def make_resources(self) -> List[Resource]:
    """Build one ``Resource`` per id held in ``self.res``.

    ``self.res`` is either a single resource id (``str``) or an iterable of ids.
    Every id becomes a ``Resource`` of ``self.resource_type`` under
    ``settings.APP_ID`` whose attributes come from ``self._make_attribute``.
    """
    ids = [self.res] if isinstance(self.res, str) else self.res
    return [
        Resource(settings.APP_ID, self.resource_type, rid, self._make_attribute(rid))
        for rid in ids
    ]
def resource_inst_multi_actions_allowed(self, username, actions_ids, resource_id):
    """Ask IAM which of *actions_ids* *username* may perform on one instance.

    The instance is ``resource_id`` of ``self.resource_type_id`` under
    ``settings.APP_ID``; its attribute dict is sent empty.
    Returns the result of ``self.iam.resource_multi_actions_allowed``.
    """
    subject = Subject("user", username)
    target = Resource(settings.APP_ID, self.resource_type_id, resource_id, {})
    action_list = list(map(Action, actions_ids))
    request = MultiActionRequest(settings.APP_ID, subject, action_list, [target], None)
    return self.iam.resource_multi_actions_allowed(request)
def allowed_do_resource_inst(self, username, action_id, resource_type, resource_id, attribute=None):
    """Check whether *username* may perform *action_id* on one resource instance.

    :param attribute: optional resource attributes; ``None`` or any other
        falsy value is sent as an empty dict.
    :return: result of ``self.iam.is_allowed`` for the request built by
        ``self._make_request_with_resources``.
    """
    if not attribute:
        attribute = {}
    target = Resource(settings.APP_ID, resource_type, resource_id, attribute)
    req = self._make_request_with_resources(username, action_id, resources=[target])
    return self.iam.is_allowed(req)
def make_resources(self, res_ids: Union[List[str], str]) -> List[Resource]:
    """Build one ``Resource`` per id under ``settings.BK_IAM_SYSTEM_ID``.

    :param res_ids: a single resource id or a list of resource ids. A bare
        ``str`` or ``int`` is wrapped into a one-element list, and every id is
        converted to ``str`` before it is used as the resource id and passed
        to ``self._make_attribute``.
    """
    if isinstance(res_ids, (str, int)):
        res_ids = [res_ids]
    return [
        Resource(settings.BK_IAM_SYSTEM_ID, self.resource_type, rid, self._make_attribute(rid))
        for rid in map(str, res_ids)
    ]
def get_resources(self, bundle):
    """Return the single ``Resource`` that ``bundle.obj`` represents.

    The attribute dict carries ``iam_resource_owner`` (read from
    ``self.creator_field``) and ``name`` (read from ``self.name_field``) only
    when the corresponding field name is set; the resource id is the
    stringified value of ``self.id_field`` on the object.
    """
    obj = bundle.obj
    attrs = {}
    for key, field_name in (("iam_resource_owner", self.creator_field), ("name", self.name_field)):
        if field_name:
            attrs[key] = getattr(obj, field_name)
    return [Resource(SYSTEM_ID, self.type, str(getattr(obj, self.id_field)), attrs)]
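def batch_resource_multi_actions_allowed(self, username, actions_ids, resource_ids):
    """Check several actions against each resource instance in one IAM call.

    :param username: subject user name.
    :param actions_ids: iterable of action ids to check.
    :param resource_ids: iterable of instance ids of ``self.resource_type_id``;
        an empty iterable yields an empty batch.
    :return: result of ``self.iam.batch_resource_multi_actions_allowed``.
    """
    actions = [Action(action_id) for action_id in actions_ids]
    # The request itself carries no resources; each instance is supplied as its
    # own one-element list in the batch argument, attributes left empty.
    request = MultiActionRequest(settings.APP_ID, Subject("user", username), actions, [], None)
    resources = [
        [Resource(settings.APP_ID, self.resource_type_id, resource_id, {})]
        for resource_id in resource_ids
    ]
    return self.iam.batch_resource_multi_actions_allowed(request, resources)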
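def is_allow(request):
    """Answer whether the calling user may perform one action on some resources.

    The body is a JSON object with ``action`` (action id) and an optional
    ``resources`` list whose items carry ``system``, ``type``, ``id`` and
    ``attributes``. The subject is always the authenticated caller
    (``request.user.username``) rather than a name taken from the body, so the
    endpoint only ever answers about the caller's own permission.

    :return: ``standard_response`` with ``{"is_allow": bool}`` on success, or a
        failure response carrying the error text when the body is malformed or
        the IAM backend rejects the request.
    """
    try:
        data = json.loads(request.body)
        action_id = data["action"]
        resources = data.get("resources", [])
        resource = [
            Resource(r["system"], r["type"], str(r["id"]), r["attributes"])
            for r in resources
        ]
    except (ValueError, KeyError, TypeError, AttributeError) as e:
        # The body is client-supplied: bad JSON, a missing key or a wrong shape
        # is a client error and is reported like an IAM error, not raised.
        return standard_response(False, "invalid request body: {}".format(e))
    subject = Subject("user", request.user.username)
    action = Action(action_id)
    iam = get_iam_client()
    try:
        is_allow = iam.is_allowed(Request(conf.SYSTEM_ID, subject, action, resource, None))
    except (AuthInvalidRequest, AuthAPIError) as e:
        return standard_response(False, str(e))
    return standard_response(True, "success", {"is_allow": is_allow})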
def test_gen_perms_apply_data():
    """gen_perms_apply_data groups resources per action, system and type,
    resolves display names through the patched meta lookups, and expands a
    ``_bk_iam_path_`` attribute into its ancestor instances."""
    system = "test_system"
    subject = Subject("user", "admin")
    action1, action2, action3, action4 = (Action("action%d" % i) for i in range(1, 5))
    resource1 = Resource("test_system", "r1", "r1id", {"name": "r1n"})
    resource2 = Resource("test_system", "r2", "r2id", None)
    resource3 = Resource("test_system", "r3", "r3id", {})
    resource4 = Resource("another_system", "r4", "r4id", {"name": "r4n"})
    resource5 = Resource("another_system", "r4", "r5id", {"name": "r5n"})
    resource6 = Resource(
        "test_system", "r6", "r6id", {"name": "r6n", "_bk_iam_path_": "/biz,1/set,2/module,3/"}
    )

    system_names = {"test_system": "test_system_name", "another_system": "another_system_name"}
    action_names = {
        "test_system": {
            "action1": "action1_name",
            "action2": "action2_name",
            "action3": "action3_name",
            "action4": "action4_name",
        }
    }
    resource_names = {
        "test_system": {
            "r1": "r1_type",
            "r2": "r2_type",
            "r3": "r3_type",
            "r6": "r6_type",
            "biz": "biz_type",
            "set": "set_type",
            "module": "module_type",
        },
        "another_system": {"r4": "r4_type"},
    }

    def get_system_name(system):
        return system_names[system]

    def get_action_name(system, action):
        return action_names[system][action]

    def get_resource_name(system, resource):
        return resource_names[system][resource]

    perms = [
        {"action": action1, "resources_list": [[resource1, resource2, resource3, resource4]]},
        {"action": action2, "resources_list": [[]]},
        {
            "action": action3,
            "resources_list": [
                [resource1, resource3, resource4],
                [resource1, resource3, resource4],
                [resource2, resource3, resource5],
            ],
        },
        {"action": action4, "resources_list": [[resource6]]},
    ]

    with patch("iam.utils.meta.get_system_name", MagicMock(side_effect=get_system_name)), \
            patch("iam.utils.meta.get_action_name", MagicMock(side_effect=get_action_name)), \
            patch("iam.utils.meta.get_resource_name", MagicMock(side_effect=get_resource_name)):
        data = utils.gen_perms_apply_data(system, subject, perms)

    def inst(type_, id_, name):
        # Every type name in the fixtures is "<type>_type".
        return {"type": type_, "type_name": type_ + "_type", "id": id_, "name": name}

    # Resources with attributes None / {} get an empty display name.
    r1 = inst("r1", "r1id", "r1n")
    r2 = inst("r2", "r2id", "")
    r3 = inst("r3", "r3id", "")
    r4 = inst("r4", "r4id", "r4n")
    r5 = inst("r4", "r5id", "r5n")

    expected = {
        "system_id": "test_system",
        "system_name": "test_system_name",
        "actions": [
            {
                "id": "action1",
                "name": "action1_name",
                "related_resource_types": [
                    {
                        "system_id": "test_system",
                        "system_name": "test_system_name",
                        "type": "r3",
                        "type_name": "r3_type",
                        "instances": [[r1], [r2], [r3]],
                    },
                    {
                        "system_id": "another_system",
                        "system_name": "another_system_name",
                        "type": "r4",
                        "type_name": "r4_type",
                        "instances": [[r4]],
                    },
                ],
            },
            {"id": "action2", "name": "action2_name", "related_resource_types": []},
            {
                "id": "action3",
                "name": "action3_name",
                "related_resource_types": [
                    {
                        "system_id": "test_system",
                        "system_name": "test_system_name",
                        "type": "r3",
                        "type_name": "r3_type",
                        "instances": [[r1], [r3], [r1], [r3], [r2], [r3]],
                    },
                    {
                        "system_id": "another_system",
                        "system_name": "another_system_name",
                        "type": "r4",
                        "type_name": "r4_type",
                        "instances": [[r4], [r4], [r5]],
                    },
                ],
            },
            {
                "id": "action4",
                "name": "action4_name",
                "related_resource_types": [
                    {
                        "system_id": "test_system",
                        "system_name": "test_system_name",
                        "type": "r6",
                        "type_name": "r6_type",
                        "instances": [
                            [
                                inst("biz", "1", "biz,1"),
                                inst("set", "2", "set,2"),
                                inst("module", "3", "module,3"),
                                inst("r6", "r6id", "r6n"),
                            ]
                        ],
                    }
                ],
            },
        ],
    }
    # TODO: fix dict compare
    assert data == expected
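if __name__ == "__main__":
    import os

    # eval
    print("\nTHE EVAL EXAMPLE:\n")
    eval_exmaple()
    print_spearator()

    # convert to sql / django queryset
    print("\nTHE CONVERT EXAMPLE:\n")
    convert_example()

    # make a request
    print_spearator()
    subject = Subject("user", "admin")
    # other action ids exercised by this example: "edit_app", "access_developer_center"
    action = Action("develop_app")
    resource = Resource("bk_paas", "app", "bk_test", {})
    request = Request("bk_paas", subject, action, [resource], None)
    print("the request: ", request.to_dict())

    # Client settings. The literals are the sample values shipped with this
    # example; the environment variables (names chosen for this example) take
    # precedence when set, so a real app secret never has to be written into
    # source to run it.
    app_code = "bk_paas"
    app_secret = os.environ.get("BK_APP_SECRET", "2353e89a-10a2-4f30-9f6b-8973e9cd1404")
    iam_host = os.environ.get("BK_IAM_HOST", "http://127.0.0.1:8080")
    paas_host = os.environ.get("BK_PAAS_HOST", "https://{PAAS_DOMAIN}")
    iam = IAM(app_code, app_secret, iam_host, paas_host)
    # recommended when an APIGateway is available:
    # iam = IAM(app_code, app_secret, bk_apigateway_url="http://{IAM_APIGATEWAY_URL}")
    print("is_allowed: ", iam.is_allowed(request))
    print("query: ", iam.make_filter(request))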