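def is_permitted(self, identifiers, permission_s):
    """Decide ``permission_s`` for the caller via the external authz service.

    Service and admin accounts are routed to the parent realm's internal
    check instead of the external call (when an account-type provider is
    configured); everyone else is evaluated by ``self.__client__``.

    :type identifiers: SimpleRealmCollection
    :param permission_s: iterable of wildcard permission strings
    :returns: list of ``(required_perm, is_permitted)`` tuples. Every
        distinct requested permission gets an entry: explicit allows and
        denies come back in the service's order, and anything the service
        did not decide is appended as denied (fail closed) instead of being
        silently dropped. Distinct strings that render to the same
        ``Action`` collapse into one entry, keyed on the last one seen.
    :raises Exception: whatever the client raises is logged and re-raised,
        so an unreachable or misbehaving authz service denies by exception
        rather than by returning an empty answer.
    """
    # Admin/service accounts never leave the process: the parent realm
    # decides them. Read the provider once so the three uses agree.
    provider = ExternalAuthzRealm.__account_type_provider__
    if provider and callable(provider) and \
            provider(identifiers.primary_identifier) in [AccountTypes.service, AccountTypes.admin]:
        logger.debug('Detected admin or service account, using internal authz')
        return super().is_permitted(identifiers, permission_s)

    result_list = []  # List of tuples (required_perm, is_permitted)
    identifier = identifiers.primary_identifier

    # Render each requested permission into the Action the service speaks,
    # remembering the caller's original string so the answer can be mapped back.
    actions = {}
    for required_perm in permission_s:
        required_permission = CaseSensitivePermission(wildcard_string=required_perm)
        # NOTE(review): if domain/action/target are unordered sets, the joined
        # string is not stable across processes — confirm before relying on it
        # for server-side matching.
        actions[Action(domain=','.join(required_permission.domain),
                       action=','.join(required_permission.action),
                       target=','.join(required_permission.target))] = required_perm

    if actions:
        try:
            resp = self.__client__.authorize(principal=identifier, action_s=list(actions.keys()))
            decided = set()
            for i in resp.allowed:
                result_list.append((actions[i], True))
                decided.add(i)
            for i in resp.denied:
                result_list.append((actions[i], False))
                decided.add(i)
            # Fail closed: an action the service neither allowed nor denied
            # must not vanish from the result, or the caller cannot tell a
            # missing decision from "this realm has no opinion".
            for action, required_perm in actions.items():
                if action not in decided:
                    logger.warning('Authorization service returned no decision for %s; denying', required_perm)
                    result_list.append((required_perm, False))
        except Exception as e:
            logger.exception('Unexpected error invoking authorization plugin via client: {}'.format(e))
            logger.error('Authorization plugin invocation error. Could not perform a proper authz check. Please check configuration and/or authz service status: {}'.format(self.__client__.url))
            # Bare re-raise keeps the original traceback intact for the caller.
            raise
    return result_list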
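def is_permitted(self, identifiers, permission_s):
    """Decide ``permission_s`` for the caller via the external authz client.

    The realm fails closed: when it is disabled or has no client, every
    requested permission is denied (and the denial is logged, so a
    misconfiguration is distinguishable from a legitimate deny in the
    audit trail).

    :type identifiers: SimpleRealmCollection
    :param permission_s: iterable of wildcard permission strings
    :returns: list of ``(required_perm, is_permitted)`` tuples. Every
        distinct requested permission gets an entry: explicit allows and
        denies come back in the service's order, and anything the service
        did not decide is appended as denied instead of being silently
        dropped. Distinct strings that render to the same ``Action``
        collapse into one entry, keyed on the last one seen.
    :raises Exception: whatever the client raises is logged and re-raised,
        so an unreachable or misbehaving authz service denies by exception
        rather than by returning an empty answer.
    """
    # Fail all if not configured — and say so, since a silent deny-all is
    # indistinguishable from a real policy decision when debugging.
    if not self.enabled or not self.client:
        denied_all = [(p, False) for p in permission_s]
        logger.warning(
            "External authz realm disabled or client not configured; denying %d permission(s)",
            len(denied_all))
        return denied_all

    result_list = []  # List of tuples (required_perm, is_permitted)
    identifier = identifiers.primary_identifier
    # The service is keyed on a username; unwrap an IdentityContext if that
    # is what the realm collection handed us.
    if isinstance(identifier, IdentityContext):
        username = identifier.username
    else:
        username = identifier

    # Render each requested permission into the Action the service speaks,
    # remembering the caller's original string so the answer can be mapped back.
    actions = {}
    for required_perm in permission_s:
        required_permission = CaseSensitivePermission(
            wildcard_string=required_perm)
        # NOTE(review): if domain/action/target are unordered sets, the joined
        # string is not stable across processes — confirm before relying on it
        # for server-side matching.
        actions[Action(
            domain=",".join(required_permission.domain),
            action=",".join(required_permission.action),
            target=",".join(required_permission.target),
        )] = required_perm

    if actions:
        try:
            resp = self.client.authorize(principal=username,
                                         action_s=list(actions.keys()))
            decided = set()
            for i in resp.allowed:
                result_list.append((actions[i], True))
                decided.add(i)
            for i in resp.denied:
                result_list.append((actions[i], False))
                decided.add(i)
            # Fail closed: an action the service neither allowed nor denied
            # must not vanish from the result, or the caller cannot tell a
            # missing decision from "this realm has no opinion".
            for action, required_perm in actions.items():
                if action not in decided:
                    logger.warning(
                        "Authorization service returned no decision for %s; denying",
                        required_perm)
                    result_list.append((required_perm, False))
        except Exception as e:
            logger.exception(
                "Unexpected error invoking authorization plugin via client: {}"
                .format(e))
            logger.error(
                "Authorization plugin invocation error. Could not perform a proper authz check. Please check configuration and/or authz service status: {}"
                .format(self.client.url))
            # Bare re-raise keeps the original traceback intact for the caller.
            raise
    return result_list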