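def _user_filter_for_resolver(Policies, userObj):
    """
    Check if the user matches a policy user definition like 'resolver:'.

    :param Policies: the to be processed policies (dict polname -> policy)
    :param userObj: the user as User class object
    :return: tuple (matched_policies, empty_policies, ext_resolver_policies)
             - matched_policies: a resolver definition of the policy is one of
               the user's resolvers (short name)
             - empty_policies: the policy carries no resolver definition
             - ext_resolver_policies: only the part after the last '.' of a
               prefixed definition (e.g. '*.reso1') is one of the user's
               resolvers
    """
    matched_policies = {}
    empty_policies = {}
    ext_resolver_policies = {}

    # The user's resolvers are given as dotted paths, e.g.
    # 'useridresolver.LDAPIdResolver.IdResolver.local'; only the short name
    # ('local') is compared against the policy definitions, so keep the
    # short names as a set for the intersections below.
    resolvers_of_user = {
        resolver.split('.')[-1] for resolver in getResolversOfUser(userObj)
    }

    for polname, pol in Policies.items():
        resolver_def = set(split_value(pol, attribute="user", marks=True))

        # no resolver definition at all in this policy
        if not resolver_def:
            log.debug("adding %s (no resolvers) to empty_policies", polname)
            empty_policies[polname] = pol
            continue

        # A definition may be prefixed by a user part, e.g. '*.reso1'; the
        # resolver is the part after the last '.'. Collect these once per
        # policy so that each policy is classified (and logged) exactly once
        # instead of once per definition.
        sub_resolvers = {
            reso_def.split('.')[-1]
            for reso_def in resolver_def
            if '.' in reso_def
        }

        if resolver_def & resolvers_of_user:
            log.debug("adding %s to matched_policies", polname)
            matched_policies[polname] = pol
        elif sub_resolvers & resolvers_of_user:
            ext_resolver_policies[polname] = pol
        else:
            # no intersection at all - leave a short trace for debugging
            log.debug("policy %s contains only resolvers (%r) other than %r",
                      polname, resolver_def, resolvers_of_user)

    return matched_policies, empty_policies, ext_resolver_policies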
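def _policy_applies_to_client(pol, clients_array, client):
    # Decide whether `client` is selected by the client entries of policy
    # `pol`: it must be inside at least one listed network and inside none of
    # the negated ('-' / '!' prefixed) ones.
    client_found = False
    client_excluded = False

    for cl in clients_array:
        try:
            if cl.startswith(('-', '!')):
                if IPAddress(client) in IPNetwork(cl[1:]):
                    log.debug("[get_client_policy] the client %s is "
                              "excluded by %s in policy "
                              "%s", client, cl, pol)
                    client_excluded = True
                # an exclusion entry is never re-read as a positive network
                # (doing so only produced a spurious "invalid client" warning)
                continue

            if IPAddress(client) in IPNetwork(cl):
                client_found = True
        except Exception as e:
            # NOTE(review): an entry that cannot be parsed is skipped. For a
            # negated entry this means the client is NOT excluded by it
            # (fail-open for that single entry) - confirm this is intended.
            log.warning("[get_client_policy] authorization policy %s with "
                        "invalid client: %r", pol, e)

    return client_found and not client_excluded


def legacy_get_client_policy(client, scope=None, action=None, realm=None,
                             user=None, find_resolver=True, userObj=None):
    '''
    This function returns the dictionary of policies for the given client.

    1. First it searches for all policies matching (scope, action, realm)
       and checks, whether the given client is contained in the policy field
       client. A '*' entry accepts every client; other entries are IP
       networks, a '-' or '!' prefix excludes the client. If no policy for
       the given client is found it takes the policies without a client.
    2. Then it strips down the returnable policies to those, that only
       contain the username - UNLESS - none of the above policies contains
       a username
    3. then we try to find resolvers in the username (OPTIONAL)
    4. if nothing matched so far, we try the extended policy check

    Steps 2-4 are delegated to _user_filter() and only run when a user or
    userObj is given.

    :param client: the client address to match against the policy clients
    :param scope: policy scope used to select the candidate policies
    :param action: policy action used to select the candidate policies
    :param realm: policy realm; also the realm of the User built from `user`
    :param user: login name of the user (used if no userObj is given)
    :param find_resolver: passed on to _user_filter()
    :param userObj: the user as User class object
    :return: dict polname -> policy of the matching policies ({} if none)
    '''
    param = {}
    if scope:
        param["scope"] = scope
    if action:
        param["action"] = action
    if realm:
        param["realm"] = realm

    log.debug("[get_client_policy] with params %r, "
              "client %r and user %r", param, client, user)
    Pols = legacy_getPolicy(param)
    log.debug("[get_client_policy] got policies %s ", Pols)

    # 1. Find a policy with this client
    Policies = {}
    for pol, policy in Pols.items():
        log.debug("[get_client_policy] checking policy %s", pol)
        clients_array = split_value(policy, attribute="client")
        log.debug("[get_client_policy] the policy %s has these clients: %s. "
                  "checking against %s.", pol, clients_array, client)

        # accept wildcards for clients
        if '*' in clients_array:
            Policies[pol] = policy
            continue

        if _policy_applies_to_client(pol, clients_array, client):
            Policies[pol] = policy

    # No policy for this client was found, but maybe
    # there is one without clients
    if not Policies:
        log.debug("[get_client_policy] looking for policy without any client")
        Policies = {
            pol: policy
            for pol, policy in Pols.items()
            if not split_value(policy, attribute="client")
        }

    if not Policies:
        return Policies

    if user or userObj:
        if not userObj:
            userObj = User(login=user, realm=realm)
        # filter the policies for the user
        Policies = _user_filter(Policies, userObj, scope, find_resolver)

    return Policies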
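def _user_filter(Policies, userObj, scope, find_resolver=True):
    """
    Narrow the client-matching policies down to those matching the user.

    Selection order - the first non-empty result is returned:

    2. policies naming the user explicitly; else policies with user '*'
    3. unless find_resolver is False: policies whose user definition names
       one of the user's resolvers (_user_filter_for_resolver); else the
       policies without any user definition
    4. the extended user filter (_user_filter_extended) on the remaining
       candidates (see the NOTE below for the scope restriction)

    :param Policies: dict polname -> policy, already filtered by client
    :param userObj: the user as User class object
    :param scope: the policy scope being evaluated
    :param find_resolver: whether step 3 runs; forced to True as soon as any
                          policy carries a resolver mark in its user field
    :return: dict of the selected policies, {} if nothing matched
    """
    # 2. Within those policies select the policy with the user.
    #    if there is a policy with this very user, return only
    #    these policies, otherwise return all policies
    exact_matched_policies = {}
    matched_policies = {}
    default_policies = {}
    ext_policies = {}

    user = userObj.login

    for polname, pol in Policies.items():
        policy_users = split_value(pol, attribute="user")
        log.debug("search user %s in users %s of policy %s",
                  user, policy_users, polname)

        # fix for resolver selector: presumably the resolver marks are only
        # reported with marks=True - verify against split_value()
        marks_policy_users = split_value(pol, attribute="user", marks=True)

        if not policy_users and not marks_policy_users:
            log.debug("adding %s to default_policies", polname)
            default_policies[polname] = pol
            continue

        if marks_policy_users:
            # resolver definitions are only evaluated in step 3, so that step
            # must run even if the caller switched it off
            find_resolver = True
            default_policies[polname] = pol
            continue

        if '*' not in policy_users and user in policy_users:
            log.debug("adding %s to own_policies", polname)
            exact_matched_policies[polname] = pol
        elif '*' in policy_users:
            log.debug("adding %s to own_policies", polname)
            matched_policies[polname] = pol
        else:
            log.debug("policy %s contains only users (%s) other than %s",
                      polname, policy_users, user)
            ext_policies[polname] = pol

    if exact_matched_policies:
        return exact_matched_policies

    if matched_policies:
        return matched_policies

    if not find_resolver:
        return default_policies

    # 3. If no user specific policy was found, we now take a look,
    #    if we find a policy with the matching resolver.
    (matched_policies,
     empty_policies,
     ext_resolver_policies) = _user_filter_for_resolver(default_policies,
                                                        userObj)

    if matched_policies:
        return matched_policies

    if empty_policies:
        return empty_policies

    # 4. if nothing matched before and there are extended user filter
    #    definitions, try these out.
    # NOTE(review): the parentheses spell out the precedence of the original
    # `a or b and c` - only the plain user definitions (ext_policies) are
    # restricted to scope 'selfservice'; a resolver sub-definition match
    # (ext_resolver_policies) triggers the extended check in every scope and
    # then carries the plain ones along with it. The original comment claimed
    # the whole step is selfservice-only; confirm which is intended before
    # tightening the condition.
    if ext_resolver_policies or (ext_policies and scope in ['selfservice']):
        ext_policies.update(ext_resolver_policies)
        matched_policies, _ = _user_filter_extended(ext_policies, userObj)

        # we found something so we return it
        if matched_policies:
            return matched_policies

    return {}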
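def _user_filter(Policies, userObj, scope, find_resolver=True):
    """
    Narrow the client-matching policies down to those matching the user.

    (This listing shows two definitions of _user_filter that differ only in
    whitespace; if both are in one module the later one shadows the other.)

    Selection order - the first non-empty result is returned:

    2. policies naming the user explicitly; else policies with user '*'
    3. unless find_resolver is False: policies whose user definition names
       one of the user's resolvers (_user_filter_for_resolver); else the
       policies without any user definition
    4. the extended user filter (_user_filter_extended) on the remaining
       candidates (see the NOTE below for the scope restriction)

    :param Policies: dict polname -> policy, already filtered by client
    :param userObj: the user as User class object
    :param scope: the policy scope being evaluated
    :param find_resolver: whether step 3 runs; forced to True as soon as any
                          policy carries a resolver mark in its user field
    :return: dict of the selected policies, {} if nothing matched
    """
    # 2. Within those policies select the policy with the user.
    #    if there is a policy with this very user, return only
    #    these policies, otherwise return all policies
    exact_matched_policies = {}
    matched_policies = {}
    default_policies = {}
    ext_policies = {}

    user = userObj.login

    for polname, pol in Policies.items():
        policy_users = split_value(pol, attribute="user")
        log.debug("search user %s in users %s of policy %s",
                  user, policy_users, polname)

        # fix for resolver selector: presumably the resolver marks are only
        # reported with marks=True - verify against split_value()
        marks_policy_users = split_value(pol, attribute="user", marks=True)

        if not policy_users and not marks_policy_users:
            log.debug("adding %s to default_policies", polname)
            default_policies[polname] = pol
            continue

        if marks_policy_users:
            # resolver definitions are only evaluated in step 3, so that step
            # must run even if the caller switched it off
            find_resolver = True
            default_policies[polname] = pol
            continue

        if '*' not in policy_users and user in policy_users:
            log.debug("adding %s to own_policies", polname)
            exact_matched_policies[polname] = pol
        elif '*' in policy_users:
            log.debug("adding %s to own_policies", polname)
            matched_policies[polname] = pol
        else:
            log.debug("policy %s contains only users (%s) other than %s",
                      polname, policy_users, user)
            ext_policies[polname] = pol

    if exact_matched_policies:
        return exact_matched_policies

    if matched_policies:
        return matched_policies

    if not find_resolver:
        return default_policies

    # 3. If no user specific policy was found, we now take a look,
    #    if we find a policy with the matching resolver.
    (matched_policies,
     empty_policies,
     ext_resolver_policies) = _user_filter_for_resolver(default_policies,
                                                        userObj)

    if matched_policies:
        return matched_policies

    if empty_policies:
        return empty_policies

    # 4. if nothing matched before and there are extended user filter
    #    definitions, try these out.
    # NOTE(review): the parentheses spell out the precedence of the original
    # `a or b and c` - only the plain user definitions (ext_policies) are
    # restricted to scope 'selfservice'; a resolver sub-definition match
    # (ext_resolver_policies) triggers the extended check in every scope and
    # then carries the plain ones along with it. The original comment claimed
    # the whole step is selfservice-only; confirm which is intended before
    # tightening the condition.
    if ext_resolver_policies or (ext_policies and scope in ['selfservice']):
        ext_policies.update(ext_resolver_policies)
        matched_policies, _ = _user_filter_extended(ext_policies, userObj)

        # we found something so we return it
        if matched_policies:
            return matched_policies

    return {}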