tactic-python/access_manager.py at main · ASTperfTest/tactic-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
###########################################################
#
# Copyright (c) 2005, Southpaw Technology
#                     All Rights Reserved
#
# PROPRIETARY INFORMATION.  This software is proprietary to
# Southpaw Technology, and is not to be reproduced, transmitted,
# or disclosed in any way without written permission.
#
#
#

__all__ = ['AccessManager', 'Sudo']

import types

from pyasm.common import Base, Xml, Environment, Common
from pyasm.search import Search


class AccessException(Exception):
    pass


class Sudo(object):

    def __init__(my):
        #print "Setting admin"
        my.security = Environment.get_security()

        # if not already logged in, login as a safe user (guest)
        if not my.security.is_logged_in():
            #my.security.login_as_guest()
            pass

        my.access_manager = my.security.get_access_manager()
        my.access_manager.set_admin(True)

    def __del__(my):
        #print "Removing admin"
        # remove if I m not in admin group
        if not my.security.is_in_group('admin'):
            my.access_manager.set_admin(False)

    def exit(my):
        #print "Removing admin"
        # remove if I m not in admin group
        if not my.security.is_in_group('admin'):
            my.access_manager.set_admin(False)


class AccessManager(Base):

    def __init__(my):
        my.is_admin_flag = False
        my.groups = {}
        my.summary = {}
        my.project_codes = None


    def get_access_summary(my):
        return my.summary


    def set_admin(my, flag):
        my.is_admin_flag = flag

    def is_admin(my):
        return my.is_admin_flag


    # access level definitions
    (DENY, VIEW, EDIT, INSERT, RETIRE, DELETE) = range(6)

    def _get_access_enum(my, access_level_attr):
        '''converts text access levels to their corresponding enum'''
        if access_level_attr == "false":
            access_level = AccessManager.DENY
        elif access_level_attr == "true":
            access_level = AccessManager.VIEW

        elif access_level_attr == "deny":
            access_level = AccessManager.DENY
        elif access_level_attr == "view":
            access_level = AccessManager.VIEW
        elif access_level_attr == "edit":
            access_level = AccessManager.EDIT
        elif access_level_attr == "insert":
            access_level = AccessManager.INSERT
        elif access_level_attr == "retire":
            access_level = AccessManager.RETIRE
        elif access_level_attr == "delete":
            access_level = AccessManager.DELETE

        # allow is the highest and you can do anything
        elif access_level_attr == "allow":
            access_level = AccessManager.DELETE

        elif access_level_attr == None:
            access_level = None

        else:
            raise Exception("[%s] is not a valid access_level_attr" % access_level_attr)

        return access_level


    def add_xml_rules(my, xml):
        '''xml should be an XML object with the data in the form of
        <rules>
          <group type='sobject' default='<default>'>
            <rule key='<key>' access='<access>'/>
          </group>
        </rules>
        '''

        if isinstance(xml, basestring):
            xmlx = Xml()
            xmlx.read_string(xml)
            xml = xmlx


        my.xml = xml

        # parse shorthand rules
        rule_nodes = xml.get_nodes("rules/rule")
        if not rule_nodes:
            return


        if my.project_codes == None:
            search = Search('sthpw/project')
            projects = search.get_sobjects()
            my.project_codes = [x.get_code() for x in projects]
            my.project_codes.append('*')

        for rule_node in rule_nodes:
            # initiate the project_code here for each loop
            project_code = '*'
            group_type = Xml.get_attribute( rule_node, "group" )
            if not group_type:
                # category is the preferred name over group now
                # TODO: phase out the use of group completely
                group_type = Xml.get_attribute( rule_node, "category" )

            # get an existing rule set or create a new one
            if my.groups.has_key(group_type):
                rules = my.groups[group_type]
            else:
                rules = {}
                my.groups[group_type] = rules

            # set the default, if specified
            group_default = xml.get_attribute( rule_node, "default" )
            if group_default:
                rules['__DEFAULT__'] = group_default
                continue


            # generate the rule key
            #rule_key = xml.get_attribute(rule_node, 'key')
            attrs = xml.get_attributes(rule_node)
            attrs2 = {}
            count = 0
            for name, value in attrs.items():
                if name in ['access', 'group', 'category', 'project']:
                    continue
                # have to turn everything into strings
                attrs2[str(name)] = str(value)
                count += 1


            if count == 1 and attrs2.has_key('key'):
                # backwards compatibility
                rule_key = attrs2['key']
            else:
                #rule_key = str(attrs2)
                rule_key = str(Common.get_dict_list(attrs2))

            rule_project =  xml.get_attribute(rule_node, 'project')
            if rule_project:
                project_code = rule_project
                # special treatment for search_filter to enable
                # project-specific search
                if group_type=='search_filter':
                    attrs2['project'] = rule_project

            # if there is a value, then combine it with the key
            rule_value = xml.get_attribute(rule_node, 'value')
            if rule_value:
                rule_key = "%s||%s" % (rule_key, rule_value)

            # add a project code qualifier
            rule_keys = []
            if project_code == '*' and group_type != 'search_filter':
                for code in my.project_codes:
                    key = "%s?project=%s" % (rule_key, code)
                    rule_keys.append(key)
            else:
                key= "%s?project=%s" % (rule_key, project_code)

                #key = str(key) # may need to stringify unicode string
                rule_keys.append(key)

            rule_access = xml.get_attribute(rule_node, 'access')

            #if rule_access == "":
            #    raise AccessException("Cannot have empty 'access':\n%s" \
            #        % xml.to_string(rule_node) )

            # if no key is specified, it is considered a DEFAULT
            if not rule_keys and not rule_value:
                rule_keys = ['__DEFAULT__']
            for rule_key in rule_keys:
                # check if rule_access exists first, which doesn't for search_filter,
                # but it has to go into the rules regardless
                # if the rule already exists, take the highest one
                if rule_access and rules.has_key(rule_key):
                    curr_access, cur_attrs = rules[rule_key]

                    try:
                        access_enum = my._get_access_enum(rule_access)
                        if my._get_access_enum(curr_access) > access_enum:
                            continue
                    except:
                        if group_type == "builtin":
                            continue
                        else:
                            raise


                rules[rule_key] = rule_access, attrs2


        #for rule, values in rules.items():
        #    print "rule: ", rule, values[0]


        # FIXME: this one doesn't support the multi-attr structure
        # convert this to a python data structure
        group_nodes = xml.get_nodes("rules/group")
        for group_node in group_nodes:

            group_type = Xml.get_attribute( group_node, "type" )

            # get an existing rule set or create a new one
            if my.groups.has_key(group_type):
                rules = my.groups[group_type]
            else:
                rules = {}
                my.groups[group_type] = rules

            # set the default, if specified
            group_default = xml.get_attribute( group_node, "default" )
            if group_default != "":
                rules['__DEFAULT__'] = group_default


            # get all of the rule nodes
            rule_nodes = Xml.get_children(group_node)
            for rule_node in rule_nodes:
                project_code='*'

                if Xml.get_node_name(rule_node) != 'rule':
                    continue

                rule_key = xml.get_attribute(rule_node, 'key')
                rule_access = xml.get_attribute(rule_node, 'access')

                rule_project =  xml.get_attribute(rule_node, 'project')
                if rule_project:
                    project_code = rule_project
                if rule_access == "":
                    raise AccessException("Cannot have empty 'access':\n%s" \
                        % xml.to_string(rule_node) )

                rule_keys = []
                attrs2 = {'key': rule_key}

                # add a project code qualifier
                if project_code == '*' and group_type != 'search_filter':
                    for code in my.project_codes:
                        key = "%s?project=%s" % (rule_key, code)
                        rule_keys.append(key)
                else:
                    key= "%s?project=%s" % (rule_key, project_code)
                    rule_keys.append(key)

                for rule_key in rule_keys:
                    rules[rule_key] = rule_access, attrs2


    def get_access(my, type, key, default=None):

        # if a list of keys is provided, then go through each key
        if isinstance(key, list):
            for item in key:
                user_access = my.get_access(type, item)
                if user_access != None:
                    return user_access

            return None


        # qualify the key with a project_code
        project_code = "*"
        if isinstance(key, dict):
            # this avoids get_access() behavior changes on calling it twice
            key2 = key.copy()
            rule_project = key.get('project')
            if rule_project:
                project_code = rule_project
                key2.pop('project')
            key = Common.get_dict_list(key2)
        # special case for projects
        elif type == "project":
            project_code = key
            key = [('code','plugins')]

        key = "%s?project=%s" % (key, project_code)
        #print "key: ", key

        # Fix added below to remove any unicode string markers from 'key' string ... sometimes the values
        # of the 'key' dictionary that is passed in contains values that are unicode strings, and sometimes
        # values that are ascii.
        #
        # FIXME: however might not necessarily be the best fix here, so this should be re-assessed at
        #        some point to see if a better fix can be put in place

        # boris: Since we took out str() in Common.get_dict_list(), we have to re-introduce this back, but with , instead of : since it's a tuple
        key = key.replace("', u'", "', '")

        # if there are no rules, just return the default
        rules = my.groups.get(type)
        if not rules:
            return default


        result = None
        value = rules.get(key)
        if value:
            result, dct = value

        # DEPRECATED
        if not result:
            result = rules.get('__DEFAULT__')

        if not result:
            result = default

        return result


    def compare_access(my, user_access, required_access):
        required_access = my._get_access_enum(required_access)
        user_access = my._get_access_enum(user_access)

        if user_access >= required_access:
            return True
        else:
            return False


    def check_access(my, group, key, required_access, value=None, is_match=False, default="edit"):
        '''checks the access level of the user for a give group of access
        and a key'''
        if my.is_admin():
            return True

        # if a list of keys is provided, then go through each key
        if isinstance(key, list):
            for item in key:
                user_access = my.get_access(group, item)
                if user_access != None:
                    break
        else:
            if value:
                key = "%s||%s" % (key, value)
            user_access = my.get_access(group, key)


        # this means that there are now rules defined for this
        if user_access == None:
            user_access = default

        # ignore value checks in the summary (way too many)
        if not value:
            if not isinstance(key, basestring):
                key = str(key)
            my.summary[key] = "%s | %s" % (required_access, user_access)

        # convert access to integers
        required_access = my._get_access_enum(required_access)
        user_access = my._get_access_enum(user_access)


        if is_match:
            if user_access == required_access:
                return True
            else:
                return False

        if user_access >= required_access:
            return True
        else:
            return False


    def alter_search(my, search):
        if my.is_admin_flag:
            return True

        group = "search_filter"
        search_type = search.get_base_search_type()

        my.alter_search_type_search(search)

        # qualify the key with a project_code
        #project_code = "*"
        #key = "%s?project=%s" % (key, project_code)

        rules = my.groups.get(group)
        if not rules:
            return


        from pyasm.biz import ExpressionParser
        parser = ExpressionParser()
        current_project = None

        for rule in rules.values():
            access, dct = rule
            """
            # FIXME: hacky: break the encoding done earlier
            parts = rule.split("||")
            data = parts[0]
            data = data.replace("?project=*", "")
            rule = eval(data)
            """
            rule = dct
            rule_search_type = rule.get('search_type')
            if not rule_search_type:
                print "No [search_type] defined in security rule"
                continue

            # search types must match
            if rule_search_type != search_type:
                continue

            column = rule.get('column')
            value = rule.get('value')
            project = rule.get('project')

            # to avoid infinite recursion, get the project here
            if not current_project:
                from pyasm.biz import Project
                current_project = Project.get_project_code()

            if project and project not in ['*', current_project]:
                continue
            # If a relationship is set, then use that
            # FIXME: this is not very clear how to procede.
            related = rule.get('related')
            #if search_type == 'MMS/job':
            #    related = "@SOBJECT(MMS/request)"

            sudo = Sudo()
            if related:

                sobjects = parser.eval(related)
                search.add_relationship_filters(sobjects)
                del sudo
                return


            # interpret the value
            # since the expression runs float(), we want to avoid that a number 5 being converted to 5.0
            # if we can't find @ or $
            if value.find('@') != -1 or value.find('$') != -1:
                values = parser.eval(value, list=True)
            else:
                values = [value]

            op = rule.get('op')


            # TODO: made this work with search.add_op_filters() with the expression parser instead of this
            # simpler implementation
            if len(values) == 1:
                if not op:
                    op = '='
                quoted = True
                # special case for NULL
                if values[0] == 'NULL':
                    quoted = False
                if op in ['not in', '!=']:
                    search.add_op('begin')
                    search.add_filter(column, values[0], op=op, quoted=quoted)
                    search.add_filter(column, None)
                    search.add_op('or')
                else:
                    search.add_filter(column, values[0], op=op, quoted=quoted)
            elif len(values) > 1:
                if not op:
                    op = 'in'
                if op in ['not in', '!=']:
                    search.add_op('begin')
                    search.add_filter(column, values, op=op)
                    search.add_filter(column, None)
                    search.add_op('or')
                else:
                    search.add_filters(column, values, op=op)

            del sudo
            #print search.get_statement()


    def alter_search_type_search(my, search):
        # special provision for various search types, particularly in
        # the sthpw database
        if my.is_admin():
            return

        return
        """
        # Ignore this problem for now ...
        search_type = search.get_base_search_type()
        if search_type == 'sthpw/transaction_log':
            search.add_filter("namespace", "project")

        # normal users can only see those search types of the current
        # project
        # FIXME: is this too restrictive???
        if search_type in ['sthpw/note', 'sthpw/snapshot', 'sthpw/task']:
            from pyasm.biz import Project
            project_code = Project.get_project_code()
            search.add_filter("project_code", project_code)
        """


    def to_string(my):
        rule = ''
        rule += "<rules>\n"
        for group, data in my.groups.items():
            for key, access in data.items():
                rule += "  <rule group='%s' key='%s' access='%s'/>\n" % (group, key,access)

        #group, key, access

        rule += "</rules>\n"

        return rule


    #
    # static methods
    #

    def get_by_group(group):
        access_manager = AccessManager()

        access_rules_xml = group.get_xml_value("access_rules")
        access_manager.add_xml_rules(access_rules_xml)

        # get all of the security rules
        #security_rules = AccessRule.get_by_groups(my._groups)
        #for rule in security_rules:
        #    access_rules_xml = rule.get_xml_value("rule")
        #    my._access_manager.add_xml_rules(access_rules_xml)

        return access_manager
    get_by_group = staticmethod(get_by_group)