Enhance RBAC and ABAC support and update UI.
- The authorisation decision function now supports regex objects and first tries to find an IBAC or RBAC permission. If none is found, it tries to find an ABAC permission. - The user interface for ABAC permission creation proposes the predicateRole - Single point of entry to add a permission, with a page explaining the difference between RBAC and IBAC and inviting the user to select a type of permission. - Review of navigation elements
parent
bdcb85065d
commit
1db7883e7a
|
@ -24,6 +24,7 @@ import time
|
|||
|
||||
from django.db import transaction
|
||||
from django.core.exceptions import ObjectDoesNotExist, MultipleObjectsReturned
|
||||
from django.utils.translation import ugettext as _
|
||||
|
||||
from acs.models import Namespace, UserAlias
|
||||
|
||||
|
@ -51,6 +52,7 @@ def extract_predicate_ids(expression):
|
|||
|
||||
|
||||
def check_predicate(predicate, profile):
|
||||
logger.debug("check_predicate: predicate id %s" % predicate.id)
|
||||
if isinstance(predicate, PredicateRequired):
|
||||
logger.debug("check_predicate: PredicateRequired %s" % predicate)
|
||||
return check_predicate_required(predicate, profile)
|
||||
|
@ -910,33 +912,42 @@ def load_profile_by_dic(profile, dic):
|
|||
logger.debug('load_profile_by_dic: attributes: %s' \
|
||||
% str(dic[source]))
|
||||
for attr in dic[source]:
|
||||
logger.debug('load_profile_by_dic: attribute %s of %s with values %s' \
|
||||
% (attr['name'], attr['namespace'], str([x for x in attr['values']])))
|
||||
expiration_date = None
|
||||
if 'expiration_date' in attr:
|
||||
logger.debug('load_profile_by_dic: expire at %s' \
|
||||
% attr['expiration_date'])
|
||||
expiration_date = attr['expiration_date']
|
||||
d = get_def_from_name_and_ns(attr['name'], attr['namespace'])
|
||||
if not d:
|
||||
logger.error('load_profile_by_dic: \
|
||||
definition not found for %s %s' \
|
||||
% (attr['name'], attr['namespace']))
|
||||
if not 'name' in attr or not 'namespace' in attr \
|
||||
or not 'values' in attr:
|
||||
logger.debug('load_profile_by_dic: \
|
||||
missing data in attribute')
|
||||
else:
|
||||
logger.debug('load_profile_by_dic: \
|
||||
definition %s found' % d)
|
||||
a = add_assertion_to_profile(profile, s, d, attr['values'],
|
||||
expiration_date=expiration_date)
|
||||
if not a:
|
||||
logger.debug('load_profile_by_dic: \
|
||||
error adding assertion')
|
||||
attribute %s of %s with values %s' \
|
||||
% (attr['name'], attr['namespace'],
|
||||
str([x for x in attr['values']])))
|
||||
expiration_date = None
|
||||
if 'expiration_date' in attr:
|
||||
logger.debug('load_profile_by_dic: expire at %s' \
|
||||
% attr['expiration_date'])
|
||||
expiration_date = attr['expiration_date']
|
||||
d = get_def_from_name_and_ns(attr['name'],
|
||||
attr['namespace'])
|
||||
if not d:
|
||||
logger.error('load_profile_by_dic: \
|
||||
definition not found for %s %s' \
|
||||
% (attr['name'], attr['namespace']))
|
||||
else:
|
||||
logger.debug('load_profile_by_dic: \
|
||||
assertion %s added' % a)
|
||||
definition %s found' % d)
|
||||
a = add_assertion_to_profile(profile, s, d,
|
||||
attr['values'], expiration_date=expiration_date)
|
||||
if not a:
|
||||
logger.debug('load_profile_by_dic: \
|
||||
error adding assertion')
|
||||
else:
|
||||
logger.debug('load_profile_by_dic: \
|
||||
assertion %s added' % a)
|
||||
else:
|
||||
logger.critical('load_profile_by_dic: \
|
||||
The source with name %s and attributes %s is unknown of the system'
|
||||
% (str(source), str(dic[source])))
|
||||
The source with name %s and attributes %s \
|
||||
is unknown of the system' \
|
||||
% (str(source), str(dic[source])))
|
||||
|
||||
|
||||
@transaction.commit_manually
|
||||
|
@ -952,6 +963,9 @@ def remove_predicate(predicate):
|
|||
- AssertionDefinition
|
||||
- Attached source
|
||||
|
||||
Objects to delete for predicate role:
|
||||
- None
|
||||
|
||||
Objects to delete for predicate comparisons:
|
||||
- AssertionDefinition
|
||||
- Attached source
|
||||
|
@ -961,7 +975,9 @@ def remove_predicate(predicate):
|
|||
'''
|
||||
|
||||
instance = predicate.get_predicate_instance()
|
||||
if isinstance(instance, PredicateRequired):
|
||||
if isinstance(instance, PredicateRole):
|
||||
pass
|
||||
elif isinstance(instance, PredicateRequired):
|
||||
logger.debug('remove_predicate: predicate required found')
|
||||
for s in AttachedSource.objects.filter(assertion=instance.definition):
|
||||
logger.debug('remove_predicate: remove attached source with id %s' %s.id)
|
||||
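Review bot: In load_profile_by_dic the debug call at the top of the attribute loop indexes `attr['name']`, `attr['namespace']` and `attr['values']` before the `if not 'name' in attr or not 'namespace' in attr or not 'values' in attr` guard runs, so an attribute missing one of those keys raises KeyError instead of reaching the 'missing data in attribute' branch; move the guard above the log, or log with `attr.get('name')` and friends. The rendered page has lost the indentation, so the nesting of the `if not d:` error branch relative to that guard is inferred; if the definition-not-found path can fall through to `add_assertion_to_profile`, that deserves a second look. In remove_predicate the new `PredicateRole` branch is an explicit `pass`, which the docstring ('Objects to delete for predicate role: - None') justifies; a one-line comment such as `# a role predicate owns no AssertionDefinition or AttachedSource, nothing to cascade` would keep the next reader from taking it as unfinished. Both functions start outside their hunks, and remove_predicate also continues past its hunk.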
@ -93,14 +93,20 @@ root_url = settings.ROOT_URL
|
|||
PREDICATE_REQUIRED = \
|
||||
"urn:entrouvert:acs:constants:predicate-required"
|
||||
|
||||
COMPARISON_TYPE_DIC = dict({PREDICATE_REQUIRED: _('Require attribute presence')}.items() \
|
||||
PREDICATE_ROLE = \
|
||||
"urn:entrouvert:acs:constants:predicate-role"
|
||||
|
||||
PREDICATE_TYPE_EXPL_DIC = \
|
||||
dict({PREDICATE_REQUIRED: _('Require attribute presence'),
|
||||
PREDICATE_ROLE: _('Require role')}.items() \
|
||||
+ XACML_COMPARISON_TYPE_DIC.items())
|
||||
|
||||
PREDICATE_TYPES = (PREDICATE_REQUIRED, ) + ACS_XACML_COMPARISON \
|
||||
PREDICATE_TYPES = (PREDICATE_REQUIRED, PREDICATE_ROLE, ) + ACS_XACML_COMPARISON \
|
||||
+ XACML_COMPARISON_EQUALITY
|
||||
|
||||
PREDICATE_TYPES_TYPE = ((PREDICATE_REQUIRED, _('Require attribute presence')),) \
|
||||
+ XACML_COMPARISON_DIFF_TYPE + XACML_COMPARISON_EQUALITY_TYPE
|
||||
PREDICATE_TYPES_TYPE = ((PREDICATE_REQUIRED, _('Require attribute presence')),
|
||||
(PREDICATE_ROLE, _('Require role')), ) \
|
||||
+ XACML_COMPARISON_DIFF_TYPE + XACML_COMPARISON_EQUALITY_TYPE
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
|
@ -149,6 +155,12 @@ def add_abac_permission(request):
|
|||
_('Working operand removed'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
'''
|
||||
Predicate choice
|
||||
- creation
|
||||
- validation
|
||||
- deletion
|
||||
'''
|
||||
if 'predicate_type' in request.POST \
|
||||
and 'new_predicate' in request.POST:
|
||||
if 'working_predicate' in request.session:
|
||||
|
@ -157,7 +169,7 @@ def add_abac_permission(request):
|
|||
before defining a new one'))
|
||||
return return_add_abac_permission_form(request)
|
||||
else:
|
||||
if not request.POST['predicate_type'] in COMPARISON_TYPE_DIC:
|
||||
if not request.POST['predicate_type'] in PREDICATE_TYPE_EXPL_DIC:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown predicate type %s') \
|
||||
% request.POST['predicate_type'])
|
||||
|
@ -166,11 +178,57 @@ def add_abac_permission(request):
|
|||
request.session['working_predicate']['type'] = \
|
||||
request.POST['predicate_type']
|
||||
request.session['working_predicate']['type_friendly'] = \
|
||||
COMPARISON_TYPE_DIC[(request.POST['predicate_type'])]
|
||||
PREDICATE_TYPE_EXPL_DIC[(request.POST['predicate_type'])]
|
||||
request.session['working_predicate']['working_operand'] = {}
|
||||
request.session['working_predicate']['working_operand']['type'] = 'definition'
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'close_working_predicate' in request.POST:
|
||||
if not 'working_predicate' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('No working predicate'))
|
||||
elif not 'type' in request.session['working_predicate']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Missing predicate type'))
|
||||
else:
|
||||
predicates = []
|
||||
if 'predicates' in request.session:
|
||||
predicates = request.session['predicates']
|
||||
request.session.pop('predicates')
|
||||
predicates.append(request.session['working_predicate'])
|
||||
request.session.pop('working_predicate')
|
||||
request.session['predicates'] = predicates
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Predicate recorded'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'delete_predicate' in request.POST \
|
||||
and 'predicate_id' in request.POST:
|
||||
if not 'predicates' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('No predicate to delete'))
|
||||
elif int(request.POST['predicate_id']) > len(request.session['predicates']):
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown predicate'))
|
||||
else:
|
||||
predicates = request.session['predicates']
|
||||
predicates.pop(int(request.POST['predicate_id'])-1)
|
||||
request.session.pop('predicates')
|
||||
if not predicates:
|
||||
if 'rule' in request.session:
|
||||
request.session.pop('rule')
|
||||
else:
|
||||
request.session['predicates'] = predicates
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Predicate removed'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
|
||||
'''
|
||||
Predicate choice:
|
||||
- select definition and require single-valued
|
||||
- select source
|
||||
'''
|
||||
if 'select_attribute_definition' in request.POST \
|
||||
and 'attribute_definition_id' in request.POST:
|
||||
if not 'working_predicate' in request.session:
|
||||
|
@ -236,46 +294,43 @@ def add_abac_permission(request):
|
|||
_('Source not found'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'close_working_predicate' in request.POST:
|
||||
|
||||
'''
|
||||
Predicate role:
|
||||
- select role
|
||||
'''
|
||||
if 'select_role' in request.POST \
|
||||
and 'role_id' in request.POST:
|
||||
if not 'working_predicate' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('No working predicate'))
|
||||
elif not 'type' in request.session['working_predicate']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Missing predicate type'))
|
||||
elif request.session['working_predicate']['type'] != \
|
||||
PREDICATE_ROLE:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Working predicate is not a required role'))
|
||||
else:
|
||||
predicates = []
|
||||
if 'predicates' in request.session:
|
||||
predicates = request.session['predicates']
|
||||
request.session.pop('predicates')
|
||||
predicates.append(request.session['working_predicate'])
|
||||
request.session.pop('working_predicate')
|
||||
request.session['predicates'] = predicates
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Predicate recorded'))
|
||||
try:
|
||||
role = Role.objects.get(id=request.POST['role_id'])
|
||||
working_predicate = request.session['working_predicate']
|
||||
request.session.pop('working_predicate')
|
||||
working_predicate['role'] \
|
||||
= role
|
||||
request.session['working_predicate'] = working_predicate
|
||||
except:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Role not found'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'delete_predicate' in request.POST \
|
||||
and 'predicate_id' in request.POST:
|
||||
if not 'predicates' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('No predicate to delete'))
|
||||
elif int(request.POST['predicate_id']) > len(request.session['predicates']):
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown predicate'))
|
||||
else:
|
||||
predicates = request.session['predicates']
|
||||
predicates.pop(int(request.POST['predicate_id'])-1)
|
||||
request.session.pop('predicates')
|
||||
if not predicates:
|
||||
if 'rule' in request.session:
|
||||
request.session.pop('rule')
|
||||
else:
|
||||
request.session['predicates'] = predicates
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Predicate removed'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
'''
|
||||
Predicate comparison:
|
||||
- indicate single-valued operand
|
||||
- as a consequence, choice multivalues management option
|
||||
- define operands
|
||||
'''
|
||||
if 'select_multivalue_step_one' in request.POST:
|
||||
if not 'working_predicate' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
|
@ -303,6 +358,8 @@ def add_abac_permission(request):
|
|||
and working_predicate['type'] \
|
||||
in XACML_COMPARISON_EQUALITY:
|
||||
working_predicate['multivalues_step_two'] = 'EQUAL_ONE_VALUE'
|
||||
working_predicate['multivalues_explanation'] = \
|
||||
_('One of the two operand might be multivalued, then the comparison will search that at least one value of multi values is equal to the value of the other attribute.')
|
||||
|
||||
request.session['working_predicate'] = working_predicate
|
||||
return return_add_abac_permission_form(request)
|
||||
|
@ -373,14 +430,16 @@ def add_abac_permission(request):
|
|||
_('The first attribute may have multiple values that exactly match the values of the second attribute.')
|
||||
elif working_predicate['multivalues_step_two'] \
|
||||
== 'EQUAL_ONE_VALUE':
|
||||
if 'operandtwo_singlevalued' in working_predicate \
|
||||
or 'operandtwo_singlevalued' in working_predicate:
|
||||
working_predicate['multivalues_explanation'] = \
|
||||
_('One of the two operand might be multivalued, then the comparison will search that at least one value of multi values is equal to the value of the other attribute.')
|
||||
elif not 'operandtwo_singlevalued' in working_predicate \
|
||||
and not 'operandtwo_singlevalued' in working_predicate:
|
||||
working_predicate['multivalues_explanation'] = \
|
||||
_('The first attribute may have multiple values and at least one must be equal to a value of the second attribute.')
|
||||
working_predicate['multivalues_explanation'] = \
|
||||
_('The first attribute may have multiple values and at least one must be equal to a value of the second attribute.')
|
||||
|
||||
logger.debug('add_abac_permission: predicate %s' \
|
||||
% working_predicate['type'])
|
||||
logger.debug('add_abac_permission: multivalues %s' \
|
||||
% working_predicate['multivalues_step_two'])
|
||||
logger.debug('add_abac_permission: explanation %s' \
|
||||
% working_predicate['multivalues_explanation'])
|
||||
|
||||
|
||||
request.session['working_predicate'] = working_predicate
|
||||
return return_add_abac_permission_form(request)
|
||||
|
@ -596,6 +655,9 @@ def add_abac_permission(request):
|
|||
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
'''
|
||||
Rule definition
|
||||
'''
|
||||
if 'set_rule' in request.POST and \
|
||||
'rule_string' in request.POST:
|
||||
if not 'predicates' in request.session:
|
||||
|
@ -611,16 +673,14 @@ def add_abac_permission(request):
|
|||
for predicate in request.session['predicates']:
|
||||
check = re.sub(str(p_id), '', check)
|
||||
p_id = p_id + 1
|
||||
check = re.sub(' ', '', check)
|
||||
check = re.sub('\)', '', check)
|
||||
check = re.sub('\(', '', check)
|
||||
check = re.sub('&', '', check)
|
||||
check = re.sub('|', '', check)
|
||||
check = re.sub('-', '', check)
|
||||
for it in [' ', '\)', '\(', '&', '\|', '-']:
|
||||
check = re.sub(it, '', check)
|
||||
if check:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('The logical expression contains unknown \
|
||||
predicates or unauthorized characters (%s)' % check))
|
||||
logger.debug('add_abac_permission: check failure: %s' \
|
||||
% check)
|
||||
elif not is_proposition(request.POST['rule_string']):
|
||||
'''
|
||||
Check that the logical expression is well-formed
|
||||
|
@ -633,6 +693,9 @@ def add_abac_permission(request):
|
|||
request.session['rule'] = request.POST['rule_string']
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
'''
|
||||
Permission definition
|
||||
'''
|
||||
if 'add_permission' in request.POST:
|
||||
if not 'predicates' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
|
@ -661,6 +724,12 @@ def add_abac_permission(request):
|
|||
messages.add_message(request, messages.ERROR,
|
||||
_('Fail to find who due to %s') % err)
|
||||
return return_add_abac_permission_form(request)
|
||||
if not isinstance(who, UserAlias):
|
||||
logger.error('add_permission: \
|
||||
who should only be a user')
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_("Who should only be a user or 'Anybody'"))
|
||||
return return_add_abac_permission_form(request)
|
||||
try:
|
||||
what = get_what_from_one_post_field(request, 'what_matches')
|
||||
how = get_how_from_one_post_field(request, 'how_matches')
|
||||
|
@ -745,6 +814,10 @@ def check_data_and_create_permission(request, who, what, how):
|
|||
if 'singlevalued' in predicate:
|
||||
single_value = True
|
||||
pred = PredicateRequired(definition=ad, rule=rule, single_value=single_value)
|
||||
elif predicate['type'] == PREDICATE_ROLE:
|
||||
if not 'role' in predicate:
|
||||
raise Exception('Missing role of predicate %s' %str(p_id))
|
||||
pred = PredicateRole(role=predicate['role'], rule=rule)
|
||||
else:
|
||||
if not 'multivalues_step_two' in predicate \
|
||||
or not 'multivalues_explanation' in predicate \
|
||||
|
@ -836,12 +909,8 @@ def check_data_and_create_permission(request, who, what, how):
|
|||
check = expression
|
||||
for key in p_ids1.keys():
|
||||
check = re.sub(str(key), '', check)
|
||||
check = re.sub(' ', '', check)
|
||||
check = re.sub('\)', '', check)
|
||||
check = re.sub('\(', '', check)
|
||||
check = re.sub('&', '', check)
|
||||
check = re.sub('|', '', check)
|
||||
check = re.sub('-', '', check)
|
||||
for it in [' ', '\)', '\(', '&', '\|', '-']:
|
||||
check = re.sub(it, '', check)
|
||||
if check:
|
||||
raise Exception('The logical expression contains unknown \
|
||||
predicates or unauthorized characters (%s)' % check)
|
||||
|
@ -971,7 +1040,7 @@ def handle_operand(predicate, p_id, name, d):
|
|||
v = value
|
||||
else:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
IpAddress(data=data, value=v).save()
|
||||
IpAddressM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
try:
|
||||
|
@ -981,7 +1050,6 @@ def handle_operand(predicate, p_id, name, d):
|
|||
raise Exception('Unable to create assertion of %s of predicate %s' % (name, str(p_id)))
|
||||
return a
|
||||
|
||||
#Previouslu define choices of multival according to the working pred
|
||||
|
||||
@check_policy_in_session
|
||||
@check_authorized_for_abac
|
||||
|
@ -989,10 +1057,11 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
|
|||
tpl_p = {}
|
||||
policy = get_policy_from_session(request)
|
||||
|
||||
|
||||
tpl_p['multivalues'] = []
|
||||
if 'working_predicate' in request.session \
|
||||
and 'type' in request.session['working_predicate']:
|
||||
and 'type' in request.session['working_predicate'] \
|
||||
and request.session['working_predicate']['type'] \
|
||||
in (XACML_COMPARISON_EQUALITY, ACS_XACML_COMPARISON):
|
||||
|
||||
if 'multivalues_step_one' in request.session['working_predicate'] \
|
||||
and request.session['working_predicate']['type'] \
|
||||
|
@ -1004,18 +1073,18 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
|
|||
tpl_p['multivalues'].append(('EQUAL_OP1_SUBSET_OP2', _('The first attribute may have multiple values and each must be equal to a value of the second attribute (subset)')))
|
||||
tpl_p['multivalues'].append(('EQUAL_EXACT_MATCH', _('The first attribute may have multiple values that exactly match the values of the second attribute')))
|
||||
|
||||
if 'multivalues_step_one' in request.session['working_predicate'] \
|
||||
elif 'multivalues_step_one' in request.session['working_predicate'] \
|
||||
and request.session['working_predicate']['type'] \
|
||||
in ACS_XACML_COMPARISON \
|
||||
and not 'multivalues_step_two' in request.session['working_predicate']:
|
||||
s = None
|
||||
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_LT:
|
||||
s = 'less than'
|
||||
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_LT_OE:
|
||||
elif request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_LT_OE:
|
||||
s = 'less than or equal to'
|
||||
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT:
|
||||
elif request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT:
|
||||
s = 'greater than'
|
||||
if request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT_OE:
|
||||
elif request.session['working_predicate']['type'] in ACS_XACML_COMPARISON_GRT_OE:
|
||||
s = 'greater than or equal to'
|
||||
tpl_p['multivalues'].append(('DIFF_ALL_OP1_WITH_UPPER_LIMIT_OP2', _('All values of operand one must be %s the highest value of operand two') %s))
|
||||
tpl_p['multivalues'].append(('DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2', _('All values of operand one must be %s the smallest value of operand two') %s))
|
||||
|
@ -1027,6 +1096,16 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
|
|||
if request.session['working_predicate']['type'] == \
|
||||
PREDICATE_REQUIRED:
|
||||
tpl_p['attribute_definitions'] = get_all_attribute_definitions()
|
||||
elif request.session['working_predicate']['type'] == \
|
||||
PREDICATE_ROLE:
|
||||
if is_policy_user_administrator(request.user, policy):
|
||||
tpl_p['roles'] = Role.objects.filter(namespace=policy.namespace)
|
||||
else:
|
||||
tpl_p['roles'] = \
|
||||
return_list_roles_authorized_for_admin(
|
||||
set_default_alias(request.user))
|
||||
tpl_p['roles'] = \
|
||||
filter_list_in_namespace(tpl_p['roles'], policy.namespace)
|
||||
else:
|
||||
tpl_p['attribute_definitions'] = \
|
||||
AttributeDefinition.objects.filter(attribute_type=ACS_COMP_TYPE[request.session['working_predicate']['type']])
|
||||
|
@ -1044,20 +1123,15 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
|
|||
if 'rule' in request.session:
|
||||
tpl_p['rule'] = request.session['rule']
|
||||
|
||||
tpl_p['who_to_display'] = \
|
||||
return_list_users_authorized_for_admin(
|
||||
set_default_alias(request.user)) + \
|
||||
return_list_roles_authorized_for_admin(
|
||||
set_default_alias(request.user))
|
||||
tpl_p['who_to_display'] = \
|
||||
filter_list_in_namespace(tpl_p['who_to_display'], policy.namespace)
|
||||
if is_policy_user_administrator(request.user, policy):
|
||||
for a in UserAlias.objects.filter(namespace=policy.namespace):
|
||||
if not a in tpl_p['who_to_display']:
|
||||
tpl_p['who_to_display'].append(a)
|
||||
for a in Role.objects.filter(namespace=policy.namespace):
|
||||
if not a in tpl_p['who_to_display']:
|
||||
tpl_p['who_to_display'].append(a)
|
||||
tpl_p['who_to_display'] = \
|
||||
UserAlias.objects.filter(namespace=policy.namespace)
|
||||
else:
|
||||
tpl_p['who_to_display'] = \
|
||||
filter_list_in_namespace(
|
||||
return_list_users_authorized_for_admin(
|
||||
set_default_alias(request.user)),
|
||||
policy.namespace)
|
||||
|
||||
tpl_p['what_to_display'] = \
|
||||
return_list_objects_authorized_for_admin(
|
||||
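Review bot: The `delete_predicate` branch at its new position in the @@ -166 hunk only rejects an id greater than `len(request.session['predicates'])`, so a posted `predicate_id` of 0 or a negative value passes the check and `predicates.pop(int(request.POST['predicate_id'])-1)` silently removes the last entry (or another one by negative index), while a non-numeric value raises ValueError out of the view. A two-sided check, `elif not 1 <= int(request.POST['predicate_id']) <= len(request.session['predicates']):`, closes the first gap, and the `int()` conversion should sit in a `try`/`except ValueError` that reports 'Unknown predicate'. The rule-string check in the @@ -611 hunk has a related weakness: `check = re.sub(str(p_id), '', check)` deletes substrings, so if p_id counts from 1 a single predicate lets the expression `11` through the 'unknown predicates' check (only is_proposition then decides what it means); matching whole tokens, e.g. with `re.sub(r'\b%d\b' % p_id, '', check)`, would be stricter. The bare `except:` around `Role.objects.get(id=request.POST['role_id'])` in the @@ -236 hunk should be `except (Role.DoesNotExist, ValueError):` so that unrelated failures are not reported as 'Role not found'. add_abac_permission, check_data_and_create_permission and return_add_abac_permission_form all start and end outside their hunks.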
@ -282,7 +282,7 @@ def list_aliases(request, pk=None):
|
|||
|
||||
sources = None
|
||||
try:
|
||||
sources = Source.objects.all()
|
||||
sources = LdapSource.objects.all()
|
||||
except Exception, err:
|
||||
logger.error('list_aliases: An error occurred looking for \
|
||||
sources: %s' % err)
|
||||
|
@ -316,8 +316,7 @@ def list_aliases(request, pk=None):
|
|||
'''
|
||||
aliases_sources = []
|
||||
for source in sources:
|
||||
if not (isinstance(source.get_source_instance(), LdapSource) \
|
||||
and source.get_source_instance().is_auth_backend):
|
||||
if not source.get_source_instance().is_auth_backend:
|
||||
ns = None
|
||||
try:
|
||||
ns = Namespace.objects.get(name=source.name)
|
||||
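Review bot: `sources` is initialised to None and only assigned inside the `try` in the @@ -282 hunk; when `LdapSource.objects.all()` raises, the except branch logs and continues, and the `for source in sources:` loop in the @@ -316 hunk then fails with TypeError on None instead of rendering an empty list. Either return after logging or initialise with `sources = []`. Since the loop now iterates LdapSource rows directly, `source.get_source_instance().is_auth_backend` presumably resolves to the same row and could read `if not source.is_auth_backend:`; confirm against the model before simplifying. list_aliases starts outside both hunks and continues past the second.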
|
|
114
acs/core.py
114
acs/core.py
|
@ -567,6 +567,7 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
|
||||
|
||||
what = None
|
||||
whats_regexp = None
|
||||
if view:
|
||||
try:
|
||||
what = View.objects.get(name=what_name, namespace=ns)
|
||||
|
@ -583,12 +584,14 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
View %s - Error due to %s' % (what_name, err))
|
||||
return (False, None, -5)
|
||||
else:
|
||||
whats_regexp = get_objects_from_regex(what_name, ns)
|
||||
try:
|
||||
what = AcsObject.objects.get(name=what_name, namespace=ns)
|
||||
except ObjectDoesNotExist:
|
||||
logger.error('is_authorized_by_names_with_abac: \
|
||||
unable to find the object object')
|
||||
return (False, None, -2)
|
||||
if not whats_regexp:
|
||||
return (False, None, -2)
|
||||
except MultipleObjectsReturned:
|
||||
logger.critical('is_authorized_by_names_with_abac: \
|
||||
Multiple objects with name %s' %what_name)
|
||||
|
@ -681,22 +684,50 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
logger.debug("The requester is different from who that means that the requester must \
|
||||
be authorized on the parameters of its request")
|
||||
administration = Action.objects.get(name='administration')
|
||||
p = isAuthorizedRBAC2(set_default_alias(requestor), what, administration)
|
||||
if not is_policy_object_creator(requestor, policy) and not p:
|
||||
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
|
||||
% (requestor, what))
|
||||
return (False, None, -9)
|
||||
p = isAuthorizedRBAC2(set_default_alias(requestor), how, administration)
|
||||
if not is_policy_action_creator(requestor, policy) and not p:
|
||||
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
|
||||
% (requestor, how))
|
||||
return (False, None, -10)
|
||||
if who:
|
||||
p = isAuthorizedRBAC2(set_default_alias(requestor), who, administration)
|
||||
if not is_policy_user_administrator(requestor, policy) and not p:
|
||||
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
|
||||
% (requestor, who))
|
||||
return (False, None, -11)
|
||||
if what:
|
||||
p = isAuthorizedRBAC2(set_default_alias(requestor), what, administration)
|
||||
if not is_policy_object_creator(requestor, policy) and not p:
|
||||
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
|
||||
% (requestor, what))
|
||||
return (False, None, -9)
|
||||
if whats_regexp:
|
||||
for o in whats_regexp:
|
||||
p = isAuthorizedRBAC2(set_default_alias(requestor), o, administration)
|
||||
if not is_policy_object_creator(requestor, policy) and not p:
|
||||
logger.warning('is_authorized_by_names_with_abac: %s is not authorized on %s \
|
||||
This object is removed from permission lookup!' \
|
||||
% (requestor, o))
|
||||
whats_regexp.pop(o)
|
||||
p = isAuthorizedRBAC2(set_default_alias(requestor), how, administration)
|
||||
if not is_policy_action_creator(requestor, policy) and not p:
|
||||
logger.debug('is_authorized_by_names_with_abac: %s is not authorized on %s' \
|
||||
% (requestor, how))
|
||||
return (False, None, -10)
|
||||
|
||||
|
||||
'''
|
||||
RBAC permission checking
|
||||
'''
|
||||
|
||||
if who and what:
|
||||
p = isAuthorizedRBAC2(who, what, how)
|
||||
if p:
|
||||
return (True, p, 0)
|
||||
if who and whats_regexp:
|
||||
for o in whats_regexp:
|
||||
p = isAuthorizedRBAC2(who, o, how)
|
||||
if p:
|
||||
return (True, p, 0)
|
||||
|
||||
'''
|
||||
ABAC permission checking
|
||||
'''
|
||||
|
||||
'''
|
||||
Attribute loading in profile object
|
||||
|
@ -755,35 +786,45 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
All the permissions with and view or an activity containing the what
|
||||
and how
|
||||
'''
|
||||
'''
|
||||
There are no ABAC permissions for administration and then what is only
|
||||
AcsObject or View
|
||||
'''
|
||||
what_list = []
|
||||
if isinstance(what, AcsObject):
|
||||
if whats_regexp:
|
||||
for o in whats_regexp:
|
||||
views = View.objects.filter(acs_objects__id=o.id)
|
||||
for view in views:
|
||||
if view.namespace == ns and not view in what_list:
|
||||
what_list.append(view)
|
||||
if what and isinstance(what, AcsObject):
|
||||
views = View.objects.filter(acs_objects__id=what.id)
|
||||
for view in views:
|
||||
if view.namespace == ns:
|
||||
if view.namespace == ns and not view in what_list:
|
||||
what_list.append(view)
|
||||
elif isinstance(what, View):
|
||||
elif what and isinstance(what, View):
|
||||
if what.namespace == ns:
|
||||
what_list.append(what)
|
||||
elif isinstance(what, UserAlias):
|
||||
views = View.objects.filter(users__id=what.id)
|
||||
for view in views:
|
||||
if view.namespace == ns:
|
||||
what_list.append(view)
|
||||
elif isinstance(what, Role):
|
||||
views = View.objects.filter(roles__id=what.id)
|
||||
for view in views:
|
||||
if view.namespace == ns:
|
||||
what_list.append(view)
|
||||
elif isinstance(what, Action):
|
||||
views = View.objects.filter(actions__id=what.id)
|
||||
for view in views:
|
||||
if view.namespace == ns:
|
||||
what_list.append(view)
|
||||
elif isinstance(what, Activity):
|
||||
views = View.objects.filter(activities__id=what.id)
|
||||
for view in views:
|
||||
if view.namespace == ns:
|
||||
what_list.append(view)
|
||||
# elif isinstance(what, UserAlias):
|
||||
# views = View.objects.filter(users__id=what.id)
|
||||
# for view in views:
|
||||
# if view.namespace == ns:
|
||||
# what_list.append(view)
|
||||
# elif isinstance(what, Role):
|
||||
# views = View.objects.filter(roles__id=what.id)
|
||||
# for view in views:
|
||||
# if view.namespace == ns:
|
||||
# what_list.append(view)
|
||||
# elif isinstance(what, Action):
|
||||
# views = View.objects.filter(actions__id=what.id)
|
||||
# for view in views:
|
||||
# if view.namespace == ns:
|
||||
# what_list.append(view)
|
||||
# elif isinstance(what, Activity):
|
||||
# views = View.objects.filter(activities__id=what.id)
|
||||
# for view in views:
|
||||
# if view.namespace == ns:
|
||||
# what_list.append(view)
|
||||
|
||||
'''Limit the number of views to check'''
|
||||
limit = 0
|
||||
|
@ -798,7 +839,10 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
if it not in what_list and it.namespace == ns:
|
||||
what_list.append(it)
|
||||
i = i + 1
|
||||
what_list.append(what)
|
||||
if what:
|
||||
what_list.append(what)
|
||||
for o in whats_regexp:
|
||||
what_list.append(o)
|
||||
|
||||
how_list = []
|
||||
if isinstance(how, Action):
|
||||
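Review bot: `whats_regexp.pop(o)` in the administration check of the @@ -681 hunk cannot do what the warning says: if `get_objects_from_regex` returns a list, `pop` expects an index and raises TypeError on a model instance; if it returns a QuerySet there is no `pop` at all; and in either case removing items from the sequence being iterated skips elements. So the 'This object is removed from permission lookup!' path never completes, and the RBAC/ABAC checks below would otherwise read a partly modified sequence; build a filtered list and rebind `whats_regexp` to it instead, as sketched below. Two further points on the new regex path: `for o in whats_regexp: what_list.append(o)` in the @@ -798 hunk runs even when `whats_regexp` is still None (the `view` branch never assigns it), unlike the guarded loop earlier in the function; and the RBAC block returns `(True, p, 0)` as soon as any one regex-matched object grants the permission, an any-of semantics that deserves a sentence in the function docstring so callers do not read a regex decision as all-of. is_authorized_by_names_with_abac starts before and ends after these hunks.
```python
        if whats_regexp:
            kept = []
            for o in whats_regexp:
                p = isAuthorizedRBAC2(set_default_alias(requestor), o, administration)
                if not is_policy_object_creator(requestor, policy) and not p:
                    logger.warning('is_authorized_by_names_with_abac: %s is not authorized on %s \
This object is removed from permission lookup!' % (requestor, o))
                    continue
                kept.append(o)
            # only objects the requestor may administer take part in the lookup
            whats_regexp = kept
        # … unchanged: check on how, RBAC and ABAC permission checking …
```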
@ -361,15 +361,6 @@ def mod_policy(request):
|
|||
list_other_services['graph?type_graph=whole_policy'] = \
|
||||
"Display the whole policy"
|
||||
|
||||
if is_policy_abac_administrator(request.user, policy):
|
||||
if at_least_one_abac_permission_to_set(request.user, policy):
|
||||
list_abac_services['add_abac_permission'] = \
|
||||
"Create an ABAC permission"
|
||||
if at_least_one_abac_permission_to_admin(request.user,
|
||||
policy):
|
||||
list_abac_services['list_abac_permissions'] = \
|
||||
"Modify or delete an ABAC permission"
|
||||
|
||||
if at_least_one_role_to_admin(request.user, policy):
|
||||
list_user_services['list_roles'] = "Modify or delete a role"
|
||||
|
||||
|
@ -392,12 +383,28 @@ def mod_policy(request):
|
|||
list_action_services['list_activities'] = \
|
||||
"Modify or delete an activity"
|
||||
|
||||
if at_least_one_permission_to_set(request.user, policy):
|
||||
list_services['add_permission'] = "Add a permission"
|
||||
if is_policy_user_administrator(request.user, policy):
|
||||
if at_least_one_permission_to_set(request.user, policy) \
|
||||
or at_least_one_abac_permission_to_set(request.user,
|
||||
policy):
|
||||
list_services['add_permission_any'] = "Add a permission"
|
||||
if at_least_one_abac_permission_to_admin(request.user,
|
||||
policy):
|
||||
list_services['list_abac_permissions'] = \
|
||||
"List and delete ABAC permissions"
|
||||
if at_least_one_permission_to_remove(request.user, policy):
|
||||
list_services['list_permissions'] = \
|
||||
"List and delete IBAC or RBAC permissions"
|
||||
else:
|
||||
if at_least_one_permission_to_set(request.user, policy):
|
||||
list_services['add_permission'] = \
|
||||
"Add a permission (only IBAC or RABC)"
|
||||
list_services['list_permissions'] = \
|
||||
"List and delete IBAC or RBAC permissions"
|
||||
|
||||
|
||||
if at_least_one_permission_to_remove(request.user, policy):
|
||||
list_services['list_permissions'] = "Delete a permission"
|
||||
if at_least_one_permission_to_remove(request.user, policy) \
|
||||
or at_least_one_abac_permission_to_admin(request.user,
|
||||
policy):
|
||||
list_other_services['ask_decision'] = "Ask for a decision"
|
||||
list_other_services['ask_decision_regex'] = \
|
||||
"Ask for a decision with a regex"
|
||||
|
@ -409,10 +416,6 @@ def mod_policy(request):
|
|||
if list_user_services:
|
||||
list_authorized_services['Users and Roles management'] = \
|
||||
list_user_services
|
||||
if list_abac_services:
|
||||
list_authorized_services[\
|
||||
'Attribute based access control management'] = \
|
||||
list_abac_services
|
||||
if list_object_services:
|
||||
list_authorized_services['Objects and Views management'] = \
|
||||
list_object_services
|
||||
|
|
|
@ -92,224 +92,256 @@
|
|||
{% endif %}
|
||||
|
||||
{% else %}
|
||||
<p>{% trans "The working predicate is of type" %} <strong>{{ working_predicate.type_friendly }}</strong>.</p>
|
||||
|
||||
{% if not working_predicate.multivalues_step_one %}
|
||||
{% if working_predicate.type == "urn:entrouvert:acs:constants:predicate-role" %}
|
||||
|
||||
{% if working_predicate.role %}
|
||||
<p>
|
||||
{% trans "The working predicate is role" %} <strong>{{ working_predicate.role }} {% trans "is required" %}</strong>.
|
||||
</p>
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<p>
|
||||
{% trans "The predicate have two operands. The first one indicate an attribute expected from a source. The second one might be one or multiple values, or an a different attribute from the same source, or another attribute issued from a different source." %}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "You can indicate that an attribute might be provided by one source among many, it is a or statement. Then, you can't enforce that an attribute be provided by a unique source among multiple. You can not also enforce singlevalued attributes if you want to let the choice in the source. Then, if you want that an attribute be single-valued, you will only be authorized to select one source. If you want single-valued attribute but let the choice in the source, you have to declare multiple predicate." %}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "If you authorize that an attribute be multivalued or you to let the choice in sources, you will be prompt to choose how multivalues must be handled." %}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "By checking the following box you indicate that the operand one must be single-valued." %}
|
||||
<input type="checkbox" name="operandone_singlevalued" value="singlevalued"/>
|
||||
</p>
|
||||
<p>
|
||||
{% trans "By checking the following box you indicate that the opernad two must be single-valued or that you wish indicate a unique value of comparison." %}
|
||||
<input type="checkbox" name="operandtwo_singlevalued" value="singlevalued"/>
|
||||
</p>
|
||||
<input type="submit" name="select_multivalue_step_one" value="{% trans "Ok" %}"/>
|
||||
<input type="submit" name="close_working_predicate" value="{% trans "Finish predicate" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% else %}
|
||||
<p>{% trans "The working predicate is of type" %} <strong>{% trans "role required" %}</strong>.</p>
|
||||
<form method="post" action="">
|
||||
<p>{% trans "Choose a role" %}:
|
||||
<select name="role_id" id="role">
|
||||
{% for role in roles %}
|
||||
<option value="{{ role.id }}">{{ role.name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<p>
|
||||
<input type="submit" name="select_role" value="{% trans "Choose" %}"/>
|
||||
</p>
|
||||
</p>
|
||||
</form>
|
||||
{% endif %}
|
||||
|
||||
{% else %}
|
||||
|
||||
<p>
|
||||
{% if working_predicate.operandone_singlevalued %}
|
||||
{% trans "Operand one must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand one may be multivalued." %}
|
||||
{% endif %}
|
||||
{% if working_predicate.operandtwo_singlevalued %}
|
||||
{% trans "Operand two must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand two may be multivalued." %}
|
||||
{% endif %}
|
||||
</p>
|
||||
<p>{% trans "The working predicate is of type" %} <strong>{{ working_predicate.type_friendly }}</strong>.</p>
|
||||
|
||||
{% if not working_predicate.multivalues_step_one %}
|
||||
|
||||
{% if not working_predicate.multivalues_step_two %}
|
||||
<p>{% trans "Choose how multivalued attribued are compared:" %}
|
||||
<form method="post" action="">
|
||||
<select name="multivalues" id="multivalues">
|
||||
{% for multivalue, f_multivalue in multivalues %}
|
||||
<option value="{{ multivalue }}">{{ f_multivalue }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_multivalue_step_two" value="{% trans "Ok" %}"/>
|
||||
<p>
|
||||
{% trans "The predicate have two operands. The first one indicate an attribute expected from a source. The second one might be one or multiple values, or an a different attribute from the same source, or another attribute issued from a different source." %}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "You can indicate that an attribute might be provided by one source among many, it is a or statement. Then, you can't enforce that an attribute be provided by a unique source among multiple. You can not also enforce singlevalued attributes if you want to let the choice in the source. Then, if you want that an attribute be single-valued, you will only be authorized to select one source. If you want single-valued attribute but let the choice in the source, you have to declare multiple predicate." %}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "If you authorize that an attribute be multivalued or you to let the choice in sources, you will be prompt to choose how multivalues must be handled." %}
|
||||
</p>
|
||||
<p>
|
||||
{% trans "By checking the following box you indicate that the operand one must be single-valued." %}
|
||||
<input type="checkbox" name="operandone_singlevalued" value="singlevalued"/>
|
||||
</p>
|
||||
<p>
|
||||
{% trans "By checking the following box you indicate that the opernad two must be single-valued or that you wish indicate a unique value of comparison." %}
|
||||
<input type="checkbox" name="operandtwo_singlevalued" value="singlevalued"/>
|
||||
</p>
|
||||
<input type="submit" name="select_multivalue_step_one" value="{% trans "Ok" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
|
||||
{% else %}
|
||||
|
||||
<p>{{ working_predicate.multivalues_explanation }}</p>
|
||||
|
||||
{% if working_predicate.operand1_defined %}
|
||||
<p>{% trans "Operand one is attribute" %} <strong>{{ working_predicate.operand1_defined.definition_name }}</strong>
|
||||
{% if working_predicate.operand1_defined.type == "definition" %}
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in working_predicate.operand1_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
{% trans "of values" %}(
|
||||
{% for value in working_predicate.operand1_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
<p>
|
||||
{% if working_predicate.operandone_singlevalued %}
|
||||
{% trans "Operand one must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand one may be multivalued." %}
|
||||
{% endif %}
|
||||
|
||||
{% if working_predicate.operand2_defined %}
|
||||
{% if working_predicate.operand2_defined.type == "definition" %}
|
||||
<p>{% trans "Operand two is attribute" %} <strong>{{ working_predicate.operand2_defined.definition_name }}</strong>
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in working_predicate.operand2_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with values" %}(
|
||||
{% for value in working_predicate.operand2_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% if working_predicate.operandtwo_singlevalued %}
|
||||
{% trans "Operand two must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand two may be multivalued." %}
|
||||
{% endif %}
|
||||
</p>
|
||||
|
||||
{% if not working_predicate.operand1_defined or not working_predicate.operand2_defined %}
|
||||
{% if not working_predicate.working_operand %}
|
||||
<form method="post" action="">
|
||||
<p>{% trans "Compared with" %}:</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>{% trans "the same attribute from another source or a different attribute" %}</p>
|
||||
<input type="submit" name="operand_is_definition" value="{% trans "Attribute" %}"/>
|
||||
</li>
|
||||
<li>
|
||||
<p>{% trans "with one or multiple values" %}</p>
|
||||
<input type="submit" name="operand_is_definition_data" value="{% trans "Value" %}"/>
|
||||
</li>
|
||||
</ul>
|
||||
</form>
|
||||
</p>
|
||||
{% else %}
|
||||
{% if not working_predicate.working_operand.definition_name %}
|
||||
{% if not working_predicate.operand1_defined %}
|
||||
<p>{% trans "Choose an attribute as operand one of the comparison:" %}
|
||||
{% else %}
|
||||
<p>{% trans "Choose an attribute as operand two of the comparison:" %}
|
||||
{% endif %}
|
||||
<form method="post" action="">
|
||||
<select name="attribute_definition_id" id="attribute_definition">
|
||||
{% for attr_definition in attribute_definitions %}
|
||||
<option value="{{ attr_definition.id }}">{{ attr_definition.attribute_name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_attribute_definition_operand" value="{% trans "Ok" %}"/>
|
||||
</form>
|
||||
{% if not working_predicate.multivalues_step_two %}
|
||||
<p>{% trans "Choose how multivalued attribued are compared:" %}
|
||||
<form method="post" action="">
|
||||
<select name="multivalues" id="multivalues">
|
||||
{% for multivalue, f_multivalue in multivalues %}
|
||||
<option value="{{ multivalue }}">{{ f_multivalue }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_multivalue_step_two" value="{% trans "Ok" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% else %}
|
||||
|
||||
<p>{{ working_predicate.multivalues_explanation }}</p>
|
||||
|
||||
{% if working_predicate.operand1_defined %}
|
||||
<p>{% trans "Operand one is attribute" %} <strong>{{ working_predicate.operand1_defined.definition_name }}</strong>
|
||||
{% if working_predicate.operand1_defined.type == "definition" %}
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in working_predicate.operand1_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
{% trans "of values" %}(
|
||||
{% for value in working_predicate.operand1_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if working_predicate.operand2_defined %}
|
||||
{% if working_predicate.operand2_defined.type == "definition" %}
|
||||
<p>{% trans "Operand two is attribute" %} <strong>{{ working_predicate.operand2_defined.definition_name }}</strong>
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in working_predicate.operand2_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with values" %}(
|
||||
{% for value in working_predicate.operand2_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if not working_predicate.operand1_defined or not working_predicate.operand2_defined %}
|
||||
{% if not working_predicate.working_operand %}
|
||||
<form method="post" action="">
|
||||
<p>{% trans "Compared with" %}:</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p>{% trans "the same attribute from another source or a different attribute" %}</p>
|
||||
<input type="submit" name="operand_is_definition" value="{% trans "Attribute" %}"/>
|
||||
</li>
|
||||
<li>
|
||||
<p>{% trans "with one or multiple values" %}</p>
|
||||
<input type="submit" name="operand_is_definition_data" value="{% trans "Value" %}"/>
|
||||
</li>
|
||||
</ul>
|
||||
</form>
|
||||
</p>
|
||||
{% else %}
|
||||
{% if working_predicate.working_operand.type == "definition" %}
|
||||
{% if not working_predicate.working_operand.definition_name %}
|
||||
{% if not working_predicate.operand1_defined %}
|
||||
<p>{% trans "Operand one is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
|
||||
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandone_singlevalued%}
|
||||
<p>{% trans "From:" %}
|
||||
<form method="post" action="">
|
||||
<select name="source_operand_id" id="source">
|
||||
{% for source in sources %}
|
||||
<option value="{{ source.id }}">{{ source.name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
<p>{% trans "Choose an attribute as operand one of the comparison:" %}
|
||||
{% else %}
|
||||
<p>{% trans "Operand two is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
|
||||
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandtwo_singlevalued%}
|
||||
<p>{% trans "From:" %}
|
||||
<form method="post" action="">
|
||||
<select name="source_operand_id" id="source">
|
||||
{% for source in sources %}
|
||||
<option value="{{ source.id }}">{{ source.name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
<p>{% trans "Choose an attribute as operand two of the comparison:" %}
|
||||
{% endif %}
|
||||
|
||||
{% if working_predicate.working_operand.sources_selected %}
|
||||
<p>{% trans "Sources already defined:" %}
|
||||
<ul>
|
||||
{% for s_id, s_name in working_predicate.working_operand.sources_selected %}
|
||||
<li><strong>{{ s_name }}</strong></option>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</p>
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
|
||||
<select name="attribute_definition_id" id="attribute_definition">
|
||||
{% for attr_definition in attribute_definitions %}
|
||||
<option value="{{ attr_definition.id }}">{{ attr_definition.attribute_name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_attribute_definition_operand" value="{% trans "Ok" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
|
||||
</p>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with..." %}</p>
|
||||
{% if working_predicate.working_operand.type == "definition" %}
|
||||
{% if not working_predicate.operand1_defined %}
|
||||
<p>{% trans "Operand one is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
|
||||
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandone_singlevalued%}
|
||||
<p>{% trans "From:" %}
|
||||
<form method="post" action="">
|
||||
<select name="source_operand_id" id="source">
|
||||
{% for source in sources %}
|
||||
<option value="{{ source.id }}">{{ source.name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
{% else %}
|
||||
<p>{% trans "Operand two is the attribute" %} <strong>{{ working_predicate.working_operand.definition_name }}</strong></p>
|
||||
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.sources_selected or not working_predicate.operandtwo_singlevalued%}
|
||||
<p>{% trans "From:" %}
|
||||
<form method="post" action="">
|
||||
<select name="source_operand_id" id="source">
|
||||
{% for source in sources %}
|
||||
<option value="{{ source.id }}">{{ source.name }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_source_operand" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if not working_predicate.operand1_defined %}
|
||||
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandone_singlevalued%}
|
||||
<p>{% trans "Add a value:" %}
|
||||
<form method="post" action="">
|
||||
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
|
||||
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
{% if working_predicate.working_operand.sources_selected %}
|
||||
<p>{% trans "Sources already defined:" %}
|
||||
<ul>
|
||||
{% for s_id, s_name in working_predicate.working_operand.sources_selected %}
|
||||
<li><strong>{{ s_name }}</strong></option>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</p>
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
|
||||
{% else %}
|
||||
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandtwo_singlevalued%}
|
||||
<p>{% trans "Add a value:" %}
|
||||
<form method="post" action="">
|
||||
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
|
||||
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
<p>{% trans "Compared with..." %}</p>
|
||||
|
||||
{% if not working_predicate.operand1_defined %}
|
||||
{% if working_predicate.operandone_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandone_singlevalued%}
|
||||
<p>{% trans "Add a value:" %}
|
||||
<form method="post" action="">
|
||||
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
|
||||
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
{% else %}
|
||||
{% if working_predicate.operandtwo_singlevalued and not working_predicate.working_operand.values_selected or not working_predicate.operandtwo_singlevalued%}
|
||||
<p>{% trans "Add a value:" %}
|
||||
<form method="post" action="">
|
||||
<input type="text" name="value_operand" label="{% trans "Give a value to test" %}"/>
|
||||
<input type="submit" name="value_operand_submitted" value="{% trans "Add" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if working_predicate.working_operand.values_selected %}
|
||||
<p>{% trans "Values already defined:" %}
|
||||
<ul>
|
||||
{% for v_value in working_predicate.working_operand.values_selected %}
|
||||
<li><strong>{{ v_value }}</strong></option>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</p>
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if working_predicate.working_operand.values_selected %}
|
||||
<p>{% trans "Values already defined:" %}
|
||||
<ul>
|
||||
{% for v_value in working_predicate.working_operand.values_selected %}
|
||||
<li><strong>{{ v_value }}</strong></option>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
</p>
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="close_working_operand" value="{% trans "Finish operand" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
<!--<p>
|
||||
<br style="clear: both;"/>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="delete_working_operand" value="{% trans "Cancel operand" %}"/>
|
||||
</form>
|
||||
<p>-->
|
||||
{% endif %}
|
||||
<!--<p>
|
||||
<br style="clear: both;"/>
|
||||
{% else %}
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="delete_working_operand" value="{% trans "Cancel operand" %}"/>
|
||||
<input type="submit" name="close_working_predicate" value="{% trans "Finish predicate" %}"/>
|
||||
</form>
|
||||
<p>-->
|
||||
</p>
|
||||
{% endif %}
|
||||
{% else %}
|
||||
<p>
|
||||
<form method="post" action="">
|
||||
<input type="submit" name="close_working_predicate" value="{% trans "Finish predicate" %}"/>
|
||||
</form>
|
||||
</p>
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
|
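Review bot: None of the `<form method="post" action="">` elements in this template, including the newly added role-selection form (`<select name="role_id" id="role">`), carries a `{% csrf_token %}`, and the form in the new template later in this commit has the same omission; together with the `@csrf_exempt` decorators on the views in acs/views.py this leaves the policy-administration POSTs without cross-site request forgery protection, so the templates should emit the token and the decorators be dropped where the views are wired through Django's CSRF middleware. The lists of already-defined sources and values close each `<li>` with `</option>` (`<li><strong>{{ s_name }}</strong></option>`), which should be `</li>`. The `label="..."` attribute on `<input type="text" name="value_operand">` is not an HTML input attribute; use a `<label for=...>` element or `placeholder`. Whether every `{% if %}` here has its `{% endif %}` cannot be confirmed from this rendering since the removed and added sides are not marked.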
@ -340,46 +372,57 @@
|
|||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})
|
||||
{% else %}
|
||||
<p><strong>{{ predicate.type_friendly }}</strong><p/>
|
||||
|
||||
<p>
|
||||
{% if predicate.operandone_singlevalued %}
|
||||
{% trans "Operand one must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand one may be multivalued." %}
|
||||
{% endif %}
|
||||
{% if predicate.operandtwo_singlevalued %}
|
||||
{% trans "Operand two must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand two may be multivalued." %}
|
||||
{% endif %}
|
||||
</p>
|
||||
|
||||
<p>{{ predicate.multivalues_explanation }}</p>
|
||||
{% if predicate.type == "urn:entrouvert:acs:constants:predicate-role" %}
|
||||
|
||||
<p>
|
||||
{% trans "The predicate is role" %} <strong>{{ predicate.role }} {% trans "is required" %}</strong>.
|
||||
</p>
|
||||
|
||||
<p>{% trans "Operand one is attribute" %} <strong>{{ predicate.operand1_defined.definition_name }}</strong>
|
||||
{% if predicate.operand1_defined.type == "definition" %}
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in predicate.operand1_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
{% trans "of values" %}(
|
||||
{% for value in predicate.operand1_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% if predicate.operand2_defined.type == "definition" %}
|
||||
<p>{% trans "Operand two is attribute" %} <strong>{{ predicate.operand2_defined.definition_name }}</strong>
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in predicate.operand2_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with values" %}(
|
||||
{% for value in predicate.operand2_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
|
||||
<p><strong>{{ predicate.type_friendly }}</strong><p/>
|
||||
|
||||
<p>
|
||||
{% if predicate.operandone_singlevalued %}
|
||||
{% trans "Operand one must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand one may be multivalued." %}
|
||||
{% endif %}
|
||||
{% if predicate.operandtwo_singlevalued %}
|
||||
{% trans "Operand two must be single-valued." %}
|
||||
{% else %}
|
||||
{% trans "Operand two may be multivalued." %}
|
||||
{% endif %}
|
||||
</p>
|
||||
|
||||
<p>{{ predicate.multivalues_explanation }}</p>
|
||||
|
||||
<p>{% trans "Operand one is attribute" %} <strong>{{ predicate.operand1_defined.definition_name }}</strong>
|
||||
{% if predicate.operand1_defined.type == "definition" %}
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in predicate.operand1_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
{% trans "of values" %}(
|
||||
{% for value in predicate.operand1_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% if predicate.operand2_defined.type == "definition" %}
|
||||
<p>{% trans "Operand two is attribute" %} <strong>{{ predicate.operand2_defined.definition_name }}</strong>
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in predicate.operand2_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with values" %}(
|
||||
{% for value in predicate.operand2_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
</li>
|
||||
|
@ -432,15 +475,13 @@
|
|||
{% if who_to_display %}
|
||||
<p>
|
||||
<h3>{% trans "Who" %}</h3>
|
||||
<p>{% trans "You can set an ABAC rule on a user a role or anybody. If you indicate 'Anybody' in the following list, it means that there exist mechanisms to make a user able to present (certified) attributes to the system. If you indicate a role, take that it does not conflict with a role in the rule that the user should not have, for instance due to heritage and a 'not' statement." %}
|
||||
<p>{% trans "Usually an ABAC is set for 'Anybody' since the access is granted to anybody able to satisfy the abac rule, including having roles. However who may choos a user in the list below to indicate that you want to grant an access to a user only if the user also satisfy the rule." %}
|
||||
</p>
|
||||
<select name="who_matches" id="id_who_matches">
|
||||
<option value="_">-- {% trans "Anybody" %} --</option>
|
||||
{% for it in who_to_display %}
|
||||
{% if it|klass == "UserAlias" %}
|
||||
<option value="{{ it.id }}_{{ it|klass }}">{{ it.alias }}</option>
|
||||
{% else %}
|
||||
<option value="{{ it.id }}_{{ it|klass }}">{{ it.name }}</option>
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
</select>
|
||||
|
|
|
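Review bot: The `who_matches` option values encode a database id and a model class name (`{{ it.id }}_{{ it|klass }}`), and the `_` value means the rule applies to anybody; the view that parses this value is not in the hunk, so confirm that it restricts the class part to the two classes rendered here (`UserAlias` and the role class) and resolves the id within the current policy rather than looking up an arbitrary model by name. The help text has wording defects: `choos` should be `choose` and `only if the user also satisfy the rule` should be `only if the user also satisfies the rule`.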
@ -0,0 +1,31 @@
|
|||
{% extends "base.html" %}
|
||||
{% load i18n %}
|
||||
|
||||
{% block content %}
|
||||
|
||||
{% if title %}
|
||||
<h2>{{ title }}</h2>
|
||||
{% else %}
|
||||
<h2>{% trans "Modify an entity" %}</h2>
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if messages %}
|
||||
<ul class="messages">
|
||||
{% for message in messages %}
|
||||
<li{% if message.tags %} class="{{ message.tags }}"{% endif %}>{{ message }}</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% endif %}
|
||||
|
||||
<div>
|
||||
<form method="post" action="">
|
||||
{{ form.as_p }}
|
||||
<input id="id_id" type="hidden" name="id" value="{{ item.id }}"/>
|
||||
<input id="id_namespace" type="hidden" name="namespace" value="{{ item.namespace.id }}"/>
|
||||
<input type="submit" name="{{ submit_name }}" value="{% trans "Modify" %}"/>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
<p><a href="{{ backlink }}">{% trans "Back" %}</a></p>
|
||||
{% endblock %}
|
|
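Review bot: The hidden inputs `name="id"` and `name="namespace"` are rendered from `item` but are client-controlled on submission, so the view handling `{{ submit_name }}` must re-check that the posted id belongs to a namespace the current user administers instead of trusting them; that view is not part of this commit, so this is a point to confirm. The form also lacks `{% csrf_token %}`. A one-line template comment stating the contract would help, e.g. `{# generic modify form; the handling view must validate that id/namespace belong to the active policy #}`.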
@ -0,0 +1,42 @@
|
|||
{% extends "base.html" %}
|
||||
{% load i18n %}
|
||||
|
||||
{% block content %}
|
||||
|
||||
{% if title %}
|
||||
<h2>{{ title }}</h2>
|
||||
{% else %}
|
||||
<h2>{% trans "Select the type of permission you want to add" %}</h2>
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if messages %}
|
||||
<ul class="messages">
|
||||
{% for message in messages %}
|
||||
<li{% if message.tags %} class="{{ message.tags }}"{% endif %}>{{ message }}</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% endif %}
|
||||
|
||||
<p>
|
||||
<ul>
|
||||
<li><a href='/add_permission'>Add an IBAC or RBAC permission</a></li>
|
||||
<li><a href='/add_abac_permission'>Add an ABAC permission</a></li>
|
||||
</ul>
|
||||
</p>
|
||||
|
||||
<p>
|
||||
Choose here if you want to add an IBAC or RBAC permission only or if you want to add an ABAC permission.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
An IBAC or RBAC permission is delegable if you define it as is. It means that a user that is enabled as self-administrator and granted an access through a permission delegable will be able to set a permission for another user on the 'what' and 'how' of the permission.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
An ABAC permission is not delegable. And this even if you can define ABAC permissions that are IBAC or ABAC permissions. Indeed, consider that ABAC_permission(Anybody, object_1, action_1, ABAC rule is PredicateRole(role_1)) is equivalent to RBAC_permission(role_1, object_1, action_1), and ABAC_permission(user_1, object_1, action_1, ABAC rule is empty) is equivalent to IBAC_permission(user_1, object_1, action_1). You should by yourself determine when it is the case and then define them as IBAC or RBAC permissions.
|
||||
</p>
|
||||
|
||||
|
||||
<p><a href="{{ backlink }}">{% trans "Back" %}</a></p>
|
||||
{% endblock %}
|
|
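Review bot: The two links are written as absolute paths (`<a href='/add_permission'>`, `<a href='/add_abac_permission'>`) while the rest of the application, including `backlink` in this same template, uses relative URLs such as `mod_policy?id=...`; this breaks when the site is mounted under a prefix, and the urlpatterns in this commit are relative too, so the hrefs should be `add_permission` and `add_abac_permission` or produced by the `{% url %}` tag. The link labels and the three explanatory paragraphs are not wrapped in `{% trans %}` although the page loads i18n and translates its heading. In the last paragraph `that are IBAC or ABAC permissions` is presumably meant to read `that are IBAC or RBAC permissions`, and a `<ul>` inside `<p>` is invalid markup.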
@ -104,6 +104,7 @@ urlpatterns = patterns('',
|
|||
url(r'^add_action$', 'acs.views.add_action'),
|
||||
url(r'^add_activity$', 'acs.views.add_activity'),
|
||||
url(r'^add_permission$', 'acs.views.add_permission'),
|
||||
url(r'^add_permission_any$', 'acs.views.add_permission_any'),
|
||||
|
||||
url(r'^list_roles$', 'acs.views.list_roles'),
|
||||
url(r'^list_objects$', 'acs.views.list_objects'),
|
||||
|
|
13
acs/views.py
13
acs/views.py
|
@ -1328,6 +1328,16 @@ def return_mod_any(request, form, title, tpl_p={},
|
|||
'''
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
@prevent_access_to_normal_users
|
||||
@check_policy_in_session
|
||||
def add_permission_any(request):
|
||||
policy = get_policy_from_session(request)
|
||||
return render_to_response('select_permission_type.html',
|
||||
{'backlink': 'mod_policy?id=' + str(policy.id)},
|
||||
context_instance=RequestContext(request))
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
@prevent_access_to_normal_users
|
||||
@check_policy_in_session
|
||||
|
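Review bot: `add_permission_any` only renders a page, yet it is decorated `@csrf_exempt`; the exemption buys nothing for a view that handles no POST and should be dropped, as it should on the other views once the templates emit `{% csrf_token %}`. The view also has no docstring while the neighbouring views carry one; add `'''Let the user choose between an IBAC/RBAC and an ABAC permission form.'''`. The menu in mod_policy offers this entry only to policy user administrators, but the view itself does not apply that check; if the linked add_permission and add_abac_permission views enforce it, a short comment here saying that authorisation happens in the target views would make that explicit.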
@ -1336,6 +1346,7 @@ def add_permission(request):
|
|||
Add permissions into policies
|
||||
'''
|
||||
|
||||
policy = get_policy_from_session(request)
|
||||
if request.method == 'POST':
|
||||
if not 'who_matches' in request.POST \
|
||||
or not request.POST['who_matches']:
|
||||
|
@ -1384,7 +1395,7 @@ def add_permission(request):
|
|||
Fail to save permission with error: %s' %err)
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Fail to save permission with error: %s') %err)
|
||||
return return_add_permission_form(request)
|
||||
return HttpResponseRedirect('mod_policy?id=' + str(policy.id))
|
||||
logger.info('add_permission: Permission added: %s' %str(p))
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Permission added'))
|
||||
|
|
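Review bot: If the `return HttpResponseRedirect('mod_policy?id=' + str(policy.id))` line is the new one, a failed save now redirects away from the form, discarding the administrator's input, whereas the previous `return return_add_permission_form(request)` re-displayed it with the error message; confirm this is intended. The error message shown in the UI interpolates the raw exception (`_('Fail to save permission with error: %s') %err`), which is context here rather than part of the change, but it surfaces database internals to the browser and would be better logged while the user sees a generic failure message. add_permission starts outside this hunk.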