"Fossies" - the Fresh Open Source Software Archive

Member "barbican-12.0.0/barbican/common/policies/acls.py" (14 Apr 2021, 5339 Bytes) of package /linux/misc/openstack/barbican-12.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "acls.py" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 11.0.0_vs_12.0.0.

    1 #  Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #  not use this file except in compliance with the License. You may obtain
    3 #  a copy of the License at
    4 #
    5 #       http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #  Unless required by applicable law or agreed to in writing, software
    8 #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #  License for the specific language governing permissions and limitations
   11 #  under the License.
   12 
   13 from oslo_policy import policy
   14 
   15 # FIXME(hrybacki): Repetitive check strings: Port to simpler checks
   16 #                  - secret_acls:delete, secret_acls:put_patch
   17 #                  - container_acls:delete container_acls:put_patch
   18 
   19 _MEMBER = 'role:member'
   20 _ADMIN = 'role:admin'
   21 _SECRET_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
   22 _SECRET_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
   23 _SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
   24 _SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
   25 _CONTAINER_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
   26 _CONTAINER_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
   27 _CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
   28 _CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
   29 
   30 rules = [
   31     policy.DocumentedRuleDefault(
   32         name='secret_acls:get',
   33         check_str='(rule:all_but_audit and rule:secret_project_match) or ' +
   34                   f"({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
   35                   f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
   36         scope_types=['project'],
   37         description='Retrieve the ACL settings for a given secret.'
   38                     'If no ACL is defined for that secret, then Default ACL '
   39                     'is returned.',
   40         operations=[
   41             {
   42                 'path': '/v1/secrets/{secret-id}/acl',
   43                 'method': 'GET'
   44             },
   45         ]
   46     ),
   47     policy.DocumentedRuleDefault(
   48         name='secret_acls:delete',
   49         check_str='rule:secret_project_admin or rule:secret_project_creator' +
   50                   f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
   51                   f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
   52         scope_types=['project'],
   53         description='Delete the ACL settings for a given secret.',
   54         operations=[
   55             {
   56                 'path': '/v1/secrets/{secret-id}/acl',
   57                 'method': 'DELETE'
   58             },
   59         ]
   60     ),
   61     policy.DocumentedRuleDefault(
   62         name='secret_acls:put_patch',
   63         check_str='rule:secret_project_admin or rule:secret_project_creator' +
   64                   f" or ({_SECRET_MEMBER} and ({_SECRET_CREATOR} or " +
   65                   f"{_SECRET_IS_NOT_PRIVATE})) or {_SECRET_ADMIN}",
   66         scope_types=['project'],
   67         description='Create new, replaces, or updates existing ACL for a ' +
   68                     'given secret.',
   69         operations=[
   70             {
   71                 'path': '/v1/secrets/{secret-id}/acl',
   72                 'method': 'PUT'
   73             },
   74             {
   75                 'path': '/v1/secrets/{secret-id}/acl',
   76                 'method': 'PATCH'
   77             },
   78         ]
   79     ),
   80     policy.DocumentedRuleDefault(
   81         name='container_acls:get',
   82         check_str='(rule:all_but_audit and rule:container_project_match) or ' +
   83                   f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
   84                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
   85         scope_types=['project'],
   86         description='Retrieve the ACL settings for a given container.',
   87         operations=[
   88             {
   89                 'path': '/v1/containers/{container-id}/acl',
   90                 'method': 'GET'
   91             }
   92         ]
   93     ),
   94     policy.DocumentedRuleDefault(
   95         name='container_acls:delete',
   96         check_str='rule:container_project_admin or ' +
   97                   'rule:container_project_creator or ' +
   98                   f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
   99                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
  100         scope_types=['project'],
  101         description='Delete ACL for a given container. No content is returned '
  102                     'in the case of successful deletion.',
  103         operations=[
  104             {
  105                 'path': '/v1/containers/{container-id}/acl',
  106                 'method': 'DELETE'
  107             }
  108         ]
  109     ),
  110     policy.DocumentedRuleDefault(
  111         name='container_acls:put_patch',
  112         check_str='rule:container_project_admin or ' +
  113                   'rule:container_project_creator or ' +
  114                   f"({_CONTAINER_MEMBER} and ({_CONTAINER_CREATOR} or " +
  115                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_CONTAINER_ADMIN}",
  116         scope_types=['project'],
  117         description='Create new or replaces existing ACL for a given '
  118                     'container.',
  119         operations=[
  120             {
  121                 'path': '/v1/containers/{container-id}/acl',
  122                 'method': 'PUT'
  123             },
  124             {
  125                 'path': '/v1/containers/{container-id}/acl',
  126                 'method': 'PATCH'
  127             }
  128         ]
  129     ),
  130 ]
  131 
  132 
  133 def list_rules():
  134     return rules