Use profile management functions at authorization checking

Mikaël Ates 2011-09-05 12:27:42 +02:00
parent 8ff4a7d42a
commit 270f2b3582
1 changed files with 57 additions and 36 deletions


@ -301,15 +301,7 @@ def isAuthorizedRBAC2(who, what, how):
* Error codes:
0 : No error
-1 : requester must be provided to request the policy on somebody
-2 : what not found
-3 : how not found
-4 : namespace not found
-5 : error processing request
-6 : requester not found
-7 : requester not authorized on who
-8 : requester not authorized on what
-9 : requester not authorized on how
TBD
* Preface
@ -391,6 +383,7 @@ def isAuthorizedRBAC2(who, what, how):
attr['name'] = 'certificate_type'
attr['namespace'] = 'ACS-ABAC'
attr['values'] = ('eID',)
attr['expiration_date'] = '2011-09-05T11:48:24'
data.append(attr)
@ -509,15 +502,43 @@ def isAuthorizedRBAC2(who, what, how):
cached_attributes source
'''
'''
The function is not able to send the list of attributes necessary with the
signal.
A new rule may be returned and another function will have to grab the
attributes and put them in the session or in parameter
'''
'''
A profile contains data assertions.
A profile may be built for an anonymous user. Then a routine must be used
to clean the db.
Else, a user has a profile which contain all the attributes provided.
Attributes may be providing with an expiration date (ISO 8601 format).
Then, we look at the user profile if existing and at loading, every
outdated are removed.
If is expected to check an authorization with an existing profil an no
other attributes, it is enough to call is_authorized_by_names_with_abac
with no attributes in parameter nor in session and
no_attribute_signal=True
If a new rule is returned, it is enough to ask only attributes missing
from that rule.
However, the function won't send in the signal the list of necessary
attributes.
'''
def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
how_name, namespace_name,
view=False, activity=False, request=None, attributes={},
no_rule_returned=False,
no_attribute_signal=False):
'''
Check for an RBAC permission
'''
if not what_name or not how_name or not namespace_name:
logger.error('is_authorized_by_names_with_abac: \
a parameters is missing')
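Review bot: The signature of is_authorized_by_names_with_abac uses a mutable default, `attributes={}`, which is shared across every call that omits the argument; since the body only tests `if attributes:` before loading, `attributes=None,` is a drop-in replacement with no change for callers (I cannot tell from the rendered hunk whether the signature line is new or context, but the change applies either way). The long explanation added above the def is a bare string expression, so it never becomes the function's `__doc__`; the function's own docstring is the one-liner `Check for an RBAC permission`, which names the wrong model for the ABAC variant. Move the explanatory text into the function docstring and open it with `Check an ABAC/RBAC permission for who, merging attributes from the stored profile, the session and the attributes parameter.` The body of the function continues past the end of the hunk.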
@ -677,30 +698,39 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
% (requestor, who))
return (False, None, -11)
'''
Attribute loading in profile object
'''
if not who.user:
# We should remove the possibility to have a UserAlias not pointing to a
# user
logger.critical('is_authorized_by_names_with_abac: \
No user associated with that alias %s' % who)
return (False, None, -12)
profile = UserAttributeProfile(user=who.user)
profile.save()
from abac.core import load_profile_by_dic
'''
Attribute loading in profile object
'''
from abac.core import load_profile_by_dic, load_or_create_user_profile
profile = load_or_create_user_profile(user=who.user)
if not profile:
logger.critical('is_authorized_by_names_with_abac: \
Error to create or load profile for %s' % who)
return (False, None, -13)
logger.debug('is_authorized_by_names_with_abac: profile %s returned' \
% profile)
if attributes:
load_profile_by_dic(profile, attributes)
'''
Requester is who, that means that the user is logged on
the application.
Requester is also who if both are None, the user is anonymous.
We look for attributes in the session.
The requester is who, that means that the user is logged on
the application and request the policy.
Attributes can be grabbed from local sources, the django session and
in parameters.
Requester is also considered to be who, if requester and who are None.
It means that the user is anonymous - not been authenticated.
Attributes can be grabbed from the django session and in parameters.
'''
if (not requestor and not who) \
or (requestor and who and requestor == who):
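Review bot: The profile is now loaded with load_or_create_user_profile instead of being freshly created, yet the caller-supplied attributes are still written into it by load_profile_by_dic, so assertions supplied by one requester appear to persist into later authorization checks for the same user; unless load_or_create_user_profile or load_profile_by_dic scopes or expires them (neither is visible here), confirm that a later call made without attributes cannot be satisfied by data a previous call injected. The new return codes -12 and -13 (and -11 at the top of this hunk) are absent from the error-code table in the module docstring edited in the first hunk, which stops at -9 followed by "TBD"; add them there. The backslash-continued log messages embed the continuation line's indentation in the logged text; a single-line lazy call such as `logger.critical('is_authorized_by_names_with_abac: error to create or load profile for %s', who)` avoids that and defers formatting to the logger. The enclosing function extends beyond both ends of the hunk.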
@ -719,17 +749,7 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
logger.info('is_authorized_by_names_with_abac: attributes provided are %s' %str(attrs[1]))
load_profile_by_dic(profile, attrs[1])
logger.debug('is_authorized_by_names_with_abac: The profile contains')
ads = AssertionData.objects.filter(profile=profile)
for ad in ads:
attribute_data = ad.attribute_data
logger.debug("From %s, definition %s" % (ad.source, attribute_data.definition.id))
if attribute_data.definition.attribute_type == ACS_XACML_DATATYPE_STRING:
values = StringM.objects.filter(data=attribute_data)
logger.debug("with values %s" % str([x.value for x in values]))
elif attribute_data.definition.attribute_type == ACS_XACML_DATATYPE_INTEGER:
values = IntegerM.objects.filter(data=attribute_data)
logger.debug("with values %s" % str([x.value for x in values]))
logger.debug('is_authorized_by_names_with_abac: The profile is %s' % profile)
'''
All the permissions with and view or an activity containing the what
@ -3465,6 +3485,7 @@ def return_all_permissions_delegatable_by_names(alias, policy):
return return_all_permissions_delegatable_by_objects(alias, policy)
@transaction.commit_manually
def add_permission_delegated_by_objects(policy, grantor, grantee,
permission_source, what, how,
delegable=False, expiration_date=None):
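Review bot: `@transaction.commit_manually` obliges every exit path of add_permission_delegated_by_objects, including exceptions and early returns, to call `transaction.commit()` or `transaction.rollback()`, otherwise Django raises TransactionManagementError when the transaction is left dirty; the function body lies outside this hunk, so I could not confirm that a try/except/finally covers all of them. The usual shape is to wrap the body in `try:` with `transaction.commit()` on the success path and `except Exception: transaction.rollback(); raise` otherwise. If this Django version provides `transaction.commit_on_success`, it gives the same guarantee without the manual bookkeeping.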