def validate_perm_obj(perm):
    """Reject a permission-object argument that is missing or unnamed.

    Raises FortressError carrying the matching ``global_ids`` code when
    ``perm`` is None or ``perm.obj_name`` is None; returns None otherwise.
    """
    failure = None
    if perm is None:
        failure = ('Perm object is None', global_ids.PERM_OBJECT_NULL)
    elif perm.obj_name is None:
        failure = ('Perm object name is None', global_ids.PERM_OBJECT_NM_NULL)
    if failure is not None:
        message, code = failure
        raise FortressError(msg=message, id=code)
def __validate_perm(perm):
    """Ensure a permission names both its object and its operation.

    Raises FortressError (message only, no id) when ``perm`` is None or
    when either ``obj_name`` or ``op_name`` is None. Returns None otherwise.
    """
    if perm is None:
        raise FortressError('Perm is None')
    problem = None
    if perm.obj_name is None:
        problem = 'Perm object name is None'
    elif perm.op_name is None:
        problem = 'Perm op name is None'
    if problem is not None:
        raise FortressError(problem)
def validate_perm(perm):
    """Reject a permission that is missing its object name or operation name.

    Raises FortressError with the matching ``global_ids`` code when ``perm``
    is None, ``perm.obj_name`` is None, or ``perm.op_name`` is None.
    Returns None when all three are present.
    """
    if perm is None:
        raise FortressError(msg='Permission is None',
                            id=global_ids.PERM_OPERATION_NULL)
    if perm.obj_name is None:
        raise FortressError(msg='Permission object name is None',
                            id=global_ids.PERM_OBJECT_NM_NULL)
    if perm.op_name is None:
        raise FortressError(msg='Permission operation name is None',
                            id=global_ids.PERM_OPERATION_NM_NULL)
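def create_session(user, is_trusted):
    """
    Perform user authentication User.password and role activations.
    This method must be called once per user prior to calling other methods within this module.
    The successful result is Session that contains target user's RBAC User.roles.

    This API will...

    * authenticate user password unless is_trusted is truthy.
    * evaluate temporal Constraint(s) on User and UserRoles.
    * process selective role activations into User RBAC Session User.roles.
    * return a Session containing Session.user, Session.user.roles

    required parameters:
    user.uid - maps to INetOrgPerson uid
    is_trusted - boolean, if 'True', authentication is skipped (password not checked)

    Raises FortressError from __validate_user, from userdao.authenticate
    (failed password check), or when the user's temporal constraint does not
    evaluate to SUCCESS (the constraint result is passed as the error id).
    """
    __validate_user(user)
    session = Session()
    # Fail closed: authenticate for every value that is not truthy. The
    # previous `is_trusted is False` identity test skipped the password check
    # for None, 0 and any other non-False value a caller might pass.
    if not is_trusted:
        # failure throws exception:
        userdao.authenticate(user)
        # Only the password-checked path marks the session authenticated;
        # a trusted session keeps whatever Session() initialises.
        session.is_authenticated = True
    entity = userdao.read(user)
    result = __validate_constraint(entity.constraint)
    # Compare by value: `is not` on a status constant only works while both
    # sides happen to be the same object.
    if result != SUCCESS:
        raise FortressError(
            f'create_session constraint validation failed uid:{entity.uid}',
            result)
    __validate_role_constraints(entity)
    session.user = entity
    return session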
def add_active_role(session, role):
    """
    Activate a role in the session of its owning user.

    required parameters:
    session - as returned from create_session api
    role - name (string) of a role assigned to the session's user; matched
           case-insensitively against session.user.roles and the user's
           role_constraints

    Raises FortressError(ROLE_ALREADY_ACTIVATED_ERROR) when the role is
    already active. A role name that matches none of the user's
    role_constraints activates nothing and raises nothing.
    """
    __validate(session)
    wanted = role.lower()
    for active in session.user.roles:
        if active.lower() == wanted:
            raise FortressError(
                'add_active_role uid=' + session.user.uid +
                ', previously activated role=' + role,
                global_ids.ROLE_ALREADY_ACTIVATED_ERROR)
    # Re-read the user so activation works from the stored role assignments,
    # not the copy held in the session.
    stored_user = userdao.read(session.user)
    for constraint in stored_user.role_constraints:
        if constraint.name.lower() != wanted:
            continue
        __activate_role(session.user, constraint)
    __validate_role_constraints(session.user)
def drop_active_role(session, role):
    """
    Deactivate a role in the session of its owning user.
    The function is valid if and only if the user is a member of the USERS data set, the session object contains a valid Fortress session,
    the session is owned by the user, and the role is an active role of that session.

    required parameters:
    session - as returned from create_session api
    role - name (string) of the role to deactivate; matched
           case-insensitively against session.user.role_constraints

    Raises FortressError(ROLE_NOT_ACTIVATED_ERROR) when no role_constraint
    of the session's user matches ``role``.
    """
    __validate(session)
    wanted = role.lower()
    deactivated_any = False
    for constraint in session.user.role_constraints:
        if constraint.name.lower() != wanted:
            continue
        __deactivate_role(session.user, constraint)
        deactivated_any = True
    if not deactivated_any:
        raise FortressError(
            'drop_active_role uid=' + session.user.uid +
            ', has not activated role=' + role,
            global_ids.ROLE_NOT_ACTIVATED_ERROR)
    __validate_role_constraints(session.user)
def validate_role(role):
    """Reject a role argument that is missing or unnamed.

    Raises FortressError carrying the matching ``global_ids`` code when
    ``role`` is None or ``role.name`` is None; returns None otherwise.
    """
    failure = None
    if role is None:
        failure = ('Role is None', global_ids.ROLE_NULL)
    elif role.name is None:
        failure = ('Role name is None', global_ids.ROLE_NM_NULL)
    if failure is not None:
        message, code = failure
        raise FortressError(msg=message, id=code)
def validate_user(user):
    """Reject a user argument that is missing or has no uid.

    Raises FortressError carrying the matching ``global_ids`` code when
    ``user`` is None or ``user.uid`` is None; returns None otherwise.
    """
    if user is None:
        raise FortressError(msg='User is None', id=global_ids.USER_NULL)
    if user.uid is None:
        raise FortressError(msg='User uid is None', id=global_ids.USER_ID_NULL)
def __validate_user(user):
    """Ensure a user argument is present and carries a uid.

    Raises FortressError (message only, no id) when ``user`` is None or
    ``user.uid`` is None. Returns None otherwise.
    """
    problem = None
    if user is None:
        problem = 'User is None'
    elif user.uid is None:
        problem = 'User uid is None'
    if problem is not None:
        raise FortressError(problem)
def __validate_roles(user):
    """Ensure a user has a non-empty role list.

    Raises FortressError (message only, no id) when ``user.roles`` is None
    or has length zero. ``user`` itself is assumed non-None by the caller.
    """
    roles = user.roles
    if roles is None:
        raise FortressError('User roles is None')
    if len(roles) == 0:
        raise FortressError('User roles is Empty')
def __validate(session):
    """Ensure a session argument is present and is bound to a user.

    Raises FortressError (message only, no id) when ``session`` is None or
    ``session.user`` is None. Returns None otherwise.
    """
    problem = None
    if session is None:
        problem = 'Session is None'
    elif session.user is None:
        problem = 'Session has no user'
    if problem is not None:
        raise FortressError(problem)