def main():
# sleep(5) #added a sleep to avoid "Connection refused" or "404" errors
parser = argparse.ArgumentParser()
parser.add_argument('dir', help='the directory of the example')
args = parser.parse_args()
# locate config file
base_path = os.path.abspath(
os.path.join(os.path.dirname(os.path.realpath(__file__)), "..",
"examples", args.dir, "config"))
config_file = os.path.join(base_path, "sdx_global.cfg")
# locate the monitor's flows configuration file
access_control_flows_file = os.path.join(base_path,
"access_control_flows.cfg")
config = Config(config_file)
if os.path.exists(access_control_flows_file):
with file(access_control_flows_file) as f:
flows = json.load(f)
else:
flows = {"access_control_flows": {}}
# start umbrella fabric manager
logger = util.log.getLogger('access-control')
logger.info('init')
# Keep it for now just in case we decide to send messages to Refmon
logger.info('REFMON client: ' + str(config.refmon["IP"]) + ' ' +
str(config.refmon["Port"]))
client = RefMonClient(config.refmon["IP"], config.refmon["Port"],
config.refmon["key"])
controller = AccessControl(config, flows, client, logger)
logger.info('start')
controller.start()
def main():
"""Main function for the project.
"""
# Call CreateConfig class
cc = CreateConfig()
# Read config.ini file
config = cc.read()
cd_port = config["Card_Reader"]["Port"]
cd_id = config["Card_Reader"]["ID"]
io_port = config["Controller"]["Port"]
io_id = config["Controller"]["ID"]
# Create card reader one
card_reader = ACT230(cd_port, cd_id)
# Call class Tokens and get_tokens method
tokens = Tokens()
# Create controller
controller = IOController(io_port, io_id)
# Call AccessControl class
ac = AccessControl(card_reader, tokens, controller)
#call update method in a while cycle to check for token input non-stop
while (1):
ac.update()
def main():
# Relay GPIO Board Pin
RELAY_PIN = 37
# Setup relay
relay = Relay(RELAY_PIN)
# Setup Databases
credentials = []
with open("/home/pi/fecoteme_access_control/dbcredentials.txt") as f:
for line in f:
credentials.append(line.split())
# Read-Only Access Subscription Database
accessDB = Database(*credentials[0])
accessDB.connect()
# Write-Only Movements Register Database (Handled by daemon)
movQueue = multiprocessing.JoinableQueue(False)
movementsDB_Handler = multiprocessing.Process(target=mov_write_db_handle,
args=(credentials[1], movQueue))
movementsDB_Handler.daemon = True
movementsDB_Handler.start()
# Setup Access Control System
accessControl = AccessControl(accessDB, movQueue)
# Set Barscanners Callbacks
barscanner_cb = functools.partial(barscanner_handle,
relay=relay,
access_ctl=accessControl)
# Setup Barscanners
barscanner0 = Barscanner('/dev/barscanner0', "in", barscanner_cb)
barscanner1 = Barscanner('/dev/barscanner1', "out", barscanner_cb)
barscanners = {bs.device.fd: bs for bs in [barscanner0,barscanner1]}
devices = {bs.device.fd: bs.device for bs in [barscanner0,barscanner1]}
try:
while True:
r, w, x = select(devices, [], [])
for fd in r:
barscanners[fd].read_code_handler()
finally:
movQueue.join(10) # Wait for all DB transactions to complete
def test_rules_only_(self):
config_rules_only = """
[[rules]]
allow = [
['user1', 'res_a', 'GET'],
]
deny = [
['user1', 'res_a', 'POST'],
]
"""
ac = AccessControl(config_rules_only)
is_allowed, reason = ac.check('user1', 'res_a', 'GET')
self.assertEqual(is_allowed, True)
self.assertEqual(reason, '[rules.1] "user1" is allowed to do "GET" on "res_a"')
is_allowed, reason = ac.check('user1', 'res_a', 'POST')
self.assertEqual(is_allowed, False)
self.assertEqual(reason, '[rules.1] "user1" is not allowed to do "POST" on "res_a"')
def main():
"""Main function for the project.
"""
# Create card reader one
card_reader = ACT230("COM3")
# Call class Tokens and get_database method
tokens = Tokens()
tbase = tokens.get_database()
# Create controller
controller = IOController()
# Call AccessControl class
ac = AccessControl(card_reader, tbase, controller)
#call update method in a while cycle to check for token input non-stop
while (1):
ac.update()
def check_init(self, sas_if, sas_api, config=None, logger=print) -> bool:
final_ret = True
with self.__lock:
if self.__init:
return True
self.__sas_if = sas_if
self.__sas_api = sas_api
self.__config = config if config is not None else self.__sas_api.config(
)
self.__logger = logger
self.__sas_terminal = SasTerminal(self.__sas_if, self.__sas_api)
self.__user_manager = UserManager()
self.__access_control = AccessControl()
ret = self.__init_offline_analysis_result()
final_ret = ret and final_ret
self.__init = final_ret
return final_ret
def test_all_allow_deny_(self):
ac = AccessControl(config_all_allow)
is_allowed, reason = ac.check('user5', 'part_a', 'POST')
self.assertEqual(is_allowed, False)
self.assertEqual(reason, '[rules.r2] "reader" is not allowed to do "POST" on "res2"')
def test_first_match_deny_(self):
ac = AccessControl(config_first_match)
is_allowed, reason = ac.check('user3', 'part_c', 'PUT')
self.assertEqual(is_allowed, False)
self.assertEqual(reason, '[rules.r2] "reader" is not allowed to do "PUT" on "res2"')
from employee import Employee
from access_control import AccessControl
EMPLOYEES = {
1: Employee(1, 'Bob', '4 Jul 1994', 80000.00),
2: Employee(2, 'Carol', '28 May 1992', 85000.00),
3: Employee(3, 'Ted', '18 Feb 1988', 55000.00),
4: Employee(4, 'Alice', '25 Nov 1987', 40000.00),
101: Employee(101, 'Morgan the Manager', '14 Mar 1975', 100000.00)
}
ACCESSCONTROLS = {101: AccessControl(101, True)}
def test_any_allow_allow_(self):
ac = AccessControl(config_any_allow)
is_allowed, reason = ac.check('user1', 'part_a', 'POST')
self.assertEqual(is_allowed, True)
self.assertEqual(reason, '[rules.r1] "admin" is allowed to do "*" on "res1"')
# e.g. /admin/org1/auth
return app.session_interface.tenant_path_prefix().rstrip(
"/") + "/" + AUTH_PATH.lstrip("/")
# create controllers (including their routes)
UsersController(app, handler)
GroupsController(app, handler)
RolesController(app, handler)
ResourcesController(app, handler)
PermissionsController(app, handler)
if app.config.get('QWC_GROUP_REGISTRATION_ENABLED'):
RegistrableGroupsController(app, handler)
RegistrationRequestsController(app, handler, i18n, mail)
access_control = AccessControl(handler, app.logger)
plugins_loaded = False
@app.before_first_request
def load_plugins():
global plugins_loaded
if not plugins_loaded:
plugins_loaded = True
app.config['PLUGINS'] = []
for plugin in handler().config().get("plugins", []):
app.logger.info("Loading plugin '%s'" % plugin)
try:
mod = importlib.import_module("plugins." + plugin)
mod.load_plugin(app, handler)
from employee import Employee
from access_control import AccessControl
EMPLOYEES = {
1: Employee(1, 'Bob', '4 Jul 1994', 80000.00),
2: Employee(2, 'Carol', '28 May 1992', 85000.00),
3: Employee(3, 'Ted', '18 Feb 1988', 55000.00),
4: Employee(4, 'Alice', '25 Nov 1987', 40000.00),
101: Employee(101, 'Morgan the Manager', '14 Mar 1975', 100000.00)
}
ACCESSCONTROL = {
101: AccessControl(101, True)
}
break
return lookup
# create controllers (including their routes)
UsersController(app, config_models)
GroupsController(app, config_models)
RolesController(app, config_models)
ResourcesController(app, config_models)
PermissionsController(app, config_models)
if app.config.get('QWC_GROUP_REGISTRATION_ENABLED'):
RegistrableGroupsController(app, config_models)
RegistrationRequestsController(app, config_models, i18n, mail)
acccess_control = AccessControl(config_models, app.logger)
@app.before_request
@jwt_optional
def assert_admin_role():
identity = get_jwt_identity()
app.logger.debug("Access with identity %s" % identity)
if not acccess_control.is_admin(identity):
app.logger.info("Access denied for user %s" % identity)
if app.debug:
pass # Allow access in debug mode
else:
if identity:
# Already logged in, but not with admin role
return redirect('/auth/logout?url=%s' % request.url)
def test_any_allow_deny_(self):
ac = AccessControl(config_any_allow)
is_allowed, reason = ac.check('user5', 'part_c', 'POST')
self.assertEqual(is_allowed, False)
self.assertEqual(reason, 'All matched rules denied')
def test_all_allow_allow_(self):
ac = AccessControl(config_all_allow)
is_allowed, reason = ac.check('user1', 'part_a', 'PUT')
self.assertEqual(is_allowed, True)
self.assertEqual(reason, 'All matched rules allowed')
def test_first_match_allow_(self):
ac = AccessControl(config_first_match)
is_allowed, reason = ac.check('user1', 'part_b', 'GET')
self.assertEqual(is_allowed, True)
self.assertEqual(reason, '[rules.r1] "admin" is allowed to do "any action" on "res1"')
def test_rule_mismatch_(self):
ac = AccessControl(config_first_match)
is_allowed, reason = ac.check('user1', 'part_c', 'GET')
self.assertEqual(is_allowed, True)
self.assertEqual(reason, 'No matched rule found, use mismatch_decision: True')