def _init_(self, **kwargs):
    """
    Define the base permissions.

    Loads the stored policies, builds the vakt guard over them and records
    the authentication platforms plus the configured random seed on the
    instance.

    NOTE(review): this is a generator (it ``yield``s ``load_from_database()``),
    so the caller is expected to drive it (inlineCallbacks-style) — confirm
    against the framework that invokes ``_init_``.
    """
    # Policies must be in place before the guard is built on top of them.
    yield self.load_from_database()

    checker = vakt.RulesChecker()
    self.guard = vakt.Guard(self.vakt_storage, checker)

    # Possible authentication platforms and their actions; copied so that
    # per-instance edits never leak into the module-level template.
    self.auth_platforms = deepcopy(AUTH_PLATFORMS)

    # NOTE(review): a config-supplied seed is predictable to whoever controls
    # the config; confirm nothing security-sensitive (tokens, session ids)
    # derives from a PRNG seeded with it.
    self.system_seed = self._Configs.get("core.rand_seed")
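def _build_storage():
    """Return an in-memory vakt storage populated with the module-level ``policies``."""
    storage = vakt.MemoryStorage()
    # ``vakt.Policy.from_json(...)`` is an alternative when policies are kept
    # as serialised JSON rather than as the ``policies`` objects used here.
    for p in policies:
        storage.add(p)
    return storage


def _probe(guard, resource_id):
    """
    Evaluate one ``get`` inquiry for ``user:joe`` against ``resource_id``
    and print the decision in the ``get - <id> - user___joe - <bool>`` form.
    """
    inq = vakt.Inquiry(
        action='get',
        resource={'platform': 'lib/states', 'id': resource_id},
        subject='user:joe',
        context={'referer': 'https://github.com'},
    )
    # bool(...) because is_allowed()'s result is printed, not branched on.
    print(f"get - {resource_id} - user___joe - {bool(guard.is_allowed(inq))}")


def main():
    """
    Smoke-test the policy set: load ``policies`` into an in-memory storage,
    build a guard and print whether ``user:joe`` may ``get`` the ``lib/states``
    resources ``*`` and ``one``.
    """
    storage = _build_storage()
    guard = vakt.Guard(storage, vakt.RulesChecker())
    # Same subject/action/context; only the resource id differs between probes.
    _probe(guard, '*')
    _probe(guard, 'one')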
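def auth(request, resource):
    """
    Authorize requester.

    Resolves the caller and the requested action from ``request`` (via
    ``get_user``), evaluates them against the module-level policy ``storage``
    and calls ``unauthourized()`` when the policy does not allow the access.

    :param request: the incoming request, handed to ``get_user``
    :param resource: resource descriptor passed straight into the inquiry
    """
    user, action = get_user(request)
    # The guard reads the shared module-level ``storage``.
    guard = vakt.Guard(storage, vakt.RulesChecker())
    inq = vakt.Inquiry(
        action=action,
        resource=resource,
        subject=user,
    )
    # Debug trace of the decision input and outcome on stderr.
    print(inq, file=sys.stderr)
    allowed = guard.is_allowed(inq)
    print(allowed, file=sys.stderr)
    # Fail closed: deny anything that is not affirmatively allowed.  ``not``
    # rather than ``== False`` so a None or other falsy result is denied too.
    if not allowed:
        # NOTE(review): the deny path relies on unauthourized() (defined
        # elsewhere) aborting the request; if it merely returns, the caller
        # continues as if authorized — confirm.
        unauthourized()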
def __init__(self):
    """
    Create the policy storage, build a vakt guard over it and load the
    module-level ``policies`` into the storage.
    """
    storage = self._create_storage()
    self.storage = storage
    self.guard = vakt.Guard(storage, vakt.RulesChecker())
    # Policies are added after the guard exists; the guard reads the storage
    # on each inquiry rather than snapshotting it here.
    for policy in policies:
        storage.add(policy)
}], resources=[Eq('GOOSE')], effect=vakt.ALLOW_ACCESS, ) storage.add(policy) policy = vakt.Policy( str(uuid.uuid4()), subjects=[Eq('ied02')], actions=[{ 'type': Or(Eq('subscribe')), 'dest': Eq('01:0c:cd:01:00:01') }], resources=[Eq('GOOSE')], effect=vakt.ALLOW_ACCESS, ) storage.add(policy) policy = vakt.Policy( str(uuid.uuid4()), subjects=[Any()], actions=[{ 'dest': Not(StartsWith('01:0c:cd:01')) }], resources=[Eq('GOOSE')], effect=vakt.DENY_ACCESS, ) storage.add(policy) guard = vakt.Guard(storage, vakt.RulesChecker())