Commit 30a25503 authored by Ziirish's avatar Ziirish

Allow to exclude patterns as well (fix #305)

parent ed2a646a
......@@ -49,6 +49,27 @@ def _extract_key(data, key, name, default=[], fallback='clients'):
return extract.get(fallback, default)
def _glob_match(globs, string, extended=True):
def __eval_glob(glob):
if extended:
reg = fnmatch.translate(glob)
return re.match(reg, string)
return glob == string
if not isinstance(globs, list):
if __eval_glob(globs):
return [globs]
return []
ret = []
for glob in globs:
if __eval_glob(glob):
if extended:
ret.append(glob)
else:
ret.append(string)
break
return ret
class BUImetaGrant(object):
def _merge_data(self, d1, d2):
......@@ -549,7 +570,7 @@ class BUIgrantHandler(BUImetaGrant, BUIacl):
for odr in order:
if odr == 'exclude' and (
any(x in excludes for x in client_match) or
client in excludes):
_glob_match(excludes, client, self.opt('extended'))):
return False
elif any(x in y
for x in server_match
......@@ -565,7 +586,7 @@ class BUIgrantHandler(BUImetaGrant, BUIacl):
for odr in order:
if odr == 'exclude' and (
any(x in excludes for x in client_match) or
client in excludes):
_glob_match(excludes, client, self.opt('extended'))):
return False
elif client_match is not False and \
(any(x in adv2 for x in client_match) or
......@@ -580,7 +601,7 @@ class BUIgrantHandler(BUImetaGrant, BUIacl):
for odr in order:
if odr == 'exclude' and client_match and (
any(x in excludes for x in client_match) or
client in excludes):
_glob_match(excludes, client, self.opt('extended'))):
return False
return client_match is not False or is_admin
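Review bot: At the three rewritten `exclude` checks, `_glob_match(excludes, client, self.opt('extended'))` treats the entries as globs only when that option is truthy; otherwise `__eval_glob` falls back to `glob == string`, so an entry such as `client.win*` matches nothing and the client stays granted. Because `exclude` is the deny side of the ACL, that silent fallback should be documented where it is decided, e.g. `# exact mode: entries are compared literally, a glob in exclude denies nothing` above the `return glob == string` line, together with a short docstring on `_glob_match` saying that it returns the list of matching globs (or `[string]` in exact mode) and that the extended match is case-sensitive as produced by `fnmatch.translate`. How `opt('extended')` is defined and what it defaults to is outside the visible hunks, so whether a default install is affected needs confirming. The three grant-check methods start and end outside their hunks.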
......
......@@ -788,8 +788,10 @@ keyword.
Since *v0.7.0*, you can also define an additional ``order`` keyword in order
to specify in which order the ACL engine should evaluate the rules (should we
match ``ro`` first or ``rw``). The default evaluation order is ``rw`` then ``ro``.
to specify in which order the ACL engine should evaluate the rules.
The default being ``exclude``, then ``rw`` then ``ro``.
Note: any omitted value will be appended to your list (ie. ``"order": ["ro", "rw"]``
will be interpreted as ``["ro", "rw", "exclude"]``).
Example:
::
......@@ -802,7 +804,7 @@ whereas without the ``order`` keywoard, ``client.specific.test`` would have
matched the ``rw`` rule first and thus would be considered as ``rw``.
There is also a new ``exclude`` keyword that supports excluding clients from
the matching rules.
the matching rules. Of course, ``exclude`` also supports *globs* patterns.
Here is an example:
......
......@@ -63,6 +63,11 @@ v0.7.0
server in a single place with the ability to process hundreds of requests
asynchronously.
- **New** - The ``ACL`` engine now allows you to specify the evaluation *order*
through a new ``order`` keyword. You can also explicitly exclude clients
from any rule with the ``exclude`` keyword. See the
`BASIC ACL <advanced_usage.html#basic-acl>`__ documentation for details.
v0.6.0
------
......
......@@ -352,6 +352,17 @@ rotate = 5
#+group2 = user5
## As a result, user5 will be granted the following rights:
## '{"ro": {"agents": ["*", "agent1"], "www*": ["desk*"]}, "rw": {"clients": ["dev*"], "www*": ["desk1"]}}
## You can also explicitly exclude some clients from a rule:
## '{"agents": {"agent1": {"rw": ["client.*"], "exclude": ["client.win*"]}}}'
## With the above rule, every client named "client.something" will be considered
## "rw" on "agent1" except those starting with "client.win".
## Finally, you can specify per rule evaluation order. The default being:
## 1) exclude rules 2) rw 3) ro
## With the default evaluation order, the following rule:
## '{"agents": {"agent1": {"rw": ["client.*"], "ro": ["client.specific.*"]}}}'
## will consider "client.specific.test" as "rw", whereas with the following
## '{"order": ["ro", "rw"], "agents": {"agent1": {"rw": ["client.*"], "ro": ["client.specific.*"]}}}'
## "client.specific.test" will match "ro" first and hence won't be considered "rw"
## If you set backend to 'multi', add at least one section like this per
## bui-agent
......