def test_remove_resource(acl): default_resource_state = dict(acl._resources) acl.add_resource('animal') state_before_cat = dict(acl._resources) acl.add_resource('cat', ['animal']) state_with_cat = dict(acl._resources) assert state_with_cat != state_before_cat # make sure it was added acl.remove_resource(resource_to_remove='cat', parent_of_resource='animal') state_after_removing_cat = dict(acl._resources) assert state_before_cat == state_after_removing_cat # make sure we can remove the more complex resource acl.remove_resource(resource_to_remove='animal') state_after_removing_animal = dict(acl._resources) assert state_after_removing_animal == default_resource_state
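def test_short_circuit_skip_allow(acl, context, evaluated_roles):
    """Once one role grants access, the remaining roles must not be checked."""
    # track which roles have their assertion function evaluated;
    # the assertion passes only for role '3'
    assertion = _FunctionProxy(lambda *args, **kwargs: args[1] == '3', evaluated_roles, role_idx=1)
    acl.add_resource('my_resource')
    roles = [str(i) for i in range(10)]
    # the loop index was unused, so iterate the roles directly
    for role in roles:
        acl.add_role(role)
        acl.allow(role, 'view', 'my_resource', assertion=assertion)
    context.set_roles_loader(lambda: roles)
    context.has_permission('view', 'my_resource')
    # role '3' was allowed, so the assertion is never evaluated for roles '4'..'9'
    assert evaluated_roles == roles[0:4]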
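def test_role_evaluation_order_preserved(acl, context, evaluated_roles):
    """Roles are evaluated in the order the roles loader yields them."""
    # wrap acl.is_allowed so every evaluated role is recorded in evaluated_roles
    # (plain attribute assignment instead of setattr with a literal name)
    acl.is_allowed = _FunctionProxy(acl.is_allowed, evaluated_roles)
    acl.add_resource('my_resource')
    # register the roles in the expected order ('0' through '9')
    roles = [str(i) for i in range(10)]
    for role in roles:
        acl.add_role(role)
    context.set_roles_loader(lambda: roles)
    # allow only the final role so no earlier role short-circuits the check
    acl.allow(roles[9], 'view', 'my_resource')
    context.has_permission('view', 'my_resource')
    # every role was consulted, in loader order
    assert evaluated_roles == roles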
def acl():
    """Build a registry with a staff/editor/badguy role tree over the 'article' resource.

    staff may view articles, editor (a staff member) may also edit them, and
    badguy (also a staff member) is denied every operation on articles.
    """
    registry = rbac.acl.Registry()

    # roles: editor and badguy both inherit from staff
    registry.add_role('staff')
    for child in ('editor', 'badguy'):
        registry.add_role(child, parents=['staff'])

    # resources
    registry.add_resource('article')

    # rules
    registry.allow('staff', 'view', 'article')
    registry.allow('editor', 'edit', 'article')
    registry.deny('badguy', None, 'article')
    return registry
def acl(request):
    """Build a registry from the parametrized factory and populate the shared fixture graph.

    Roles: user -> actived_user -> {writer, manager} -> editor, plus a
    standalone 'super' role that is allowed every operation on every resource.
    Resources: comment, post -> {news -> event, infor}.
    """
    registry = request.param()

    # roles, parents listed in dependency order
    registry.add_role('user')
    role_tree = (
        ('actived_user', ['user']),
        ('writer', ['actived_user']),
        ('manager', ['actived_user']),
        ('editor', ['writer', 'manager']),
    )
    for role, parents in role_tree:
        registry.add_role(role, parents=parents)
    registry.add_role('super')

    # resources
    for resource in ('comment', 'post'):
        registry.add_resource(resource)
    resource_tree = (
        ('news', ['post']),
        ('infor', ['post']),
        ('event', ['news']),
    )
    for resource, parents in resource_tree:
        registry.add_resource(resource, parents=parents)

    # 'super' is allowed everything: None matches any operation and any resource
    registry.allow('super', None, None)
    return registry
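def test_short_circuit_skip_deny(acl, context, evaluated_roles):
    """Roles that can never grant the permission are not evaluated at all."""
    # wrap acl.is_allowed so every evaluated role is recorded in evaluated_roles
    # (plain attribute assignment instead of setattr with a literal name)
    acl.is_allowed = _FunctionProxy(acl.is_allowed, evaluated_roles)
    acl.add_resource('the dinosaurs')
    roles = ['tourist', 'scientist', 'intern']
    for role in roles:
        acl.add_role(role)
    context.set_roles_loader(lambda: roles)

    # explicitly deny one role and grant nothing to the others
    acl.deny('intern', 'feed', 'the dinosaurs')
    context.has_permission('feed', 'the dinosaurs')
    # no role is checked, since every role is deny-only
    assert evaluated_roles == []

    # once 'scientist' holds an allow rule (even for another operation) it is
    # no longer deny-only, so only the 'intern' check is skipped
    acl.allow('scientist', 'study', 'the dinosaurs')
    context.has_permission('feed', 'the dinosaurs')
    assert evaluated_roles == ['tourist', 'scientist']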
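def add_resource():
    """Prompt for a resource name and register it in the module-level ``acl``.

    Surrounding whitespace is stripped and an empty name is refused, so an
    accidental bare Enter does not register a resource named ''.
    """
    resource = input(" Enter the name of new resource ").strip()
    if not resource:
        print(" Resource name must not be empty")
        return
    acl.add_resource(resource)
    print(f" Successfully created new resource {resource}")
    print(f" Updated resources list is {acl.get_all_resources()}")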
def main():
    """Demo: staff may create messages and edit their own; admin may edit any message."""
    # current context user; rebound below as each demo user "signs in",
    # and read lazily by the closures that follow
    current_user = None
    # create an access control list and an identity context that asks the
    # current user for its roles on every check
    acl = RegistryProxy(Registry())
    identity = IdentityContext(acl, lambda: current_user.get_roles())
    # registry roles and resources (the Message model class is the resource)
    acl.add_role("staff")
    acl.add_role("admin")
    acl.add_resource(Message)
    # add rules: staff may edit a message only when the assertion holds.
    # NOTE(review): the assertion reloads the row by id and compares owner
    # to current_user with `is`, so it depends on both objects coming from
    # the same session's identity map — confirm, or compare ids instead.
    is_message_owner = lambda acl, role, operation, resource: \
        db.query(Message).get(resource.id).owner is current_user
    acl.allow("staff", "create", Message)
    acl.allow("staff", "edit", Message, assertion=is_message_owner)
    acl.allow("admin", "edit", Message)
    # `db` is bound after the lambda above is defined; the lambda only reads it at call time
    db = Session()
    ModelBase.metadata.create_all(engine)
    tonyseek = User(name="tonyseek")
    tonyseek.set_roles(["staff"])
    tom = User(name="tom")
    tom.set_roles(["staff"])
    admin = User(name="admin")
    admin.set_roles(["admin"])
    db.add_all([tonyseek, tom, admin])
    db.commit()

    # used as a decorator: the permission is checked before the body runs
    @identity.check_permission("create", Message)
    def create_message(content):
        message = Message(content=content, owner=current_user)
        db.add(message)
        db.commit()
        print "%s has craeted a message: '%s'." % (
            current_user.name.capitalize(), content)

    def edit_message(content, new_content):
        message = db.query(Message).filter_by(content=content).one()
        # first use: the checker is tested for truthiness to pick the message;
        # presumably it is truthy only when access is granted — verify against IdentityContext
        if not identity.check_permission("edit", message):
            print "%s tried to edit the message '%s' but he will fail." % (
                current_user.name.capitalize(), content)
        else:
            print "%s will edit the message '%s'." % (
                current_user.name.capitalize(), content)
        # second use: as a context manager; the caller below catches
        # PermissionDenied, so this is where a denied edit is expected to raise
        with identity.check_permission("edit", message):
            message.content = new_content
            db.commit()
            print "The message '%s' has been edit by %s," % (
                content, current_user.name.capitalize()),
            print "the new content is '%s'" % new_content

    # tonyseek signed in and creates a message
    current_user = tonyseek
    create_message("Please open the door.")
    # tom signed in and tries to edit tonyseek's message
    current_user = tom
    try:
        edit_message("Please open the door.", "Please don't open the door.")
    except PermissionDenied:
        print "Oh, the operation has been denied."
    # tonyseek signed in and edits his own message
    current_user = tonyseek
    edit_message("Please open the door.", "Please don't open the door.")
    # admin signed in and edits tonyseek's message
    current_user = admin
    edit_message("Please don't open the door.", "Please open the window.")
#-*- coding:utf-8 -*-
import rbac.acl

# create access control list
acl = rbac.acl.Registry()

# add roles: member is the root, junior-student hangs below student
acl.add_role("member")
for role, parents in (
    ("student", ["member"]),
    ("teacher", ["member"]),
    ("junior-student", ["student"]),
):
    acl.add_role(role, parents)

# add resources: senior-course is a child of course
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# set rules: one allow per (role, operation) on course, then a single deny
for role, operation in (
    ("member", "view"),
    ("student", "learn"),
    ("teacher", "teach"),
):
    acl.allow(role, operation, "course")
acl.deny("junior-student", "learn", "senior-course")

# use acl to check permission
verdict = (
    "Students chould view courses."
    if acl.is_allowed("student", "view", "course")
    else "Students chould not view courses."
)
print(verdict)
# use acl to check permission again
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import rbac.acl

# create access control list
acl = rbac.acl.Registry()

# add roles: member is the root, junior-student hangs below student
acl.add_role("member")
for role, parents in (
    ("student", ["member"]),
    ("teacher", ["member"]),
    ("junior-student", ["student"]),
):
    acl.add_role(role, parents)

# add resources: senior-course is a child of course
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# set rules: one allow per (role, operation) on course, then a single deny
for role, operation in (
    ("member", "view"),
    ("student", "learn"),
    ("teacher", "teach"),
):
    acl.allow(role, operation, "course")
acl.deny("junior-student", "learn", "senior-course")

# use acl to check permission
verdict = (
    "Students chould view courses."
    if acl.is_allowed("student", "view", "course")
    else "Students chould not view courses."
)
print(verdict)
# use acl to check permission again
import rbac.acl

# create access control list
acl = rbac.acl.Registry()

# add Default roles
for role in ("admin", "developer"):
    acl.add_role(role)

# add Default users (add_user is presumably supplied by this project's
# Registry; its definition is not in view here)
acl.add_user("admin", ["admin"])
acl.add_user("user1", ["developer"])

# add resources
RESOURCES = ("resource-1", "resource-2")
for resource in RESOURCES:
    acl.add_resource(resource)

# set rules
# Admin have all permissions on every resource
for resource in RESOURCES:
    for operation in ("read", "write", "delete"):
        acl.allow("admin", operation, resource)
# Developer have read, write permission on resource-1 but not delete
for operation in ("read", "write"):
    acl.allow("developer", operation, "resource-1")
def main():
    """Demo: staff may create messages and edit their own; admin may edit any message."""
    # current context user; rebound below as each demo user "signs in",
    # and read lazily by the closures that follow
    current_user = None
    # create an access control list and an identity context that asks the
    # current user for its roles on every check
    acl = RegistryProxy(Registry())
    identity = IdentityContext(acl, lambda: current_user.get_roles())
    # registry roles and resources (the Message model class is the resource)
    acl.add_role("staff")
    acl.add_role("admin")
    acl.add_resource(Message)
    # add rules: staff may edit a message only when the assertion holds.
    # NOTE(review): the assertion reloads the row by id and compares owner
    # to current_user with `is`, so it depends on both objects coming from
    # the same session's identity map — confirm, or compare ids instead.
    is_message_owner = lambda acl, role, operation, resource: db.query(Message).get(resource.id).owner is current_user
    acl.allow("staff", "create", Message)
    acl.allow("staff", "edit", Message, assertion=is_message_owner)
    acl.allow("admin", "edit", Message)
    # `db` is bound after the lambda above is defined; the lambda only reads it at call time
    db = Session()
    ModelBase.metadata.create_all(engine)
    tonyseek = User(name="tonyseek")
    tonyseek.set_roles(["staff"])
    tom = User(name="tom")
    tom.set_roles(["staff"])
    admin = User(name="admin")
    admin.set_roles(["admin"])
    db.add_all([tonyseek, tom, admin])
    db.commit()

    # used as a decorator: the permission is checked before the body runs
    @identity.check_permission("create", Message)
    def create_message(content):
        message = Message(content=content, owner=current_user)
        db.add(message)
        db.commit()
        print "%s has craeted a message: '%s'." % (current_user.name.capitalize(), content)

    def edit_message(content, new_content):
        message = db.query(Message).filter_by(content=content).one()
        # first use: the checker is tested for truthiness to pick the message;
        # presumably it is truthy only when access is granted — verify against IdentityContext
        if not identity.check_permission("edit", message):
            print "%s tried to edit the message '%s' but he will fail." % (current_user.name.capitalize(), content)
        else:
            print "%s will edit the message '%s'." % (current_user.name.capitalize(), content)
        # second use: as a context manager; the caller below catches
        # PermissionDenied, so this is where a denied edit is expected to raise
        with identity.check_permission("edit", message):
            message.content = new_content
            db.commit()
            print "The message '%s' has been edit by %s," % (content, current_user.name.capitalize()),
            print "the new content is '%s'" % new_content

    # tonyseek signed in and creates a message
    current_user = tonyseek
    create_message("Please open the door.")
    # tom signed in and tries to edit tonyseek's message
    current_user = tom
    try:
        edit_message("Please open the door.", "Please don't open the door.")
    except PermissionDenied:
        print "Oh, the operation has been denied."
    # tonyseek signed in and edits his own message
    current_user = tonyseek
    edit_message("Please open the door.", "Please don't open the door.")
    # admin signed in and edits tonyseek's message
    current_user = admin
    edit_message("Please don't open the door.", "Please open the window.")
import rbac.acl

# create access control list
acl = rbac.acl.Registry()

# add roles: every user is also a viewer
acl.add_role("viewer")
acl.add_role("user", ["viewer"])

# add resources, one per application page/action
PUBLIC_RESOURCES = ("register", "user_login")
USER_RESOURCES = (
    "user_search",
    "make_transaction",
    "user_profile_view",
    "user_profile",
    "show_notification",
    "delete_account",
    "add_notification",
)
for resource in PUBLIC_RESOURCES + USER_RESOURCES + ("move_notification", "logout"):
    acl.add_resource(resource)

# set rules: viewers reach the public pages, users the account pages
for resource in PUBLIC_RESOURCES:
    acl.allow("viewer", "access", resource)
for resource in USER_RESOURCES:
    acl.allow("user", "access", resource)
# -*- coding: utf-8 -*- # __author__: musibii # __file__ : test1.py # __time__ : 2020/4/29 11:05 上午 import rbac.acl acl = rbac.acl.Registry() acl.add_role() acl.add_resource(acl) acl.allow() acl.deny() acl.is_allowed()
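def get(self, request, action, *args, **kwargs):
    """Populate a fresh ACL registry according to ``action`` and echo each step on stdout.

    ``action`` selects 'generate-roles', 'generate-resources',
    'generate-rules', or 'test-onthefly' (all three steps in sequence
    followed by one is_allowed check); any other value prints
    'Command unknown.'. The registry is created per call and discarded on
    return, so the individual generate-* actions never see each other's
    state. The request is then handed on to the parent class' get().
    """
    acl = rbac.acl.Registry()
    if action == 'generate-roles':
        self._generate_roles(acl)
        #TODO [POM] add the created users to the roles as leaves of the tree
    elif action == 'generate-resources':
        self._generate_resources(acl)
    elif action == 'generate-rules':
        # NOTE(review): these rules name roles that this fresh registry never
        # received; whether Registry accepts rules for unknown roles is not
        # visible here — confirm.
        self._generate_rules(acl)
        #TODO [POM] let users that share the same magazine share the same permission
    elif action == 'test-onthefly':
        self._generate_roles(acl)
        self._generate_resources(acl)
        self._generate_rules(acl)
        if acl.is_allowed("Auditors", "write", "noticia"):
            print "Auditors can write noticia"
        else:
            print "Auditors can not write noticia"
    else:
        print 'Command unknown.'
    # bound super() call: passing self again would shift it into ``request``
    return super(RoleManager, self).get(request, *args, **kwargs)

def _generate_roles(self, acl):
    """Register the intern/extern role tree on ``acl``, echoing each step."""
    print 'Generating roles...'
    acl.add_role("InternUsers")
    print "\t Added Role: InternUsers"
    # these three inherit from InternUsers
    for role in ("Directors", "Writers", "Auditors"):
        acl.add_role(role, ["InternUsers"])
        print "\t Added Role: %s" % role
    acl.add_role("ExternUsers")
    print "\t Added Role: ExternUsers"
    print "\t\t[Done]"

def _generate_resources(self, acl):
    """Register 'noticia' plus one child resource per stored Noticia title."""
    print 'Generating resources...'
    acl.add_resource("noticia")
    print "\t Added Resource: Noticia"
    # child resources inherit from "noticia"; titles come from the database
    for noticia in Noticia.objects.all():
        acl.add_resource("noticia-" + noticia.title, ["noticia"])
        print "\t Added Resource: noticia-%s" % noticia.title
    print "\t\t[Done]"

def _generate_rules(self, acl):
    """Grant intern roles their operations on 'noticia'; deny all writes to ExternUsers."""
    print 'Generating rules...'
    acl.allow("InternUsers", "read", "noticia")
    print "\tInternUsers can read noticia"
    acl.allow("Writers", "write", "noticia")
    print "\tWriters can write noticia"
    for operation in ("update", "delete"):
        acl.allow("Auditors", operation, "noticia")
        print "\tAuditors can %s noticia" % operation
    for operation in ("write", "update", "delete"):
        acl.deny("ExternUsers", operation, "noticia")
        print "\tExternUsers can not %s noticia" % operation
    print "\t\t[Done]"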