Timestamp:
Nov 30, 2010 7:20:16 PM (13 years ago)
Author:
Ted Faber <faber@…>
Branches:
axis_example, compt_changes, info-ops, master
Children:
c324ad3
Parents:
4692a16
Message:

Looks like internal works now.

Had to add default entries to the access list to accommodate that, and discovered that ABAC requires strings - not unicode.

Moved lookup_access into the access class as most should be able to use it directly now.

File:
1 edited

  • fedd/federation/access.py

    r4692a16 rdee164e  
    132132
    133133
    134     def read_access(self, fn, access_obj=None):
     134    def read_access(self, fn, access_obj=None, default=[]):
    135135        """
    136136        Read an access DB of the form
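Review bot: the new `default=[]` parameter on `read_access` is a mutable default argument; the loop that consumes it only reads the list, so nothing breaks today, but the idiomatic form is `default=None` with `default = default or []` in the body, or an immutable `default=()`. The docstring that follows should also describe the new parameter, i.e. that it is a sequence of `(attribute, value)` pairs appended to the access list after the file has been read.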
     
    188188            if a.attr in priorities:
    189189                a.priority = priorities[a.attr]
     190
     191        # default access mappings
     192        for a, v in default:
     193            self.access.append(
     194                    access_base.access_attribute(attr=a, value=v, pri=0))
     195
     196
    190197
    191198    def write_state(self):
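Review bot: the default-mappings loop appends every `(a, v)` pair with `pri=0` and never consults the `priorities` table that the lines just above apply to entries read from the file, so a default whose attribute appears in `priorities` still lands at priority 0. If that is intended (defaults sort last because larger priorities are checked first), say so in the comment; otherwise use `priorities.get(a, 0)` here. There is also no check for a default that duplicates an attribute already read from the file, so the same attribute can appear twice in `self.access`. Minor: the two added blank lines plus the existing one leave three blank lines before `write_state`.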
     
    226233                self.log.warning(("[read_state]: No saved state: " + \
    227234                        "Unpickling failed: %s") % e)
     235
     236    def lookup_access(self, req, fid, filter=None, compare=None):
     237        """
     238        Check all the attributes that this controller knows how to map and see
     239        if the requester is allowed to use any of them.  If so return one.
     240        Filter defined the objects to check - it's a function that returns true
     241        for the objects to check - and cmp defines the order to check them in
     242        as the cmp field of sorted().  If filter is None, all possibilities are
     243        checked.  If cmp is None, the choices are sorted by priority.
     244        """
     245
     246        # Import request credentials into this (clone later??)
     247        if self.auth.import_credentials(
     248                data_list=req.get('abac_credential', [])):
     249            self.auth.save()
     250
     251        # NB: in the default case (the else), the comparison order is reversed
     252        # so numerically larger priorities are checked first.
     253        if compare: c = compare
     254        else: c = lambda(a, b): cmp(b,a)
     255
     256        if filter: f = filter
     257        else: f = lambda(x): True
     258
     259        check = sorted([ a for a in self.access if f(a)], cmp=c)
     260
     261        # Check every attribute that we know how to map and take the first
     262        # success.
     263        for attr in check:
     264            if self.auth.check_attribute(fid, attr.attr):
     265                self.log.debug("Access succeeded for %s %s" % (attr.attr, fid))
     266                # XXX: needs to deal with dynamics
     267                return copy.copy(attr.value), (False, False, False), \
     268                        [ fid ]
     269            else:
     270                self.log.debug("Access failed for %s %s" % (attr.attr, fid))
     271        else:
     272            raise service_error(service_error.access, "Access denied")
     273
    228274
    229275
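Review bot: `lookup_access` imports the request's `abac_credential` list into `self.auth` and calls `self.auth.save()` before any attribute check has succeeded, so credentials supplied by an arbitrary requester are written into the controller's persistent authorization state even when the request is then denied with "Access denied". The `(clone later??)` comment acknowledges this; the check should run against a per-request copy of the authorizer, or the save should be deferred until a policy has actually accepted the credentials. Smaller points in the same hunk: the docstring calls the ordering argument `cmp` while the parameter is named `compare`; the `else:` on the `for` loop is reached on every fall-through because the body returns rather than breaks, so the `raise service_error(...)` can simply follow the loop; and the tuple-parameter lambdas `lambda(a, b): cmp(b,a)` and `lambda(x): True` are Python 2 only syntax, where `lambda a, b: cmp(b, a)` and `lambda x: True` behave identically. The hard-coded `(False, False, False)` return is flagged by the `XXX` comment but should be documented in the docstring so callers know what the tuple means.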