"Fossies" - the Fresh Open Source Software Archive

Member "barbican-12.0.0/barbican/common/policies/secrets.py" (14 Apr 2021, 3984 Bytes) of package /linux/misc/openstack/barbican-12.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. For more information about "secrets.py" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 11.0.0_vs_12.0.0.

    1 #  Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #  not use this file except in compliance with the License. You may obtain
    3 #  a copy of the License at
    4 #
    5 #       http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #  Unless required by applicable law or agreed to in writing, software
    8 #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #  License for the specific language governing permissions and limitations
   11 #  under the License.
   12 
   13 from oslo_policy import policy
   14 
   15 
   16 _READER = "role:reader"
   17 _MEMBER = "role:member"
   18 _ADMIN = "role:admin"
   19 _PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.secret.project_id)s"
   20 _PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.secret.project_id)s"
   21 _SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
   22 _SECRET_IS_NOT_PRIVATE = "True:%(target.secret.read_project_access)s"
   23 
   24 rules = [
   25     policy.DocumentedRuleDefault(
   26         name='secret:decrypt',
   27         check_str='rule:secret_decrypt_non_private_read or ' +
   28                   'rule:secret_project_creator or ' +
   29                   'rule:secret_project_admin or rule:secret_acl_read or ' +
   30                   f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
   31                   f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
   32         scope_types=['project'],
   33         description='Retrieve a secrets payload.',
   34         operations=[
   35             {
   36                 'path': '/v1/secrets/{uuid}/payload',
   37                 'method': 'GET'
   38             }
   39         ]
   40     ),
   41     policy.DocumentedRuleDefault(
   42         name='secret:get',
   43         check_str='rule:secret_non_private_read or ' +
   44                   'rule:secret_project_creator or ' +
   45                   'rule:secret_project_admin or rule:secret_acl_read or ' +
   46                   f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
   47                   f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
   48         scope_types=['project'],
   49         description='Retrieves a secrets metadata.',
   50         operations=[
   51             {
   52                 'path': '/v1/secrets/{secret-id}',
   53                 'method': 'GET"'
   54             }
   55         ]
   56     ),
   57     policy.DocumentedRuleDefault(
   58         name='secret:put',
   59         check_str='rule:admin_or_creator and rule:secret_project_match or ' +
   60                   f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
   61                   f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
   62         scope_types=['project'],
   63         description='Add the payload to an existing metadata-only secret.',
   64         operations=[
   65             {
   66                 'path': '/v1/secrets/{secret-id}',
   67                 'method': 'PUT'
   68             }
   69         ]
   70     ),
   71     policy.DocumentedRuleDefault(
   72         name='secret:delete',
   73         check_str='rule:secret_project_admin or ' +
   74                   'rule:secret_project_creator or ' +
   75                   f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
   76                   f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
   77         scope_types=['project'],
   78         description='Delete a secret by uuid.',
   79         operations=[
   80             {
   81                 'path': '/v1/secrets/{secret-id}',
   82                 'method': 'DELETE'
   83             }
   84         ]
   85     ),
   86     policy.DocumentedRuleDefault(
   87         name='secrets:post',
   88         check_str=f'rule:admin_or_creator or {_MEMBER}',
   89         scope_types=['project'],
   90         description='Creates a Secret entity.',
   91         operations=[
   92             {
   93                 'path': '/v1/secrets',
   94                 'method': 'POST'
   95             }
   96         ]
   97     ),
   98     policy.DocumentedRuleDefault(
   99         name='secrets:get',
  100         check_str=f'rule:all_but_audit or {_MEMBER}',
  101         scope_types=['project'],
  102         description='Lists a projects secrets.',
  103         operations=[
  104             {
  105                 'path': '/v1/secrets',
  106                 'method': 'GET'
  107             }
  108         ]
  109     )
  110 ]
  111 
  112 
  113 def list_rules():
  114     return rules