freeipa/ipaserver/custodia/httpd/authorizers.py

# Copyright (C) 2015  Custodia Project Contributors - see LICENSE file
from __future__ import absolute_import

import os

from ipaserver.custodia import log
from ipaserver.custodia.plugin import HTTPAuthorizer


class SimplePathAuthz(HTTPAuthorizer):
    # keep SimplePathAuthz an old-style plugin for now.
    # KEMKeysStore and IPAKEMKeys haven't been ported.

    def __init__(self, config):
        super(SimplePathAuthz, self).__init__(config)
        self.paths = []
        if 'paths' in self.config:
            self.paths = self.config['paths'].split()

    def handle(self, request):
        reqpath = path = request.get('path', '')

        # if an authorized path does not end in /
        # check if it matches fullpath for strict match
        for authz in self.paths:
            if authz.endswith('/'):
                continue
            if authz.endswith('.'):
                # special case to match a path ending in /
                authz = authz[:-1]
            if authz == path:
                self.audit_svc_access(log.AUDIT_SVC_AUTHZ_PASS,
                                      request['client_id'], path)
                return True

        while path != '':
            if path in self.paths:
                self.audit_svc_access(log.AUDIT_SVC_AUTHZ_PASS,
                                      request['client_id'], path)
                return True
            if path == '/':
                path = ''
            else:
                path, _head = os.path.split(path)

        self.logger.debug('No path in %s matched %s', self.paths, reqpath)
        return None
Add Custodia 0.6.0 to ipaserver package Incorporate Custodia into IPA. See: https://pagure.io/freeipa/issue/8882 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2021-06-11 01:01:27 -05:00			`# Copyright (C) 2015 Custodia Project Contributors - see LICENSE file`
			`from __future__ import absolute_import`

			`import os`

Remove more unused Custodia code See: https://pagure.io/freeipa/issue/8882 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2021-06-11 01:52:23 -05:00			`from ipaserver.custodia import log`
			`from ipaserver.custodia.plugin import HTTPAuthorizer`
Add Custodia 0.6.0 to ipaserver package Incorporate Custodia into IPA. See: https://pagure.io/freeipa/issue/8882 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2021-06-11 01:01:27 -05:00

			`class SimplePathAuthz(HTTPAuthorizer):`
			`# keep SimplePathAuthz an old-style plugin for now.`
			`# KEMKeysStore and IPAKEMKeys haven't been ported.`

			`def __init__(self, config):`
			`super(SimplePathAuthz, self).__init__(config)`
			`self.paths = []`
			`if 'paths' in self.config:`
			`self.paths = self.config['paths'].split()`

			`def handle(self, request):`
			`reqpath = path = request.get('path', '')`

			`# if an authorized path does not end in /`
			`# check if it matches fullpath for strict match`
pylint: Fix useless-suppression Cleanup up no longer used Pylint's disables where possible. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2022-02-21 06:36:10 -06:00			`for authz in self.paths:`
Add Custodia 0.6.0 to ipaserver package Incorporate Custodia into IPA. See: https://pagure.io/freeipa/issue/8882 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2021-06-11 01:01:27 -05:00			`if authz.endswith('/'):`
			`continue`
			`if authz.endswith('.'):`
			`# special case to match a path ending in /`
			`authz = authz[:-1]`
			`if authz == path:`
			`self.audit_svc_access(log.AUDIT_SVC_AUTHZ_PASS,`
			`request['client_id'], path)`
			`return True`

			`while path != '':`
			`if path in self.paths:`
			`self.audit_svc_access(log.AUDIT_SVC_AUTHZ_PASS,`
			`request['client_id'], path)`
			`return True`
			`if path == '/':`
			`path = ''`
			`else:`
Fix Custodia pylint issues See: https://pagure.io/freeipa/issue/8882 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2021-06-11 01:43:23 -05:00			`path, _head = os.path.split(path)`
Add Custodia 0.6.0 to ipaserver package Incorporate Custodia into IPA. See: https://pagure.io/freeipa/issue/8882 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 2021-06-11 01:01:27 -05:00
			`self.logger.debug('No path in %s matched %s', self.paths, reqpath)`
			`return None`