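#
# rbac (role based access control utilities)
#

#
# get_has_profile_permission()
#
# Returns true if profile_name is covered by the given access_item: either the
# access item carries the "all_profiles" flag, or profile_name appears in its
# "profiles" list. Anything else is denied (deny by default).
#
# Parameters:
#   profile_name: The profile node name to test (exact, case-sensitive match)
#   access_item:  One entry of a user's "access" node
#
subroutine(get_has_profile_permission(
  string profile_name,
  node access_item), (

  bool has_profile_permission = false;

  # Test for the "all_profiles" subnode before reading it, so a missing flag
  # is simply "not set" instead of a dereference of an absent node.
  if (access_item?{"all_profiles"} and @access_item{"all_profiles"}) then (
    has_profile_permission = true;
  )
  else if (access_item?{"profiles"}) then (
    # Walk the explicit profile list and stop at the first exact match.
    node allowed_profile;
    node allowed_profiles = access_item{"profiles"};
    foreach allowed_profile allowed_profiles (
      if (@allowed_profile eq profile_name) then (
        has_profile_permission = true;
        last;
      );
    );
  );

  # Return
  has_profile_permission;
));

#
# get_has_netwok_api_action_permission()
#
# (The "netwok" spelling is kept because callers reference this name.)
#
# Returns true if at least one role listed in access_item{"roles"} has a
# "features.network_api.<action_name>.view" node under the given roles node.
#
# NOTE(review): this is an existence test ("?"), not a value test -- a
# "...view" node that exists but holds false would still grant access.
# Confirm the roles config never writes an explicit false there, or change
# this to read the node's value.
# NOTE(review): role_name and action_name are spliced into a node path. The
# caller validates action_name against the feature map; role names come from
# config, but a role name containing "." would be read as a nested path.
#
# Parameters:
#   action_name: The action node name (validated by the caller)
#   roles:       The roles config node ("roles_enterprise" or "roles_standard")
#   access_item: One entry of a user's "access" node
#
subroutine(get_has_netwok_api_action_permission(
  string action_name,
  node roles,
  node access_item), (

  bool has_netwok_api_action_permission = false;

  if (access_item?{"roles"}) then (
    node role;
    node access_item_roles = access_item{"roles"};
    string role_name;
    string view_path;
    foreach role access_item_roles (
      role_name = @role;
      view_path = roles . "." . role_name . ".features.network_api." . action_name . ".view";
      # Grant on the first role that exposes the action's view node.
      if (?(view_path)) then (
        has_netwok_api_action_permission = true;
        last;
      );
    );
  );

  debug_message("#### has_netwok_api_action_permission: " . has_netwok_api_action_permission . "\n");

  # Return
  has_netwok_api_action_permission;
));

#
# get_user_has_network_api_access_permission()
#
# Checks whether the authenticated user may run the given network api action
# (for the given profile, when the action requires one) according to the
# access rights defined in users and roles. This subroutine assumes the user
# is already authenticated; it does not verify credentials.
#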
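#
# Parameters:
#   licensing_tier: The licensing tier. "enterprise" uses the roles_enterprise
#                   node, "pro" uses roles_standard; any other tier is denied
#                   outright (false even for root_admin).
#   username:       The username (the "username" field, not the user node name)
#   action_name:    The action node name
#   profile_name:   The profile node name, or "" for non-profile-specific actions
#
# Returns true only when the user is root_admin, or when one of the user's
# access items grants both the profile (if the action requires one) and the
# action. Every other path, including an unknown username, yields false.
#
subroutine(get_user_has_network_api_access_permission(
  string licensing_tier,
  string username,
  string action_name,
  string profile_name), (

  debug_message("\n#### get_user_has_network_api_access_permission() \n");

  bool is_root_admin = false;
  bool is_network_api_access_permission = false;

  if (licensing_tier eq "enterprise" or licensing_tier eq "pro") then (

    #
    # Look the user up by username (exact match) and note whether the matching
    # node is the root admin. A username that matches no user node is treated
    # as "no access" instead of dereferencing an unset node below.
    #
    bool found_user = false;
    node user;
    node the_user;
    foreach user "users" (
      if (@user{"username"} eq username) then (
        is_root_admin = (node_name(user) eq "root_admin");
        the_user = user;
        found_user = true;
        last;
      );
    );

    if (is_root_admin) then (
      # Root admin has access to everything
      is_network_api_access_permission = true;
    )
    else if (found_user) then (
      # Non-root-admin: the action must be a known network api action and the
      # user must have at least one access item.
      node netwok_api_list = "templates.admin_pages.roles.feature_map.network_api";
      if (netwok_api_list?{action_name} and
          the_user?{"access"} and
          (num_subnodes(the_user{"access"}) > 0)) then (

        # requires_profile=true means the access item must also cover
        # profile_name. NOTE(review): if the feature map entry has no
        # requires_profile subnode this reads as false and the profile check is
        # skipped (fail-open); confirm every network api action sets it.
        bool requires_profile = @netwok_api_list{action_name}{"requires_profile"};

        node roles = if (licensing_tier eq "enterprise") then ("roles_enterprise") else ("roles_standard");
        node user_access = the_user{"access"};
        node access_item;
        bool user_has_profile_permission;

        # Grant on the first access item that passes both checks; the profile
        # check is short-circuited when the action does not need a profile.
        foreach access_item user_access (
          user_has_profile_permission = !requires_profile or get_has_profile_permission(profile_name, access_item);
          debug_message("#### user_has_profile_permission: " . user_has_profile_permission . "\n");
          if (user_has_profile_permission and get_has_netwok_api_action_permission(action_name, roles, access_item)) then (
            is_network_api_access_permission = true;
            last;
          );
        );
      );
    );
  );

  debug_message("#### is_root_admin: " . is_root_admin . "\n");
  debug_message("#### is_network_api_access_permission: " . is_network_api_access_permission . "\n");

  # Return
  is_network_api_access_permission;
));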