def get_authz_permissions(self, identifier): """ Returns a dictionary mapping domain to permission parts. Dict is a map of: domain -> list of strings, each of which is a json-encoded dict: { 'domain': '...', 'action': '...', 'target': '...'} Example: { '*': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "something"}'], 'users': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "blah"}'] } Statically set to a single domain (*) and a single perm (*) :param identifier: :return: dict mapping a domain name to a list of permissions """ with session_scope() as db: idp = idp_factory.for_session(db) identity, _ = idp.lookup_user(identifier) if identity: perms = self._build_permissions_for(identity) logger.debug('Using perms: {}'.format(perms)) return perms else: logger.debug("Found no account, so no perms") return {}
def get_authz_permissions(self, identifier): """ Returns a dictionary mapping domain to permission parts. Dict is a map of: domain -> list of strings, each of which is a json-encoded dict: { 'domain': '...', 'action': '...', 'target': '...'} Example: { '*': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "something"}'], 'users': [ '{"domain":"*", "action": "read", "target": "*"}', '{"domain":"*", "action": "write", "target": "blah"}'] } Statically set to a single domain (*) and a single perm (*) :param identifier: :return: dict mapping a domain name to a list of permissions """ with session_scope() as db: if isinstance(identifier, IdentityContext): # If already looked-up, use it identity = identifier else: # Lookup the user identity idp = idp_factory.for_session(db) identity, _ = idp.lookup_user(identifier) if identity: perms = self._build_permissions_for(identity) return perms else: return {}
def _get_account_state(self, account): """ Verify that the namespace is enabled or else the calling identity is a user in the system admin group """ with session_scope() as session: identities = idp_factory.for_session(session) n = identities.lookup_account(account) if n: return n['state'] else: return None
def healthcheck(self): try: with session_scope() as session: mgr = idp_factory.for_session(session) sys_usr = mgr.lookup_user(localconfig.SYSTEM_USERNAME) if sys_usr is not None: logger.debug('Healthcheck for native authz handler returning ok') return True except Exception as e: logger.error('Healthcheck for native authz handler caught exception: {}'.format(e)) return False
def get_authc_info(self, authc_token): """ Function defined in the interface. Returns a dict: { 'account_locked': bool, 'authc_info': { '<str cred type>': { 'credential': <value>, 'failed_attempts': <int> } } 'account_id': <str> } :param authc_token: :return: populated dict defined above or empty structured dict above """ result_account = { 'account_locked': None, 'authc_info': [], 'account_id': None } with session_scope() as db: idp = idp_factory.for_session(db) try: identity, creds = idp.lookup_user(authc_token) except: logger.exception('Error looking up user') identity = None creds = None if identity: result_account['account_locked'] = not ( identity.user_account_state == AccountStates.enabled) if creds: result_account['authc_info'] = { cred.type.value: { 'credential': self.cc.hash(cred.value), 'failed_attempts': [] } for cred in creds } logger.debug('Returning found authc credentials for {}'.format( authc_token)) return result_account else: logger.debug( 'Found no authc info for token: {}'.format(authc_token)) return result_account
def get_authc_info(self, identifier): """ Function defined in the interface. Returns a dict: { 'account_locked': bool, 'authc_info': { '<str cred type>': { 'credential': <value>, 'failed_attempts': <int> } } 'account_id': <str> } :param identifier: :return: populated dict defined above or empty structured dict above """ result_account = { 'account_locked': None, 'authc_info': {}, 'account_id': None, 'anchore_identity': None # Used to transmit more than just username } with session_scope() as db: idp = idp_factory.for_session(db) try: identity, creds = idp.lookup_user(identifier) except: logger.exception('Error looking up user') identity = None creds = None result_account['account_locked'] = False if identity: result_account['anchore_identity'] = identity if creds: result_account['authc_info'] = { cred.type.value: { 'credential': cred.value, 'failed_attempts': [] } for cred in creds } return result_account
def get_authc_info(self, identifier): """ Function defined in the interface. Returns a dict: { 'account_locked': bool, 'authc_info': { '<str cred type>': { 'credential': <value>, 'failed_attempts': <int> } } 'account_id': <str> } This differs from the password-flow lookup in that it uses the users's uuid rather than username since tokens are tied to the uuid to ensure lifecycle tied to a specific instance of a username. :param identifier: the user's uuid as signed/encoded in the token :return: populated dict defined above or empty structured dict above """ result_account = { "account_locked": None, "authc_info": {}, "account_id": None, "anchore_identity": None, } with session_scope() as db: idp = idp_factory.for_session(db) try: identity, creds = idp.lookup_user_by_uuid(identifier) except: logger.exception("Error looking up user") identity = None creds = None result_account["account_locked"] = False if identity: result_account["anchore_identity"] = identity result_account["authc_info"]["jwt"] = { "credential": identity.user_uuid, "failed_attempts": [], } return result_account