[abac] Treatment of predicates PredicateRole

acs/abac/core.py

@@ -27,6 +27,8 @@ from acs.abac.models import *
 
 from acs.xacml.constants import *
 
+from acs.core import get_alias_in_policy_from_namespace, \
+    stack_of_roles_from_user
 
 logger = logging.getLogger('abac')
 
@@ -51,6 +53,9 @@ def check_predicate(predicate, profile):
     if isinstance(predicate, PredicateComparison):
         logger.debug("check_predicate: PredicateComparison %s" % predicate)
         return check_predicate_comparison(predicate, profile)
+    if isinstance(predicate, PredicateRole):
+        logger.debug("check_predicate: PredicateRole %s" % predicate)
+        return check_predicate_role(predicate, profile)
     return False
 
 
@@ -493,6 +498,33 @@ def check_predicate_required(predicate, profile):
     return False
 
 
+def check_predicate_role(predicate, profile):
+    '''
+        Check that the user has the role or a senior role.
+        The user must be in the profile.
+    '''
+    if not predicate or not profile \
+            or not isinstance(predicate, PredicateRole) \
+            or not predicate.role \
+            or not profile.user:
+        return False
+    alias = get_alias_in_policy_from_namespace(profile.user, predicate.role.namespace)
+    if not alias:
+        logger.debug("check_predicate_role: no alias found for user: %s \
+            in namespace %s" % (profile.user, predicate.role.namespace))
+        return False
+    logger.debug("check_predicate_role: check if user %s has role %s" \
+        % (alias, predicate.role))
+    stack = stack_of_roles_from_user(alias)
+    logger.debug("check_predicate_role: roles of the user: %s" \
+        % stack)
+    if predicate.role in stack:
+        logger.debug("check_predicate_role: success")
+        return True
+    logger.debug("check_predicate_role: failure")
+    return False
+
+
 def check_predicates(rule, profile):
     '''
         Parse rule and list predicates