def has_client_policy( client, scope=None, action=None, realm=None, user=None, find_resolver=True, userObj=None, active_only=True, ): """ This function returns the dictionary of policies for the given client. 1. First it searches for all policies matching (scope, action, realm) and checks, whether the given client is contained in the policy field client. If no policy for the given client is found it takes the policy without a client 2. Then it strips down the returnable policies to those, that only contain the username - UNLESS - none of the above policies contains a username 3. then we try to find resolvers in the username (OPTIONAL) 4. if nothing matched so far, we try the extended policy check The difference to the get_policy is, that it restores the already installed filters for an existance check """ policy_eval = PolicyEvaluator(get_policies()) param = {} if realm: param["realm"] = realm if scope: param["scope"] = scope if action: param["action"] = action if active_only: policy_eval.filter_for_active(state=True) if client: param["client"] = client if userObj: param["user"] = userObj elif user: param["user"] = user policies = policy_eval.has_policy(param) return policies
def _getAuthorization(scope, action): """ This internal function returns the Authrorizaition within some the scope=system(or audit, monitoring, tools). for the currently authenticated administrativ user. This does not take into account the REALMS! arguments: action - this is the action scope = system/audit/monitoring/tools read write returns: a dictionary with the following keys: active (if policies are used) admin (the name of the authenticated admin user) auth (True if admin is authorized for this action) """ active = True auth = False policy_elve = PolicyEvaluator(get_policies()) p_at_all = policy_elve.has_policy({"scope": scope}) if len(p_at_all) == 0: LOG.info( "No policies in scope %s found. Checking " "of scope %s be disabled.", scope, scope, ) active = False auth = True # TODO: We may change this later to other authentication schemes LOG.debug("[getAuthorization] now getting the admin user name") admin_user = _getAuthenticatedUser() LOG.debug("Evaluating policies for the user: %r", admin_user) param = {"user": admin_user, "scope": scope, "action": action} policies = policy_elve.set_filters(param).evaluate(policy_set=p_at_all) LOG.debug("Found the following policies: %r", policies) if len(list(policies.keys())) > 0: auth = True return {"active": active, "auth": auth, "admin": admin_user}
def new_getAuthorization(scope, action): """ This internal function returns the Authrorizaition within some the scope=system(or audit, monitoring, tools). for the currently authenticated administrativ user. This does not take into account the REALMS! arguments: action - this is the action scope = system/audit/monitoring/tools read write returns: a dictionary with the following keys: active (if policies are used) admin (the name of the authenticated admin user) auth (True if admin is authorized for this action) """ active = True auth = False policy_elve = PolicyEvaluator(get_policies()) p_at_all = policy_elve.has_policy({'scope': scope}) if len(p_at_all) == 0: LOG.info("No policies in scope %s found. Checking " "of scope %s be disabled.", scope, scope) active = False auth = True # TODO: We may change this later to other authentication schemes LOG.debug("[getAuthorization] now getting the admin user name") admin_user = _getAuthenticatedUser() LOG.debug("Evaluating policies for the user: %s", admin_user['login']) param = {'user': admin_user['login'], 'scope': scope, 'action': action} policies = policy_elve.set_filters(param).evaluate(policy_set=p_at_all) LOG.debug("Found the following policies: %r", policies) if len(policies.keys()) > 0: auth = True return {'active': active, 'auth': auth, 'admin': admin_user['login']}
def new_has_client_policy(client, scope=None, action=None, realm=None, user=None, find_resolver=True, userObj=None, active_only=True): ''' This function returns the dictionary of policies for the given client. 1. First it searches for all policies matching (scope, action, realm) and checks, whether the given client is contained in the policy field client. If no policy for the given client is found it takes the policy without a client 2. Then it strips down the returnable policies to those, that only contain the username - UNLESS - none of the above policies contains a username 3. then we try to find resolvers in the username (OPTIONAL) 4. if nothing matched so far, we try the extended policy check The difference to the get_policy is, that it restores the already installed filters for an existance check ''' policy_eval = PolicyEvaluator(get_policies()) param = {} if realm: param['realm'] = realm if scope: param['scope'] = scope if action: param['action'] = action if active_only: policy_eval.filter_for_active(state=True) if client: param['client'] = client if userObj: param['user'] = userObj elif user: param['user'] = user policies = policy_eval.has_policy(param) return policies