Use profile management functions at authorization checking
This commit is contained in:
parent
8ff4a7d42a
commit
270f2b3582
93
acs/core.py
93
acs/core.py
|
@ -301,15 +301,7 @@ def isAuthorizedRBAC2(who, what, how):
|
|||
|
||||
* Error codes:
|
||||
0 : No error
|
||||
-1 : requester must be provided to request the policy on somebody
|
||||
-2 : what not found
|
||||
-3 : how not found
|
||||
-4 : namespace not found
|
||||
-5 : error processing request
|
||||
-6 : requester not found
|
||||
-7 : requester not authorized on who
|
||||
-8 : requester not authorized on what
|
||||
-9 : requester not authorized on how
|
||||
TBD
|
||||
|
||||
* Preface
|
||||
|
||||
|
@ -391,6 +383,7 @@ def isAuthorizedRBAC2(who, what, how):
|
|||
attr['name'] = 'certificate_type'
|
||||
attr['namespace'] = 'ACS-ABAC'
|
||||
attr['values'] = ('eID',)
|
||||
attr['expiration_date'] = '2011-09-05T11:48:24'
|
||||
|
||||
data.append(attr)
|
||||
|
||||
|
@ -509,15 +502,43 @@ def isAuthorizedRBAC2(who, what, how):
|
|||
cached_attributes source
|
||||
'''
|
||||
|
||||
|
||||
'''
|
||||
The function is not able to send the list of attributes necessary with the
|
||||
signal.
|
||||
A new rule may be returned and another function will have to grab the
|
||||
attributes and put them in the session or in parameter
|
||||
'''
|
||||
|
||||
|
||||
'''
|
||||
A profile contains data assertions.
|
||||
A profile may be built for an anonymous user. Then a routine must be used
|
||||
to clean the db.
|
||||
|
||||
Else, a user has a profile which contain all the attributes provided.
|
||||
Attributes may be providing with an expiration date (ISO 8601 format).
|
||||
|
||||
Then, we look at the user profile if existing and at loading, every
|
||||
outdated are removed.
|
||||
|
||||
If is expected to check an authorization with an existing profil an no
|
||||
other attributes, it is enough to call is_authorized_by_names_with_abac
|
||||
with no attributes in parameter nor in session and
|
||||
no_attribute_signal=True
|
||||
|
||||
If a new rule is returned, it is enough to ask only attributes missing
|
||||
from that rule.
|
||||
However, the function won't send in the signal the list of necessary
|
||||
attributes.
|
||||
'''
|
||||
|
||||
|
||||
def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
||||
how_name, namespace_name,
|
||||
view=False, activity=False, request=None, attributes={},
|
||||
no_rule_returned=False,
|
||||
no_attribute_signal=False):
|
||||
'''
|
||||
Check for an RBAC permission
|
||||
'''
|
||||
|
||||
if not what_name or not how_name or not namespace_name:
|
||||
logger.error('is_authorized_by_names_with_abac: \
|
||||
a parameters is missing')
|
||||
|
@ -677,30 +698,39 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
% (requestor, who))
|
||||
return (False, None, -11)
|
||||
|
||||
|
||||
'''
|
||||
Attribute loading in profile object
|
||||
'''
|
||||
|
||||
if not who.user:
|
||||
# We should remove the possibility to have a UserAlias not pointing to a
|
||||
# user
|
||||
logger.critical('is_authorized_by_names_with_abac: \
|
||||
No user associated with that alias %s' % who)
|
||||
return (False, None, -12)
|
||||
profile = UserAttributeProfile(user=who.user)
|
||||
profile.save()
|
||||
|
||||
from abac.core import load_profile_by_dic
|
||||
'''
|
||||
Attribute loading in profile object
|
||||
'''
|
||||
|
||||
from abac.core import load_profile_by_dic, load_or_create_user_profile
|
||||
|
||||
profile = load_or_create_user_profile(user=who.user)
|
||||
if not profile:
|
||||
logger.critical('is_authorized_by_names_with_abac: \
|
||||
Error to create or load profile for %s' % who)
|
||||
return (False, None, -13)
|
||||
logger.debug('is_authorized_by_names_with_abac: profile %s returned' \
|
||||
% profile)
|
||||
|
||||
if attributes:
|
||||
load_profile_by_dic(profile, attributes)
|
||||
|
||||
'''
|
||||
Requester is who, that means that the user is logged on
|
||||
the application.
|
||||
Requester is also who if both are None, the user is anonymous.
|
||||
We look for attributes in the session.
|
||||
The requester is who, that means that the user is logged on
|
||||
the application and request the policy.
|
||||
Attributes can be grabbed from local sources, the django session and
|
||||
in parameters.
|
||||
|
||||
Requester is also considered to be who, if requester and who are None.
|
||||
It means that the user is anonymous - not been authenticated.
|
||||
Attributes can be grabbed from the django session and in parameters.
|
||||
'''
|
||||
if (not requestor and not who) \
|
||||
or (requestor and who and requestor == who):
|
||||
|
@ -719,17 +749,7 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
logger.info('is_authorized_by_names_with_abac: attributes provided are %s' %str(attrs[1]))
|
||||
load_profile_by_dic(profile, attrs[1])
|
||||
|
||||
logger.debug('is_authorized_by_names_with_abac: The profile contains')
|
||||
ads = AssertionData.objects.filter(profile=profile)
|
||||
for ad in ads:
|
||||
attribute_data = ad.attribute_data
|
||||
logger.debug("From %s, definition %s" % (ad.source, attribute_data.definition.id))
|
||||
if attribute_data.definition.attribute_type == ACS_XACML_DATATYPE_STRING:
|
||||
values = StringM.objects.filter(data=attribute_data)
|
||||
logger.debug("with values %s" % str([x.value for x in values]))
|
||||
elif attribute_data.definition.attribute_type == ACS_XACML_DATATYPE_INTEGER:
|
||||
values = IntegerM.objects.filter(data=attribute_data)
|
||||
logger.debug("with values %s" % str([x.value for x in values]))
|
||||
logger.debug('is_authorized_by_names_with_abac: The profile is %s' % profile)
|
||||
|
||||
'''
|
||||
All the permissions with and view or an activity containing the what
|
||||
|
@ -3465,6 +3485,7 @@ def return_all_permissions_delegatable_by_names(alias, policy):
|
|||
return return_all_permissions_delegatable_by_objects(alias, policy)
|
||||
|
||||
|
||||
@transaction.commit_manually
|
||||
def add_permission_delegated_by_objects(policy, grantor, grantee,
|
||||
permission_source, what, how,
|
||||
delegable=False, expiration_date=None):
|
||||
|
|
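Review bot: The new failure path `return (False, None, -13)` after `load_or_create_user_profile` in the `-677,30 +698,39` hunk introduces an error code that the visible error-code list (which stops at `-9 : requester not authorized on how` followed by `TBD` in the first hunk) does not document, and the same holds for the `-11` returned just above it; add `-13 : profile could not be loaded or created for who` and the matching `-11` entry to that list so callers can map the codes. Whether the `if not who.user` guard returning `-12` survives on the new side cannot be recovered from this rendered page; if it was dropped, the call now relies on `load_or_create_user_profile(user=who.user)` returning a falsy value for an alias without a user, which is worth stating next to the call, e.g. `# load_or_create_user_profile is expected to return None when who.user is unset`. The following `if attributes: load_profile_by_dic(profile, attributes)` appears to write caller-supplied attributes into what looks like a persisted profile (the next hunk reads it back via `AssertionData.objects.filter(profile=profile)`), so a one-line comment naming which callers are trusted to pass `attributes` would help a reader judge that path. The enclosing `is_authorized_by_names_with_abac` starts and ends outside this hunk.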