planetstack/core/acl.py - xos - Gitiles

 from fnmatch import fnmatch

 class AccessControlList:
     def __init__(self, aclText=None):
         self.rules = []
         if aclText:
             self.import_text(aclText)

     def import_text(self, aclText):
         # allow either newline or ';' to separate rules
         aclText = aclText.replace("\n", ";")
         for line in aclText.split(";"):
             line = line.strip()
             if line.startswith("#"):
                 continue

             if line=="":
                 continue

             parts = line.split()

             if len(parts)==2 and (parts[1]=="all"):
                 # "allow all" has no pattern
                 parts = (parts[0], parts[1], "")

             if len(parts)!=3:
                 raise ACLValidationError(line)

             (action, object, pattern) = parts

             if action not in ["allow", "deny"]:
                 raise ACLValidationError(line)

             if object not in ["site", "user", "all"]:
                 raise ACLValidationError(line)

             self.rules.append( (action, object, pattern) )

     def __str__(self):
         lines = []
         for rule in self.rules:
             lines.append( " ".join(rule) )
         return ";\n".join(lines)

     def test(self, user):
         for rule in self.rules:
             if self.match_rule(rule, user):
                 return rule[0]
         return "deny"

     def match_rule(self, rule, user):
         (action, object, pattern) = rule

         if (object == "site"):
             if fnmatch(user.site.name, pattern):
                 return True
         elif (object == "user"):
             if fnmatch(user.email, pattern):
                 return True
         elif (object == "all"):
             return True

         return False


 if __name__ == '__main__':
     class fakesite:
         def __init__(self, siteName):
             self.name = siteName

     class fakeuser:
         def __init__(self, email, siteName):
             self.email = email
             self.site = fakesite(siteName)

     u_scott = fakeuser("scott@onlab.us", "ON.Lab")
     u_bill = fakeuser("bill@onlab.us", "ON.Lab")
     u_andy = fakeuser("acb@cs.princeton.edu", "Princeton")
     u_john = fakeuser("jhh@cs.arizona.edu", "Arizona")
     u_hacker = fakeuser("somehacker@foo.com", "Not A Real Site")

     # check the "deny all" rule
     acl = AccessControlList("deny all")
     assert(acl.test(u_scott) == "deny")

     # a blank ACL results in "deny all"
     acl = AccessControlList("")
     assert(acl.test(u_scott) == "deny")

     # check the "allow all" rule
     acl = AccessControlList("allow all")
     assert(acl.test(u_scott) == "allow")

     # allow only one site
     acl = AccessControlList("allow site ON.Lab")
     assert(acl.test(u_scott) == "allow")
     assert(acl.test(u_andy) == "deny")

     # some complicated ACL
     acl = AccessControlList("""allow site Princeton
                  allow user *@cs.arizona.edu
                  deny site Arizona
                  deny user scott@onlab.us
                  allow site ON.Lab""")

     assert(acl.test(u_scott) == "deny")
     assert(acl.test(u_bill) == "allow")
     assert(acl.test(u_andy) == "allow")
     assert(acl.test(u_john) == "allow")
     assert(acl.test(u_hacker) == "deny")

     print acl
	from fnmatch import fnmatch

	class AccessControlList:
	def __init__(self, aclText=None):
	self.rules = []
	if aclText:
	self.import_text(aclText)

	def import_text(self, aclText):
	# allow either newline or ';' to separate rules
	aclText = aclText.replace("\n", ";")
	for line in aclText.split(";"):
	line = line.strip()
	if line.startswith("#"):
	continue

	if line=="":
	continue

	parts = line.split()

	if len(parts)==2 and (parts[1]=="all"):
	# "allow all" has no pattern
	parts = (parts[0], parts[1], "")

	if len(parts)!=3:
	raise ACLValidationError(line)

	(action, object, pattern) = parts

	if action not in ["allow", "deny"]:
	raise ACLValidationError(line)

	if object not in ["site", "user", "all"]:
	raise ACLValidationError(line)

	self.rules.append( (action, object, pattern) )

	def __str__(self):
	lines = []
	for rule in self.rules:
	lines.append( " ".join(rule) )
	return ";\n".join(lines)

	def test(self, user):
	for rule in self.rules:
	if self.match_rule(rule, user):
	return rule[0]
	return "deny"

	def match_rule(self, rule, user):
	(action, object, pattern) = rule

	if (object == "site"):
	if fnmatch(user.site.name, pattern):
	return True
	elif (object == "user"):
	if fnmatch(user.email, pattern):
	return True
	elif (object == "all"):
	return True

	return False


	if __name__ == '__main__':
	class fakesite:
	def __init__(self, siteName):
	self.name = siteName

	class fakeuser:
	def __init__(self, email, siteName):
	self.email = email
	self.site = fakesite(siteName)

	u_scott = fakeuser("scott@onlab.us", "ON.Lab")
	u_bill = fakeuser("bill@onlab.us", "ON.Lab")
	u_andy = fakeuser("acb@cs.princeton.edu", "Princeton")
	u_john = fakeuser("jhh@cs.arizona.edu", "Arizona")
	u_hacker = fakeuser("somehacker@foo.com", "Not A Real Site")

	# check the "deny all" rule
	acl = AccessControlList("deny all")
	assert(acl.test(u_scott) == "deny")

	# a blank ACL results in "deny all"
	acl = AccessControlList("")
	assert(acl.test(u_scott) == "deny")

	# check the "allow all" rule
	acl = AccessControlList("allow all")
	assert(acl.test(u_scott) == "allow")

	# allow only one site
	acl = AccessControlList("allow site ON.Lab")
	assert(acl.test(u_scott) == "allow")
	assert(acl.test(u_andy) == "deny")

	# some complicated ACL
	acl = AccessControlList("""allow site Princeton
	allow user *@cs.arizona.edu
	deny site Arizona
	deny user scott@onlab.us
	allow site ON.Lab""")

	assert(acl.test(u_scott) == "deny")
	assert(acl.test(u_bill) == "allow")
	assert(acl.test(u_andy) == "allow")
	assert(acl.test(u_john) == "allow")
	assert(acl.test(u_hacker) == "deny")

	print acl