ACS now supports the attribute management on attribute_aggregator module.
This commit is contained in:
parent
ab15e93dac
commit
deb81fafd6
|
@ -32,6 +32,17 @@ from django.http import HttpResponseRedirect
|
|||
from django.conf import settings
|
||||
from django.db import transaction
|
||||
|
||||
from attribute_aggregator.models import AttributeSource, AttributeData
|
||||
from attribute_aggregator.xacml_constants import *
|
||||
from attribute_aggregator.core import get_all_attribute_definitions, \
|
||||
get_all_sources, get_attribute_type_of_definition, \
|
||||
convert_from_string
|
||||
from attribute_aggregator.mapping import ATTRIBUTE_MAPPING
|
||||
|
||||
from acs.abac.core import remove_rule
|
||||
from acs.abac.logic import is_proposition
|
||||
from acs.abac.models import AbacRule, AssertionData, AssertionDefinition, \
|
||||
PredicateRequired, PredicateRole, PredicateComparison
|
||||
|
||||
from core import is_policy_action_creator, is_policy_object_creator, \
|
||||
is_policy_user_administrator, is_in_policy, is_valid_regex, \
|
||||
|
@ -60,24 +71,14 @@ from decorators import prevent_access_to_normal_users,\
|
|||
prevent_access_to_not_self_administrators_or_normal_users, \
|
||||
check_authorized_for_abac
|
||||
|
||||
from views import check_object_or_view, check_action_or_activity, \
|
||||
return_add_any
|
||||
|
||||
from utils_views import get_policy_from_session, \
|
||||
get_who_from_one_post_field, \
|
||||
get_what_from_one_post_field, \
|
||||
get_how_from_one_post_field
|
||||
|
||||
from views import check_object_or_view, check_action_or_activity, \
|
||||
return_add_any
|
||||
|
||||
from acs.abac.models import *
|
||||
|
||||
from acs.abac.core import get_all_attribute_definitions, get_all_sources, \
|
||||
get_attribute_definition_by_name, \
|
||||
remove_rule
|
||||
|
||||
from acs.abac.logic import is_proposition
|
||||
|
||||
from acs.xacml.constants import *
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
|
@ -225,12 +226,12 @@ def add_abac_permission(request):
|
|||
|
||||
|
||||
'''
|
||||
Predicate choice:
|
||||
Predicate required:
|
||||
- select definition and require single-valued
|
||||
- select source
|
||||
'''
|
||||
if 'select_attribute_definition' in request.POST \
|
||||
and 'attribute_definition_id' in request.POST:
|
||||
and 'attribute_definition' in request.POST:
|
||||
if not 'working_predicate' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('No working predicate'))
|
||||
|
@ -241,21 +242,17 @@ def add_abac_permission(request):
|
|||
PREDICATE_REQUIRED:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Working predicate is not a required attribute'))
|
||||
elif not request.POST['attribute_definition'] in ATTRIBUTE_MAPPING:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown attribute definition'))
|
||||
else:
|
||||
try:
|
||||
ad = AttributeDefinition.objects.get(id=request.POST['attribute_definition_id'])
|
||||
working_predicate = request.session['working_predicate']
|
||||
request.session.pop('working_predicate')
|
||||
working_predicate['definition_id'] \
|
||||
= request.POST['attribute_definition_id']
|
||||
working_predicate['definition_name'] \
|
||||
= ad.attribute_name
|
||||
= request.POST['attribute_definition']
|
||||
if 'singlevalued' in request.POST:
|
||||
working_predicate['singlevalued'] = 'singlevalued'
|
||||
request.session['working_predicate'] = working_predicate
|
||||
except:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Attribute definition not found'))
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'select_source' in request.POST \
|
||||
|
@ -272,7 +269,8 @@ def add_abac_permission(request):
|
|||
_('Working predicate is not a required attribute'))
|
||||
else:
|
||||
try:
|
||||
s = Source.objects.get(id=request.POST['source_id'])
|
||||
s = AttributeSource.objects.get(\
|
||||
id=request.POST['source_id'])
|
||||
working_predicate = request.session['working_predicate']
|
||||
if 'sources_selected' in working_predicate:
|
||||
if 'singlevalued' in working_predicate:
|
||||
|
@ -473,12 +471,11 @@ def add_abac_permission(request):
|
|||
working_predicate['working_operand']['type'] = 'value'
|
||||
# Definition type is the same as operand one
|
||||
working_predicate['working_operand']['definition_name'] = working_predicate['operand1_defined']['definition_name']
|
||||
working_predicate['working_operand']['definition_id'] = working_predicate['operand1_defined']['definition_id']
|
||||
request.session['working_predicate'] = working_predicate
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'select_attribute_definition_operand' in request.POST \
|
||||
and 'attribute_definition_id' in request.POST:
|
||||
and 'attribute_definition' in request.POST:
|
||||
if not 'working_predicate' in request.session:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('No working predicate'))
|
||||
|
@ -497,23 +494,22 @@ def add_abac_permission(request):
|
|||
or not 'type' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('There is no valid operand definition in progress'))
|
||||
else:
|
||||
try:
|
||||
ad = AttributeDefinition.objects.get(id=request.POST['attribute_definition_id'])
|
||||
if ad.attribute_type != ACS_COMP_TYPE[request.session['working_predicate']['type']]:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('The attribute type does not match the comparison type'))
|
||||
return return_add_abac_permission_form(request)
|
||||
working_predicate = request.session['working_predicate']
|
||||
request.session.pop('working_predicate')
|
||||
working_predicate['working_operand']['definition_id'] \
|
||||
= request.POST['attribute_definition_id']
|
||||
working_predicate['working_operand']['definition_name'] \
|
||||
= ad.attribute_name
|
||||
request.session['working_predicate'] = working_predicate
|
||||
except Exception, e:
|
||||
elif not request.POST['attribute_definition'] in ATTRIBUTE_MAPPING:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Attribute definition not found (%s)') %str(e))
|
||||
_('Unknown attribute definition'))
|
||||
else:
|
||||
definition = request.POST['attribute_definition']
|
||||
if get_attribute_type_of_definition(definition) \
|
||||
!= ACS_COMP_TYPE[\
|
||||
request.session['working_predicate']['type']]:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('The attribute type does not match the comparison type'))
|
||||
return return_add_abac_permission_form(request)
|
||||
working_predicate = request.session['working_predicate']
|
||||
request.session.pop('working_predicate')
|
||||
working_predicate['working_operand']['definition_name'] \
|
||||
= definition
|
||||
request.session['working_predicate'] = working_predicate
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
if 'select_source_operand' in request.POST \
|
||||
|
@ -536,13 +532,13 @@ def add_abac_permission(request):
|
|||
or not 'type' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('There is no valid operand definition in progress'))
|
||||
elif not 'definition_id' in request.session['working_predicate']['working_operand'] \
|
||||
or not 'definition_name' in request.session['working_predicate']['working_operand']:
|
||||
elif not 'definition_name' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Missing definition of the working operand'))
|
||||
else:
|
||||
try:
|
||||
s = Source.objects.get(id=request.POST['source_operand_id'])
|
||||
s = AttributeSource.objects.get(\
|
||||
id=request.POST['source_operand_id'])
|
||||
working_predicate = request.session['working_predicate']
|
||||
if 'sources_selected' in working_predicate['working_operand']:
|
||||
if not 'operand1_defined' in request.session['working_predicate'] and 'operandone_singlevalued' in working_predicate:
|
||||
|
@ -589,8 +585,7 @@ def add_abac_permission(request):
|
|||
or not 'type' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('There is no valid operand definition in progress'))
|
||||
elif not 'definition_id' in request.session['working_predicate']['working_operand'] \
|
||||
or not 'definition_name' in request.session['working_predicate']['working_operand']:
|
||||
elif not 'definition_name' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Missing definition of the working operand'))
|
||||
else:
|
||||
|
@ -635,8 +630,7 @@ def add_abac_permission(request):
|
|||
or not 'type' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('There is no valid operand definition in progress'))
|
||||
elif not 'definition_id' in request.session['working_predicate']['working_operand'] \
|
||||
or not 'definition_name' in request.session['working_predicate']['working_operand']:
|
||||
elif not 'definition_name' in request.session['working_predicate']['working_operand']:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Missing definition of the working operand'))
|
||||
elif not 'values_selected' in request.session['working_predicate']['working_operand'] \
|
||||
|
@ -690,6 +684,8 @@ def add_abac_permission(request):
|
|||
else:
|
||||
if 'rule' in request.session:
|
||||
request.session.pop('rule')
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('The logical expression is well-formed'))
|
||||
request.session['rule'] = request.POST['rule_string']
|
||||
return return_add_abac_permission_form(request)
|
||||
|
||||
|
@ -757,10 +753,10 @@ def add_abac_permission(request):
|
|||
request.session.pop('predicates')
|
||||
if 'rule' in request.session:
|
||||
request.session.pop('rule')
|
||||
message += str(p)
|
||||
messages.add_message(request, messages.INFO,
|
||||
message)
|
||||
policy = get_policy_from_session(request)
|
||||
return HttpResponseRedirect('mod_policy?id=' + str(policy.id))
|
||||
return HttpResponseRedirect('add_permission_any')
|
||||
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown action'))
|
||||
|
@ -777,7 +773,7 @@ def check_data_and_create_permission(request, who, what, how):
|
|||
rule = AbacRule()
|
||||
rule.save()
|
||||
except:
|
||||
raise Exception('unable to initalize rule')
|
||||
raise Exception('Unable to initialize rule')
|
||||
p_ids1 = {}
|
||||
p_ids2 = {}
|
||||
p_id = 1
|
||||
|
@ -786,34 +782,40 @@ def check_data_and_create_permission(request, who, what, how):
|
|||
raise Exception('Missing type of predicate %s' %str(p_id))
|
||||
pred = None
|
||||
if predicate['type'] == PREDICATE_REQUIRED:
|
||||
if not 'definition_name' in predicate \
|
||||
or not 'definition_id' in predicate:
|
||||
raise Exception('Missing definition of predicate %s' %str(p_id))
|
||||
if not 'definition_name' in predicate:
|
||||
raise Exception('Missing definition of predicate %s' \
|
||||
% str(p_id))
|
||||
if not 'sources_selected' in predicate:
|
||||
raise Exception('Missing sources for predicate %s' %str(p_id))
|
||||
d = get_attribute_definition_by_name(predicate['definition_name'])
|
||||
if not d:
|
||||
raise Exception('Definition unknown for predicate %s' %str(p_id))
|
||||
raise Exception('Missing sources for predicate %s' \
|
||||
% str(p_id))
|
||||
ad = None
|
||||
try:
|
||||
ad = AssertionDefinition(attribute_definition=d)
|
||||
ad = AssertionDefinition(\
|
||||
definition=predicate['definition_name'])
|
||||
ad.save()
|
||||
except:
|
||||
raise Exception('Unable to create assertion for predicate %s' %str(p_id))
|
||||
raise Exception(\
|
||||
'Unable to create assertion for predicate %s' \
|
||||
% str(p_id))
|
||||
for s_id, s_name in predicate['sources_selected']:
|
||||
ss = None
|
||||
source = None
|
||||
try:
|
||||
ss = Source.objects.get(id=s_id)
|
||||
source = AttributeSource.objects.get(id=s_id)
|
||||
except:
|
||||
raise Exception('Unable to find source (%s, %s) for predicate %s' % (s_id, s_name, str(p_id)))
|
||||
raise Exception(\
|
||||
'Unable to find source (%s, %s) for predicate %s' \
|
||||
% (s_id, s_name, str(p_id)))
|
||||
try:
|
||||
AttachedSource(assertion=ad, source=ss).save()
|
||||
ad.add_source(source)
|
||||
except:
|
||||
raise Exception('Unable to attach source %s to predicate %s' % (ss, str(p_id)))
|
||||
raise Exception(\
|
||||
'Unable to add source %s to predicate %s' \
|
||||
% (source, str(p_id)))
|
||||
single_value = False
|
||||
if 'singlevalued' in predicate:
|
||||
single_value = True
|
||||
pred = PredicateRequired(definition=ad, rule=rule, single_value=single_value)
|
||||
pred = PredicateRequired(assertion_definition=ad,
|
||||
single_value=single_value, rule=rule)
|
||||
elif predicate['type'] == PREDICATE_ROLE:
|
||||
if not 'role' in predicate:
|
||||
raise Exception('Missing role of predicate %s' %str(p_id))
|
||||
|
@ -830,35 +832,40 @@ def check_data_and_create_permission(request, who, what, how):
|
|||
'DIFF_ALL_OP1_WITH_BOTTOM_LIMIT_OP2',
|
||||
'DIFF_ONE_OP1_WITH_UPPER_LIMIT_OP2',
|
||||
'DIFF_ONE_OP1_WITH_BOTTOM_LIMIT_OP2'):
|
||||
raise Exception('Missing suitable option for multivalues treatment')
|
||||
raise Exception(\
|
||||
'Missing suitable option for multivalues treatment')
|
||||
if 'operandone_singlevalued' in predicate \
|
||||
and 'operandtwo_singlevalued' in predicate \
|
||||
and predicate['multivalues_step_two'] != 'NO_MULTIVALUES':
|
||||
raise Exception('Unacceptable option for multivalues treatment')
|
||||
and predicate['multivalues_step_two'] \
|
||||
!= 'NO_MULTIVALUES':
|
||||
raise Exception(\
|
||||
'Unacceptable option for multivalues treatment')
|
||||
|
||||
if not 'operand1_defined' in predicate:
|
||||
raise Exception('Missing operand1 for predicate %s' %str(p_id))
|
||||
raise Exception('Missing operand1 for predicate %s' \
|
||||
% str(p_id))
|
||||
if not 'type' in predicate['operand1_defined']:
|
||||
raise Exception('Missing type of operand1 for predicate %s' %str(p_id))
|
||||
if not 'definition_name' in predicate['operand1_defined'] \
|
||||
or not 'definition_id' in predicate['operand1_defined']:
|
||||
raise Exception('Missing definition of operand1 of predicate %s' %str(p_id))
|
||||
raise Exception('Missing type of operand1 for predicate \
|
||||
%s' % str(p_id))
|
||||
if not 'definition_name' in predicate['operand1_defined']:
|
||||
raise Exception('Missing definition of operand1 of \
|
||||
predicate %s' %str(p_id))
|
||||
if not 'operand2_defined' in predicate:
|
||||
raise Exception('Missing operand2 for predicate %s' %str(p_id))
|
||||
raise Exception('Missing operand2 for predicate %s' \
|
||||
% str(p_id))
|
||||
if not 'type' in predicate['operand2_defined']:
|
||||
raise Exception('Missing type of operand2 for predicate %s' %str(p_id))
|
||||
if not 'definition_name' in predicate['operand2_defined'] \
|
||||
or not 'definition_id' in predicate['operand2_defined']:
|
||||
raise Exception('Missing definition of operand2 of predicate %s' %str(p_id))
|
||||
raise Exception('Missing type of operand2 for predicate \
|
||||
%s' % str(p_id))
|
||||
if not 'definition_name' in predicate['operand2_defined']:
|
||||
raise Exception('Missing definition of operand2 of \
|
||||
predicate %s' % str(p_id))
|
||||
|
||||
d1 = get_attribute_definition_by_name(predicate['operand1_defined']['definition_name'])
|
||||
if not d1:
|
||||
raise Exception('Definition unknown of operand1 of predicate %s' %str(p_id))
|
||||
d2 = get_attribute_definition_by_name(predicate['operand2_defined']['definition_name'])
|
||||
if not d2:
|
||||
raise Exception('Definition unknown of operand2 of predicate %s' %str(p_id))
|
||||
if d1.attribute_type != d2.attribute_type:
|
||||
raise Exception('Data types of the two operands of predicate %s differ' %str(p_id))
|
||||
d1 = predicate['operand1_defined']['definition_name']
|
||||
d2 = predicate['operand2_defined']['definition_name']
|
||||
if get_attribute_type_of_definition(d1) \
|
||||
!= get_attribute_type_of_definition(d2):
|
||||
raise Exception('Data types of the two operands of \
|
||||
predicate %s differ' %str(p_id))
|
||||
|
||||
a1 = handle_operand(predicate, p_id, 'operand1', d1)
|
||||
a2 = handle_operand(predicate, p_id, 'operand2', d2)
|
||||
|
@ -939,115 +946,68 @@ def check_data_and_create_permission(request, who, what, how):
|
|||
p.save()
|
||||
except Exception, err:
|
||||
raise Exception('Fail to save permission with error: %s' %err)
|
||||
logger.info('add_permission: Permission added: %s' %str(p))
|
||||
logger.info(\
|
||||
'check_data_and_create_permission: Permission added: %s' %str(p))
|
||||
|
||||
except Exception, err:
|
||||
logger.info(\
|
||||
'check_data_and_create_permission: \
|
||||
Rollback transaction because of %s.' % err)
|
||||
transaction.rollback()
|
||||
return (None, _('Failed to create permission due to %s') % str(err))
|
||||
else:
|
||||
logger.info(\
|
||||
'check_data_and_create_permission: Commit transaction.')
|
||||
transaction.commit()
|
||||
return (p, _('Successful permission creation'))
|
||||
return (p, _('Successful creation of permission'))
|
||||
|
||||
|
||||
def handle_operand(predicate, p_id, name, d):
|
||||
a = None
|
||||
if predicate[name + '_defined']['type'] == "definition":
|
||||
if not 'sources_selected' in predicate[name + '_defined']:
|
||||
raise Exception('Missing sources of %s of predicate %s' % (name, str(p_id)))
|
||||
raise Exception('Missing sources of %s of predicate %s' \
|
||||
% (name, str(p_id)))
|
||||
try:
|
||||
a = AssertionDefinition(attribute_definition=d)
|
||||
a = AssertionDefinition(definition=d)
|
||||
a.save()
|
||||
except:
|
||||
raise Exception('Unable to create assertion of %s of predicate %s' % (name, str(p_id)))
|
||||
raise Exception(\
|
||||
'Unable to create assertion of %s of predicate %s' \
|
||||
% (name, str(p_id)))
|
||||
for s_id, s_name in predicate[name + '_defined']['sources_selected']:
|
||||
ss = None
|
||||
source = None
|
||||
try:
|
||||
ss = Source.objects.get(id=s_id)
|
||||
source = AttributeSource.objects.get(id=s_id)
|
||||
except:
|
||||
raise Exception('Unable to find source (%s, %s) of %s of predicate %s' % (s_id, s_name, name, str(p_id)))
|
||||
raise Exception(\
|
||||
'Unable to find source (%s, %s) of %s of predicate %s' \
|
||||
% (s_id, s_name, name, str(p_id)))
|
||||
try:
|
||||
AttachedSource(assertion=a, source=ss).save()
|
||||
a.add_source(source)
|
||||
except:
|
||||
raise Exception('Unable to attach source %s of %s of predicate %s' % (ss, name, str(p_id)))
|
||||
raise Exception(\
|
||||
'Unable to attach source %s of %s of predicate %s' \
|
||||
% (source, name, str(p_id)))
|
||||
else:
|
||||
if not 'values_selected' in predicate[name + '_defined']:
|
||||
raise Exception('Missing values of %s of predicate %s' % (name, str(p_id)))
|
||||
try:
|
||||
data = AttributeData(definition=d)
|
||||
data.save()
|
||||
except:
|
||||
raise Exception('Unable to create data of %s of predicate %s' % (name, str(p_id)))
|
||||
raise Exception('Missing values of %s of predicate %s' \
|
||||
% (name, str(p_id)))
|
||||
for value in predicate[name + '_defined']['values_selected']:
|
||||
if d.attribute_type == ACS_XACML_DATATYPE_STRING:
|
||||
try:
|
||||
StringM(data=data, value=value).save()
|
||||
except Exception, err:
|
||||
raise Exception('Unable to set string %s i.e. %s of %s of predicate %s, err %s' % (value, d.attribute_type, name, str(p_id), str(err)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_INTEGER:
|
||||
try:
|
||||
v = int(value)
|
||||
IntegerM(data=data, value=v).save()
|
||||
except Exception, err:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s, err %s' % (value, d.attribute_type, name, str(p_id), str(err)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_DOUBLE:
|
||||
try:
|
||||
v = float(value)
|
||||
DoubleM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_BOOLEAN:
|
||||
try:
|
||||
v = False
|
||||
if value in ('True', 'true', 'Vrai', 'vrai'):
|
||||
v = True
|
||||
BooleanM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_TIME:
|
||||
try:
|
||||
v = time.strptime(value,"%h:%m:%s") #12:15:00
|
||||
TimeM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_DATE:
|
||||
try:
|
||||
v = time.strptime(value,"%d/%b/%Y") #28/01/1982
|
||||
DateM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_DATETIME:
|
||||
try:
|
||||
v = time.strptime(value,"%d/%b/%Y-%h:%m:%s") #28/01/1982-12:15:00
|
||||
DateTimeM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_RFC822NAME:
|
||||
try:
|
||||
v = None
|
||||
r = re.compile('[a-zA-Z0-9+_\-\.]+@[0-9a-zA-Z][.-0-9a-zA-Z]*.[a-zA-Z]+') # email
|
||||
if r.search(value):
|
||||
v = value
|
||||
else:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
Rfc822NameM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
elif d.attribute_type == ACS_XACML_DATATYPE_IPADDRESS:
|
||||
try:
|
||||
v = None
|
||||
r = re.compile('(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})') # x.x.x.x
|
||||
if r.search(value):
|
||||
v = value
|
||||
else:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
IpAddressM(data=data, value=v).save()
|
||||
except:
|
||||
raise Exception('Unable to convert string %s to %s of %s of predicate %s' % (value, d.attribute_type, name, str(p_id)))
|
||||
if not convert_from_string(d, value):
|
||||
raise Exception('The value %s cannot be converted into the \
|
||||
type of the definition %s for predicate %s' \
|
||||
% (value, d, str(p_id)))
|
||||
data = AttributeData(definition=d,
|
||||
values=predicate[name + '_defined']['values_selected'])
|
||||
try:
|
||||
a = AssertionData(attribute_data=data)
|
||||
a = AssertionData()
|
||||
a.save()
|
||||
a.set_attribute_data(data)
|
||||
except:
|
||||
raise Exception('Unable to create assertion of %s of predicate %s' % (name, str(p_id)))
|
||||
raise Exception(\
|
||||
'Unable to create assertion data of predicate %s' \
|
||||
% str(p_id))
|
||||
return a
|
||||
|
||||
|
||||
|
@ -1058,10 +1018,13 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
|
|||
policy = get_policy_from_session(request)
|
||||
|
||||
tpl_p['multivalues'] = []
|
||||
|
||||
if 'working_predicate' in request.session \
|
||||
and 'type' in request.session['working_predicate'] \
|
||||
and request.session['working_predicate']['type'] \
|
||||
in (XACML_COMPARISON_EQUALITY, ACS_XACML_COMPARISON):
|
||||
and (request.session['working_predicate']['type'] \
|
||||
in XACML_COMPARISON_EQUALITY \
|
||||
or request.session['working_predicate']['type'] \
|
||||
in ACS_XACML_COMPARISON):
|
||||
|
||||
if 'multivalues_step_one' in request.session['working_predicate'] \
|
||||
and request.session['working_predicate']['type'] \
|
||||
|
@ -1107,8 +1070,11 @@ def return_add_abac_permission_form(request, template_name='add_abac_permission.
|
|||
tpl_p['roles'] = \
|
||||
filter_list_in_namespace(tpl_p['roles'], policy.namespace)
|
||||
else:
|
||||
tpl_p['attribute_definitions'] = \
|
||||
AttributeDefinition.objects.filter(attribute_type=ACS_COMP_TYPE[request.session['working_predicate']['type']])
|
||||
tpl_p['attribute_definitions'] = [definition \
|
||||
for definition in get_all_attribute_definitions() \
|
||||
if get_attribute_type_of_definition(definition) \
|
||||
== ACS_COMP_TYPE[\
|
||||
request.session['working_predicate']['type']]]
|
||||
tpl_p['sources'] = get_all_sources()
|
||||
|
||||
else:
|
||||
|
@ -1199,11 +1165,9 @@ def list_abac_permissions(request):
|
|||
@check_authorized_for_abac
|
||||
def del_abac_permission(request):
|
||||
policy = get_policy_from_session(request)
|
||||
administration = Action.objects.get(name='administration')
|
||||
back = '/list_abac_permissions'
|
||||
if request.method == 'POST':
|
||||
p = None
|
||||
delegateds = []
|
||||
if 'back_url' in request.POST and request.POST['back_url']:
|
||||
back = request.POST['back_url']
|
||||
if 'Cancel' in request.POST:
|
||||
|
|
|
@ -47,6 +47,7 @@ from utils_views import get_policy_from_session, \
|
|||
get_who_from_one_post_field, \
|
||||
get_what_admin_from_one_post_field
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
login_url = settings.LOGIN_URL
|
||||
|
|
|
@ -29,6 +29,9 @@ from django.http import HttpResponseRedirect
|
|||
from django.core.exceptions import ObjectDoesNotExist, MultipleObjectsReturned
|
||||
from django.conf import settings
|
||||
|
||||
from attribute_aggregator.models import AttributeSource, UserAliasInSource
|
||||
from attribute_aggregator.core import set_user_alias_in_source
|
||||
|
||||
from core import get_alias_in_policy, \
|
||||
is_policy_user_administrator, \
|
||||
is_user_administrator, \
|
||||
|
@ -39,14 +42,13 @@ from core import get_alias_in_policy, \
|
|||
|
||||
from models import UserAlias, Namespace, Policy
|
||||
|
||||
from abac.models import Source, LdapSource
|
||||
|
||||
from decorators import prevent_access_to_not_user_administrators, \
|
||||
check_policy_in_session, \
|
||||
check_authorized_on_users_and_roles
|
||||
|
||||
from utils_views import get_policy_from_session
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
login_url = settings.LOGIN_URL
|
||||
|
@ -282,7 +284,7 @@ def list_aliases(request, pk=None):
|
|||
|
||||
sources = None
|
||||
try:
|
||||
sources = LdapSource.objects.all()
|
||||
sources = AttributeSource.objects.all()
|
||||
except Exception, err:
|
||||
logger.error('list_aliases: An error occurred looking for \
|
||||
sources: %s' % err)
|
||||
|
@ -316,20 +318,12 @@ def list_aliases(request, pk=None):
|
|||
'''
|
||||
aliases_sources = []
|
||||
for source in sources:
|
||||
if not source.get_source_instance().is_auth_backend:
|
||||
ns = None
|
||||
try:
|
||||
ns = Namespace.objects.get(name=source.name)
|
||||
except Exception, err:
|
||||
logger.error('list_aliases: An error occurred \
|
||||
looking for the namespace of %s: %s\
|
||||
sources: %s' % (source.name, err))
|
||||
else:
|
||||
try:
|
||||
u = UserAlias.objects.get(user=user, namespace=ns)
|
||||
aliases_sources.append((ns, u))
|
||||
except:
|
||||
aliases_sources.append((ns, None))
|
||||
try:
|
||||
aliases_sources.append((source,
|
||||
UserAliasInSource.objects.get(user=user,
|
||||
source=source)))
|
||||
except:
|
||||
aliases_sources.append((source, None))
|
||||
|
||||
back_url = '/list_aliases?id=%s' %pk
|
||||
tpl_parameters = {'namespaces_not_in': namespaces_not_in,
|
||||
|
@ -452,7 +446,7 @@ def set_user_in_source(request):
|
|||
'''The admin must have admin right on this user'''
|
||||
if request.method == 'POST':
|
||||
if not 'alias' in request.POST or not 'user_id' in request.POST \
|
||||
or not 'namespace_id' in request.POST:
|
||||
or not 'source_id' in request.POST:
|
||||
logger.error('set_user_in_namespace_from_home: \
|
||||
missing data from %s' %request.user)
|
||||
messages.add_message(request, messages.ERROR, _('Invalid action'))
|
||||
|
@ -467,49 +461,29 @@ def set_user_in_source(request):
|
|||
HttpResponseRedirect('/list_users_for_aliases')
|
||||
backurl = '/list_aliases?id=' + request.POST['user_id']
|
||||
|
||||
ns = None
|
||||
source = None
|
||||
try:
|
||||
ns = Namespace.objects.get(id=request.POST['namespace_id'])
|
||||
source = AttributeSource.objects.get(id=request.POST['source_id'])
|
||||
except:
|
||||
logger.error('set_user_in_source: \
|
||||
unknown namespace with id %s' %request.POST['namespace_id'])
|
||||
unknown source with id %s' %request.POST['source_id'])
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unkown namespace'))
|
||||
return HttpResponseRedirect(backurl)
|
||||
|
||||
'''Create alias'''
|
||||
try:
|
||||
a = UserAlias.objects.get(user=user, namespace=ns)
|
||||
logger.error('set_user_in_source: the user %s \
|
||||
already has the alias %s in this namespace' %(user, a))
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('The user already has the alias %s in this namespace') %a)
|
||||
return HttpResponseRedirect(backurl)
|
||||
except ObjectDoesNotExist:
|
||||
pass
|
||||
except MultipleObjectsReturned:
|
||||
logger.critical('set_user_in_source: \
|
||||
the user has mulitple aliases in this namespace')
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('The user already has multiple aliases in this namespace'))
|
||||
return HttpResponseRedirect(backurl)
|
||||
|
||||
if not 'alias' in request.POST or not request.POST['alias']:
|
||||
alias = user.username
|
||||
name = user.username
|
||||
else:
|
||||
alias = request.POST['alias']
|
||||
|
||||
ua = None
|
||||
try:
|
||||
ua = UserAlias(alias=alias, user=user, namespace=ns)
|
||||
ua.save()
|
||||
except:
|
||||
name = request.POST['alias']
|
||||
ua = set_user_alias_in_source(user, source, name, force_change=True)
|
||||
if not ua:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unable to add %s for %s in %s') %(alias, user, ns))
|
||||
_('Unable to add %s for %s in %s') %(name, user, source))
|
||||
return HttpResponseRedirect(backurl)
|
||||
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('User %s added in %s') %(ua, ns))
|
||||
_('User %s added in %s') %(ua, source))
|
||||
return HttpResponseRedirect(backurl)
|
||||
|
||||
messages.add_message(request, messages.ERROR, _('Unknown action'))
|
||||
|
|
58
acs/core.py
58
acs/core.py
|
@ -28,7 +28,7 @@ from django.db import transaction
|
|||
|
||||
from models import UserAlias, Role, AcsObject, View, Action, Activity, \
|
||||
Namespace, AcsPermission, AcsAbacPermission, Policy
|
||||
from signals import attributes_call
|
||||
#from signals import attributes_call
|
||||
|
||||
from abac.models import *
|
||||
|
||||
|
@ -733,12 +733,14 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
Attribute loading in profile object
|
||||
'''
|
||||
|
||||
from abac.core import load_profile_by_dic, load_or_create_user_profile
|
||||
# from abac.core import load_profile_by_dic, load_or_create_user_profile
|
||||
from attribute_aggregator.core import load_or_create_user_profile
|
||||
|
||||
if who.user:
|
||||
profile = load_or_create_user_profile(user=who.user)
|
||||
else:
|
||||
profile = load_or_create_user_profile(user=None)
|
||||
# profile = load_or_create_user_profile(user=None)
|
||||
profile = load_or_create_user_profile()
|
||||
if not profile:
|
||||
logger.critical('is_authorized_by_names_with_abac: \
|
||||
Error to create or load profile for %s' % who)
|
||||
|
@ -747,7 +749,11 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
% profile)
|
||||
|
||||
if attributes:
|
||||
load_profile_by_dic(profile, attributes)
|
||||
logger.debug('is_authorized_by_names_with_abac: \
|
||||
load attributes %s in parameters' \
|
||||
% attributes)
|
||||
# load_profile_by_dic(profile, attributes)
|
||||
profile.load_by_dic(attributes)
|
||||
|
||||
'''
|
||||
The requester is who, that means that the user is logged on
|
||||
|
@ -762,23 +768,36 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
if (not requestor and not who) \
|
||||
or (requestor and who and requestor == who):
|
||||
if request and getattr(request, 'session', None) and 'attributes' in request.session:
|
||||
load_profile_by_dic(profile, request.session['attributes'])
|
||||
# load_profile_by_dic(profile, request.session['attributes'])
|
||||
logger.debug('is_authorized_by_names_with_abac: \
|
||||
load attributes %s in parameters' \
|
||||
% request.session['attributes'])
|
||||
profile.load_by_dic(request.session['attributes'])
|
||||
|
||||
if who and not no_attribute_signal:
|
||||
if not who.user:
|
||||
attributes_provided = attributes_call.send(sender=None,
|
||||
request=request, user=who)
|
||||
else:
|
||||
attributes_provided = attributes_call.send(sender=None,
|
||||
request=request, user=who.user)
|
||||
logger.info('is_authorized_by_names_with_abac: signal attributes_call sent')
|
||||
# if who and not no_attribute_signal:
|
||||
# if not who.user:
|
||||
# attributes_provided = attributes_call.send(sender=None,
|
||||
# request=request, user=who)
|
||||
# else:
|
||||
# attributes_provided = attributes_call.send(sender=None,
|
||||
# request=request, user=who.user)
|
||||
# logger.info('is_authorized_by_names_with_abac: signal attributes_call sent')
|
||||
|
||||
# attributes = {}
|
||||
# for attrs in attributes_provided:
|
||||
# logger.info('is_authorized_by_names_with_abac: attributes_call connected to function %s' % \
|
||||
# attrs[0].__name__)
|
||||
# logger.info('is_authorized_by_names_with_abac: attributes provided are %s' %str(attrs[1]))
|
||||
# load_profile_by_dic(profile, attrs[1])
|
||||
|
||||
'''
|
||||
Attribute profile filled by the signal only works with a User instance
|
||||
'''
|
||||
if who.user and not no_attribute_signal:
|
||||
logger.debug('is_authorized_by_names_with_abac: \
|
||||
load attributes in bulk for %s' % who.user)
|
||||
profile.load_greedy()
|
||||
|
||||
attributes = {}
|
||||
for attrs in attributes_provided:
|
||||
logger.info('is_authorized_by_names_with_abac: attributes_call connected to function %s' % \
|
||||
attrs[0].__name__)
|
||||
logger.info('is_authorized_by_names_with_abac: attributes provided are %s' %str(attrs[1]))
|
||||
load_profile_by_dic(profile, attrs[1])
|
||||
|
||||
logger.debug('is_authorized_by_names_with_abac: The profile is %s' % profile)
|
||||
|
||||
|
@ -890,6 +909,7 @@ def is_authorized_by_names_with_abac(requestor_name, who_name, what_name,
|
|||
content_type_how__pk=t_how.id,
|
||||
object_id_how=how.id))
|
||||
|
||||
|
||||
if not permissions:
|
||||
logger.debug('is_authorized_by_names_with_abac: Access denied - no permission found')
|
||||
return (False, None, 0)
|
||||
|
|
|
@ -30,6 +30,8 @@ from django.utils.translation import ugettext as _
|
|||
from django.template import RequestContext
|
||||
from django.contrib.contenttypes.models import ContentType
|
||||
|
||||
from attribute_aggregator.models import AttributeSource, UserAliasInSource
|
||||
|
||||
from core import isAuthorizedRBAC2, \
|
||||
set_default_alias, is_user_administrator, \
|
||||
is_policy_root_administrator, is_policy_user_administrator, \
|
||||
|
@ -44,12 +46,13 @@ from utils_views import get_policy_from_session
|
|||
from models import UserAlias, Role, AcsObject, View, Action, Activity, \
|
||||
Namespace, AcsPermission, Policy, AcsAbacPermission
|
||||
|
||||
from abac.models import Source, PredicateRequired, PredicateComparison
|
||||
from abac.models import PredicateRequired, PredicateComparison
|
||||
|
||||
from acs.abac.core import remove_rule
|
||||
|
||||
from decorators import prevent_access_to_normal_users
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
login_url = settings.LOGIN_URL
|
||||
|
@ -158,6 +161,23 @@ def del_any(request):
|
|||
ContentType.objects.get_for_model(administration).id,
|
||||
object_id_how=administration.id))
|
||||
|
||||
elif type_entity == 'alias_in_source':
|
||||
try:
|
||||
item = UserAliasInSource.objects.get(id=pk)
|
||||
except:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unable to find the object'))
|
||||
return list_aliases(request)
|
||||
'''Check authorization to delete this item'''
|
||||
back_url = root_url
|
||||
if 'back_url' in request.POST:
|
||||
back_url = request.POST['back_url']
|
||||
if not is_user_administrator(request.user):
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('You are not authorized to delete the user alias %s') %item)
|
||||
return HttpResponseRedirect(back_url)
|
||||
|
||||
|
||||
elif type_entity == 'role':
|
||||
if not policy:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
|
@ -400,49 +420,30 @@ def del_any(request):
|
|||
_('You are not authorized to delete a source of attributes'))
|
||||
return list_any(request, type_entity)
|
||||
try:
|
||||
item = Source.objects.get(id=pk)
|
||||
item = AttributeSource.objects.get(id=pk)
|
||||
except:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unable to find the source'))
|
||||
return list_any(request, type_entity)
|
||||
'''
|
||||
Grab all ABAC permissions that have a predicate with that
|
||||
source
|
||||
source.
|
||||
|
||||
Not for now. Need a fine-grained deletion, for instance
|
||||
some premission should not deleted if it based on a list of
|
||||
source. Only the source in the list should be deleted, not the
|
||||
permission.
|
||||
|
||||
TODO: A better solution should be in the deletion interface of
|
||||
permissions so look for permission containing a specified
|
||||
element, then to delete all the objects selected.
|
||||
'''
|
||||
ats = item.attachedsource_set.all()
|
||||
preds_req = []
|
||||
for at in ats:
|
||||
tmp = \
|
||||
PredicateRequired.objects.filter(definition=at.assertion)
|
||||
for t in tmp:
|
||||
if t not in preds_req:
|
||||
preds_req.append(t)
|
||||
preds_cmp = []
|
||||
for at in ats:
|
||||
tmp = \
|
||||
PredicateComparison.objects.filter(operand1=at.assertion)
|
||||
for t in tmp:
|
||||
if t not in preds_cmp:
|
||||
preds_cmp.append(t)
|
||||
tmp = \
|
||||
PredicateComparison.objects.filter(operand2=at.assertion)
|
||||
for t in tmp:
|
||||
if t not in preds_cmp:
|
||||
preds_cmp.append(t)
|
||||
p = []
|
||||
for it in preds_req:
|
||||
tmp = AcsAbacPermission.objects.filter(rule=it.rule)
|
||||
for t in tmp:
|
||||
if t not in p:
|
||||
p.append(t)
|
||||
for it in preds_cmp:
|
||||
tmp = AcsAbacPermission.objects.filter(rule=it.rule)
|
||||
for t in tmp:
|
||||
if t not in p:
|
||||
p.append(t)
|
||||
|
||||
'''
|
||||
Here we should remove assertionData of profile on such a
|
||||
source
|
||||
source.
|
||||
|
||||
TODO: No. Implement a cleaning interface for profiles.
|
||||
'''
|
||||
|
||||
else:
|
||||
|
@ -501,6 +502,10 @@ def del_any(request):
|
|||
for it in p_admin:
|
||||
collateral_damages.append(it)
|
||||
|
||||
'''
|
||||
TODO: We should ask also ask if the user only wants to delete the
|
||||
item and not the permissions.
|
||||
'''
|
||||
if not 'consent' in request.POST:
|
||||
tpl_parameters = {'item': item,
|
||||
'type_entity': type_entity,
|
||||
|
|
|
@ -26,7 +26,8 @@ from registration.forms import RegistrationForm
|
|||
|
||||
from models import Action, Activity, AcsObject, Role, View, Namespace
|
||||
|
||||
from abac.models import Source, LdapSource
|
||||
from attribute_aggregator.models import AttributeSource, LdapSource
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
|
@ -375,7 +376,7 @@ class AddSourceForm(forms.ModelForm):
|
|||
numbers and @/./+/-/_ characters.")})
|
||||
|
||||
class Meta:
|
||||
model = Source
|
||||
model = AttributeSource
|
||||
fields = ("name",)
|
||||
|
||||
def save(self, commit=True):
|
||||
|
|
|
@ -53,7 +53,8 @@ from decorators import prevent_access_to_not_root_administrators
|
|||
|
||||
from models import Policy
|
||||
|
||||
from abac.models import Source
|
||||
from attribute_aggregator.models import AttributeSource
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
|
@ -163,10 +164,10 @@ def index(request):
|
|||
'list_users': "Modify or delete a user",
|
||||
'add_abac_source': "Add a generic source of attributes",
|
||||
'add_abac_ldap_source': "Add a LDAP source of attributes"}
|
||||
sources = Source.objects.all()
|
||||
sources = AttributeSource.objects.all()
|
||||
if sources:
|
||||
list_power_services['Generic user management']\
|
||||
['list_abac_sources'] = 'Modify a source of attributes'
|
||||
['list_abac_sources'] = 'Modify or delete a source of attributes'
|
||||
if policies or sources:
|
||||
list_user_mgmt_services['list_users_for_aliases'] = \
|
||||
'Manage user aliases or \
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
'''
|
||||
|
||||
|
||||
from django.db import models
|
||||
from django.contrib.auth.models import User
|
||||
from django.utils.translation import ugettext as _
|
||||
|
@ -26,6 +27,7 @@ from django.contrib.contenttypes import generic
|
|||
|
||||
from abac.models import AbacRule
|
||||
|
||||
|
||||
class Namespace(models.Model):
|
||||
'''Namespace
|
||||
Allow objects of same name
|
||||
|
@ -174,9 +176,12 @@ class View(models.Model):
|
|||
|
||||
|
||||
class AcsPermission(models.Model):
|
||||
content_type_who = models.ForeignKey(ContentType, related_name = "who_rbac")
|
||||
content_type_what = models.ForeignKey(ContentType, related_name = "what_rbac")
|
||||
content_type_how = models.ForeignKey(ContentType, related_name = "how_rbac")
|
||||
content_type_who = models.ForeignKey(ContentType,
|
||||
related_name = "who_rbac")
|
||||
content_type_what = models.ForeignKey(ContentType,
|
||||
related_name = "what_rbac")
|
||||
content_type_how = models.ForeignKey(ContentType,
|
||||
related_name = "how_rbac")
|
||||
object_id_who = models.PositiveIntegerField()
|
||||
object_id_what = models.PositiveIntegerField()
|
||||
object_id_how = models.PositiveIntegerField()
|
||||
|
@ -189,8 +194,8 @@ class AcsPermission(models.Model):
|
|||
'''
|
||||
If set it means that the permission is obtained by delegation
|
||||
'''
|
||||
permission_source = models.ForeignKey('AcsPermission', blank=True, null=True,
|
||||
related_name = 'source_permission')
|
||||
permission_source = models.ForeignKey('AcsPermission',
|
||||
blank=True, null=True, related_name = 'source_permission')
|
||||
'''
|
||||
Means that a permission can be delegated
|
||||
Also that a permission delegated can be delegated
|
||||
|
@ -260,9 +265,10 @@ class AcsAbacPermission(models.Model):
|
|||
Who is only a User
|
||||
|
||||
When a request is treated:
|
||||
If who is a role. If there is a matching RBAC rule, the decision is True.
|
||||
If there is an ABAC rule set on anybody with a unique predicate role on
|
||||
that role, the decission is True.
|
||||
If who is a role. If there is a matching RBAC rule, the decision is
|
||||
True.
|
||||
If there is an ABAC rule set on anybody with a unique predicate role
|
||||
on that role, the decission is True.
|
||||
Else a new rule is returned made of permissions set on anybody.
|
||||
|
||||
Axiom:
|
||||
|
@ -276,9 +282,12 @@ class AcsAbacPermission(models.Model):
|
|||
|
||||
Should depreciate AcsPermission and RBAC only processing.
|
||||
'''
|
||||
who = models.ForeignKey(UserAlias, related_name = "who_abac", blank=True, null=True)
|
||||
content_type_what = models.ForeignKey(ContentType, related_name = "what_abac")
|
||||
content_type_how = models.ForeignKey(ContentType, related_name = "how_abac")
|
||||
who = models.ForeignKey(UserAlias, related_name = "who_abac",
|
||||
blank=True, null=True)
|
||||
content_type_what = models.ForeignKey(ContentType,
|
||||
related_name = "what_abac")
|
||||
content_type_how = models.ForeignKey(ContentType,
|
||||
related_name = "how_abac")
|
||||
object_id_what = models.PositiveIntegerField()
|
||||
object_id_how = models.PositiveIntegerField()
|
||||
what = generic.GenericForeignKey(ct_field='content_type_what',
|
||||
|
@ -311,7 +320,6 @@ class AcsAbacPermission(models.Model):
|
|||
|
||||
def save(self, *args, **kwargs):
|
||||
p = None
|
||||
t_who = None
|
||||
t_what = ContentType.objects.get_for_model(self.what)
|
||||
t_how = ContentType.objects.get_for_model(self.how)
|
||||
'''We check here the unicity, not redundant with unique_together'''
|
||||
|
|
|
@ -71,9 +71,9 @@
|
|||
|
||||
<form method="post" action="">
|
||||
<p>{% trans "Choose an attribute definition:" %}
|
||||
<select name="attribute_definition_id" id="attribute_definition">
|
||||
<select name="attribute_definition" id="attribute_definition">
|
||||
{% for attr_definition in attribute_definitions %}
|
||||
<option value="{{ attr_definition.id }}">{{ attr_definition.attribute_name }}</option>
|
||||
<option value="{{ attr_definition }}">{{ attr_definition }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
</p>
|
||||
|
@ -182,12 +182,12 @@
|
|||
{% if working_predicate.operand1_defined.type == "definition" %}
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in working_predicate.operand1_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
{% trans "of values" %}(
|
||||
{% for value in working_predicate.operand1_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
@ -197,12 +197,12 @@
|
|||
<p>{% trans "Operand two is attribute" %} <strong>{{ working_predicate.operand2_defined.definition_name }}</strong>
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in working_predicate.operand2_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with values" %}(
|
||||
{% for value in working_predicate.operand2_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
@ -231,9 +231,9 @@
|
|||
<p>{% trans "Choose an attribute as operand two of the comparison:" %}
|
||||
{% endif %}
|
||||
<form method="post" action="">
|
||||
<select name="attribute_definition_id" id="attribute_definition">
|
||||
<select name="attribute_definition" id="attribute_definition">
|
||||
{% for attr_definition in attribute_definitions %}
|
||||
<option value="{{ attr_definition.id }}">{{ attr_definition.attribute_name }}</option>
|
||||
<option value="{{ attr_definition }}">{{ attr_definition }}</option>
|
||||
{% endfor %}
|
||||
</select>
|
||||
<input type="submit" name="select_attribute_definition_operand" value="{% trans "Ok" %}"/>
|
||||
|
@ -369,7 +369,7 @@
|
|||
{% if predicate.singlevalued %}{% trans "The attribute must be single-valued." %}{% endif %}
|
||||
{% trans "It is expected from" %}(
|
||||
{% for s_id, s_name in predicate.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})
|
||||
{% else %}
|
||||
|
||||
|
@ -403,24 +403,24 @@
|
|||
{% if predicate.operand1_defined.type == "definition" %}
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in predicate.operand1_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
{% trans "of values" %}(
|
||||
{% for value in predicate.operand1_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% if predicate.operand2_defined.type == "definition" %}
|
||||
<p>{% trans "Operand two is attribute" %} <strong>{{ predicate.operand2_defined.definition_name }}</strong>
|
||||
{% trans " from" %}(
|
||||
{% for s_id, s_name in predicate.operand2_defined.sources_selected %}
|
||||
<strong>{{ s_name }}</strong>,
|
||||
<strong>{{ s_name }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% else %}
|
||||
<p>{% trans "Compared with values" %}(
|
||||
{% for value in predicate.operand2_defined.values_selected %}
|
||||
<strong>{{ value }}</strong>,
|
||||
<strong>{{ value }}</strong>,
|
||||
{% endfor %})<p/>
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
@ -529,7 +529,7 @@
|
|||
</div>
|
||||
|
||||
<div class="right">
|
||||
<a class="back" href="/">{% trans "Back" %}</a>
|
||||
<a class="back" href="{{ backlink }}">{% trans "Back" %}</a>
|
||||
</div>
|
||||
|
||||
{% endblock %}
|
||||
|
|
|
@ -67,22 +67,22 @@
|
|||
{% if aliases_sources %}
|
||||
<h3>{% trans "Manage aliases in sources" %}</h3>
|
||||
<ul>
|
||||
{% for ns, alias in aliases_sources %}
|
||||
{% for source, alias in aliases_sources %}
|
||||
<li>
|
||||
<p>{% trans "In " %}<strong>{{ ns.name }}</strong></p>
|
||||
<p>{% trans "In " %}<strong>{{ source.name }}</strong></p>
|
||||
{% if alias %}
|
||||
<form method="post" action="/del_any">
|
||||
<input type="hidden" name="type_entity" value="{{ type_entity }}"/>
|
||||
<input type="hidden" name="type_entity" value="alias_in_source"/>
|
||||
<input type="hidden" name="id" value="{{ alias.id }}"/>
|
||||
{% if back_url %}<input type="hidden" name="back_url" value="{{ back_url }}"/>{% endif %}
|
||||
<input type="submit" name="Delete" value="{% trans "Delete" %} {{ alias.alias }}"/>
|
||||
<input type="submit" name="Delete" value="{% trans "Delete" %} {{ alias.name }}"/>
|
||||
</form>
|
||||
{% else %}
|
||||
<p>
|
||||
<form method="post" action="/set_user_in_source">
|
||||
<p><label for="id_name">{% trans "The user is known as (provide DN if LDAP):" %}</label><input id="id_alias" type="text" name="alias" maxlength="100" value="{{ user.username }}"/> If not given, the username will be taken.</p>
|
||||
<input type="hidden" name="user_id" value="{{ user.id }}"/>
|
||||
<input type="hidden" name="namespace_id" value="{{ ns.id }}"/>
|
||||
<input type="hidden" name="source_id" value="{{ source.id }}"/>
|
||||
<input type="submit" name="{{ submit_name }}" value="{% trans "Add" %}"/>
|
||||
</form></p>
|
||||
{% endif %}
|
||||
|
|
|
@ -39,7 +39,7 @@ An ABAC permission is not delegable. And this even if you can define ABAC permis
|
|||
|
||||
|
||||
<div class="right">
|
||||
<a class="back" href="/">{% trans "Back" %}</a>
|
||||
<a class="back" href="{{ backlink }}">{% trans "Back" %}</a>
|
||||
</div>
|
||||
|
||||
{% endblock %}
|
||||
|
|
20
acs/views.py
20
acs/views.py
|
@ -30,6 +30,8 @@ from django.contrib.auth.decorators import login_required
|
|||
from django.http import HttpResponseRedirect
|
||||
from django.conf import settings
|
||||
|
||||
from attribute_aggregator.models import AttributeSource
|
||||
|
||||
from forms import AddRoleForm, AddObjectForm, AddViewForm, AddActionForm, \
|
||||
AddActivityForm, RoleChangeForm, \
|
||||
ViewChangeForm, ActivityChangeForm, \
|
||||
|
@ -55,8 +57,6 @@ from core import is_policy_action_creator, is_policy_object_creator, \
|
|||
from models import UserAlias, Role, AcsObject, View, Action, Activity, \
|
||||
AcsPermission, Namespace
|
||||
|
||||
from abac.models import Source
|
||||
|
||||
from decorators import prevent_access_to_normal_users,\
|
||||
check_policy_in_session, \
|
||||
prevent_access_to_not_user_administrators, \
|
||||
|
@ -72,6 +72,7 @@ from utils_views import get_policy_from_session, \
|
|||
|
||||
from build_policy_display import draw_graph
|
||||
|
||||
|
||||
logger = logging.getLogger('acs')
|
||||
|
||||
login_url = settings.LOGIN_URL
|
||||
|
@ -134,9 +135,9 @@ def add_abac_ldap_source(request):
|
|||
@csrf_exempt
|
||||
@prevent_access_to_not_user_administrators
|
||||
def list_abac_sources(request):
|
||||
title = _('Modify or delete an ABAC source')
|
||||
title = _('Modify or delete an attribute source')
|
||||
type_entity = 'source'
|
||||
objects = Source.objects.all()
|
||||
objects = AttributeSource.objects.all()
|
||||
return return_list_any(request, objects, title, type_entity,
|
||||
backlink=root_url, back_url='list_abac_sources')
|
||||
|
||||
|
@ -149,7 +150,7 @@ def mod_source(request):
|
|||
if request.method == 'GET':
|
||||
if 'source' in request.GET and request.GET['source']:
|
||||
try:
|
||||
source = Source.objects.get(id=request.GET['source'])
|
||||
source = AttributeSource.objects.get(id=request.GET['source'])
|
||||
except:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown source'))
|
||||
|
@ -172,7 +173,7 @@ def mod_source(request):
|
|||
return HttpResponseRedirect('/list_abac_sources')
|
||||
if 'id' in request.POST and request.POST['id']:
|
||||
try:
|
||||
source = Source.objects.get(id=request.POST['id'])
|
||||
source = AttributeSource.objects.get(id=request.POST['id'])
|
||||
except:
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Unknown source'))
|
||||
|
@ -1295,15 +1296,16 @@ def add_permission(request):
|
|||
return return_add_permission_form(request)
|
||||
try:
|
||||
p.save()
|
||||
logger.info('add_permission: Permission added: %s' % str(p))
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Permission %s added') % str(p))
|
||||
return HttpResponseRedirect('add_permission_any')
|
||||
except Exception, err:
|
||||
logger.error('add_permission: \
|
||||
Fail to save permission with error: %s' %err)
|
||||
messages.add_message(request, messages.ERROR,
|
||||
_('Fail to save permission with error: %s') %err)
|
||||
return HttpResponseRedirect('mod_policy?id=' + str(policy.id))
|
||||
logger.info('add_permission: Permission added: %s' %str(p))
|
||||
messages.add_message(request, messages.INFO,
|
||||
_('Permission added'))
|
||||
|
||||
return return_add_permission_form(request)
|
||||
|
||||
|
|
Reference in New Issue