"Fossies" - the Fresh Open Source Software Archive

Member "barbican-12.0.0/barbican/common/policies/consumers.py" (14 Apr 2021, 4388 Bytes) of package /linux/misc/openstack/barbican-12.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "consumers.py" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 11.0.0_vs_12.0.0.

    1 #  Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #  not use this file except in compliance with the License. You may obtain
    3 #  a copy of the License at
    4 #
    5 #       http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #  Unless required by applicable law or agreed to in writing, software
    8 #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #  License for the specific language governing permissions and limitations
   11 #  under the License.
   12 
   13 from oslo_policy import policy
   14 
   15 # FIXME(hrybacki): Note that the GET rules have the same check strings.
   16 #                  The POST/DELETE rules also share the check stirngs.
   17 #                  These can probably be turned into constants in base
   18 
   19 
   20 _READER = "role:reader"
   21 _MEMBER = "role:member"
   22 _ADMIN = "role:admin"
   23 _SYSTEM_ADMIN = "role:admin and system_scope:all"
   24 _PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
   25 _PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
   26 _CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
   27 _CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
   28 
   29 rules = [
   30     policy.DocumentedRuleDefault(
   31         name='consumer:get',
   32         check_str='rule:admin or rule:observer or rule:creator or ' +
   33                   'rule:audit or rule:container_non_private_read or ' +
   34                   'rule:container_project_creator or ' +
   35                   'rule:container_project_admin or rule:container_acl_read' +
   36                   f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
   37                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
   38                   f"{_SYSTEM_ADMIN}",
   39         scope_types=['project', 'system'],
   40         description='List a specific consumer for a given container.',
   41         operations=[
   42             {
   43                 'path': '/v1/containers/{container-id}/consumers/' +
   44                         '{consumer-id}',
   45                 'method': 'GET'
   46             }
   47         ]
   48     ),
   49     policy.DocumentedRuleDefault(
   50         name='consumers:get',
   51         check_str='rule:admin or rule:observer or rule:creator or ' +
   52                   'rule:audit or rule:container_non_private_read or ' +
   53                   'rule:container_project_creator or ' +
   54                   'rule:container_project_admin or rule:container_acl_read' +
   55                   f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
   56                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
   57                   f"{_SYSTEM_ADMIN}",
   58         scope_types=['project', 'system'],
   59         description='List a containers consumers.',
   60         operations=[
   61             {
   62                 'path': '/v1/containers/{container-id}/consumers',
   63                 'method': 'GET'
   64             }
   65         ]
   66     ),
   67     policy.DocumentedRuleDefault(
   68         name='consumers:post',
   69         check_str='rule:admin or rule:container_non_private_read or ' +
   70                   'rule:container_project_creator or ' +
   71                   'rule:container_project_admin or rule:container_acl_read' +
   72                   f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
   73                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
   74                   f"{_SYSTEM_ADMIN}",
   75         scope_types=['project', 'system'],
   76         description='Creates a consumer.',
   77         operations=[
   78             {
   79                 'path': '/v1/containers/{container-id}/consumers',
   80                 'method': 'POST'
   81             }
   82         ]
   83     ),
   84     policy.DocumentedRuleDefault(
   85         name='consumers:delete',
   86         check_str='rule:admin or rule:container_non_private_read or ' +
   87                   'rule:container_project_creator or ' +
   88                   'rule:container_project_admin or rule:container_acl_read' +
   89                   f" or ({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
   90                   f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN} or " +
   91                   f"{_SYSTEM_ADMIN}",
   92         scope_types=['project', 'system'],
   93         description='Deletes a consumer.',
   94         operations=[
   95             {
   96                 'path': '/v1/containers/{container-id}/consumers/' +
   97                         '{consumer-id}',
   98                 'method': 'DELETE'
   99             }
  100         ]
  101     ),
  102 ]
  103 
  104 
  105 def list_rules():
  106     return rules