policies/expression: move evaluation code into separate class
This commit is contained in:
parent
d68c72f1fa
commit
5b79b3fd22
|
@ -0,0 +1,77 @@
|
||||||
|
"""passbook expression policy evaluator"""
|
||||||
|
import re
|
||||||
|
from typing import TYPE_CHECKING, Any, Dict
|
||||||
|
|
||||||
|
from django.core.exceptions import ValidationError
|
||||||
|
from jinja2.exceptions import TemplateSyntaxError, UndefinedError
|
||||||
|
from jinja2.nativetypes import NativeEnvironment
|
||||||
|
from structlog import get_logger
|
||||||
|
|
||||||
|
from passbook.factors.view import AuthenticationView
|
||||||
|
from passbook.policies.struct import PolicyRequest, PolicyResult
|
||||||
|
|
||||||
|
if TYPE_CHECKING:
|
||||||
|
from passbook.policies.expression.models import ExpressionPolicy
|
||||||
|
|
||||||
|
|
||||||
|
class Evaluator:
|
||||||
|
"""Validate and evaulate jinja2-based expressions"""
|
||||||
|
|
||||||
|
_env: NativeEnvironment
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
self._env = NativeEnvironment()
|
||||||
|
self._env.filters["regex_match"] = Evaluator.jinja2_regex_match
|
||||||
|
self._env.filters["regex_replace"] = Evaluator.jinja2_regex_replace
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def jinja2_regex_match(value: Any, regex: str) -> bool:
|
||||||
|
"""Jinja2 Filter to run re.search"""
|
||||||
|
return re.search(regex, value) is None
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def jinja2_regex_replace(value: Any, regex: str, repl: str) -> str:
|
||||||
|
"""Jinja2 Filter to run re.sub"""
|
||||||
|
return re.sub(regex, repl, value)
|
||||||
|
|
||||||
|
def _get_expression_context(
|
||||||
|
self, request: PolicyRequest, **kwargs
|
||||||
|
) -> Dict[str, Any]:
|
||||||
|
"""Return dictionary with additional global variables passed to expression"""
|
||||||
|
kwargs["pb_is_sso_flow"] = request.user.session.get(
|
||||||
|
AuthenticationView.SESSION_IS_SSO_LOGIN, False
|
||||||
|
)
|
||||||
|
kwargs["pb_is_group_member"] = lambda user, group: group.user_set.filter(
|
||||||
|
pk=user.pk
|
||||||
|
).exists()
|
||||||
|
kwargs["pb_logger"] = get_logger()
|
||||||
|
return kwargs
|
||||||
|
|
||||||
|
def evaluate(self, expression_source: str, request: PolicyRequest) -> PolicyResult:
|
||||||
|
"""Parse and evaluate expression.
|
||||||
|
If the Expression evaluates to a list with 2 items, the first is used as passing bool and
|
||||||
|
the second as messages.
|
||||||
|
If the Expression evaluates to a truthy-object, it is used as passing bool."""
|
||||||
|
try:
|
||||||
|
expression = self._env.from_string(expression_source)
|
||||||
|
except TemplateSyntaxError as exc:
|
||||||
|
return PolicyResult(False, str(exc))
|
||||||
|
try:
|
||||||
|
result = expression.render(
|
||||||
|
request=request, **self._get_expression_context(request)
|
||||||
|
)
|
||||||
|
if isinstance(result, list) and len(result) == 2:
|
||||||
|
return PolicyResult(*result)
|
||||||
|
if result:
|
||||||
|
return PolicyResult(result)
|
||||||
|
return PolicyResult(False)
|
||||||
|
except UndefinedError as exc:
|
||||||
|
return PolicyResult(False, str(exc))
|
||||||
|
|
||||||
|
def validate(self, expression: str):
|
||||||
|
"""Validate expression's syntax, raise ValidationError if Syntax is invalid"""
|
||||||
|
try:
|
||||||
|
self._env.from_string(expression)
|
||||||
|
return True
|
||||||
|
except TemplateSyntaxError as exc:
|
||||||
|
raise ValidationError("Expression Syntax Error") from exc
|
|
@ -1,17 +1,11 @@
|
||||||
"""passbook expression Policy Models"""
|
"""passbook expression Policy Models"""
|
||||||
from django.core.exceptions import ValidationError
|
|
||||||
from django.db import models
|
from django.db import models
|
||||||
from django.utils.translation import gettext as _
|
from django.utils.translation import gettext as _
|
||||||
from jinja2.exceptions import TemplateSyntaxError, UndefinedError
|
|
||||||
from jinja2.nativetypes import NativeEnvironment
|
|
||||||
from structlog import get_logger
|
|
||||||
|
|
||||||
from passbook.core.models import Policy
|
from passbook.core.models import Policy
|
||||||
|
from passbook.policies.expression.evaluator import Evaluator
|
||||||
from passbook.policies.struct import PolicyRequest, PolicyResult
|
from passbook.policies.struct import PolicyRequest, PolicyResult
|
||||||
|
|
||||||
LOGGER = get_logger()
|
|
||||||
NATIVE_ENVIRONMENT = NativeEnvironment()
|
|
||||||
|
|
||||||
|
|
||||||
class ExpressionPolicy(Policy):
|
class ExpressionPolicy(Policy):
|
||||||
"""Jinja2-based Expression policy that allows Admins to write their own logic"""
|
"""Jinja2-based Expression policy that allows Admins to write their own logic"""
|
||||||
|
@ -22,25 +16,10 @@ class ExpressionPolicy(Policy):
|
||||||
|
|
||||||
def passes(self, request: PolicyRequest) -> PolicyResult:
|
def passes(self, request: PolicyRequest) -> PolicyResult:
|
||||||
"""Evaluate and render expression. Returns PolicyResult(false) on error."""
|
"""Evaluate and render expression. Returns PolicyResult(false) on error."""
|
||||||
try:
|
return Evaluator().evaluate(self.expression, request)
|
||||||
expression = NATIVE_ENVIRONMENT.from_string(self.expression)
|
|
||||||
except TemplateSyntaxError as exc:
|
|
||||||
return PolicyResult(False, str(exc))
|
|
||||||
try:
|
|
||||||
result = expression.render(request=request)
|
|
||||||
if isinstance(result, list) and len(result) == 2:
|
|
||||||
return PolicyResult(*result)
|
|
||||||
if result:
|
|
||||||
return PolicyResult(result)
|
|
||||||
return PolicyResult(False)
|
|
||||||
except UndefinedError as exc:
|
|
||||||
return PolicyResult(False, str(exc))
|
|
||||||
|
|
||||||
def save(self, *args, **kwargs):
|
def save(self, *args, **kwargs):
|
||||||
try:
|
Evaluator().validate(self.expression)
|
||||||
NATIVE_ENVIRONMENT.from_string(self.expression)
|
|
||||||
except TemplateSyntaxError as exc:
|
|
||||||
raise ValidationError("Expression Syntax Error") from exc
|
|
||||||
return super().save(*args, **kwargs)
|
return super().save(*args, **kwargs)
|
||||||
|
|
||||||
class Meta:
|
class Meta:
|
||||||
|
|
|
@ -9,12 +9,18 @@
|
||||||
<div class="col-sm-10">
|
<div class="col-sm-10">
|
||||||
<p>
|
<p>
|
||||||
Expression using <a href="https://jinja.palletsprojects.com/en/2.11.x/templates/">Jinja</a>. Following variables are available:
|
Expression using <a href="https://jinja.palletsprojects.com/en/2.11.x/templates/">Jinja</a>. Following variables are available:
|
||||||
<ul>
|
|
||||||
<li><code>request.user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/reference/property-mappings/user-object/">Reference</a>)</li>
|
|
||||||
<li><code>request.http_request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
|
|
||||||
<li><code>request.obj</code>: Model the Policy is run against. </li>
|
|
||||||
</ul>
|
|
||||||
</p>
|
</p>
|
||||||
|
<ul>
|
||||||
|
<li><code>request.user</code>: Passbook User Object (<a href="https://beryju.github.io/passbook/reference/property-mappings/user-object/">Reference</a>)</li>
|
||||||
|
<li><code>request.http_request</code>: Django HTTP Request Object (<a href="https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects">Reference</a>) </li>
|
||||||
|
<li><code>request.obj</code>: Model the Policy is run against. </li>
|
||||||
|
<li><code>pb_is_sso_flow</code>: Boolean which is true if request was initiated by by Authenticating through an external Provider.</li>
|
||||||
|
</ul>
|
||||||
|
<p>Custom Filters:</p>
|
||||||
|
<ul>
|
||||||
|
<li><code>regex_match(regex)</code>: Checks if value matches <code>regex</code></li>
|
||||||
|
<li><code>regex_replace(regex, repl)</code>: Replace string matched by <code>regex</code> with <code>repl</code></li>
|
||||||
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
{% endblock %}
|
{% endblock %}
|
||||||
|
|
Reference in New Issue