def new_getPolicy(param, only_active=True): ''' Function to retrieve the list of policies. attributes: - name: (optional) will only return the policy with the name - user: (optional) will only return the policies for this user - realm: (optional) will only return the policies of this realm - scope: (optional) will only return the policies within this scope - action: (optional) will only return the policies with this action The action can also be something like "otppin" and will return policies containing "otppin = 2" :return: a dictionary with the policies. The name of the policy being the key ''' # # filter the policies with the new engine policy_elve = PolicyEvaluator(get_policies()) # # install the filters policy_elve.set_filters(params=param) # # add the special filter for activ or inactive policies if only_active: policy_elve.filter_for_active(state=True) if (('user' in param and param['user'] is not None) or ('action' in param and param['action'] is not None)): policy_elve.filter_for_time() # # finally we apply the filter new_pols = policy_elve.evaluate() return new_pols
def _getAuthorization(scope, action):
    """
    Decide whether the authenticated admin may perform ``action`` in ``scope``.

    Meant for the scopes system, audit, monitoring and tools. Realms are
    NOT taken into account.

    Security note: the check fails open. If no policy at all exists for
    ``scope``, checking is treated as disabled for that scope and the result
    carries ``auth=True`` for whoever is authenticated. Nothing later in the
    function revokes that.

    :param scope: policy scope to check (system/audit/monitoring/tools)
    :param action: the action to authorize, e.g. read or write
    :return: a dictionary with the keys

        - active: False if no policy exists for the scope, otherwise True
        - admin: the authenticated admin user, as returned by
          _getAuthenticatedUser()
        - auth: True if the admin is authorized for this action
    """
    evaluator = PolicyEvaluator(get_policies())
    scope_policies = evaluator.has_policy({"scope": scope})

    # An empty scope means "policies are not in use": the verdict starts out
    # as authorized instead of denied.
    enforcement_on = len(scope_policies) != 0
    granted = not enforcement_on
    if not enforcement_on:
        LOG.info(
            "No policies in scope %s found. Checking "
            "of scope %s be disabled.",
            scope,
            scope,
        )

    # TODO: We may change this later to other authentication schemes
    LOG.debug("[getAuthorization] now getting the admin user name")
    admin_user = _getAuthenticatedUser()
    LOG.debug("Evaluating policies for the user: %r", admin_user)

    # NOTE(review): the evaluation also runs when scope_policies is empty;
    # how evaluate() treats an empty policy_set is not visible here.
    lookup = {"user": admin_user, "scope": scope, "action": action}
    matched = evaluator.set_filters(lookup).evaluate(policy_set=scope_policies)
    LOG.debug("Found the following policies: %r", matched)

    # Any matching policy is sufficient to authorize the action.
    if len(list(matched.keys())) > 0:
        granted = True

    return {"active": enforcement_on, "auth": granted, "admin": admin_user}
def new_getAuthorization(scope, action):
    """
    Decide whether the authenticated admin may perform ``action`` in ``scope``.

    Meant for the scopes system, audit, monitoring and tools. Realms are
    NOT taken into account.

    Security note: the check fails open. If no policy at all exists for
    ``scope``, checking is treated as disabled for that scope and the result
    carries ``auth=True`` for whoever is authenticated. Nothing later in the
    function revokes that.

    :param scope: policy scope to check (system/audit/monitoring/tools)
    :param action: the action to authorize, e.g. read or write
    :return: a dictionary with the keys

        - active: False if no policy exists for the scope, otherwise True
        - admin: the login name of the authenticated admin user
        - auth: True if the admin is authorized for this action
    """
    evaluator = PolicyEvaluator(get_policies())
    scope_policies = evaluator.has_policy({'scope': scope})

    if len(scope_policies) == 0:
        # No policy in this scope: enforcement is off and access is granted.
        LOG.info("No policies in scope %s found. Checking "
                 "of scope %s be disabled.", scope, scope)
        active, auth = False, True
    else:
        active, auth = True, False

    # TODO: We may change this later to other authentication schemes
    LOG.debug("[getAuthorization] now getting the admin user name")
    admin_user = _getAuthenticatedUser()

    # NOTE(review): assumes _getAuthenticatedUser() returns a mapping with a
    # 'login' key; what it returns without an authenticated session is not
    # visible here.
    login = admin_user['login']
    LOG.debug("Evaluating policies for the user: %s", login)

    # NOTE(review): the evaluation also runs when scope_policies is empty;
    # how evaluate() treats an empty policy_set is not visible here.
    evaluator_with_filters = evaluator.set_filters(
        {'user': login, 'scope': scope, 'action': action})
    matched = evaluator_with_filters.evaluate(policy_set=scope_policies)
    LOG.debug("Found the following policies: %r", matched)

    # Any matching policy is sufficient to authorize the action.
    if len(matched.keys()) > 0:
        auth = True

    return {'active': active, 'auth': auth, 'admin': login}