|
1 # Copyright 2008 LShift Ltd |
|
2 # Author(s): |
|
3 # Paul Crowley <paul@lshift.net> |
|
4 # |
|
5 # This software may be used and distributed according to the terms |
|
6 # of the GNU General Public License, incorporated herein by reference. |
|
7 |
|
8 import sys |
|
9 import re |
|
10 |
|
11 allowedchars = "A-Za-z0-9_-" |
|
12 |
|
13 goodpathre = re.compile("([%s]+/)*[%s]+$" % (allowedchars, allowedchars)) |
|
14 def goodpath(path): |
|
15 return goodpathre.match(path) is not None |
|
16 |
|
17 goodglobre = re.compile("[*/%s]+$" % allowedchars) |
|
18 |
|
19 def goodglob(pattern): |
|
20 return goodglobre.match(pattern) is not None |
|
21 |
|
22 # Don't put anything except *A-Za-z0-9_- in rule globs or |
|
23 # it will match nothing. No regexp metachars, not even . |
|
24 # We may fix this later. |
|
25 def globmatcher(pattern): |
|
26 if not goodglob(pattern): |
|
27 #fail("Bad glob pattern in auth config: %s" % pattern) |
|
28 # FIXME: report it somehow |
|
29 return lambda x: False |
|
30 # Substitution cunning so ** can be different from * |
|
31 pattern = pattern.replace("*", "[]") |
|
32 pattern = pattern.replace("[][]", "[/%s]*" % allowedchars) |
|
33 pattern = pattern.replace("[]", "[%s]*" % allowedchars) |
|
34 rex = re.compile(pattern + "$") |
|
35 # None matches everything |
|
36 return lambda x: x is None or rex.match(x) is not None |
|
37 |
|
38 def rule(pairs): |
|
39 matchers = [(k, globmatcher(v)) for k, v in pairs] |
|
40 def c(**kw): |
|
41 for k, m in matchers: |
|
42 if k not in kw or not m(kw[k]): |
|
43 return False |
|
44 return True |
|
45 return c |
|
46 |
|
47 class Ruleset(object): |
|
48 '''Class representing the rules in a rule file''' |
|
49 |
|
50 levels = ["init", "write", "read", "deny"] |
|
51 |
|
52 def __init__(self): |
|
53 # The user called "root" automatically has the highest |
|
54 # privilege |
|
55 self.rules = [(self.levels[0], rule([('user', 'root')]))] |
|
56 self.preset = {} |
|
57 |
|
58 def add(self, action, conditions): |
|
59 self.rules.append((action, conditions)) |
|
60 |
|
61 |
|
62 def set(self, **kw): |
|
63 self.preset.update(kw) |
|
64 |
|
65 def matchrule(self, **kw): |
|
66 d = self.preset.copy() |
|
67 d.update(**kw) |
|
68 for a, c in self.rules: |
|
69 if c(**d): |
|
70 return a |
|
71 return None |
|
72 |
|
73 def allow(self, level, **kw): |
|
74 a = self.matchrule(**kw) |
|
75 return a in self.levels and self.levels.index(a) <= self.levels.index(level) |
|
76 |
|
77 @classmethod |
|
78 def readfile(cls, fn): |
|
79 res = cls() |
|
80 try: |
|
81 f = open(fn) |
|
82 try: |
|
83 for l in f: |
|
84 l = l.strip() |
|
85 if len(l) == 0 or l.startswith("#"): |
|
86 continue |
|
87 l = l.split() |
|
88 res.add(l[0], rule([c.split("=", 1) for c in l[1:]])) |
|
89 finally: |
|
90 f.close() |
|
91 except Exception, e: |
|
92 print >> sys.stderr, "Failure reading rules file:", e |
|
93 return cls() |
|
94 return res |
|
95 |