def get_authz_permissions(self, identifier):
"""
Returns a dictionary mapping domain to permission parts.
Dict is a map of:
domain -> list of strings, each of which is a json-encoded dict: { 'domain': '...', 'action': '...', 'target': '...'}
Example:
{
'*': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "something"}'],
'users': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "blah"}']
}
Statically set to a single domain (*) and a single perm (*)
:param identifier:
:return: dict mapping a domain name to a list of permissions
"""
with session_scope() as db:
idp = idp_factory.for_session(db)
identity, _ = idp.lookup_user(identifier)
if identity:
perms = self._build_permissions_for(identity)
logger.debug('Using perms: {}'.format(perms))
return perms
else:
logger.debug("Found no account, so no perms")
return {}
def get_authz_permissions(self, identifier):
"""
Returns a dictionary mapping domain to permission parts.
Dict is a map of:
domain -> list of strings, each of which is a json-encoded dict: { 'domain': '...', 'action': '...', 'target': '...'}
Example:
{
'*': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "something"}'],
'users': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "blah"}']
}
Statically set to a single domain (*) and a single perm (*)
:param identifier:
:return: dict mapping a domain name to a list of permissions
"""
with session_scope() as db:
if isinstance(identifier, IdentityContext):
# If already looked-up, use it
identity = identifier
else:
# Lookup the user identity
idp = idp_factory.for_session(db)
identity, _ = idp.lookup_user(identifier)
if identity:
perms = self._build_permissions_for(identity)
return perms
else:
return {}
def _get_account_state(self, account):
"""
Verify that the namespace is enabled or else the calling identity is a user in the system admin group
"""
with session_scope() as session:
identities = idp_factory.for_session(session)
n = identities.lookup_account(account)
if n:
return n['state']
else:
return None
def healthcheck(self):
try:
with session_scope() as session:
mgr = idp_factory.for_session(session)
sys_usr = mgr.lookup_user(localconfig.SYSTEM_USERNAME)
if sys_usr is not None:
logger.debug('Healthcheck for native authz handler returning ok')
return True
except Exception as e:
logger.error('Healthcheck for native authz handler caught exception: {}'.format(e))
return False
def get_authc_info(self, authc_token):
"""
Function defined in the interface. Returns a dict:
{
'account_locked': bool,
'authc_info': { '<str cred type>': { 'credential': <value>, 'failed_attempts': <int> } }
'account_id': <str>
}
:param authc_token:
:return: populated dict defined above or empty structured dict above
"""
result_account = {
'account_locked': None,
'authc_info': [],
'account_id': None
}
with session_scope() as db:
idp = idp_factory.for_session(db)
try:
identity, creds = idp.lookup_user(authc_token)
except:
logger.exception('Error looking up user')
identity = None
creds = None
if identity:
result_account['account_locked'] = not (
identity.user_account_state == AccountStates.enabled)
if creds:
result_account['authc_info'] = {
cred.type.value: {
'credential': self.cc.hash(cred.value),
'failed_attempts': []
}
for cred in creds
}
logger.debug('Returning found authc credentials for {}'.format(
authc_token))
return result_account
else:
logger.debug(
'Found no authc info for token: {}'.format(authc_token))
return result_account
def get_authc_info(self, identifier):
"""
Function defined in the interface. Returns a dict:
{
'account_locked': bool,
'authc_info': { '<str cred type>': { 'credential': <value>, 'failed_attempts': <int> } }
'account_id': <str>
}
:param identifier:
:return: populated dict defined above or empty structured dict above
"""
result_account = {
'account_locked': None,
'authc_info': {},
'account_id': None,
'anchore_identity':
None # Used to transmit more than just username
}
with session_scope() as db:
idp = idp_factory.for_session(db)
try:
identity, creds = idp.lookup_user(identifier)
except:
logger.exception('Error looking up user')
identity = None
creds = None
result_account['account_locked'] = False
if identity:
result_account['anchore_identity'] = identity
if creds:
result_account['authc_info'] = {
cred.type.value: {
'credential': cred.value,
'failed_attempts': []
}
for cred in creds
}
return result_account
def get_authc_info(self, identifier):
"""
Function defined in the interface. Returns a dict:
{
'account_locked': bool,
'authc_info': { '<str cred type>': { 'credential': <value>, 'failed_attempts': <int> } }
'account_id': <str>
}
This differs from the password-flow lookup in that it uses the users's uuid rather than username since tokens
are tied to the uuid to ensure lifecycle tied to a specific instance of a username.
:param identifier: the user's uuid as signed/encoded in the token
:return: populated dict defined above or empty structured dict above
"""
result_account = {
"account_locked": None,
"authc_info": {},
"account_id": None,
"anchore_identity": None,
}
with session_scope() as db:
idp = idp_factory.for_session(db)
try:
identity, creds = idp.lookup_user_by_uuid(identifier)
except:
logger.exception("Error looking up user")
identity = None
creds = None
result_account["account_locked"] = False
if identity:
result_account["anchore_identity"] = identity
result_account["authc_info"]["jwt"] = {
"credential": identity.user_uuid,
"failed_attempts": [],
}
return result_account
