policies/expression: move evaluation code into separate class

2020-02-19 09:49:38 +01:00 · 2020-02-19 09:49:38 +01:00 · 5b79b3fd22
parent d68c72f1fa
commit 5b79b3fd22
3 changed files with 91 additions and 29 deletions
--- a/passbook/policies/expression/evaluator.py
+++ b/passbook/policies/expression/evaluator.py
@ -0,0 +1,77 @@
+"""passbook expression policy evaluator"""
+import re
+from typing import TYPE_CHECKING, Any, Dict
+
+from django.core.exceptions import ValidationError
+from jinja2.exceptions import TemplateSyntaxError, UndefinedError
+from jinja2.nativetypes import NativeEnvironment
+from structlog import get_logger
+
+from passbook.factors.view import AuthenticationView
+from passbook.policies.struct import PolicyRequest, PolicyResult
+
+if TYPE_CHECKING:
+    from passbook.policies.expression.models import ExpressionPolicy
+
+
+class Evaluator:
+    """Validate and evaulate jinja2-based expressions"""
+
+    _env: NativeEnvironment
+
+    def __init__(self):
+        self._env = NativeEnvironment()
+        self._env.filters["regex_match"] = Evaluator.jinja2_regex_match
+        self._env.filters["regex_replace"] = Evaluator.jinja2_regex_replace
+
+    @staticmethod
+    def jinja2_regex_match(value: Any, regex: str) -> bool:
+        """Jinja2 Filter to run re.search"""
+        return re.search(regex, value) is None
+
+    @staticmethod
+    def jinja2_regex_replace(value: Any, regex: str, repl: str) -> str:
+        """Jinja2 Filter to run re.sub"""
+        return re.sub(regex, repl, value)
+
+    def _get_expression_context(
+        self, request: PolicyRequest, **kwargs
+    ) -> Dict[str, Any]:
+        """Return dictionary with additional global variables passed to expression"""
+        kwargs["pb_is_sso_flow"] = request.user.session.get(
+            AuthenticationView.SESSION_IS_SSO_LOGIN, False
+        )
+        kwargs["pb_is_group_member"] = lambda user, group: group.user_set.filter(
+            pk=user.pk
+        ).exists()
+        kwargs["pb_logger"] = get_logger()
+        return kwargs
+
+    def evaluate(self, expression_source: str, request: PolicyRequest) -> PolicyResult:
+        """Parse and evaluate expression.
+        If the Expression evaluates to a list with 2 items, the first is used as passing bool and
+        the second as messages.
+        If the Expression evaluates to a truthy-object, it is used as passing bool."""
+        try:
+            expression = self._env.from_string(expression_source)
+        except TemplateSyntaxError as exc:
+            return PolicyResult(False, str(exc))
+        try:
+            result = expression.render(
+                request=request, **self._get_expression_context(request)
+            )
+            if isinstance(result, list) and len(result) == 2:
+                return PolicyResult(*result)
+            if result:
+                return PolicyResult(result)
+            return PolicyResult(False)
+        except UndefinedError as exc:
+            return PolicyResult(False, str(exc))
+
+    def validate(self, expression: str):
+        """Validate expression's syntax, raise ValidationError if Syntax is invalid"""
+        try:
+            self._env.from_string(expression)
+            return True
+        except TemplateSyntaxError as exc:
+            raise ValidationError("Expression Syntax Error") from exc
--- a/passbook/policies/expression/models.py
+++ b/passbook/policies/expression/models.py
@ -1,17 +1,11 @@
 """passbook expression Policy Models"""
-from django.core.exceptions import ValidationError
 from django.db import models
 from django.utils.translation import gettext as _
-from jinja2.exceptions import TemplateSyntaxError, UndefinedError
-from jinja2.nativetypes import NativeEnvironment
-from structlog import get_logger

 from passbook.core.models import Policy
+from passbook.policies.expression.evaluator import Evaluator
 from passbook.policies.struct import PolicyRequest, PolicyResult

-LOGGER = get_logger()
-NATIVE_ENVIRONMENT = NativeEnvironment()
-

 class ExpressionPolicy(Policy):
    """Jinja2-based Expression policy that allows Admins to write their own logic"""
@ -22,25 +16,10 @@ class ExpressionPolicy(Policy):

    def passes(self, request: PolicyRequest) -> PolicyResult:
        """Evaluate and render expression. Returns PolicyResult(false) on error."""
-        try:
-            expression = NATIVE_ENVIRONMENT.from_string(self.expression)
-        except TemplateSyntaxError as exc:
-            return PolicyResult(False, str(exc))
-        try:
-            result = expression.render(request=request)
-            if isinstance(result, list) and len(result) == 2:
-                return PolicyResult(*result)
-            if result:
-                return PolicyResult(result)
-            return PolicyResult(False)
-        except UndefinedError as exc:
-            return PolicyResult(False, str(exc))
+        return Evaluator().evaluate(self.expression, request)

    def save(self, *args, **kwargs):
-        try:
-            NATIVE_ENVIRONMENT.from_string(self.expression)
-        except TemplateSyntaxError as exc:
-            raise ValidationError("Expression Syntax Error") from exc
+        Evaluator().validate(self.expression)
        return super().save(*args, **kwargs)

    class Meta:
--- a/passbook/policies/expression/templates/policy/expression/form.html
+++ b/passbook/policies/expression/templates/policy/expression/form.html
@ -9,12 +9,18 @@
    <div class="col-sm-10">
        <p>
            Expression using <a href="https://jinja.palletsprojects.com/en/2.11.x/templates/">Jinja</a>. Following variables are available:
-            <ul>
-                <li><code>request.user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/reference/property-mappings/user-object/">Reference</a>)</li>
-                <li><code>request.http_request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
-                <li><code>request.obj</code>: Model the Policy is run against. </li>
-            </ul>
        </p>
+        <ul>
+            <li><code>request.user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/reference/property-mappings/user-object/">Reference</a>)</li>
+            <li><code>request.http_request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
+            <li><code>request.obj</code>: Model the Policy is run against. </li>
+            <li><code>pb_is_sso_flow</code>: Boolean which is true if request was initiated by by Authenticating through an external Provider.</li>
+        </ul>
+        <p>Custom Filters:</p>
+        <ul>
+            <li><code>regex_match(regex)</code>: Checks if value matches <code>regex</code></li>
+            <li><code>regex_replace(regex, repl)</code>: Replace string matched by <code>regex</code> with <code>repl</code></li>
+        </ul>
    </div>
 </div>
 {% endblock %}