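def _user_filter_extended(Policies, userObj):
    """
    Check the policies for extended user search expressions.

    Supported cases are:
        *@domain#key + *@domain#key==val
        res:#key + res:#key==val

    A policy is put into the matched set when at least one of its
    comma-separated user definitions compares to ``True`` for ``userObj``;
    it is put into the empty set when one of its definitions is neither an
    attribute (``#``), domain (``@``) nor resolver (``:``) expression.
    The two sets are not exclusive: a policy with a mixed definition list
    can end up in both, the caller has to decide which one wins.

    :param Policies: dict of policy name -> policy definition; the "user"
                     entry is a comma-separated string of user definitions.
                     A missing or empty "user" entry is handled like a plain
                     (non-extended) definition.
    :param userObj: the user as User class Object
    :return: tuple (matched_policies, empty_policies)
    """
    matched_policies = {}
    empty_policies = {}

    for polname, pol in Policies.items():
        # a policy without a "user" entry must not crash the filter - it is
        # handled exactly like an empty definition string
        user_defs = (pol.get("user") or "").split(',')

        for user_def in user_defs:
            user_def = user_def.strip()
            res = None

            if '#' in user_def:
                # attribute filter (optionally with a domain / resolver part)
                res = AttributeCompare().compare(userObj, user_def)
            elif "@" in user_def:
                # domain filter
                res = UserDomainCompare().compare(userObj, user_def)
            elif ":" in user_def:
                # resolver filter
                # NOTE(review): this uses compare(), while the other user
                # filters in this module use exists() for resolver
                # definitions - confirm that this is intended
                res = UserDomainCompare().compare(userObj, user_def)
            else:
                # plain definition - not an extended expression, reported
                # back to the caller as "empty"
                log.debug("adding %s (no resolvers) to empty_policies", polname)
                empty_policies[polname] = pol
                continue

            # only an explicit True counts as a match; False is logged and
            # any other comparator result is silently ignored
            if res is True:
                log.debug("adding %s to matched_policies", polname)
                matched_policies[polname] = pol
            elif res is False:
                log.debug("policy %s faild to matched policies", polname)

    return matched_policies, empty_policies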
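def _filter_admin_user(policy_users, userObj):
    """
    Check whether the logged in user matches one of the extended policy
    user filters.

    Remark: currently without user attribute comparison, as the definition
            and the testing here is not completed. A definition carrying an
            attribute part (``#``) is therefore NOT evaluated as attribute
            filter: it is handed to the domain compare if it also contains
            an ``@``, to the resolver existence check if it contains a
            ``:``, and ignored otherwise.

    Definitions that are neither domain (``@``) nor resolver (``:``)
    expressions are ignored. Evaluation stops at the first definition that
    matches; only an explicit ``True`` from the comparator counts as match.

    :param policy_users: list of policy user definitions
    :param userObj: the logged in user as object (User)
    :return: boolean - True if the user matched a policy user definition,
             False otherwise (also for an empty list or a list made only of
             ignored definitions)
    """
    for policy_user in policy_users:
        user_def = policy_user.strip()

        if "@" in user_def:
            # a domain match is a string compare: to use the same comparator
            # the realm has to be the last part of the login (if there), so
            # split it off into a dedicated User object
            domUserObj = userObj
            if '@' in userObj.login:
                login, _sep, realm = userObj.login.rpartition('@')
                domUserObj = User(login=login, realm=realm)
            res = UserDomainCompare().compare(domUserObj, user_def)

        elif ':' in user_def:
            # resolver filter, BUT with existence check of the user
            res = UserDomainCompare().exists(userObj, user_def)

        else:
            # any other filter is ignored
            continue

        if res is True:
            return True

    # nothing matched - always report a real boolean so callers can rely on
    # the documented return type (never None or a raw comparator result)
    return False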
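def _condition_user(login, user, check_realm):
    """
    Select the User object a single policy condition is compared against.

    Real users are expected to arrive as User objects and are used as they
    are. A string login is only taken apart when it contains an ``@``: the
    part after the last ``@`` is taken as the realm.

    :param login: the login as handed to user_list_compare (User or string)
    :param user: the User object already derived from ``login``
    :param check_realm: if True, the realm part of a string login must be a
                        known realm (getRealms()); if it is not, the whole
                        string is kept as literal login without a realm.
                        If False the realm suffix is taken as is.
    :return: the User object to compare
    """
    is_text = isinstance(login, str) or isinstance(login, unicode)
    if not (is_text and '@' in login):
        return user

    usr, _sep, realm = login.rpartition('@')
    if check_realm and realm not in getRealms():
        # not a known realm: the '@' belongs to the literal login
        return User(login)
    return User(usr, realm)


def user_list_compare(policy_conditions, login):
    """
    Check if a login matches the list of user conditions of a policy.

    ``policy_conditions`` is a comma-separated list; each condition is one of
      - an attribute condition (contains ``#``), evaluated by AttributeCompare
      - a domain condition (contains ``@``), evaluated by UserDomainCompare
      - a resolver condition (contains ``:``), evaluated as user-exists check
      - a plain user name (with wild cards), evaluated by string compare

    A condition prefixed with ``-`` or ``!`` is a negative condition: if it
    matches, the whole check fails immediately, regardless of any positive
    match before or after it. Negative conditions never grant a match on
    their own, so a list made only of negative conditions yields False.

    :param policy_conditions: the condition string described in the policy
    :param login: the user to be compared - either User object or string;
                  for a string, the part after the last '@' is taken as realm
    :return: True if a positive condition matched and no negative condition
             matched, False otherwise
    :raises TypeError: if login is neither a User nor a string
    """
    conditions = [x.strip() for x in policy_conditions.split(',')]

    if isinstance(login, User):
        user = login
    elif isinstance(login, str) or isinstance(login, unicode):
        if '@' in login:
            usr, _sep, realm = login.rpartition('@')
            user = User(usr, realm)
        else:
            user = User(login)
    else:
        raise TypeError("unsupported type of login")

    matched = False
    domain_comp = UserDomainCompare()
    attr_comp = AttributeCompare()

    for condition in conditions:
        if not condition:
            continue

        # a leading '-' or '!' marks a negative condition; a match on such a
        # condition must reject the user immediately
        # NOTE(review): a bare '-' or '!' leaves an empty condition which is
        # still handed to the comparator - confirm what compare() does with ''
        its_a_not_condition = condition[0] in ('-', '!')
        if its_a_not_condition:
            condition = condition[1:]

        if '#' in condition:
            # attribute condition; a string login whose realm suffix is not a
            # known realm is kept literal
            c_user = _condition_user(login, user, check_realm=True)
            identified = attr_comp.compare(c_user, condition)

        elif '@' in condition:
            # domain condition requires a domain compare
            #
            # we support fake users, where login is of type string and has an
            # '@' in it - we rely on real users being identified up front so
            # that login is then of type User. The realm suffix of such a
            # string is NOT checked against the known realms here.
            c_user = _condition_user(login, user, check_realm=False)
            identified = domain_comp.compare(c_user, condition)

        elif ':' in condition:
            # resolver condition - by user exists check
            #
            # special treatment of a literal user definition with an '@' in
            # the login: the last part is only taken as realm if it is an
            # existing realm, otherwise the login is treated as literal only
            c_user = _condition_user(login, user, check_realm=True)
            identified = domain_comp.exists(c_user, condition)

        else:
            # simple user condition with string compare and wild cards
            identified = domain_comp.compare(user, condition)

        if identified:
            if its_a_not_condition:
                # early exit on a not condition - fail closed
                return False
            matched = True

    return matched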