def _user_filter_extended(Policies, userObj):
    """
    Sort policies by whether their extended user expression matches a user.

    The policy's ``user`` entry is a comma separated list of definitions,
    each dispatched on its syntax:

        contains ``#``                -> AttributeCompare.compare
            (e.g. *@domain#key, *@domain#key==val, res:#key, res:#key==val)
        contains ``@`` or ``:``       -> UserDomainCompare.compare
        none of the above             -> policy goes to the "empty" set

    A definition whose comparator answers ``True`` puts the policy into the
    matched set; a result that is neither ``True`` nor ``False`` leaves the
    policy in neither set.  The two result sets are not exclusive: a policy
    with several definitions may end up in both.

    :param Policies: the input policies, mapping policy name -> policy dict
    :param userObj: the user as User class Object
    :return: tuple of (matched policies, empty policies)
    """
    matched_policies = {}
    empty_policies = {}

    for polname, pol in Policies.items():
        definitions = [entry.strip() for entry in pol.get("user").split(',')]

        for user_def in definitions:
            if '#' in user_def:
                # an attribute filter wins over the plain domain syntax
                res = AttributeCompare().compare(userObj, user_def)
            elif "@" in user_def or ":" in user_def:
                # domain filter and resolver filter use the same comparator
                res = UserDomainCompare().compare(userObj, user_def)
            else:
                # nothing evaluable in this definition: record as unrestricted
                log.debug("adding %s (no resolvers) to empty_policies",
                          polname)
                empty_policies[polname] = pol
                continue

            if res is True:
                log.debug("adding %s to matched_policies", polname)
                matched_policies[polname] = pol
            elif res is False:
                log.debug("policy %s faild to matched policies", polname)

    return matched_policies, empty_policies
def _user_filter_extended(Policies, userObj):
    """
    Sort policies by whether their extended user expression matches a user.

    The policy's ``user`` entry is a comma separated list of definitions,
    each dispatched on its syntax:

        contains ``#``                -> AttributeCompare.compare
            (e.g. *@domain#key, *@domain#key==val, res:#key, res:#key==val)
        contains ``@`` or ``:``       -> UserDomainCompare.compare
        none of the above             -> policy goes to the "empty" set

    A definition whose comparator answers ``True`` puts the policy into the
    matched set; a result that is neither ``True`` nor ``False`` leaves the
    policy in neither set.  The two result sets are not exclusive: a policy
    with several definitions may end up in both.

    :param Policies: the input policies, mapping policy name -> policy dict
    :param userObj: the user as User class Object
    :return: tuple of (matched policies, empty policies)
    """
    matched_policies = {}
    empty_policies = {}

    for polname, pol in Policies.items():
        definitions = [entry.strip() for entry in pol.get("user").split(',')]

        for user_def in definitions:
            if '#' in user_def:
                # an attribute filter wins over the plain domain syntax
                res = AttributeCompare().compare(userObj, user_def)
            elif "@" in user_def or ":" in user_def:
                # domain filter and resolver filter use the same comparator
                res = UserDomainCompare().compare(userObj, user_def)
            else:
                # nothing evaluable in this definition: record as unrestricted
                log.debug("adding %s (no resolvers) to empty_policies",
                          polname)
                empty_policies[polname] = pol
                continue

            if res is True:
                log.debug("adding %s to matched_policies", polname)
                matched_policies[polname] = pol
            elif res is False:
                log.debug("policy %s faild to matched policies", polname)

    return matched_policies, empty_policies
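def _filter_admin_user(policy_users, userObj):
    """
    Check whether the logged in user matches one of the extended policy
    user definitions.

    Remark: currently without user attribute comparison, as the definition
            and the testing here is not completed

    Each definition is evaluated by its syntax:

        contains ``@``  -> UserDomainCompare.compare against the login;
                           a ``@realm`` suffix of the login is split off
                           into a separate User(login, realm) first
        contains ``:``  -> UserDomainCompare.exists (resolver filter with
                           existence check)
        anything else   -> skipped

    The first definition that answers ``True`` ends the search.

    :param policy_users: list of policy user definitions
    :param userObj: the logged in user as object

    :return: boolean, True if user matched a policy user definition, False
             otherwise - also when no definition could be evaluated
    """
    res = False

    for policy_user in policy_users:
        user_def = policy_user.strip()
        res = None

        # attribute filters ('#') are not evaluated here yet (see the remark
        # in the docstring); such definitions fall through to the checks below

        # if no attribute filter -try domain match
        if "@" in user_def:
            domUserObj = userObj

            # the domain comparator does a string compare; to feed it the
            # same shape as the definition, the realm has to be the last
            # part of the login (if there)
            if '@' in userObj.login:
                login, _sep, realm = userObj.login.rpartition('@')
                domUserObj = User(login=login, realm=realm)
            domain_comp = UserDomainCompare()
            res = domain_comp.compare(domUserObj, user_def)

        # or try resolver filter, BUT with existance check
        elif ':' in user_def:
            domain_comp = UserDomainCompare()
            res = domain_comp.exists(userObj, user_def)

        # any other filter is returned as ignored
        else:
            continue

        if res is True:
            break

    # the raw result of the last definition used to leak out (None when it
    # was skipped), contradicting the documented boolean contract
    return bool(res)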
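def user_list_compare(policy_conditions, login):
    """
    Check if a login matches a comma separated list of policy user conditions.

    Every condition is classified by its syntax and handed to a comparator:

        contains ``#``   -> AttributeCompare.compare
        contains ``@``   -> UserDomainCompare.compare
        contains ``:``   -> UserDomainCompare.exists (resolver condition)
        anything else    -> UserDomainCompare.compare (string / wild cards)

    A condition may be negated with a leading ``-`` or ``!``: when a negated
    condition matches, the check fails immediately, regardless of any other
    condition.  Empty conditions (e.g. from a trailing comma) are skipped.

    :param policy_conditions: the comma separated conditions of the policy
    :param login: the to be compared user - either User obj or string
    :return: bool - True if at least one positive condition matched and no
             negated condition did
    :raises TypeError: if login is neither a User nor a string
    """
    conditions = [x.strip() for x in policy_conditions.split(',')]

    if isinstance(login, User):
        user = login
    elif isinstance(login, str) or isinstance(login, unicode):
        if '@' in login:
            usr, _sep, realm = login.rpartition('@')
            user = User(usr, realm)
        else:
            user = User(login)
    else:
        # TypeError is a subclass of Exception, so existing handlers still
        # catch it while the failure is easier to tell apart
        raise TypeError("unsupported type of login")

    matched = False

    domain_comp = UserDomainCompare()
    attr_comp = AttributeCompare()

    for condition in conditions:

        if not condition:
            continue

        # a leading '-' or '!' negates the condition: a match on it has to
        # end the evaluation with False instead of counting as matched
        its_a_not_condition = condition[0] in ['-', '!']
        if its_a_not_condition:
            condition = condition[1:]

        if '#' in condition:
            # a string login with '@' is only split into login/realm when
            # the realm really exists, otherwise it is taken literally
            c_user = _condition_user(login, user, check_realm=True)
            identified = attr_comp.compare(c_user, condition)

        elif '@' in condition:  # domain condition requires a domain compare
            # we support fake users, where login is of type string
            # and who have an '@' in it - we rely on that real users
            # are identified up front and then login will of type User
            c_user = _condition_user(login, user, check_realm=False)
            identified = domain_comp.compare(c_user, condition)

        elif ':' in condition:  # resolver condition - by user exists check
            # special treatment of literal user definition with an @ in login:
            # we can split last part and check if it is an existing realm. If
            # not we treat the user login as literal only
            c_user = _condition_user(login, user, check_realm=True)
            identified = domain_comp.exists(c_user, condition)

        else:  # simple user condition with string compare and wild cards
            identified = domain_comp.compare(user, condition)

        if identified:
            if its_a_not_condition:  # early exit on a not condition
                return False
            matched = True

    return matched


def _condition_user(login, user, check_realm):
    """
    Pick the User object a single condition is evaluated against.

    A string login containing '@' is split into login and realm for the
    comparison; with check_realm the split only happens when the realm part
    is a known realm (getRealms()), otherwise the whole string is the login.
    Any other login keeps the User object already built by the caller.

    :param login: the original login argument (User or string)
    :param user: the User object built from login up front
    :param check_realm: require the '@' suffix to be an existing realm
    :return: the User object to hand to the comparator
    """
    is_string = isinstance(login, str) or isinstance(login, unicode)
    if not (is_string and '@' in login):
        return user

    usr, _sep, realm = login.rpartition('@')
    if check_realm and realm not in getRealms():
        return User(login)
    return User(usr, realm)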
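def user_list_compare(policy_conditions, login):
    """
    Check if a login matches a comma separated list of policy user conditions.

    Every condition is classified by its syntax and handed to a comparator:

        contains ``#``   -> AttributeCompare.compare
        contains ``@``   -> UserDomainCompare.compare
        contains ``:``   -> UserDomainCompare.exists (resolver condition)
        anything else    -> UserDomainCompare.compare (string / wild cards)

    A condition may be negated with a leading ``-`` or ``!``: when a negated
    condition matches, the check fails immediately, regardless of any other
    condition.  Empty conditions (e.g. from a trailing comma) are skipped.

    :param policy_conditions: the comma separated conditions of the policy
    :param login: the to be compared user - either User obj or string
    :return: bool - True if at least one positive condition matched and no
             negated condition did
    :raises TypeError: if login is neither a User nor a string
    """
    conditions = [x.strip() for x in policy_conditions.split(',')]

    if isinstance(login, User):
        user = login
    elif isinstance(login, str) or isinstance(login, unicode):
        if '@' in login:
            usr, _sep, realm = login.rpartition('@')
            user = User(usr, realm)
        else:
            user = User(login)
    else:
        # TypeError is a subclass of Exception, so existing handlers still
        # catch it while the failure is easier to tell apart
        raise TypeError("unsupported type of login")

    matched = False

    domain_comp = UserDomainCompare()
    attr_comp = AttributeCompare()

    for condition in conditions:

        if not condition:
            continue

        # a leading '-' or '!' negates the condition: a match on it has to
        # end the evaluation with False instead of counting as matched
        its_a_not_condition = condition[0] in ['-', '!']
        if its_a_not_condition:
            condition = condition[1:]

        if '#' in condition:
            # a string login with '@' is only split into login/realm when
            # the realm really exists, otherwise it is taken literally
            c_user = _condition_user(login, user, check_realm=True)
            identified = attr_comp.compare(c_user, condition)

        elif '@' in condition:  # domain condition requires a domain compare
            # we support fake users, where login is of type string
            # and who have an '@' in it - we rely on that real users
            # are identified up front and then login will of type User
            c_user = _condition_user(login, user, check_realm=False)
            identified = domain_comp.compare(c_user, condition)

        elif ':' in condition:  # resolver condition - by user exists check
            # special treatment of literal user definition with an @ in login:
            # we can split last part and check if it is an existing realm. If
            # not we treat the user login as literal only
            c_user = _condition_user(login, user, check_realm=True)
            identified = domain_comp.exists(c_user, condition)

        else:  # simple user condition with string compare and wild cards
            identified = domain_comp.compare(user, condition)

        if identified:
            if its_a_not_condition:  # early exit on a not condition
                return False
            matched = True

    return matched


def _condition_user(login, user, check_realm):
    """
    Pick the User object a single condition is evaluated against.

    A string login containing '@' is split into login and realm for the
    comparison; with check_realm the split only happens when the realm part
    is a known realm (getRealms()), otherwise the whole string is the login.
    Any other login keeps the User object already built by the caller.

    :param login: the original login argument (User or string)
    :param user: the User object built from login up front
    :param check_realm: require the '@' suffix to be an existing realm
    :return: the User object to hand to the comparator
    """
    is_string = isinstance(login, str) or isinstance(login, unicode)
    if not (is_string and '@' in login):
        return user

    usr, _sep, realm = login.rpartition('@')
    if check_realm and realm not in getRealms():
        return User(login)
    return User(usr, realm)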
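def _filter_admin_user(policy_users, userObj):
    """
    Check whether the logged in user matches one of the extended policy
    user definitions.

    Remark: currently without user attribute comparison, as the definition
            and the testing here is not completed

    Each definition is evaluated by its syntax:

        contains ``@``  -> UserDomainCompare.compare against the login;
                           a ``@realm`` suffix of the login is split off
                           into a separate User(login, realm) first
        contains ``:``  -> UserDomainCompare.exists (resolver filter with
                           existence check)
        anything else   -> skipped

    The first definition that answers ``True`` ends the search.

    :param policy_users: list of policy user definitions
    :param userObj: the logged in user as object

    :return: boolean, True if user matched a policy user definition, False
             otherwise - also when no definition could be evaluated
    """
    res = False

    for policy_user in policy_users:
        user_def = policy_user.strip()
        res = None

        # attribute filters ('#') are not evaluated here yet (see the remark
        # in the docstring); such definitions fall through to the checks below

        # if no attribute filter -try domain match
        if "@" in user_def:
            domUserObj = userObj

            # the domain comparator does a string compare; to feed it the
            # same shape as the definition, the realm has to be the last
            # part of the login (if there)
            if '@' in userObj.login:
                login, _sep, realm = userObj.login.rpartition('@')
                domUserObj = User(login=login, realm=realm)
            domain_comp = UserDomainCompare()
            res = domain_comp.compare(domUserObj, user_def)

        # or try resolver filter, BUT with existance check
        elif ':' in user_def:
            domain_comp = UserDomainCompare()
            res = domain_comp.exists(userObj, user_def)

        # any other filter is returned as ignored
        else:
            continue

        if res is True:
            break

    # the raw result of the last definition used to leak out (None when it
    # was skipped), contradicting the documented boolean contract
    return bool(res)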