Security Module

Security Proxy Facade

class registry.proxy.wms_proxy.WebMapServiceProxy(**kwargs)

Security proxy facade that secures registered services spatially, by their operations and for sets of users.

Attr service

registry.models.service.Service the requested service which was found by the pk.

Attr remote_service

registry.ows_client.request_builder.WebService the request builder to get prepared requests.models.Request objects with the correct uri and query params.

Attr access_denied_img

If sub elements are not accessible for the user, this PIL.Image object represents an overlay with information about the resources which cannot be accessed.

Attr bbox

django.contrib.gis.geos.polygon.Polygon the parsed bbox from query params.

get_and_post(request, *args, **kwargs)

HTTP GET/POST method that decides between the security cases below.

Principle constraints:
  • service is found by the given primary key. If not, return 404 - Service not found.

  • service is active. If not, return 423 - Service is disabled.

  • request query parameter is provided. If not, return 400 - Request param is missing.

Service is not secured condition:
  • service.is_secured == False OR

  • service.is_spatial_secured == False and service.is_user_principle_entitled == True OR

  • request query parameter not in ['GetMap', 'GetFeatureType', 'GetFeature']

If one condition matches, return the response from the remote service.

Service is secured condition:
  • service.is_spatial_secured == True and service.is_user_principle_entitled == True

If the condition matches, return the result from get_secured_response()

Default behavior:

Return 403 (Forbidden) - User has no permissions to request this service.

Note

All error messages will be sent as an owsExceptionReport. See return_http_response() for details.

Returns

the computed response based on some principle decisions.

Return type

dict or requests.models.Request
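
The decision order described for get_and_post(), written out as an added example (not the project's own code). `Svc`, `decide`, `denied_combinations` and the `is_active` attribute name are hypothetical, and the exact, case-sensitive match on the request parameter is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Operation names exactly as the page lists them for the pass-through rule.
SECURED_OPERATIONS = {"GetMap", "GetFeatureType", "GetFeature"}


@dataclass
class Svc:
    """Hypothetical stand-in for the service record; not the project's model."""
    is_active: bool = True  # assumed attribute name for "service is active"
    is_secured: bool = True
    is_spatial_secured: bool = True
    is_user_principle_entitled: bool = False


def decide(service: Optional[Svc], request_param: Optional[str]):
    """Return (action, http_status); status is None when set downstream."""
    # Principle constraints: each failure ends the request early.
    if service is None:
        return "deny", 404
    if not service.is_active:
        return "deny", 423
    if not request_param:
        return "deny", 400
    # "Service is not secured": any one match forwards to the remote service.
    if (not service.is_secured
            or (not service.is_spatial_secured
                and service.is_user_principle_entitled)
            # Assumption: exact string match, no case normalization.
            or request_param not in SECURED_OPERATIONS):
        return "forward", None
    # "Service is secured": entitled user on a spatially secured service.
    if service.is_spatial_secured and service.is_user_principle_entitled:
        return "get_secured_response", None
    # Default behavior: no condition matched, so deny.
    return "deny", 403


def denied_combinations():
    """(is_spatial_secured, is_user_principle_entitled) pairs denied for GetMap."""
    out = []
    for spatial in (False, True):
        for entitled in (False, True):
            svc = Svc(is_spatial_secured=spatial,
                      is_user_principle_entitled=entitled)
            if decide(svc, "GetMap") == ("deny", 403):
                out.append((spatial, entitled))
    return out
```

On a secured service, the enumeration shows that the 403 default is reached exactly when the user is not entitled, regardless of the spatial flag.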

handle_get_feature_info_with_multithreading()

We use multithreading to send two requests at the same time to speed up the response time.

handle_secured_get_feature_info()

Return the GetFeatureInfo response if the bbox is covered by any allowed area or the response features are contained in any allowed area.

If not, we respond with an owsExceptionReport in XML format.

Note

Excerpt from the OGC WMS 1.3.0 specification: The server shall return a response according to the requested INFO_FORMAT if the request is valid, or issue a service exception otherwise. The nature of the response is at the discretion of the service provider, but it shall pertain to the feature(s) nearest to (I,J). (see section 7.4.4)

Returns

the GetFeatureInfo response

Return type

request.models.Response or dict if the request is not allowed.

handle_secured_get_map()

Compute the secured get map response if the requested bbox intersects any allowed area.

Example 1: bbox covers allowed area

[Figures: request and result for a bbox that covers the allowed area]

Example 2: bbox intersects allowed area

[Figures: request and result for a bbox that intersects the allowed area]

Returns

The cropped map image with status code 200, or an error message with status code 403 (Forbidden) if the bbox doesn't intersect any allowed area.

Return type

dict

secure_request()

Handler to decide which subroutine for the given request param shall run.

Returns

the correct handler function for the given request param.

Return type

function

service_cls

alias of registry.models.service.WebMapService

class registry.proxy.wfs_proxy.WebFeatureServiceProxy(**kwargs)

Security proxy facade that secures registered services spatially, by their operations and for sets of users.

Attr service

registry.models.service.Service the requested service which was found by the pk.

Attr remote_service

registry.ows_client.request_builder.WebService the request builder to get prepared requests.models.Request objects with the correct uri and query params.

Attr access_denied_img

If sub elements are not accessible for the user, this PIL.Image object represents an overlay with information about the resources which cannot be accessed.

Attr bbox

django.contrib.gis.geos.polygon.Polygon the parsed bbox from query params.

secure_request()

Handler to decide which subroutine for the given request param shall run.

Returns

the correct handler function for the given request param.

Return type

function

service_cls

alias of registry.models.service.WebFeatureService