Exemple #1
0
 def initialise_ACL(self):
     accessControlLogger.info("Initialising the ACL")
     self.load_roles()
     self.load_resources()
     self.load_permissions()
     self.initialise_base_role()
     self.context = IdentityContext(self.acl)
     self.context.set_roles_loader(self.role_loader)
     accessControlLogger.info("Access Control List Initialised!")
 def __init__(self, operation, resource, user=None, **exception_kwargs):
     self.operation = operation
     self.resource = resource
     self.user = user
     self.exception_kwargs = exception_kwargs
     self.exception_kwargs.setdefault('exception', PermissionDenied)
     rbac_context = IdentityContext(acl)
     rbac_context.set_roles_loader(self._roles_loader)
     self.checker = rbac_context.check_permission(self.operation,
                                                  self.resource,
                                                  **self.exception_kwargs)
Exemple #3
0
    def __init__(self, user):
        acl = RegistryProxy(Registry())
        self.identity = IdentityContext(acl, lambda: user.get_roles())

        role_list = [
            getattr(AUTH.ROLE, role) for role in dir(AUTH.ROLE)
            if "__" not in role
        ]
        for role in role_list:
            acl.add_role(role)

        for res in AUTH.RESOURCES:
            acl.add_resource(res)

        for a in AUTH.ALLOWS:
            acl.allow(a[0], a[1][2],
                      a[2])  # пример: ("админ", "Поиск по коду", "чек")

        for d in AUTH.DENYS:
            acl.deny(d[0], d[1][2], d[2])
Exemple #4
0
 def get_identity(self, current_user):
     identity = IdentityContext(self.__acl,
                                lambda: current_user.get_roles())
     return identity
Exemple #5
0
def main():
    # current context user
    current_user = None

    # create a access control list
    acl = RegistryProxy(Registry())
    identity = IdentityContext(acl, lambda: current_user.get_roles())

    # registry roles and resources
    acl.add_role("staff")
    acl.add_role("admin")
    acl.add_resource(Message)

    # add rules
    is_message_owner = lambda acl, role, operation, resource: \
            db.query(Message).get(resource.id).owner is current_user
    acl.allow("staff", "create", Message)
    acl.allow("staff", "edit", Message, assertion=is_message_owner)
    acl.allow("admin", "edit", Message)

    db = Session()
    ModelBase.metadata.create_all(engine)

    tonyseek = User(name="tonyseek")
    tonyseek.set_roles(["staff"])
    tom = User(name="tom")
    tom.set_roles(["staff"])
    admin = User(name="admin")
    admin.set_roles(["admin"])
    db.add_all([tonyseek, tom, admin])
    db.commit()

    @identity.check_permission("create", Message)
    def create_message(content):
        message = Message(content=content, owner=current_user)
        db.add(message)
        db.commit()
        print "%s has craeted a message: '%s'." % (
                current_user.name.capitalize(), content)

    def edit_message(content, new_content):
        message = db.query(Message).filter_by(content=content).one()

        if not identity.check_permission("edit", message):
            print "%s tried to edit the message '%s' but he will fail." % (
                    current_user.name.capitalize(), content)
        else:
            print "%s will edit the message '%s'." % (
                    current_user.name.capitalize(), content)

        with identity.check_permission("edit", message):
            message.content = new_content
            db.commit()

        print "The message '%s' has been edit by %s," % (content,
                    current_user.name.capitalize()),
        print "the new content is '%s'" % new_content

    # tonyseek signed in and create a message
    current_user = tonyseek
    create_message("Please open the door.")

    # tom signed in and edit tonyseek's message
    current_user = tom
    try:
        edit_message("Please open the door.", "Please don't open the door.")
    except PermissionDenied:
        print "Oh, the operation has been denied."

    # tonyseek signed in and edit his message
    current_user = tonyseek
    edit_message("Please open the door.", "Please don't open the door.")

    # admin signed in and edit tonyseek's message
    current_user = admin
    edit_message("Please don't open the door.", "Please open the window.")
Exemple #6
0
########NEW FILE########
__FILENAME__ = context
#!/usr/bin/env python
# -*- coding:utf-8 -*-

from rbac.acl import Registry
from rbac.context import IdentityContext, PermissionDenied


# -----------------------------------------------
# build the access control list and add the rules
# -----------------------------------------------

acl = Registry()
context = IdentityContext(acl)

acl.add_role("staff")
acl.add_role("editor", parents=["staff"])
acl.add_role("bad man", parents=["staff"])
acl.add_resource("article")

acl.allow("staff", "view", "article")
acl.allow("editor", "edit", "article")
acl.deny("bad man", None, "article")


# -------------
# to be a staff
# -------------
Exemple #7
0
#!/usr/bin/env python

from rbac.acl import Registry
from rbac.context import IdentityContext, PermissionDenied


# -----------------------------------------------
# build the access control list and add the rules
# -----------------------------------------------

acl = Registry()
context = IdentityContext(acl)

acl.add_role("staff")
acl.add_role("editor", parents=["staff"])
acl.add_role("bad man", parents=["staff"])
acl.add_resource("article")

acl.allow("staff", "view", "article")
acl.allow("editor", "edit", "article")
acl.deny("bad man", None, "article")


# -------------
# to be a staff
# -------------

@context.set_roles_loader
def first_load_roles():
    yield "staff"
Exemple #8
0
from models import *
from controllers.scan_controller import ScanController
from controllers.audit_controller import AuditController
from controllers.access_controller import AccessController
from rbac.acl import Registry
from rbac.proxy import RegistryProxy
from rbac.context import IdentityContext, PermissionDenied

# create a access control list
acl = RegistryProxy(Registry())
identity = IdentityContext(acl, lambda: User.current_user().get_roles())

# registry roles and resources
acl.add_role("staff")
acl.add_role("audit")
acl.add_role("admin")
acl.add_resource(ScanController)
acl.add_resource(AuditController)
acl.add_resource(AccessController)

# add rules
acl.allow("staff", "use", ScanController)
acl.allow("audit", "use", AuditController)
acl.allow("admin", "use", AccessController)
Exemple #9
0
#!/usr/bin/env python
#-*- coding:utf-8 -*-

from rbac.acl import Registry
from rbac.context import IdentityContext
from flask import session

from flask_jwt_extended import (get_jwt_identity)
from model.db import db, Project, ProjectMember, ActivityMember

acl = Registry()
identity = IdentityContext(acl)


def is_task_member(_, role, operation, resource):
    '''判断是否是活动成员'''
    data = ActivityMember.select().where(
        ActivityMember.activityId == session['task_id'])
    print("操作:", role, operation, resource, data)
    for d in data:
        # print('##########',d.memberId_id, get_jwt_identity())
        if d.memberId_id == get_jwt_identity():
            return True
    return False
    # with db.cursor() as cursor:
    #     sql = "SELECT * FROM activity_member WHERE activityId_id=%s"
    #     cursor.execute(sql, (session['task_id']))
    #     result = cursor.fetchall()
    # return result['memberId_id'] == get_jwt_identity()

Exemple #10
0
class AccessControlManager:
    def __init__(self, name):
        self.acl = Registry()
        self.context = None
        self.blueprint = Blueprint(name, __name__)
        self.current_service_resource_registration = None
        self.resource_registration = models.ResourceRegistration.objects(
            name="access_control").first()
        if self.resource_registration is None:
            self.resource_registration = models.ResourceRegistration(
                name="access_control")
            self.resource_registration.save()
        self.route_loader()

    @staticmethod
    def role_loader():
        roles = models.RoleUserStore.objects(
            user=AuthenticationManager.user_loader(
                get_jwt_identity())).values_list("role")
        return roles

    # Runtime Registrations
    # =======================
    # These functions allow for performing changes to
    # the Access Control List in-memory during application run-time.
    # ---------------------------------------------------------------
    #
    # Register Permission:
    # Adds a permission rule to the ACL based on the PermissionGrant object passed into it.
    def register_permission(self, permissionGrant):
        self.acl.allow(permissionGrant.role, permissionGrant.action,
                       permissionGrant.resource)
        accessControlLogger.info("Registered permission!")

    # Register Role:
    # Adds a role to the ACL based on the RoleRegistration object passed into it.
    def register_role(self, roleRegistration):
        self.acl.add_role(roleRegistration)
        accessControlLogger.info(f"Registered Role: {roleRegistration.name}")

    # Permission System Initialising Functions
    # ==========================================
    # As this is a server platform, load-times are viewed as
    # less important than quick response times after initial load.
    # Thus I have opted to load all permissions into an in memory
    # store instead of doing a database lookup on every request.
    # --------------------------------------------------------------
    #
    # Initialise Access Control List:
    # Uses the below functions to initialise an in-memory permission store and validator.
    def initialise_ACL(self):
        accessControlLogger.info("Initialising the ACL")
        self.load_roles()
        self.load_resources()
        self.load_permissions()
        self.initialise_base_role()
        self.context = IdentityContext(self.acl)
        self.context.set_roles_loader(self.role_loader)
        accessControlLogger.info("Access Control List Initialised!")

    # Load Roles:
    # Loads all RoleRegistration objects from DB, applies them to ACL
    def load_roles(self):
        accessControlLogger.info("Loading Roles into memory...")
        roles = models.RoleRegistration.objects().all()
        for role in roles:
            self.acl.add_role(role)

    # Load Resources:
    # Loads all ResourceRegistration objects from DB, applies them to ACL
    def load_resources(self):
        accessControlLogger.info("Loading Resources into memory...")
        resources = models.ResourceRegistration.objects.all()
        for resource in resources:
            self.acl.add_resource(resource)

    # Load Permissions:
    # Loads all PermissionGrant objects from DB, applies them to ACL
    def load_permissions(self):
        accessControlLogger.info("Loading Permissions into memory...")
        permissions = models.PermissionGrant.objects.all()
        for permission in permissions:
            self.acl.allow(permission.role, permission.action,
                           permission.resource)

    # Initialise Base Role:
    # Creates at run-time a role that is applied to every user, that denies every permission, so that access_control requires an explicit allowance.
    # This is an inefficient way of doing this however, and will not scale.
    # TODO: Improve Efficiency.
    def initialise_base_role(self):
        accessControlLogger.info("Initialising Base Role.")
        roleRegistration = models.RoleRegistration.objects(name="base").first()
        if roleRegistration is None:
            roleRegistration = models.RoleRegistration(name="base",
                                                       pretty_name="Everyone")
            roleRegistration.save()
        self.register_role(roleRegistration)
        userRegistrations = UserRegistration.objects.all()
        for userRegistration in userRegistrations:
            roleUserStore = models.RoleUserStore.objects(
                user=userRegistration, role=roleRegistration).first()
            if roleUserStore is None:
                roleUserStore = models.RoleUserStore(user=userRegistration,
                                                     role=roleRegistration)
                roleUserStore.save()

        # TODO: Use permission grants to make this configurable.
        resourceRegistrations = models.ResourceRegistration.objects().all()
        for resourceRegistration in resourceRegistrations:
            for action in resourceRegistration.actions:
                self.acl.deny(roleRegistration, action, resourceRegistration)

    # Resource Registration
    # =======================
    # When service are loaded, the below decorator is used to register all protected
    # endpoints, it handles authentication_old and access control for those resources.
    # ---------------------------------------------------------------------------
    #
    # Resource Endpoint Decorator:
    # Handles auth.
    def resource_endpoint(self,
                          action,
                          resourceName,
                          serviceResourceRegistration=None):
        if serviceResourceRegistration is None:
            serviceResourceRegistration = self.current_service_resource_registration
        resourceRegistration = self.register_resource(
            action,
            resourceName,
            serviceResourceRegistration=serviceResourceRegistration)

        def decorator(func):
            @wraps(func)
            def decorated_func(*args, **kwargs):
                try:
                    verify_jwt_in_request()
                    self.context.check_permission(
                        "access", serviceResourceRegistration).check()
                    self.context.check_permission(
                        action, resourceRegistration).check()
                    return func(*args, **kwargs)
                except PermissionDenied:
                    return jsonify({"msg": "Not Authorised for Access!"})

            return decorated_func

        return decorator

    # Register Resource:
    # Creates/fetches ResourceRegistration object for the resource, adds action to that registration.
    def register_resource(self,
                          action,
                          resourceName,
                          serviceResourceRegistration=None):
        if serviceResourceRegistration is None:
            serviceResourceRegistration = self.current_service_resource_registration
        formattedName = f"{serviceResourceRegistration.name}.{resourceName}"
        resourceRegistration = models.ResourceRegistration.objects(
            name=formattedName,
            service=serviceResourceRegistration.service).first()
        if resourceRegistration is None:
            resourceRegistration = models.ResourceRegistration(
                name=formattedName,
                service=serviceResourceRegistration.service)
            resourceRegistration.actions.append(action)
        else:
            if action not in resourceRegistration.actions:
                resourceRegistration.actions.append(action)
            else:
                pass
        resourceRegistration.save()
        return resourceRegistration

    # Exposed Web API
    # =================
    # In the interest of organisation, the Access Control
    # manager also hosts its own API on the Flask webservice.
    # --------------------------------------------------------
    #
    # Flask Route Loader:
    # Loads all the flask routes.
    def route_loader(self):

        assign_role = self.resource_endpoint(
            "assign",
            "role",
            serviceResourceRegistration=self.resource_registration)(
                self.assign_role)
        self.blueprint.add_url_rule("/assign_role/<role_name>",
                                    view_func=assign_role,
                                    methods=["GET", "POST"])
        bootstrap = jwt_required(self.bootstrap_for_testing)
        self.blueprint.add_url_rule("/bootstrap_for_testing",
                                    view_func=bootstrap,
                                    methods=["GET", "POST"])
        get_my_roles = jwt_required(self.get_my_roles)
        self.blueprint.add_url_rule("/my_roles",
                                    view_func=get_my_roles,
                                    methods=["GET", "POST"])

        # Production Endpoints.
        # Create Role
        create_role = self.resource_endpoint(
            "create",
            "role",
            serviceResourceRegistration=self.resource_registration)(
                self.create_role)
        self.blueprint.add_url_rule("/create_role",
                                    view_func=create_role,
                                    methods=["POST"])
        # List Roles
        list_roles = self.resource_endpoint(
            "list",
            "role",
            serviceResourceRegistration=self.resource_registration)(
                self.list_roles)
        self.blueprint.add_url_rule("/role/list",
                                    view_func=list_roles,
                                    methods=["GET", "POST"])
        # Get Role
        get_role = self.resource_endpoint(
            "view",
            "role",
            serviceResourceRegistration=self.resource_registration)(
                self.get_role)
        self.blueprint.add_url_rule("/role/get/<role_id>",
                                    view_func=get_role,
                                    methods=["GET", "POST"])

        # Create Permissions
        create_permissions = self.resource_endpoint(
            "create",
            "permission",
            serviceResourceRegistration=self.resource_registration)(
                self.create_permissions)
        self.blueprint.add_url_rule("/permission/create",
                                    view_func=create_permissions,
                                    methods=["POST"])
        # List Permissions
        list_permissions = self.resource_endpoint(
            "list",
            "permission",
            serviceResourceRegistration=self.resource_registration)(
                self.list_permissions)
        self.blueprint.add_url_rule("/permission/list",
                                    view_func=list_permissions,
                                    methods=["GET", "POST"])

    @staticmethod
    def list_roles():
        try:
            page_number = request.args.get("page")
            if page_number is None:
                page_number = 1
            else:
                page_number = int(page_number)
        except ValueError:
            return invalidPageNumber(), 400

        roleQuerySet = models.RoleRegistration.objects()
        roleRegistrations = paginateMongoQuery(roleQuerySet,
                                               page_number=page_number)
        jsonRoleList = list()
        for roleRegistration in roleRegistrations:
            jsonRoleRepresentation = {
                "id": str(roleRegistration.id),
                "name": roleRegistration.name,
                "pretty_name": roleRegistration.pretty_name
            }
            jsonRoleList.append(jsonRoleRepresentation)
        return jsonify({"roles": jsonRoleList}), 200

    @staticmethod
    def get_role(role_id):
        roleRegistration = models.RoleRegistration.objects(id=role_id).first()
        if roleRegistration is None:
            return message("Role Not Found"), 400
        else:
            return jsonify({
                "name": roleRegistration.name,
                "pretty_name": roleRegistration.pretty_name
            })

    @staticmethod
    def list_permissions():
        role_id = request.args.get("role_id")
        if role_id is None:
            permissionsQuerySet = models.PermissionGrant.objects()
        else:
            roleRegistration = models.RoleRegistration.objects(
                id=role_id).first()
            if roleRegistration is None:
                return message("Role Not Found!"), 400
            else:
                permissionsQuerySet = models.PermissionGrant.objects(
                    role=roleRegistration)
        try:
            page_number = request.args.get("page")
            if page_number is None:
                page_number = 1
            else:
                page_number = int(page_number)
        except ValueError:
            return invalidPageNumber(), 400

        permissionGrants = paginateMongoQuery(permissionsQuerySet,
                                              page_number=page_number)
        jsonPermissionList = list()
        for permissionGrant in permissionGrants:
            jsonPermissionRep = {
                "id": str(permissionGrant.id),
                "action": permissionGrant.action,
                "resource": {
                    "id": str(permissionGrant.resource.id),
                    "name": permissionGrant.resource.name
                },
            }
            jsonPermissionList.append(jsonPermissionRep)
        return jsonify({"permissions": jsonPermissionList}), 200

    def create_role(self):
        if not request.is_json:
            return jsonExpected()

        roleName = request.json.get("name")
        rolePrettyName = request.json.get("name", roleName)
        roleRegistration = models.RoleRegistration.objects(
            name=roleName).first()
        if roleRegistration is not None:
            return message("Role already exists!"), 400
        else:
            roleRegistration = models.RoleRegistration(
                name=roleName, pretty_name=rolePrettyName)
            roleRegistration.save()
            self.register_role(roleRegistration)
            return jsonify({
                "msg": "Role Created!",
                "role": {
                    "id": str(roleRegistration.id),
                    "name": roleRegistration.name,
                    "pretty_name": roleRegistration.pretty_name
                }
            })

    def create_permissions(self):
        if not request.is_json:
            return jsonExpected()

        permissionGrantList = list()
        permissionsList = request.json.get("permissions")
        for permissionJSON in permissionsList:
            role_id = permissionJSON.get("role_id")
            resource_name = permissionJSON.get("resource_name")
            action = permissionJSON.get("action")
            roleRegistration = models.RoleRegistration.objects(
                id=role_id).first()
            if roleRegistration is None:
                return message(f"Role ID {role_id} not found!"), 400
            resourceRegistration = models.ResourceRegistration.objects(
                name=resource_name).first()
            if resourceRegistration is None:
                return message(f"Resource: {resource_name} not found!"), 400
            if action not in resourceRegistration.actions:
                return message(
                    f"Unsupported action: {action} for resource: {resource_name}"
                ), 400
            permissionGrant = models.PermissionGrant.objects(
                role=roleRegistration,
                action=action,
                resource=resourceRegistration).first()
            if permissionGrant is not None:
                pass
            else:
                permissionGrant = models.PermissionGrant(
                    role=roleRegistration,
                    action=action,
                    resource=resourceRegistration)
                permissionGrantList.append(permissionGrant)

        responsePermissionList = list()
        for permissionGrant in permissionGrantList:
            try:
                permissionGrant.save()
                self.register_permission(permissionGrant)
                responsePermissionList.append({
                    "role": {
                        "name": permissionGrant.role.name
                    },
                    "resource":
                    permissionGrant.resource.name,
                    "action":
                    permissionGrant.action
                })
            except:
                pass
        return jsonify({"applied_permissions": responsePermissionList}), 200

    @staticmethod
    def accessibleServices():
        userRegistration = AuthenticationManager.user_loader(
            get_jwt_identity())
        pass

    @staticmethod
    def assign_role(role_name):
        userRegistration = AuthenticationManager.user_loader(
            get_jwt_identity())
        roleRegistration = models.RoleRegistration.objects(
            name=role_name).first()
        if roleRegistration is None:
            return message("Role doesn't exist!"), 400
        else:
            newRoleUserStore = models.RoleUserStore.objects(
                user=userRegistration, role=roleRegistration).first()
            if newRoleUserStore is not None:
                return message("You already have this role!"), 200
            else:
                newRoleUserStore = models.RoleUserStore(user=userRegistration,
                                                        role=roleRegistration)
                newRoleUserStore.save()
                return message("Role given!"), 200

    @staticmethod
    def get_my_roles():
        userRegistration = AuthenticationManager.user_loader(
            get_jwt_identity())
        roleUserStores = models.RoleUserStore.objects(
            user=userRegistration).all()
        response = list()
        for roleUserStore in roleUserStores:
            response.append({"role_name": roleUserStore.role.name})
        return jsonify(response), 200

    def bootstrap_for_testing(self):
        userRegistration = AuthenticationManager.user_loader(
            get_jwt_identity())
        roleRegistration = models.RoleRegistration.objects(
            name="admin", pretty_name="Admin").first()
        if roleRegistration is None:
            roleRegistration = models.RoleRegistration(name="admin",
                                                       pretty_name="Admin")
            roleRegistration.save()
            self.register_role(roleRegistration)
        roleUserStore = models.RoleUserStore.objects(
            user=userRegistration, role=roleRegistration).first()
        if roleUserStore is None:
            roleUserStore = models.RoleUserStore(user=userRegistration,
                                                 role=roleRegistration)
            roleUserStore.save()
        serviceResourceRegistration = models.ResourceRegistration.objects(
            name="access_control").first()
        permissionGrant = models.PermissionGrant.objects(
            action="access",
            role=roleRegistration,
            resource=serviceResourceRegistration).first()
        if permissionGrant is None:
            permissionGrant = models.PermissionGrant(
                action="access",
                role=roleRegistration,
                resource=serviceResourceRegistration)
            permissionGrant.save()
            self.register_permission(permissionGrant)
        resourceRegistration = models.ResourceRegistration.objects(
            name="access_control.role").first()
        for action in resourceRegistration.actions:
            permissionGrant = models.PermissionGrant.objects(
                action=action,
                role=roleRegistration,
                resource=resourceRegistration).first()
            print(f"Added action {action}")
            if permissionGrant is None:
                permissionGrant = models.PermissionGrant(
                    action=action,
                    role=roleRegistration,
                    resource=resourceRegistration)
                permissionGrant.save()
                self.register_permission(permissionGrant)
        resourceRegistration = models.ResourceRegistration.objects(
            name="access_control.permission").first()
        for action in resourceRegistration.actions:
            permissionGrant = models.PermissionGrant.objects(
                action=action,
                role=roleRegistration,
                resource=resourceRegistration).first()
            print(f"Added action {action}")
            if permissionGrant is None:
                permissionGrant = models.PermissionGrant(
                    action=action,
                    role=roleRegistration,
                    resource=resourceRegistration)
                permissionGrant.save()
                self.register_permission(permissionGrant)
        return message("Boostrapped!")