Esempio n. 1
def main(argv=None):  # IGNORE:C0111
    '''Entry point: build the admin/review command-line parser and run it.

    When ``argv`` is given it is appended to ``sys.argv`` (the parser still
    reads ``sys.argv``); otherwise ``sys.argv`` is used as-is. The parsed
    namespace is handed to ``process``.
    '''
    if argv is None:
        argv = sys.argv
    else:
        sys.argv.extend(argv)

    parser = argparse.ArgumentParser(
        description='Process py-fortress admin and review commands.')
    parser.add_argument('entity',
                        metavar='entity',
                        choices=[USER, ROLE, PERM, OBJECT],
                        help='entity name')
    parser.add_argument('operation',
                        metavar='operand',
                        choices=[
                            ADD, UPDATE, DELETE, ASSIGN, DEASSIGN, GRANT,
                            REVOKE, READ, SEARCH
                        ],
                        help='operation name')
    parser.add_argument('-r', '--role', dest='role', help='role name')
    # Multi-valued user attributes; each gets its own empty-list default.
    for flag in ('--phones', '--mobiles', '--emails', '--props'):
        parser.add_argument(flag, nargs="*", default=[])

    # Let each entity type contribute its own attribute flags, in the
    # same order as before so help output is unchanged.
    for entity in (Role(), User(), Perm(), PermObj(), Constraint()):
        add_args(parser, entity)
    process(parser.parse_args())
Esempio n. 2
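def delete_object(perm_obj):
    """
    Remove a permission object from the perms container in the directory.

    If the directory refuses the delete because the object still has child
    permissions, every permission attached to the object is deleted first
    and the delete is retried — so this call cascades to the children.

    required parameters:
    perm.obj_name - maps to existing perm object.

    raises RbacError for any directory failure other than the non-leaf case.
    """
    utils.validate_perm_obj(perm_obj)
    try:
        permdao.delete_obj(perm_obj)
    except RbacError as e:
        if e.id != global_ids.PERM_OBJECT_DELETE_FAILED_NONLEAF:
            # Nothing to recover from here; re-raise with the traceback intact.
            raise
        logger.warning('admin.delete_object non-leaf, obj_name:%s',
                       perm_obj.obj_name)
        # Delete every permission under this object (op_name wildcard).
        children = permdao.search(
            Perm(obj_name=perm_obj.obj_name, op_name='*'))
        for child in children:
            permdao.delete(child)
            logger.warning('admin.delete_object child obj_name:%s, op_name:%s',
                           child.obj_name, child.op_name)
        # The object should be a leaf now; retry the delete.
        permdao.delete_obj(perm_obj)
        # Log the object's own name — the old code used the loop variable,
        # which is unbound when the search returned no children.
        logger.warning('admin.delete_object success after retry, obj_name:%s',
                       perm_obj.obj_name)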
Esempio n. 3
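 def test_search_perms(self):
     """
     Test perm search by obj_name in file
     """
     print_ln('test read perms by obj_name')
     try:
         perm = Perm(obj_name="test*")
         p = permdao.read(perm)
         print_entity(p, "Perm")
     except Exception as e:
         # Only RbacError carries .msg; fall back to str(e) so the failure
         # message is reported instead of an AttributeError.
         self.fail('perm search failed, exception=' + getattr(e, 'msg', str(e)))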
Esempio n. 4
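 def test_search_perms(self):
     """
     Test the perm search by obj_name and op_name in ldap
     """
     print_ln('test search perms by objNm')
     try:
         prm = Perm(obj_name="TOB*", op_name="TOP*")
         pList = permdao.search(prm)
         for idx, entity in enumerate(pList):
             print_entity(entity, "Perm[" + str(idx + 1) + "]:", 1)
     except Exception as e:
         # Only RbacError carries .msg; fall back to str(e) so the failure
         # message is reported instead of an AttributeError.
         self.fail('perm search failed, exception=' + getattr(e, 'msg', str(e)))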
Esempio n. 5
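def _require_role(args):
    """Return args.role, or None (after printing an error) when it is absent."""
    if not args.role:
        print("error --role required for this op")
        return None
    print('role=' + args.role)
    return args.role


def _search_perms(args, perm):
    """
    Run the SEARCH operation: perms of a user (--uid), of a role (--role),
    or a wildcard match on obj_name/op_name when neither is given.
    """
    if args.uid:
        label = args.uid
        prms = review.user_perms(User(uid=args.uid))
    elif args.role:
        label = args.role
        prms = review.role_perms(Role(name=args.role))
    else:
        # Turn the (possibly empty) names into prefix wildcards.
        perm.obj_name = (perm.obj_name or '') + '*'
        perm.op_name = (perm.op_name or '') + '*'
        label = perm.obj_name + '.' + perm.op_name
        prms = review.find_perms(perm)
    if not prms:
        print_ln('No matching records found matching filter: ' + label)
        return
    for idx, prm in enumerate(prms):
        print_entity(prm, label + ':' + str(idx))


def process_perm(args):
    """
    Dispatch one admin/review command for a permission entity.

    Returns True when the operation was recognised and run. GRANT and
    REVOKE additionally require --role and return False without it;
    an unknown operation also returns False.
    """
    perm = load_entity(Perm(), args)
    print(args.entity + ' ' + args.operation)
    op = args.operation
    if op == ADD:
        admin.add_perm(perm)
    elif op == UPDATE:
        admin.update_perm(perm)
    elif op == DELETE:
        admin.delete_perm(perm)
    elif op in (GRANT, REVOKE):
        # Without --role the old code raised TypeError on 'role=' + None.
        role_nm = _require_role(args)
        if role_nm is None:
            return False
        action = admin.grant if op == GRANT else admin.revoke
        action(perm, Role(name=role_nm))
    elif op == READ:
        print_entity(review.read_perm(perm),
                     perm.obj_name + '.' + perm.op_name)
    elif op == SEARCH:
        _search_perms(args, perm)
    else:
        print('process_perm failed, invalid operation=' + op)
        return False
    return True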
Esempio n. 6
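 def test_delete_perms(self):
     """
     Test the perm delete
     """
     print_ln('test delete perms')

     try:
         pList = permdao.search(Perm(obj_name='py-test*', op_name='*'))
         for perm in pList:
             permdao.delete(perm)
             print_ln("Delete perm obj=" + perm.obj_name + ', op=' + perm.op_name + ', id=' + perm.obj_id)
     except Exception as e:
         # Only RbacError carries .msg; fall back to str(e) so the failure
         # message is reported instead of an AttributeError.
         self.fail('perm delete failed, exception=' + getattr(e, 'msg', str(e)))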
Esempio n. 7
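 def test02_delete_perm(self):
     """
     Test the perm delete object method
     """
     print_ln('test_delete_perm')

     try:
         pList = review.find_perms(Perm(obj_name='py-obj*', op_name='*'))
         for perm in pList:
             entity = admin.delete_perm(perm)
             print_ln("Delete Perm obj name=" + entity.obj_name + ', op=' + entity.op_name + ', id=' + entity.obj_id)
     except Exception as e:
         # Only RbacError carries .msg; fall back to str(e) so the failure
         # message is reported instead of an AttributeError.
         self.fail('test_delete_perm failed, exception=' + getattr(e, 'msg', str(e)))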
Esempio n. 8
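 def test01_revoke(self):
     """
     Test the revoke method
     """
     print_ln('test_revoke')

     try:
         pList = review.find_perms(Perm(obj_name='py-obj*', op_name='*'))
         rles = role_test_data.get_test_roles('py-role', 10)
         for perm in pList:
             for rle in rles:
                 admin.revoke(perm, rle)
                 print_ln("Revoke Perm obj name=" + perm.obj_name + ', op=' + perm.op_name + ', id=' + perm.obj_id + ', Role=' + rle.name)
     except Exception as e:
         # The old `pass` here hid every error, so a broken revoke still
         # passed the test; fail like the sibling tests do.
         self.fail('test_revoke failed, exception=' + getattr(e, 'msg', str(e)))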
Esempio n. 9
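    def test03_perm_roles(self):
        """
        Test the perm roles method
        """
        print_ln('test16_perm_roles')

        try:
            pList = review.find_perms(Perm(obj_name='py-obj*', op_name='*'))
            for perm in pList:
                print_ln("Role Perm obj name=" + perm.obj_name + ', op=' +
                         perm.op_name + ', id=' + perm.obj_id)
                for role in review.perm_roles(perm):
                    print_ln("Assigned role=" + role, 1)
        except Exception as e:
            # Only RbacError carries .msg; fall back to str(e) so the failure
            # message is reported instead of an AttributeError.
            self.fail('test16_perm_roles failed, exception=' +
                      getattr(e, 'msg', str(e)))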
Esempio n. 10
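    def test06_perm_users(self):
        """
        Test the perm users method
        """
        print_ln('test_perm_users')

        try:
            pList = review.find_perms(Perm(obj_name='py-obj*', op_name='*'))
            for perm in pList:
                print_ln("Perm obj name=" + perm.obj_name + ', op=' +
                         perm.op_name + ', id=' + perm.obj_id)
                for user in review.perm_users(perm):
                    print_ln("Assigned user=" + user.uid, 1)
        except Exception as e:
            # Only RbacError carries .msg; fall back to str(e) so the failure
            # message is reported instead of an AttributeError.
            self.fail('test_perm_users failed, exception=' +
                      getattr(e, 'msg', str(e)))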
Esempio n. 11
def main(argv=None):
    '''Entry point: build the access command-line parser and run it.

    When ``argv`` is given it is appended to ``sys.argv`` (the parser still
    reads ``sys.argv``); otherwise ``sys.argv`` is used as-is. The parsed
    namespace is handed to ``process``.
    '''
    if argv is None:
        argv = sys.argv
    else:
        sys.argv.extend(argv)

    parser = argparse.ArgumentParser(
        description='Process py-fortress access commands.')
    parser.add_argument(
        'operation',
        metavar='operand',
        choices=[AUTH, CHCK, ROLES, PERMS, ADD, DELETE, SHOW, DROP],
        help='operation name')
    parser.add_argument('-r', '--role', dest='role', help='role name')
    # User and Perm contribute their own attribute flags.
    for entity in (User(), Perm()):
        add_args(parser, entity)
    process(parser.parse_args())
Esempio n. 12
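def process(args):
    """
    Run one access-control command from the parsed CLI namespace.

    AUTH creates a new session; every other operation loads the session
    persisted by the previous call (un_pickle) and, when done, writes it
    back (pickle_it) so state such as active roles carries across calls.

    Returns True on success, False on failure, a missing --role, an
    invalid operation, or an RbacError.
    """
    user = load_entity(User(), args)
    perm = load_entity(Perm(), args)
    print(args.operation)
    op = args.operation
    sess = None
    result = False
    try:
        if op == AUTH:
            sess = access.create_session(user, False)
            result = True
        elif op == CHCK:
            # NOTE(review): un_pickle() loads the session with pickle. Whatever
            # file it reads must be writable only by the invoking user, since
            # unpickling data someone else controls runs arbitrary code.
            sess = un_pickle()
            result = access.check_access(sess, perm)
        elif op == ROLES:
            sess = un_pickle()
            for idx, role in enumerate(access.session_roles(sess)):
                print_entity(role, role.name + ':' + str(idx))
            result = True
        elif op == PERMS:
            sess = un_pickle()
            # Loop variable named apart from the CLI-loaded `perm` above.
            for idx, sp in enumerate(access.session_perms(sess)):
                print_entity(
                    sp, sp.obj_name + '.' + sp.op_name + ':' + str(idx))
            result = True
        elif op == SHOW:
            sess = un_pickle()
            print_entity(sess, 'session')
            print_user(sess.user, 'user')
            result = True
        elif op in (ADD, DROP):
            sess = un_pickle()
            if not args.role:
                print("error --role required for this op")
                return False
            print('role=' + args.role)
            if op == ADD:
                access.add_active_role(sess, args.role)
            else:
                access.drop_active_role(sess, args.role)
            result = True
        else:
            print('process failed, invalid operation=' + op)
        print('success' if result else 'failed')
        # Persist only when a session exists; an invalid operation used to
        # overwrite the stored session with None.
        if sess is not None:
            pickle_it(sess)
    except RbacError as e:
        if e.id == global_ids.ACTV_FAILED_DAY:
            print('failed day of week, id=' + str(e.id) + ', msg=' + e.msg)
        elif e.id == global_ids.ACTV_FAILED_DATE:
            print('failed for date, id=' + str(e.id) + ', msg=' + e.msg)
        elif e.id == global_ids.ACTV_FAILED_TIME:
            print('failed for time of day, id=' + str(e.id) + ', msg=' + e.msg)
        elif e.id == global_ids.ACTV_FAILED_TIMEOUT:
            print('failed inactivity timeout, id=' + str(e.id) + ', msg=' +
                  e.msg)
        elif e.id == global_ids.ACTV_FAILED_LOCK:
            print('failed locked date')
        else:
            print('RbacError id=' + str(e.id) + ', ' + e.msg)
        return False
    return result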
Esempio n. 13
def __unload(dn, attrs):
    """
    Build a Perm entity from an LDAP entry's dn and attribute map.

    Attribute names are looked up through CIDict; a missing attribute is
    passed to ldaphelper as an empty list.
    """
    attrs = CIDict(attrs)

    def single(key):
        # Single-valued attribute.
        return ldaphelper.get_attr_val(attrs.get(key, []))

    def many(key):
        # Multi-occurring attribute.
        return ldaphelper.get_list(attrs.get(key, []))

    entity = Perm()
    entity.dn = dn
    entity.internal_id = single(global_ids.INTERNAL_ID)
    entity.obj_id = single(OBJ_ID)
    entity.obj_name = single(OBJ_NM)
    entity.op_name = single(OP_NM)
    entity.abstract_name = single(PERM_NAME)
    entity.type = single(TYPE)
    entity.description = ldaphelper.get_one_attr_val(
        attrs.get(global_ids.DESC, []))
    entity.users = many(USERS)
    entity.roles = many(ROLES)
    entity.props = many(global_ids.PROPS)
    return entity