def has_client_policy(
client,
scope=None,
action=None,
realm=None,
user=None,
find_resolver=True,
userObj=None,
active_only=True,
):
"""
This function returns the dictionary of policies for the given client.
1. First it searches for all policies matching (scope, action, realm) and
checks, whether the given client is contained in the policy field client.
If no policy for the given client is found it takes the policy without
a client
2. Then it strips down the returnable policies to those, that only contain
the username - UNLESS - none of the above policies contains a username
3. then we try to find resolvers in the username (OPTIONAL)
4. if nothing matched so far, we try the extended policy check
The difference to the get_policy is, that it restores the already installed
filters for an existance check
"""
policy_eval = PolicyEvaluator(get_policies())
param = {}
if realm:
param["realm"] = realm
if scope:
param["scope"] = scope
if action:
param["action"] = action
if active_only:
policy_eval.filter_for_active(state=True)
if client:
param["client"] = client
if userObj:
param["user"] = userObj
elif user:
param["user"] = user
policies = policy_eval.has_policy(param)
return policies
def _getAuthorization(scope, action):
"""
This internal function returns the Authrorizaition within some
the scope=system(or audit, monitoring, tools). for the currently
authenticated administrativ user.
This does not take into account the REALMS!
arguments:
action - this is the action
scope = system/audit/monitoring/tools
read
write
returns:
a dictionary with the following keys:
active (if policies are used)
admin (the name of the authenticated admin user)
auth (True if admin is authorized for this action)
"""
active = True
auth = False
policy_elve = PolicyEvaluator(get_policies())
p_at_all = policy_elve.has_policy({"scope": scope})
if len(p_at_all) == 0:
LOG.info(
"No policies in scope %s found. Checking "
"of scope %s be disabled.",
scope,
scope,
)
active = False
auth = True
# TODO: We may change this later to other authentication schemes
LOG.debug("[getAuthorization] now getting the admin user name")
admin_user = _getAuthenticatedUser()
LOG.debug("Evaluating policies for the user: %r", admin_user)
param = {"user": admin_user, "scope": scope, "action": action}
policies = policy_elve.set_filters(param).evaluate(policy_set=p_at_all)
LOG.debug("Found the following policies: %r", policies)
if len(list(policies.keys())) > 0:
auth = True
return {"active": active, "auth": auth, "admin": admin_user}
def new_getAuthorization(scope, action):
"""
This internal function returns the Authrorizaition within some
the scope=system(or audit, monitoring, tools). for the currently
authenticated administrativ user.
This does not take into account the REALMS!
arguments:
action - this is the action
scope = system/audit/monitoring/tools
read
write
returns:
a dictionary with the following keys:
active (if policies are used)
admin (the name of the authenticated admin user)
auth (True if admin is authorized for this action)
"""
active = True
auth = False
policy_elve = PolicyEvaluator(get_policies())
p_at_all = policy_elve.has_policy({'scope': scope})
if len(p_at_all) == 0:
LOG.info("No policies in scope %s found. Checking "
"of scope %s be disabled.", scope, scope)
active = False
auth = True
# TODO: We may change this later to other authentication schemes
LOG.debug("[getAuthorization] now getting the admin user name")
admin_user = _getAuthenticatedUser()
LOG.debug("Evaluating policies for the user: %s", admin_user['login'])
param = {'user': admin_user['login'],
'scope': scope,
'action': action}
policies = policy_elve.set_filters(param).evaluate(policy_set=p_at_all)
LOG.debug("Found the following policies: %r", policies)
if len(policies.keys()) > 0:
auth = True
return {'active': active,
'auth': auth,
'admin': admin_user['login']}
def new_has_client_policy(client, scope=None, action=None, realm=None,
user=None, find_resolver=True, userObj=None,
active_only=True):
'''
This function returns the dictionary of policies for the given client.
1. First it searches for all policies matching (scope, action, realm) and
checks, whether the given client is contained in the policy field client.
If no policy for the given client is found it takes the policy without
a client
2. Then it strips down the returnable policies to those, that only contain
the username - UNLESS - none of the above policies contains a username
3. then we try to find resolvers in the username (OPTIONAL)
4. if nothing matched so far, we try the extended policy check
The difference to the get_policy is, that it restores the already installed
filters for an existance check
'''
policy_eval = PolicyEvaluator(get_policies())
param = {}
if realm:
param['realm'] = realm
if scope:
param['scope'] = scope
if action:
param['action'] = action
if active_only:
policy_eval.filter_for_active(state=True)
if client:
param['client'] = client
if userObj:
param['user'] = userObj
elif user:
param['user'] = user
policies = policy_eval.has_policy(param)
return policies
def test_user_regex_match2(self, mock_domain_comp, mock_domain_exists):
"""evaluate for user3@realmx with resolver 'resolver'
as there is no dedicated user policy, the policies with resolver or
realm will match.
"""
mock_domain_comp.side_effect = fn_mock_domain_comp
mock_domain_exists.side_effect = fn_mock_domain_comp
# define user
user = User(
login="******",
realm="realmx",
resolver_config_identifier="resolver",
)
# define policies
policies = {}
policies.update(create_policy("self1", user="******"))
policies.update(create_policy("self2", user="******"))
policies.update(create_policy("self3", user="******"))
policies.update(create_policy("self4", user="******"))
policies.update(create_policy("self5", user="******"))
policies.update(
create_policy("self6", user="******")
)
policies.update(
create_policy(
"self7", user="******"
)
)
policies.update(
create_policy("self8", user="******")
)
# evaluate the policies wrt. the given user
p_eval = PolicyEvaluator(policies)
p_eval.filter_for_user(user)
matching_policies = p_eval.evaluate()
# compare the results
expected_matches = set(["self6", "self7"])
matching_policies_names = set(matching_policies.keys())
assert matching_policies_names == expected_matches
def test_user_exact_match2(self, mock_domain_comp, mock_domain_exists):
"""evaluate for user2@realm with resolver 'resolver'
dedicated only user2 policies whith fqn should match and not for realm!
"""
mock_domain_comp.side_effect = fn_mock_domain_comp
mock_domain_exists.side_effect = fn_mock_domain_comp
# define user
user = User(
login="******", realm="realm", resolver_config_identifier="resolver"
)
# define policies
policies = {}
policies.update(create_policy("self1", user="******"))
policies.update(create_policy("self2", user="******"))
policies.update(create_policy("self3", user="******"))
policies.update(create_policy("self4", user="******"))
policies.update(create_policy("self5", user="******"))
policies.update(
create_policy("self6", user="******")
)
policies.update(
create_policy(
"self7", user="******"
)
)
policies.update(
create_policy("self8", user="******")
)
# evaluate the policies wrt. the given user
p_eval = PolicyEvaluator(policies)
p_eval.filter_for_user(user)
matching_policies = p_eval.evaluate()
# compare the results
expected_matches = set(["self6", "self8"])
matching_policies_names = set(matching_policies.keys())
assert (
matching_policies_names == expected_matches
), matching_policies_names
def test_user_regex_match2(self, mock_domain_comp, mock_domain_exists):
"""evaluate for user3@realmx with resolver 'resolver'
as there is no dedicated user policy, the policies with resolver or
realm will match.
"""
mock_domain_comp.side_effect = fn_mock_domain_comp
mock_domain_exists.side_effect = fn_mock_domain_comp
# define user
user = User(
login='******',
realm='realmx',
resolver_config_identifier='resolver'
)
# define policies
policies = {}
policies.update(create_policy('self1', user='******'))
policies.update(create_policy('self2', user='******'))
policies.update(create_policy('self3', user='******'))
policies.update(create_policy('self4', user='******'))
policies.update(create_policy('self5', user='******'))
policies.update(create_policy(
'self6', user='******'))
policies.update(create_policy(
'self7', user='******'))
policies.update(create_policy(
'self8', user='******'))
# evaluate the policies wrt. the given user
p_eval = PolicyEvaluator(policies)
p_eval.filter_for_user(user)
matching_policies = p_eval.evaluate()
# compare the results
expected_matches = set(['self6', 'self7'])
matching_policies_names = set(matching_policies.keys())
assert matching_policies_names == expected_matches
def new_getPolicy(param, only_active=True):
'''
Function to retrieve the list of policies.
attributes:
- name: (optional) will only return the policy with the name
- user: (optional) will only return the policies for this user
- realm: (optional) will only return the policies of this realm
- scope: (optional) will only return the policies within this scope
- action: (optional) will only return the policies with this action
The action can also be something like "otppin" and will
return policies containing "otppin = 2"
:return: a dictionary with the policies. The name of the policy being
the key
'''
#
# filter the policies with the new engine
policy_elve = PolicyEvaluator(get_policies())
#
# install the filters
policy_elve.set_filters(params=param)
#
# add the special filter for activ or inactive policies
if only_active:
policy_elve.filter_for_active(state=True)
if (('user' in param and param['user'] is not None)
or ('action' in param and param['action'] is not None)):
policy_elve.filter_for_time()
#
# finally we apply the filter
new_pols = policy_elve.evaluate()
return new_pols
def new_getPolicy(param, only_active=True):
'''
Function to retrieve the list of policies.
attributes:
- name: (optional) will only return the policy with the name
- user: (optional) will only return the policies for this user
- realm: (optional) will only return the policies of this realm
- scope: (optional) will only return the policies within this scope
- action: (optional) will only return the policies with this action
The action can also be something like "otppin" and will
return policies containing "otppin = 2"
:return: a dictionary with the policies. The name of the policy being
the key
'''
#
# filter the policies with the new engine
policy_elve = PolicyEvaluator(get_policies())
#
# install the filters
policy_elve.set_filters(params=param)
#
# add the special filter for activ or inactive policies
if only_active:
policy_elve.filter_for_active(state=True)
if (('user' in param and param['user'] is not None) or
('action' in param and param['action'] is not None)):
policy_elve.filter_for_time()
#
# finally we apply the filter
new_pols = policy_elve.evaluate()
return new_pols
def test_simple_client_match(self):
"""test that only the most precise client policy will match."""
policies = {
"p1": {
"name": "qrtoken_local",
"user": "******",
"realm": "myrealm",
"client": "*",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
"p2": {
"name": "qrtoken_local",
"user": "******",
"realm": "myrealm",
"client": "127.0.0.1",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
}
policy_eval = PolicyEvaluator(policies)
policy_eval.filter_for_realm("myrealm")
policy_eval.filter_for_user("anton")
policy_eval.filter_for_client("127.0.0.1")
res = policy_eval.evaluate(policies)
assert len(list(res.keys())) == 1
assert "p1" not in res
assert "p2" in res
def test_simple_client_match(self):
"""test that only the most precise client policy will match."""
policies = {
'p1': {
'name': 'qrtoken_local',
'user': '******',
'realm': 'myrealm',
'client': "*",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
'p2': {
'name': 'qrtoken_local',
'user': '******',
'realm': 'myrealm',
'client': "127.0.0.1",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
}
policy_eval = PolicyEvaluator(policies)
policy_eval.filter_for_realm('myrealm')
policy_eval.filter_for_user('anton')
policy_eval.filter_for_client('127.0.0.1')
res = policy_eval.evaluate(policies)
assert len(list(res.keys())) == 1
assert 'p1' not in res
assert 'p2' in res
def test_multiple_matches(self):
"""test for most precise result over multiple matches.
to get the best matches, we intersect the matching policies
for example:
matching all: p1, p2, p3, p4, p5
user exact: p1, p2, p3
user wild: p4, p5
=> 1 selection: (p1, p2, p3, p4,) & (p1, p2, p3) = (p1, p2, p3)
intersect result with realm:
realm match exact: p1, p2, p4
=> 2. selection: (p1, p2, p3) & (p1, p2, p4) = (p1, p2)
intersect result with client:
client match exact: p3
client match wildcard: p1
=> 3a. selection: (p1, p2) & (p3) = () => try the client wildcards
=> 3b. selection: (p1, p2) & (p1) = p1
"""
policies = {
"p1": {
"name": "qrtoken_local",
"user": "******",
"realm": "myrealm",
"client": "*",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
"p2": {
"name": "qrtoken_local",
"user": "******",
"realm": "myrealm",
"client": "127.0.0.1",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
"p3": {
"name": "qrtoken_local",
"user": "******",
"realm": "*",
"client": "*",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
"p4": {
"name": "qrtoken_local",
"user": "******",
"realm": "myrealm",
"client": "127.0.0.1",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
"p5": {
"name": "qrtoken_local",
"user": "******",
"realm": "your_realm",
"client": "127.0.0.1",
"time": "*",
"action": "select",
"scope": "authentication",
"active": "True",
},
}
policy_eval = PolicyEvaluator({})
policy_eval.filter_for_realm("myrealm")
policy_eval.filter_for_user("hugo")
policy_eval.filter_for_client("192.168.178.12")
res = policy_eval.evaluate(policies)
assert len(list(res.keys())) == 1
assert "p1" in res
def new_get_client_policy(client,
scope=None,
action=None,
realm=None,
user=None,
find_resolver=True,
userObj=None,
active_only=True):
'''
This function returns the dictionary of policies for the given client.
1. First it searches for all policies matching (scope, action, realm) and
checks, whether the given client is contained in the policy field client.
If no policy for the given client is found it takes the policy without
a client
2. Then it strips down the returnable policies to those, that only contain
the username - UNLESS - none of the above policies contains a username
3. then we try to find resolvers in the username (OPTIONAL)
4. if nothing matched so far, we try the extended policy check
'''
policy_eval = PolicyEvaluator(get_policies())
if realm:
policy_eval.filter_for_realm(realm)
if scope:
policy_eval.filter_for_scope(scope)
if action:
policy_eval.filter_for_action(action)
if client:
policy_eval.filter_for_client(client)
policy_eval.filter_for_time()
if active_only:
policy_eval.filter_for_active(state=True)
if userObj:
policy_eval.filter_for_user(userObj)
elif user:
policy_eval.filter_for_user(user)
policies = policy_eval.evaluate(multiple=False)
return policies
def test_multiple_matches(self):
"""test for most precise result over multiple matches.
to get the best matches, we intersect the matching policies
for example:
matching all: p1, p2, p3, p4, p5
user exact: p1, p2, p3
user wild: p4, p5
=> 1 selection: (p1, p2, p3, p4,) & (p1, p2, p3) = (p1, p2, p3)
intersect result with realm:
realm match exact: p1, p2, p4
=> 2. selection: (p1, p2, p3) & (p1, p2, p4) = (p1, p2)
intersect result with client:
client match exact: p3
client match wildcard: p1
=> 3a. selection: (p1, p2) & (p3) = () => try the client wildcards
=> 3b. selection: (p1, p2) & (p1) = p1
"""
policies = {
'p1': {
'name': 'qrtoken_local',
'user': '******',
'realm': 'myrealm',
'client': "*",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
'p2': {
'name': 'qrtoken_local',
'user': '******',
'realm': 'myrealm',
'client': "127.0.0.1",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
'p3': {
'name': 'qrtoken_local',
'user': '******',
'realm': '*',
'client': "*",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
'p4': {
'name': 'qrtoken_local',
'user': '******',
'realm': 'myrealm',
'client': "127.0.0.1",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
'p5': {
'name': 'qrtoken_local',
'user': '******',
'realm': 'your_realm',
'client': "127.0.0.1",
'time': "*",
'action': "select",
'scope': 'authentication',
'active': 'True',
},
}
policy_eval = PolicyEvaluator({})
policy_eval.filter_for_realm('myrealm')
policy_eval.filter_for_user('hugo')
policy_eval.filter_for_client('192.168.178.12')
res = policy_eval.evaluate(policies)
assert len(list(res.keys())) == 1
assert 'p1' in res
def new_get_client_policy(client, scope=None, action=None, realm=None,
user=None, find_resolver=True, userObj=None,
active_only=True):
'''
This function returns the dictionary of policies for the given client.
1. First it searches for all policies matching (scope, action, realm) and
checks, whether the given client is contained in the policy field client.
If no policy for the given client is found it takes the policy without
a client
2. Then it strips down the returnable policies to those, that only contain
the username - UNLESS - none of the above policies contains a username
3. then we try to find resolvers in the username (OPTIONAL)
4. if nothing matched so far, we try the extended policy check
'''
policy_eval = PolicyEvaluator(get_policies())
if realm:
policy_eval.filter_for_realm(realm)
if scope:
policy_eval.filter_for_scope(scope)
if action:
policy_eval.filter_for_action(action)
if client:
policy_eval.filter_for_client(client)
policy_eval.filter_for_time()
if active_only:
policy_eval.filter_for_active(state=True)
if userObj:
policy_eval.filter_for_user(userObj)
elif user:
policy_eval.filter_for_user(user)
policies = policy_eval.evaluate(multiple=False)
return policies
