def get_client_policy(
    client,
    scope=None,
    action=None,
    realm=None,
    user=None,
    find_resolver=True,
    userObj=None,
    active_only=True,
):
    """
    Return the policies that apply to ``client`` in the given request context.

    All matching is delegated to ``PolicyEvaluator``: the complete policy set
    from ``get_policies()`` is narrowed by every selector that was supplied,
    and ``evaluate()`` then produces the resulting policy dictionary.

    Filters are applied in this order: realm, scope, action, client, time,
    active state, user.  ``realm``/``scope``/``action``/``client`` are only
    applied when truthy; the time filter is unconditional; the active-state
    filter is applied when ``active_only`` is true (the default); ``userObj``
    takes precedence over ``user`` and at most one of them is passed on.

    :param client: client identifier matched against the policy ``client``
        field.  It is handed to the evaluator unchanged, so the caller must
        derive it from a trustworthy source (NOTE(review): a value an
        attacker can choose lets them steer which policies are selected).
    :param scope: policy scope (e.g. ``"authentication"``), or None
    :param action: policy action, or None
    :param realm: realm name, or None
    :param user: user name; only used when ``userObj`` is not given
    :param find_resolver: accepted for interface compatibility; this
        function does not use it
    :param userObj: user object; preferred over ``user`` when given
    :param active_only: when true, policies that are not active are dropped
    :return: the result of ``PolicyEvaluator.evaluate()`` - presumably a dict
        of policy name -> policy definition (not verifiable from here)

    NOTE(review): a falsy ``client`` means no client filter is applied at
    all, so the result is not narrowed by client in that case - presumably
    client-bound policies can then still be returned.  Confirm against
    ``PolicyEvaluator`` before relying on an empty client meaning "no match".
    """
    evaluator = PolicyEvaluator(get_policies())

    # Optional selectors, kept in the original order; a falsy value skips the
    # filter entirely rather than filtering on the empty value.
    optional_filters = (
        (realm, evaluator.filter_for_realm),
        (scope, evaluator.filter_for_scope),
        (action, evaluator.filter_for_action),
        (client, evaluator.filter_for_client),
    )
    for value, narrow in optional_filters:
        if value:
            narrow(value)

    # Time validity is always enforced; inactive policies are dropped only
    # when the caller asked for active ones (the default).
    evaluator.filter_for_time()
    if active_only:
        evaluator.filter_for_active(state=True)

    # A user object wins over a bare user name; neither means no user filter.
    subject = userObj or user
    if subject:
        evaluator.filter_for_user(subject)

    return evaluator.evaluate()
def new_get_client_policy(client, scope=None, action=None, realm=None,
                          user=None, find_resolver=True, userObj=None,
                          active_only=True):
    '''
    Return the policies that apply to ``client`` in the given request context.

    The policy set from ``get_policies()`` is narrowed through a
    ``PolicyEvaluator`` by every selector that was supplied, then
    ``evaluate(multiple=False)`` produces the result - presumably requesting
    a single best match rather than every matching policy; confirm against
    ``PolicyEvaluator.evaluate``.

    Filter order: realm, scope, action, client (each only when truthy), then
    the unconditional time filter, then the active-state filter when
    ``active_only`` is true, then the user filter with ``userObj`` if given,
    else ``user`` if given.

    :param client: client identifier matched against the policy ``client``
        field; passed through unchanged, so it must come from a source the
        caller trusts (NOTE(review): an attacker-chosen value steers which
        policies are selected)
    :param scope: policy scope, or None
    :param action: policy action, or None
    :param realm: realm name, or None
    :param user: user name; used only when ``userObj`` is not given
    :param find_resolver: accepted for interface compatibility; unused here
    :param userObj: user object; takes precedence over ``user``
    :param active_only: when true, inactive policies are dropped
    :return: whatever ``PolicyEvaluator.evaluate(multiple=False)`` returns

    NOTE(review): when ``client`` is falsy no client filter runs, so the
    result is not narrowed by client at all in that case.
    '''
    evaluator = PolicyEvaluator(get_policies())

    def narrow_if(value, narrow):
        # A falsy selector means "unspecified": skip the filter entirely.
        if value:
            narrow(value)

    narrow_if(realm, evaluator.filter_for_realm)
    narrow_if(scope, evaluator.filter_for_scope)
    narrow_if(action, evaluator.filter_for_action)
    narrow_if(client, evaluator.filter_for_client)

    # Always enforce time validity; drop inactive policies only on request.
    evaluator.filter_for_time()
    if active_only:
        evaluator.filter_for_active(state=True)

    # The user object is preferred over the bare name; at most one is used.
    narrow_if(userObj or user, evaluator.filter_for_user)

    return evaluator.evaluate(multiple=False)
    def test_simple_client_match(self):
        """An exact client address beats the client wildcard.

        The two policies are identical except for ``client``: p1 matches any
        client (``"*"``), p2 only ``127.0.0.1``.  Evaluating for client
        ``127.0.0.1`` in ``myrealm`` must yield p2 alone - the less specific
        p1 must not be returned alongside it.  NOTE(review): this is the
        security-relevant property under test: a client-bound policy must not
        be accompanied by a catch-all one when both would match.
        """

        def policy(client):
            # Shared fixture; only the client binding differs between p1/p2.
            return {
                "name": "qrtoken_local",
                "user": "******",
                "realm": "myrealm",
                "client": client,
                "time": "*",
                "action": "select",
                "scope": "authentication",
                "active": "True",
            }

        fixture = {"p1": policy("*"), "p2": policy("127.0.0.1")}

        # NOTE(review): the fixture is handed both to the constructor and to
        # evaluate(); which one is consulted is not visible from this test.
        evaluator = PolicyEvaluator(fixture)
        evaluator.filter_for_realm("myrealm")
        evaluator.filter_for_user("anton")
        evaluator.filter_for_client("127.0.0.1")

        matched = evaluator.evaluate(fixture)

        # Exactly one policy, and it is the exact-client one.
        assert set(matched.keys()) == {"p2"}
    def test_simple_client_match(self):
        """The exact-client policy is selected over the wildcard one.

        p1 and p2 differ only in ``client``: ``*`` versus ``127.0.0.1``.  For
        client ``127.0.0.1`` in ``myrealm`` the evaluator must return p2 and
        nothing else - in particular the catch-all p1 must be absent.
        NOTE(review): returning both would let a broad policy override or
        dilute a client-specific one, which is the regression guarded here.
        """

        # One template; each policy only overrides the client binding.
        template = {
            'name': 'qrtoken_local',
            'user': '******',
            'realm': 'myrealm',
            'client': None,
            'time': "*",
            'action': "select",
            'scope': 'authentication',
            'active': 'True',
        }
        bindings = (('p1', "*"), ('p2', "127.0.0.1"))
        policies = {
            name: dict(template, client=address)
            for name, address in bindings
        }

        # NOTE(review): the same policy set is passed to the constructor and
        # again to evaluate(); which copy is used is not visible here.
        evaluator = PolicyEvaluator(policies)
        evaluator.filter_for_realm('myrealm')
        evaluator.filter_for_user('anton')
        evaluator.filter_for_client('127.0.0.1')

        res = evaluator.evaluate(policies)

        # A single result, and it must be the exact-client policy p2.
        assert list(res.keys()) == ['p2']
    def test_multiple_matches(self):
        """The most specific policy wins across several partial matches.

        All five policies share name, user, time, action, scope and active
        state and differ only in realm and client:

            p1: realm myrealm,    client *
            p2: realm myrealm,    client 127.0.0.1
            p3: realm *,          client *
            p4: realm myrealm,    client 127.0.0.1
            p5: realm your_realm, client 127.0.0.1

        Evaluated for realm ``myrealm``, user ``hugo`` and client
        ``192.168.178.12``, the asserted result is p1 alone.  That is
        consistent with the fixture: p1 is the only policy whose realm matches
        exactly and whose client field still matches (by wildcard); p3 also
        matches the client by wildcard but only matches the realm by wildcard,
        while p2, p4 and p5 are bound to 127.0.0.1 (p5 in another realm too).

        NOTE(review): the evaluator is constructed on an empty policy set and
        the fixture is passed to ``evaluate()`` instead, so the constructor
        argument is evidently not what gets evaluated here.
        """

        def policy(realm, client):
            # Everything except realm/client is identical across the fixture.
            return {
                "name": "qrtoken_local",
                "user": "******",
                "realm": realm,
                "client": client,
                "time": "*",
                "action": "select",
                "scope": "authentication",
                "active": "True",
            }

        fixture = {
            "p1": policy("myrealm", "*"),
            "p2": policy("myrealm", "127.0.0.1"),
            "p3": policy("*", "*"),
            "p4": policy("myrealm", "127.0.0.1"),
            "p5": policy("your_realm", "127.0.0.1"),
        }

        evaluator = PolicyEvaluator({})
        evaluator.filter_for_realm("myrealm")
        evaluator.filter_for_user("hugo")
        evaluator.filter_for_client("192.168.178.12")

        matched = evaluator.evaluate(fixture)

        # Exactly one policy survives, and it is p1.
        assert set(matched.keys()) == {"p1"}
    def test_multiple_matches(self):
        """Only the most specific policy survives when several match partly.

        The five policies are identical apart from realm and client:

            p1: myrealm    / *
            p2: myrealm    / 127.0.0.1
            p3: *          / *
            p4: myrealm    / 127.0.0.1
            p5: your_realm / 127.0.0.1

        For realm ``myrealm``, user ``hugo`` and client ``192.168.178.12``
        the test expects p1 and only p1.  Reading the fixture, p1 is the sole
        policy with an exact realm match whose client field can still match
        (wildcard): p2/p4/p5 are pinned to 127.0.0.1, and p3 matches the
        realm only by wildcard.

        NOTE(review): ``PolicyEvaluator`` is built with ``{}`` and the policy
        set is supplied to ``evaluate()`` instead; the constructor argument
        evidently does not drive evaluation in this test.
        """

        # Template plus per-policy (name, realm, client) overrides.
        template = {
            'name': 'qrtoken_local',
            'user': '******',
            'realm': None,
            'client': None,
            'time': "*",
            'action': "select",
            'scope': 'authentication',
            'active': 'True',
        }
        bindings = (
            ('p1', 'myrealm', "*"),
            ('p2', 'myrealm', "127.0.0.1"),
            ('p3', '*', "*"),
            ('p4', 'myrealm', "127.0.0.1"),
            ('p5', 'your_realm', "127.0.0.1"),
        )
        policies = {
            name: dict(template, realm=realm, client=client)
            for name, realm, client in bindings
        }

        evaluator = PolicyEvaluator({})
        evaluator.filter_for_realm('myrealm')
        evaluator.filter_for_user('hugo')
        evaluator.filter_for_client('192.168.178.12')

        res = evaluator.evaluate(policies)

        # A single match, and it must be p1.
        assert list(res.keys()) == ['p1']