def __init__(self,
Resource,
rules_path="model_rules.csv",
roles_path="roles.csv"):
self.__acl = RegistryProxy(Registry())
self.__set_roles(roles_path)
self.__acl.add_resource(Resource)
self.__resource = Resource
self.__set_rules(rules_path)
def __init__(self, user):
acl = RegistryProxy(Registry())
self.identity = IdentityContext(acl, lambda: user.get_roles())
role_list = [
getattr(AUTH.ROLE, role) for role in dir(AUTH.ROLE)
if "__" not in role
]
for role in role_list:
acl.add_role(role)
for res in AUTH.RESOURCES:
acl.add_resource(res)
for a in AUTH.ALLOWS:
acl.allow(a[0], a[1][2],
a[2]) # пример: ("админ", "Поиск по коду", "чек")
for d in AUTH.DENYS:
acl.deny(d[0], d[1][2], d[2])
class ACLHandler(object):
def __init__(self, Resource):
self.__acl = RegistryProxy(Registry())
self.__set_roles()
self.__acl.add_resource(Resource)
self.__resource = Resource
self.__set_rules()
@staticmethod
def _read_file(file_name: str) -> list:
with open(file_name, newline="") as f:
_reader = csv.reader(f)
data = list(_reader)
return data
def add_resource(self, Resource):
self.__acl.add_resource(Resource)
self.__resource = Resource
def __set_roles(self, ):
roles = self._read_file(roles_path)[0]
for role in roles:
self.__acl.add_role(str(role))
def __set_rules(self):
rules = self._read_file(rules_path)
_resource_name = str(
self.__resource().__class__.__name__).lower().strip()
for rule in rules:
if str(rule[2]).lower() == _resource_name:
self.__acl.allow(
role=str(rule[0]).strip(),
operation=str(rule[1]).strip(),
resource=self.__resource,
)
def get_identity(self, current_user):
identity = IdentityContext(self.__acl,
lambda: current_user.get_roles())
return identity
def main():
# current context user
current_user = None
# create a access control list
acl = RegistryProxy(Registry())
identity = IdentityContext(acl, lambda: current_user.get_roles())
# registry roles and resources
acl.add_role("staff")
acl.add_role("admin")
acl.add_resource(Message)
# add rules
is_message_owner = lambda acl, role, operation, resource: \
db.query(Message).get(resource.id).owner is current_user
acl.allow("staff", "create", Message)
acl.allow("staff", "edit", Message, assertion=is_message_owner)
acl.allow("admin", "edit", Message)
db = Session()
ModelBase.metadata.create_all(engine)
tonyseek = User(name="tonyseek")
tonyseek.set_roles(["staff"])
tom = User(name="tom")
tom.set_roles(["staff"])
admin = User(name="admin")
admin.set_roles(["admin"])
db.add_all([tonyseek, tom, admin])
db.commit()
@identity.check_permission("create", Message)
def create_message(content):
message = Message(content=content, owner=current_user)
db.add(message)
db.commit()
print "%s has craeted a message: '%s'." % (
current_user.name.capitalize(), content)
def edit_message(content, new_content):
message = db.query(Message).filter_by(content=content).one()
if not identity.check_permission("edit", message):
print "%s tried to edit the message '%s' but he will fail." % (
current_user.name.capitalize(), content)
else:
print "%s will edit the message '%s'." % (
current_user.name.capitalize(), content)
with identity.check_permission("edit", message):
message.content = new_content
db.commit()
print "The message '%s' has been edit by %s," % (content,
current_user.name.capitalize()),
print "the new content is '%s'" % new_content
# tonyseek signed in and create a message
current_user = tonyseek
create_message("Please open the door.")
# tom signed in and edit tonyseek's message
current_user = tom
try:
edit_message("Please open the door.", "Please don't open the door.")
except PermissionDenied:
print "Oh, the operation has been denied."
# tonyseek signed in and edit his message
current_user = tonyseek
edit_message("Please open the door.", "Please don't open the door.")
# admin signed in and edit tonyseek's message
current_user = admin
edit_message("Please don't open the door.", "Please open the window.")
def __init__(self, Resource):
self.__acl = RegistryProxy(Registry())
self.__set_roles()
self.__acl.add_resource(Resource)
self.__resource = Resource
self.__set_rules()
from models import *
from controllers.scan_controller import ScanController
from controllers.audit_controller import AuditController
from controllers.access_controller import AccessController
from rbac.acl import Registry
from rbac.proxy import RegistryProxy
from rbac.context import IdentityContext, PermissionDenied
# create a access control list
acl = RegistryProxy(Registry())
identity = IdentityContext(acl, lambda: User.current_user().get_roles())
# registry roles and resources
acl.add_role("staff")
acl.add_role("audit")
acl.add_role("admin")
acl.add_resource(ScanController)
acl.add_resource(AuditController)
acl.add_resource(AccessController)
# add rules
acl.allow("staff", "use", ScanController)
acl.allow("audit", "use", AuditController)
acl.allow("admin", "use", AccessController)
