"List and delete IBAC or RBAC permissions"
if at_least_one_permission_to_remove(request.user, policy):
list_services['list_permissions'] = "Delete a permission"
if at_least_one_permission_to_remove(request.user, policy) \
or at_least_one_abac_permission_to_admin(request.user,
policy):
list_other_services['ask_decision'] = "Ask for a decision"
list_other_services['ask_decision_regex'] = \
"Ask for a decision with a regex"
@ -409,10 +416,6 @@ def mod_policy(request):
if list_user_services:
list_authorized_services['Users and Roles management'] = \
list_user_services
if list_abac_services:
list_authorized_services[\
'Attribute based access control management'] = \
list_abac_services
if list_object_services:
list_authorized_services['Objects and Views management'] = \
list_object_services
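Review bot: In the non-administrator branch of mod_policy, `list_services['list_permissions'] = "List and delete IBAC or RBAC permissions"` is set under `at_least_one_permission_to_set(...)`, whereas the administrator branch just above keys the same entry on `at_least_one_permission_to_remove(...)`; an admin who may add but not remove permissions is thus offered a delete page. Move that assignment under its own `if at_least_one_permission_to_remove(request.user, policy):` as the sibling branch does, and fix the "RABC" typo in the add label; the surviving `list_services['list_permissions'] = "Delete a permission"` line that follows appears to overwrite both new labels whenever removal is allowed — indentation is lost here, so confirm where it now sits. This menu is presentation only: the `is_policy_abac_administrator` gate removed from this view must still be enforced by the ABAC views themselves (`return_add_abac_permission_form` carries `@check_authorized_for_abac`; presumably `add_abac_permission` and `list_abac_permissions` do too — verify). mod_policy starts and ends outside these hunks.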


@ -92,224 +92,256 @@
{% endif %}
{% else %}
<p>{% trans "The working predicate is of type" %} <strong>{{ working_predicate.type_friendly }}</strong>.</p>
{% if not working_predicate.multivalues_step_one %}
{% if working_predicate.type == "urn:entrouvert:acs:constants:predicate-role" %}
{% if working_predicate.role %}
<p>
{% trans "The working predicate is role" %} <strong>{{ working_predicate.role }} {% trans "is required" %}</strong>.
</p>
<p>
<form method="post" action="">
<p>
{% trans "The predicate have two operands. The first one indicate an attribute expected from a source. The second one might be one or multiple values, or an a different attribute from the same source, or another attribute issued from a different source." %}
</p>
<p>
{% trans "You can indicate that an attribute might be provided by one source among many, it is a or statement. Then, you can't enforce that an attribute be provided by a unique source among multiple. You can not also enforce singlevalued attributes if you want to let the choice in the source. Then, if you want that an attribute be single-valued, you will only be authorized to select one source. If you want single-valued attribute but let the choice in the source, you have to declare multiple predicate." %}
</p>
<p>
{% trans "If you authorize that an attribute be multivalued or you to let the choice in sources, you will be prompt to choose how multivalues must be handled." %}
</p>
<p>
{% trans "By checking the following box you indicate that the operand one must be single-valued." %}
<input type="checkbox" name="operandone_singlevalued" value="singlevalued"/>
</p>
<p>
{% trans "By checking the following box you indicate that the opernad two must be single-valued or that you wish indicate a unique value of comparison." %}
<input type="checkbox" name="operandtwo_singlevalued" value="singlevalued"/>
</p>
<input type="submit" name="select_multivalue_step_one" value="{% trans "Ok" %}"/>
<input type="submit" name="close_working_predicate" value="{% trans "Finish predicate" %}"/>
</form>
</p>
{% else %}
<p>{% trans "The working predicate is of type" %} <strong>{% trans "role required" %}</strong>.</p>
<form method="post" action="">
<p>{% trans "Choose a role" %}:
<select name="role_id" id="role">
{% for role in roles %}
<option value="{{ role.id }}">{{ role.name }}</option>
{% endfor %}
</select>
<p>
<input type="submit" name="select_role" value="{% trans "Choose" %}"/>
</p>
</p>
</form>
{% endif %}
{% else %}
<p>
{% if working_predicate.operandone_singlevalued %}
{% trans "Operand one must be single-valued." %}
{% else %}
{% trans "Operand one may be multivalued." %}
{% endif %}
{% if working_predicate.operandtwo_singlevalued %}
{% trans "Operand two must be single-valued." %}
{% else %}
{% trans "Operand two may be multivalued." %}
{% endif %}
</p>
<p>{% trans "The working predicate is of type" %} <strong>{{ working_predicate.type_friendly }}</strong>.</p>
{% if not working_predicate.multivalues_step_one %}
{% if not working_predicate.multivalues_step_two %}
<p>{% trans "Choose how multivalued attribued are compared:" %}
<form method="post" action="">
<select name="multivalues" id="multivalues">
{% for multivalue, f_multivalue in multivalues %}
<option value="{{ multivalue }}">{{ f_multivalue }}</option>
{% endfor %}
</select>
<input type="submit" name="select_multivalue_step_two" value="{% trans "Ok" %}"/>
<p>
{% trans "The predicate have two operands. The first one indicate an attribute expected from a source. The second one might be one or multiple values, or an a different attribute from the same source, or another attribute issued from a different source." %}
</p>
<p>
{% trans "You can indicate that an attribute might be provided by one source among many, it is a or statement. Then, you can't enforce that an attribute be provided by a unique source among multiple. You can not also enforce singlevalued attributes if you want to let the choice in the source. Then, if you want that an attribute be single-valued, you will only be authorized to select one source. If you want single-valued attribute but let the choice in the source, you have to declare multiple predicate." %}
</p>
<p>
{% trans "If you authorize that an attribute be multivalued or you to let the choice in sources, you will be prompt to choose how multivalues must be handled." %}
</p>
<p>
{% trans "By checking the following box you indicate that the operand one must be single-valued." %}
<input type="checkbox" name="operandone_singlevalued" value="singlevalued"/>
</p>
<p>
{% trans "By checking the following box you indicate that the opernad two must be single-valued or that you wish indicate a unique value of comparison." %}
<input type="checkbox" name="operandtwo_singlevalued" value="singlevalued"/>
</p>
<input type="submit" name="select_multivalue_step_one" value="{% trans "Ok" %}"/>
</form>
</p>
{% else %}
<p>{{ working_predicate.multivalues_explanation }}</p>
{% if working_predicate.operand1_defined %}
<p>{% trans "Operand one is attribute" %} <strong>{{ working_predicate.operand1_defined.definition_name }}</strong>
{% if working_predicate.operand1_defined.type == "definition" %}
{% trans " from" %}(
{% for s_id, s_name in working_predicate.operand1_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
{% trans "of values" %}(
{% for value in working_predicate.operand1_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
<p>
{% if working_predicate.operandone_singlevalued %}
{% trans "Operand one must be single-valued." %}
{% else %}
{% trans "Operand one may be multivalued." %}
{% endif %}
{% if working_predicate.operand2_defined %}
{% if working_predicate.operand2_defined.type == "definition" %}
<p>{% trans "Operand two is attribute" %} <strong>{{ working_predicate.operand2_defined.definition_name }}</strong>
{% trans " from" %}(
{% for s_id, s_name in working_predicate.operand2_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
<p>{% trans "Compared with values" %}(
{% for value in working_predicate.operand2_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
{% if working_predicate.operandtwo_singlevalued %}
{% trans "Operand two must be single-valued." %}
{% else %}
{% trans "Operand two may be multivalued." %}
{% endif %}
</p>
{% if not working_predicate.operand1_defined or not working_predicate.operand2_defined %}
{% if not working_predicate.working_operand %}
<form method="post" action="">
<p>{% trans "Compared with" %}:</p>
<ul>
<li>
<p>{% trans "the same attribute from another source or a different attribute" %}</p>
<input type="submit" name="operand_is_definition" value="{% trans "Attribute" %}"/>
</li>
<li>
<p>{% trans "with one or multiple values" %}</p>
<input type="submit" name="operand_is_definition_data" value="{% trans "Value" %}"/>
</li>
</ul>
</form>
</p>
{% else %}
{% if not working_predicate.working_operand.definition_name %}
{% if not working_predicate.operand1_defined %}
<p>{% trans "Choose an attribute as operand one of the comparison:" %}
{% else %}
<p>{% trans "Choose an attribute as operand two of the comparison:" %}
{% endif %}
<form method="post" action="">
<select name="attribute_definition_id" id="attribute_definition">
{% for attr_definition in attribute_definitions %}
<option value="{{ attr_definition.id }}">{{ attr_definition.attribute_name }}</option>
{% endfor %}
</select>
<input type="submit" name="select_attribute_definition_operand" value="{% trans "Ok" %}"/>
</form>
{% if not working_predicate.multivalues_step_two %}
<p>{% trans "Choose how multivalued attribued are compared:" %}
<form method="post" action="">
<select name="multivalues" id="multivalues">
{% for multivalue, f_multivalue in multivalues %}
<option value="{{ multivalue }}">{{ f_multivalue }}</option>
{% endfor %}
</select>
<input type="submit" name="select_multivalue_step_two" value="{% trans "Ok" %}"/>
</form>
</p>
{% else %}
<p>{{ working_predicate.multivalues_explanation }}</p>
{% if working_predicate.operand1_defined %}
<p>{% trans "Operand one is attribute" %} <strong>{{ working_predicate.operand1_defined.definition_name }}</strong>
{% if working_predicate.operand1_defined.type == "definition" %}
{% trans " from" %}(
{% for s_id, s_name in working_predicate.operand1_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
{% trans "of values" %}(
{% for value in working_predicate.operand1_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
{% endif %}
{% if working_predicate.operand2_defined %}
{% if working_predicate.operand2_defined.type == "definition" %}
<p>{% trans "Operand two is attribute" %} <strong>{{ working_predicate.operand2_defined.definition_name }}</strong>
{% trans " from" %}(
{% for s_id, s_name in working_predicate.operand2_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
<p>{% trans "Compared with values" %}(
{% for value in working_predicate.operand2_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
{% endif %}
{% if not working_predicate.operand1_defined or not working_predicate.operand2_defined %}
{% if not working_predicate.working_operand %}
<form method="post" action="">
<p>{% trans "Compared with" %}:</p>
<ul>
<li>
<p>{% trans "the same attribute from another source or a different attribute" %}</p>
<input type="submit" name="operand_is_definition" value="{% trans "Attribute" %}"/>
</li>
<li>
<p>{% trans "with one or multiple values" %}</p>
<input type="submit" name="operand_is_definition_data" value="{% trans "Value" %}"/>
</li>
</ul>
</form>
</p>
{% else %}
{% if working_predicate.working_operand.type == "definition" %}
{% if not working_predicate.working_operand.definition_name %}
{% if not working_predicate.operand1_defined %}
<p>{% trans "Operand one is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandone_singlevalued%}
<p>{% trans "From:" %}
<form method="post" action="">
<select name="source_operand_id" id="source">
{% for source in sources %}
<option value="{{ source.id }}">{{ source.name }}</option>
{% endfor %}
</select>
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
</form>
</p>
{% endif %}
<p>{% trans "Choose an attribute as operand one of the comparison:" %}
{% else %}
<p>{% trans "Operand two is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandtwo_singlevalued%}
<p>{% trans "From:" %}
<form method="post" action="">
<select name="source_operand_id" id="source">
{% for source in sources %}
<option value="{{ source.id }}">{{ source.name }}</option>
{% endfor %}
</select>
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
</form>
</p>
{% endif %}
<p>{% trans "Choose an attribute as operand two of the comparison:" %}
{% endif %}
{% if working_predicate.working_operand.sources_selected %}
<p>{% trans "Sources already defined:" %}
<ul>
{% for s_id, s_name in working_predicate.working_operand.sources_selected %}
<li><strong>{{ s_name }}</strong></option>
{% endfor %}
</ul>
</p>
<p>
<form method="post" action="">
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
<select name="attribute_definition_id" id="attribute_definition">
{% for attr_definition in attribute_definitions %}
<option value="{{ attr_definition.id }}">{{ attr_definition.attribute_name }}</option>
{% endfor %}
</select>
<input type="submit" name="select_attribute_definition_operand" value="{% trans "Ok" %}"/>
</form>
</p>
{% endif %}
</p>
{% else %}
<p>{% trans "Compared with..." %}</p>
{% if working_predicate.working_operand.type == "definition" %}
{% if not working_predicate.operand1_defined %}
<p>{% trans "Operand one is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandone_singlevalued%}
<p>{% trans "From:" %}
<form method="post" action="">
<select name="source_operand_id" id="source">
{% for source in sources %}
<option value="{{ source.id }}">{{ source.name }}</option>
{% endfor %}
</select>
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
</form>
</p>
{% endif %}
{% else %}
<p>{% trans "Operand two is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandtwo_singlevalued%}
<p>{% trans "From:" %}
<form method="post" action="">
<select name="source_operand_id" id="source">
{% for source in sources %}
<option value="{{ source.id }}">{{ source.name }}</option>
{% endfor %}
</select>
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
</form>
</p>
{% endif %}
{% endif %}
{% if not working_predicate.operand1_defined %}
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandone_singlevalued%}
<p>{% trans "Add a value:" %}
<form method="post" action="">
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
</form>
{% if working_predicate.working_operand.sources_selected %}
<p>{% trans "Sources already defined:" %}
<ul>
{% for s_id, s_name in working_predicate.working_operand.sources_selected %}
<li><strong>{{ s_name }}</strong></option>
{% endfor %}
</ul>
</p>
<p>
<form method="post" action="">
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
</form>
</p>
{% endif %}
{% else %}
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandtwo_singlevalued%}
<p>{% trans "Add a value:" %}
<form method="post" action="">
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
</form>
<p>{% trans "Compared with..." %}</p>
{% if not working_predicate.operand1_defined %}
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandone_singlevalued%}
<p>{% trans "Add a value:" %}
<form method="post" action="">
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
</form>
</p>
{% endif %}
{% else %}
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandtwo_singlevalued%}
<p>{% trans "Add a value:" %}
<form method="post" action="">
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
</form>
</p>
{% endif %}
{% endif %}
{% if working_predicate.working_operand.values_selected %}
<p>{% trans "Values already defined:" %}
<ul>
{% for v_value in working_predicate.working_operand.values_selected %}
<li><strong>{{ v_value }}</strong></option>
{% endfor %}
</ul>
</p>
<p>
<form method="post" action="">
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
</form>
</p>
{% endif %}
{% endif %}
{% if working_predicate.working_operand.values_selected %}
<p>{% trans "Values already defined:" %}
<ul>
{% for v_value in working_predicate.working_operand.values_selected %}
<li><strong>{{ v_value }}</strong></option>
{% endfor %}
</ul>
</p>
<p>
<form method="post" action="">
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
</form>
</p>
{% endif %}
{% endif %}
<!--<p>
<br style="clear: both;"/>
<form method="post" action="">
<input type="submit" name="delete_working_operand" value="{% trans "Cancel operand" %}"/>
</form>
<p>-->
{% endif %}
<!--<p>
<br style="clear: both;"/>
{% else %}
<p>
<form method="post" action="">
<input type="submit" name="delete_working_operand" value="{% trans "Cancel operand" %}"/>
<input type="submit" name="close_working_predicate" value="{% trans "Finish predicate" %}"/>
</form>
<p>-->
</p>
{% endif %}
{% else %}
<p>
<form method="post" action="">
<input type="submit" name="close_working_predicate" value="{% trans "Finish predicate" %}"/>
</form>
</p>
{% endif %}
{% endif %}
{% endif %}
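Review bot: None of the `<form method="post">` blocks in this hunk (the single-valued step-one form, the `select_role` form, the `select_source_operand` and `value_operand` forms, the `close_working_operand` forms) contain `{% csrf_token %}`, so the whole predicate-building flow relies on the handling views staying `@csrf_exempt`; adding `{% csrf_token %}` inside each form would let the views drop the exemption later without touching this template again. The "Sources already defined" and "Values already defined" lists close each item with `</option>` (`<li><strong>{{ s_name }}</strong></option>`, `<li><strong>{{ v_value }}</strong></option>`), which should be `</li>`. The `{% trans %}` strings introduced here become translation msgids as written, so the typos in them (`opernad two`, `multivalued attribued`, `you will be prompt to choose`) are cheaper to fix now than after the catalogs are extracted.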
@ -340,46 +372,57 @@
<strong>{{ s_name }}</strong>,
{% endfor %})
{% else %}
<p><strong>{{ predicate.type_friendly }}</strong><p/>
<p>
{% if predicate.operandone_singlevalued %}
{% trans "Operand one must be single-valued." %}
{% else %}
{% trans "Operand one may be multivalued." %}
{% endif %}
{% if predicate.operandtwo_singlevalued %}
{% trans "Operand two must be single-valued." %}
{% else %}
{% trans "Operand two may be multivalued." %}
{% endif %}
</p>
<p>{{ predicate.multivalues_explanation }}</p>
{% if predicate.type == "urn:entrouvert:acs:constants:predicate-role" %}
<p>
{% trans "The predicate is role" %} <strong>{{ predicate.role }} {% trans "is required" %}</strong>.
</p>
<p>{% trans "Operand one is attribute" %} <strong>{{ predicate.operand1_defined.definition_name }}</strong>
{% if predicate.operand1_defined.type == "definition" %}
{% trans " from" %}(
{% for s_id, s_name in predicate.operand1_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
{% trans "of values" %}(
{% for value in predicate.operand1_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
{% if predicate.operand2_defined.type == "definition" %}
<p>{% trans "Operand two is attribute" %} <strong>{{ predicate.operand2_defined.definition_name }}</strong>
{% trans " from" %}(
{% for s_id, s_name in predicate.operand2_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
<p>{% trans "Compared with values" %}(
{% for value in predicate.operand2_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
<p><strong>{{ predicate.type_friendly }}</strong><p/>
<p>
{% if predicate.operandone_singlevalued %}
{% trans "Operand one must be single-valued." %}
{% else %}
{% trans "Operand one may be multivalued." %}
{% endif %}
{% if predicate.operandtwo_singlevalued %}
{% trans "Operand two must be single-valued." %}
{% else %}
{% trans "Operand two may be multivalued." %}
{% endif %}
</p>
<p>{{ predicate.multivalues_explanation }}</p>
<p>{% trans "Operand one is attribute" %} <strong>{{ predicate.operand1_defined.definition_name }}</strong>
{% if predicate.operand1_defined.type == "definition" %}
{% trans " from" %}(
{% for s_id, s_name in predicate.operand1_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
{% trans "of values" %}(
{% for value in predicate.operand1_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
{% if predicate.operand2_defined.type == "definition" %}
<p>{% trans "Operand two is attribute" %} <strong>{{ predicate.operand2_defined.definition_name }}</strong>
{% trans " from" %}(
{% for s_id, s_name in predicate.operand2_defined.sources_selected %}
<strong>{{ s_name }}</strong>,
{% endfor %})<p/>
{% else %}
<p>{% trans "Compared with values" %}(
{% for value in predicate.operand2_defined.values_selected %}
<strong>{{ value }}</strong>,
{% endfor %})<p/>
{% endif %}
{% endif %}
{% endif %}
</li>
@ -432,15 +475,13 @@
{% if who_to_display %}
<p>
<h3>{% trans "Who" %}</h3>
<p>{% trans "You can set an ABAC rule on a user a role or anybody. If you indicate 'Anybody' in the following list, it means that there exist mechanisms to make a user able to present (certified) attributes to the system. If you indicate a role, take that it does not conflict with a role in the rule that the user should not have, for instance due to heritage and a 'not' statement." %}
<p>{% trans "Usually an ABAC is set for 'Anybody' since the access is granted to anybody able to satisfy the abac rule, including having roles. However who may choos a user in the list below to indicate that you want to grant an access to a user only if the user also satisfy the rule." %}
</p>
<select name="who_matches" id="id_who_matches">
<option value="_">-- {% trans "Anybody" %} --</option>
{% for it in who_to_display %}
{% if it|klass == "UserAlias" %}
<option value="{{ it.id }}_{{ it|klass }}">{{ it.alias }}</option>
{% else %}
<option value="{{ it.id }}_{{ it|klass }}">{{ it.name }}</option>
{% endif %}
{% endfor %}
</select>
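Review bot: The new `{% trans %}` paragraph explaining the 'Who' selector becomes a translation msgid as written, so its wording should be fixed before strings are extracted, e.g. `{% trans "Usually an ABAC permission is set for 'Anybody', since access is granted to anybody able to satisfy the ABAC rule, including through roles. However, you may choose a user in the list below to indicate that you want to grant access to that user only if the user also satisfies the rule." %}`. The `who_matches` option value is a client-supplied `id_klass` pair; the view that parses it is outside this hunk, and it should resolve the referenced UserAlias or role within the policy in session rather than trusting the posted id on its own. This form also has no `{% csrf_token %}`, in line with the `@csrf_exempt` views elsewhere in the commit.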


@ -0,0 +1,31 @@
{% extends "base.html" %}
{% load i18n %}
{% block content %}
{% if title %}
<h2>{{ title }}</h2>
{% else %}
<h2>{% trans "Modify an entity" %}</h2>
{% endif %}
{% if messages %}
<ul class="messages">
{% for message in messages %}
<li{% if message.tags %} class="{{ message.tags }}"{% endif %}>{{ message }}</li>
{% endfor %}
</ul>
{% endif %}
<div>
<form method="post" action="">
{{ form.as_p }}
<input id="id_id" type="hidden" name="id" value="{{ item.id }}"/>
<input id="id_namespace" type="hidden" name="namespace" value="{{ item.namespace.id }}"/>
<input type="submit" name="{{ submit_name }}" value="{% trans "Modify" %}"/>
</form>
</div>
<p><a href="{{ backlink }}">{% trans "Back" %}</a></p>
{% endblock %}
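Review bot: The form posts `id` and `namespace` as hidden inputs copied from `item`, so whichever view handles `{{ submit_name }}` must re-resolve the item against the policy in session and treat the posted ids as a selector rather than as authorization — that view is not in this diff, so this is a point to confirm rather than a defect seen here. The form carries no `{% csrf_token %}`; the project's views are `@csrf_exempt`, but adding the tag costs nothing and keeps the template correct if that changes. Since the template is generic (`item`, `form`, `submit_name`, `backlink`), a leading template comment naming the context variables it expects and the views that render it would help the next reader.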


@ -0,0 +1,42 @@
{% extends "base.html" %}
{% load i18n %}
{% block content %}
{% if title %}
<h2>{{ title }}</h2>
{% else %}
<h2>{% trans "Select the type of permission you want to add" %}</h2>
{% endif %}
{% if messages %}
<ul class="messages">
{% for message in messages %}
<li{% if message.tags %} class="{{ message.tags }}"{% endif %}>{{ message }}</li>
{% endfor %}
</ul>
{% endif %}
<p>
<ul>
<li><a href='/add_permission'>Add an IBAC or RBAC permission</a></li>
<li><a href='/add_abac_permission'>Add an ABAC permission</a></li>
</ul>
</p>
<p>
Choose here if you want to add an IBAC or RBAC permission only or if you want to add an ABAC permission.
</p>
<p>
An IBAC or RBAC permission is delegable if you define it as is. It means that a user that is enabled as self-administrator and granted an access through a permission delegable will be able to set a permission for another user on the 'what' and 'how' of the permission.
</p>
<p>
An ABAC permission is not delegable. And this even if you can define ABAC permissions that are IBAC or ABAC permissions. Indeed, consider that ABAC_permission(Anybody, object_1, action_1, ABAC rule is PredicateRole(role_1)) is equivalent to RBAC_permission(role_1, object_1, action_1), and ABAC_permission(user_1, object_1, action_1, ABAC rule is empty) is equivalent to IBAC_permission(user_1, object_1, action_1). You should by yourself determine when it is the case and then define them as IBAC or RBAC permissions.
</p>
<p><a href="{{ backlink }}">{% trans "Back" %}</a></p>
{% endblock %}
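Review bot: The two links are absolute (`/add_permission`, `/add_abac_permission`) while the rest of this commit builds relative links such as `mod_policy?id=` and the urlpatterns use bare `^add_permission$` patterns, so the page breaks as soon as the app is mounted under a prefix; either the `{% url %}` tag or the relative `add_permission` / `add_abac_permission` form would match the siblings. The link labels and the three explanatory paragraphs are plain text rather than `{% trans %}` strings, unlike the heading and Back link in the same file. The third paragraph says "ABAC permissions that are IBAC or ABAC permissions", which from the two examples that follow looks like it should read "IBAC or RBAC permissions". The `<ul>` is wrapped in a `<p>`, which is not valid HTML; a `<div>` or no wrapper would do.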


@ -104,6 +104,7 @@ urlpatterns = patterns('',
url(r'^add_action$', 'acs.views.add_action'),
url(r'^add_activity$', 'acs.views.add_activity'),
url(r'^add_permission$', 'acs.views.add_permission'),
url(r'^add_permission_any$', 'acs.views.add_permission_any'),
url(r'^list_roles$', 'acs.views.list_roles'),
url(r'^list_objects$', 'acs.views.list_objects'),


@ -1328,6 +1328,16 @@ def return_mod_any(request, form, title, tpl_p={},
'''
@csrf_exempt
@prevent_access_to_normal_users
@check_policy_in_session
def add_permission_any(request):
policy = get_policy_from_session(request)
return render_to_response('select_permission_type.html',
{'backlink': 'mod_policy?id=' + str(policy.id)},
context_instance=RequestContext(request))
@csrf_exempt
@prevent_access_to_normal_users
@check_policy_in_session
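Review bot: `add_permission_any` is decorated `@csrf_exempt` although it only renders `select_permission_type.html` and reads no POST data, so the exemption adds nothing here except one more view outside CSRF protection; dropping that decorator on this view is safe and keeps the exemption limited to views that actually process forms, such as `add_permission` below. The view also has no docstring while its neighbours use a `'''`-style one; something like `'''Let the administrator choose between the IBAC/RBAC and the ABAC permission forms.'''` would match the file. The backlink is built with `'mod_policy?id=' + str(policy.id)`, consistent with the rest of the file, though reversing the url pattern would survive a change of mount point.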
@ -1336,6 +1346,7 @@ def add_permission(request):
Add permissions into policies
'''
policy = get_policy_from_session(request)
if request.method == 'POST':
if not 'who_matches' in request.POST \
or not request.POST['who_matches']:
@ -1384,7 +1395,7 @@ def add_permission(request):
Fail to save permission with error: %s' %err)
messages.add_message(request, messages.ERROR,
_('Fail to save permission with error: %s') %err)
return return_add_permission_form(request)
return HttpResponseRedirect('mod_policy?id=' + str(policy.id))
logger.info('add_permission: Permission added: %s' %str(p))
messages.add_message(request, messages.INFO,
_('Permission added'))