1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
'''
Created on Jun 24, 2010
@author: leifj
'''
from django.db import models
import re
from pprint import pprint
from django.contrib.auth.models import User
from django.core.exceptions import ObjectDoesNotExist
class Attribute(models.Model):
name = models.CharField(unique=True,max_length=255)
description = models.TextField(blank=True)
timecreated = models.DateTimeField(auto_now_add=True)
lastupdated = models.DateTimeField(auto_now=True)
def __unicode__(self):
return self.name;
class Name(models.Model):
'''
A name-space/authorization/right/group/collaboration/thing
'''
type = models.ForeignKey(Attribute, blank=True, null=True,related_name='names')
value = models.CharField(max_length=255)
parent = models.ForeignKey('self', blank=True, null=True,related_name='children')
acl = models.TextField(blank=True) # fully-qualified-name '#' rights
short = models.CharField(max_length=64,blank=True)
creator = models.ForeignKey(User,blank=True, null=True)
description = models.TextField(blank=True)
timecreated = models.DateTimeField(auto_now_add=True)
lastupdated = models.DateTimeField(auto_now=True)
def shortname(self):
if self.short:
return self.short
else:
return self.__unicode__()
def relative_name(self):
if self.type:
return "%s=%s" % (self.type.name,self.value)
else:
return self.value
def __unicode__(self):
n = self
str = ""
while n:
sep = ""
av = n.relative_name()
if n.parent:
if av.find("=") == -1:
sep = ':'
else:
sep = ';'
str = sep+av+str
n = n.parent
return str
def remove(self,recursive=False):
if recursive:
for c in self.children.all():
c.remove(recursive)
self.delete()
def copy_acl(self):
return self.acl
def link(self,dst,type,data):
if not self.has_link(dst,NameLink.part_of,data):
link = NameLink(src=self,dst=dst,type=type,data=data)
link.save()
def unlink(self,dst,type,data):
try:
link = NameLink.objects.get(src=self,dst=dst,type=type,data=data)
link.delete()
except ObjectDoesNotExist:
pass
def has_link(self,dst,type,data):
return NameLink.objects.filter(src=self,dst=dst,type=type,data=data).count() > 0
def setacl(self,name,perm):
link = NameLink.objects.get_or_create(src=self,dst=name,type=NameLink.access_control)
save = False
for p in perm:
if not link.data.find(p):
link.data = link.data+p
save = True
if save:
link.save()
def rmacl(self,name,perm):
try:
link = NameLink.objects.get(src=self,dst=name,type=NameLink.access_control)
save = False
for p in perm:
link.data = link.data.replace(p,'')
save = True
if save:
if link.data:
link.save()
else:
link.delete()
except ObjectDoesNotExist:
pass
def lsacl(self):
return NameLink.objects.filter(src=self,type=NameLink.access_control)
def add_partof(self,part):
self.link(part,NameLink.part_of,None)
def has_permission(self,user,perm):
pprint("has_permission %s %s %s" % (self,user,perm))
# TODO: reverse order of test for production system - will spead-up superuser-test and it is cheap
#pprint(NameLink.objects.filter(src=self,type=NameLink.access_control,data=perm,dst__memberships__user=user))
# user is superuser or acl is on implicit group or user is member of acl group
if NameLink.objects.filter(src=self,dst=anyuser,type=NameLink.access_control,data__contains=perm).count() > 0:
return True
if NameLink.objects.filter(src=self,type=NameLink.access_control,data__contains=perm,dst__memberships__user=user).count() > 0:
return True
if user.is_superuser:
return False
return False #user.is_superuser
def permitted_children(self,user,perm):
return filter(lambda s: s.has_permission(user,perm),self.children.all())
class NameLink(models.Model):
src = models.ForeignKey(Name,related_name='sources')
dst = models.ForeignKey(Name,related_name='destinations')
type = models.IntegerField()
data = models.CharField(max_length=255,blank=True,null=True)
timecreated = models.DateTimeField(auto_now_add=True)
lastupdated = models.DateTimeField(auto_now=True)
access_control = 0
part_of = 1
def __unicode__(self):
return "%s -> %s [%s %s]" % (self.src,self.dst,self.type,self.data)
def roots():
return Name.objects.filter(parent=None)
def _traverse(name,callable,user,depth):
if not name:
return [_traverse(s,callable,user,depth - 1) for s in roots()]
else:
t = callable(name,depth)
if depth > 0:
children = [_traverse(s,callable,user,depth - 1) for s in name.permitted_children(user,'l')]
if children:
t['children'] = children
return t
def traverse(name,callable,user,depth,includeroot=False):
if not name:
return [_traverse(s,callable,user,depth - 1) for s in roots()]
else:
if includeroot:
t = callable(name,depth)
if depth > 0:
children = [_traverse(s,callable,user,depth - 1) for s in name.permitted_children(user,'l')]
if children:
t['children'] = children
return t
else:
return [_traverse(s,callable,user,depth - 1) for s in name.permitted_children(user,'l')]
# TODO - remove system user dependency
def walkto(root,nameparts,autocreate=False,autoacl='l'):
name = None
for n in nameparts:
(a,eq,v) = n.partition('=')
if v:
attribute = Attribute.objects.get(name=a)
try:
name = Name.objects.get(parent=root,type=attribute.id,value=v)
except ObjectDoesNotExist,e:
if autocreate:
name = Name(parent=root,creator=None,type=attribute.id,value=v,acl=autoacl)
name.save()
else:
raise e
else:
try:
name = Name.objects.get(parent=root,type=None,value=a)
except ObjectDoesNotExist,e:
if autocreate:
name = Name(parent=root,creator=None,type=None,value=a,acl=autoacl)
name.save()
else:
raise e
root = name
return name
def lookup(name,autocreate=False,autoacl='l'):
return walkto(None,nameparts=re.compile('[;:]').split(name),autocreate=autocreate,autoacl=autoacl)
def attribute(a):
Attribute.objects.get_or_create(name=a)
#sysuser = User.objects.get_or_create(username='system',first_name='COIP System',last_name='User',password="(not used)")
anyuser = lookup("system:anyuser",True)
|