
    1 #  Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #  not use this file except in compliance with the License. You may obtain
    3 #  a copy of the License at
    4 #
    5 #       http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #  Unless required by applicable law or agreed to in writing, software
    8 #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #  License for the specific language governing permissions and limitations
   11 #  under the License.
   12 
   13 from oslo_policy import policy
   14 
   15 
# Role checks ("role:<name>" generic checks) that the rules below combine.
# ``_READER`` is not referenced by any rule in this module; it is kept so the
# module namespace stays the same.
_READER = "role:reader"
_MEMBER = "role:member"
_ADMIN = "role:admin"

# Restrict a role check to the project that owns the target container.  The
# ``%(target.container.project_id)s`` placeholder is filled in from the target
# dict at enforcement time, so the two checks only pass for callers whose token
# project matches the container's project.
_PROJECT_SCOPE = " and project_id:%(target.container.project_id)s"
_PROJECT_MEMBER = _MEMBER + _PROJECT_SCOPE
_PROJECT_ADMIN = _ADMIN + _PROJECT_SCOPE

# The caller is the user recorded as the container's creator.
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
# The container's ``read_project_access`` attribute is set (the literal
# ``True`` is compared against the substituted target value).
_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
   23 
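# Callers allowed to act on one specific container under the project-scoped
# checks: a member of the container's project who either created it or whose
# project has ``read_project_access`` to it, or an admin of that project.
# Hoisted out of the four rules that used to spell it out inline so the copies
# cannot drift apart.
_PROJECT_MEMBER_OR_ADMIN = (
    f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or "
    f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}"
)

# Default policy for the container endpoints.  Each entry is a
# ``DocumentedRuleDefault``: ``check_str`` is the default that deployers may
# override in their policy file, ``scope_types=['project']`` declares that the
# rule is meant for project-scoped tokens, and ``operations`` only documents
# the API paths the rule guards (it is not used for enforcement).
#
# The ``rule:...`` names referenced in the check strings (``admin_or_creator``,
# ``all_but_audit``, ``container_*``, ``admin``) are defined in other policy
# modules, not here; each is OR-ed with the role-based check so that either
# form grants access.
rules = [
    policy.DocumentedRuleDefault(
        name='containers:post',
        check_str=f"rule:admin_or_creator or {_MEMBER}",
        scope_types=['project'],
        description='Creates a container.',
        operations=[
            {
                'path': '/v1/containers',
                'method': 'POST'
            }
        ]
    ),
    policy.DocumentedRuleDefault(
        name='containers:get',
        check_str=f"rule:all_but_audit or {_MEMBER}",
        scope_types=['project'],
        description='Lists a projects containers.',
        operations=[
            {
                'path': '/v1/containers',
                'method': 'GET'
            }
        ]
    ),
    policy.DocumentedRuleDefault(
        name='container:get',
        # Read access is the widest of the per-container rules: it additionally
        # honours non-private containers and ACL read grants.
        check_str=(
            'rule:container_non_private_read or '
            'rule:container_project_creator or '
            'rule:container_project_admin or '
            'rule:container_acl_read or '
            f"{_PROJECT_MEMBER_OR_ADMIN}"
        ),
        scope_types=['project'],
        description='Retrieves a single container.',
        operations=[
            {
                'path': '/v1/containers/{container-id}',
                'method': 'GET'
            }
        ]
    ),
    policy.DocumentedRuleDefault(
        name='container:delete',
        check_str=(
            'rule:container_project_admin or '
            'rule:container_project_creator or '
            f"{_PROJECT_MEMBER_OR_ADMIN}"
        ),
        scope_types=['project'],
        description='Deletes a container.',
        operations=[
            {
                # Placeholder name aligned with the other container rules,
                # which document the same path segment as ``{container-id}``.
                'path': '/v1/containers/{container-id}',
                'method': 'DELETE'
            }
        ]
    ),
    policy.DocumentedRuleDefault(
        name='container_secret:post',
        check_str=(
            'rule:admin or '
            f"{_PROJECT_MEMBER_OR_ADMIN}"
        ),
        scope_types=['project'],
        description='Add a secret to an existing container.',
        operations=[
            {
                'path': '/v1/containers/{container-id}/secrets',
                'method': 'POST'
            }
        ]
    ),
    policy.DocumentedRuleDefault(
        name='container_secret:delete',
        check_str=(
            'rule:admin or '
            f"{_PROJECT_MEMBER_OR_ADMIN}"
        ),
        scope_types=['project'],
        description='Remove a secret from a container.',
        operations=[
            {
                'path': '/v1/containers/{container-id}/secrets/{secret-id}',
                'method': 'DELETE'
            }
        ]
    ),
]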
  110 
  111 
def list_rules():
    """Return this module's container policy defaults.

    The module-level ``rules`` list itself is returned, not a copy.
    """
    return rules