lemur/lemur/auth/permissions.py

"""
.. module: lemur.auth.permissions
    :platform: Unix
    :synopsis: This module defines all the permission used within Lemur
    :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
from functools import partial
from collections import namedtuple

from flask_principal import Permission, RoleNeed

# Permissions
operator_permission = Permission(RoleNeed('operator'))
admin_permission = Permission(RoleNeed('admin'))

CertificateOwner = namedtuple('certificate', ['method', 'value'])
CertificateOwnerNeed = partial(CertificateOwner, 'role')


class SensitiveDomainPermission(Permission):
    def __init__(self):
        super(SensitiveDomainPermission, self).__init__(RoleNeed('admin'))


class CertificatePermission(Permission):
    def __init__(self, owner, roles):
        needs = [RoleNeed('admin'), RoleNeed(owner), RoleNeed('creator')]
        for r in roles:
            needs.append(CertificateOwnerNeed(str(r)))

        super(CertificatePermission, self).__init__(*needs)


class ApiKeyCreatorPermission(Permission):
    def __init__(self):
        super(ApiKeyCreatorPermission, self).__init__(RoleNeed('admin'))


RoleMember = namedtuple('role', ['method', 'value'])
RoleMemberNeed = partial(RoleMember, 'member')


class RoleMemberPermission(Permission):
    def __init__(self, role_id):
        needs = [RoleNeed('admin'), RoleMemberNeed(role_id)]
        super(RoleMemberPermission, self).__init__(*needs)


AuthorityCreator = namedtuple('authority', ['method', 'value'])
AuthorityCreatorNeed = partial(AuthorityCreator, 'authorityUse')

AuthorityOwner = namedtuple('authority', ['method', 'value'])
AuthorityOwnerNeed = partial(AuthorityOwner, 'role')


class AuthorityPermission(Permission):
    def __init__(self, authority_id, roles):
        needs = [RoleNeed('admin'), AuthorityCreatorNeed(str(authority_id))]
        for r in roles:
            needs.append(AuthorityOwnerNeed(str(r)))

        super(AuthorityPermission, self).__init__(*needs)
initial commit 2015-06-22 22:47:27 +02:00			`"""`
Making Lemur py3 compatible 2015-08-04 06:07:28 +02:00			`.. module: lemur.auth.permissions`
initial commit 2015-06-22 22:47:27 +02:00			`:platform: Unix`
			`:synopsis: This module defines all the permission used within Lemur`
Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 19:18:16 +02:00			`:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more`
initial commit 2015-06-22 22:47:27 +02:00			`:license: Apache, see LICENSE for more details.`
			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
			`from functools import partial`
			`from collections import namedtuple`

migrating flask imports (#525) 2016-11-23 06:11:20 +01:00			`from flask_principal import Permission, RoleNeed`
initial commit 2015-06-22 22:47:27 +02:00
			`# Permissions`
			`operator_permission = Permission(RoleNeed('operator'))`
Removing netflix specific role 2015-06-26 03:06:47 +02:00			`admin_permission = Permission(RoleNeed('admin'))`
initial commit 2015-06-22 22:47:27 +02:00
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`CertificateOwner = namedtuple('certificate', ['method', 'value'])`
			`CertificateOwnerNeed = partial(CertificateOwner, 'role')`

initial commit 2015-06-22 22:47:27 +02:00
Adds ability for domains to be marked as sensitive and only be allowed to be issued by an admin closes #5 2015-12-31 00:11:08 +01:00			`class SensitiveDomainPermission(Permission):`
			`def __init__(self):`
			`super(SensitiveDomainPermission, self).__init__(RoleNeed('admin'))`


Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`class CertificatePermission(Permission):`
Log fixes (#534) * tying up some loose ends with event logging * Ensuring creators can access 2016-11-28 23:13:16 +01:00			`def __init__(self, owner, roles):`
			`needs = [RoleNeed('admin'), RoleNeed(owner), RoleNeed('creator')]`
Making roles more apparent for certificates and authorities. (#327) 2016-05-20 21:48:12 +02:00			`for r in roles:`
			`needs.append(CertificateOwnerNeed(str(r)))`

			`super(CertificatePermission, self).__init__(*needs)`


add per user api keys to the backend (#995) Adds in per user api keys to the backend of lemur. the basics are: - API Keys are really just JWTs with custom second length TTLs. - API Keys are provided in the exact same ways JWTs are now. - API Keys can be revoked/unrevoked at any time by their creator as well as have their TTL Change at anytime. - Users can create/view/list their own API Keys at will, and an admin role has permission to modify all api keys in the instance. Adds in support for lemur api keys to the frontend of lemur. doing this required a few changes to the backend as well, but it is now all working (maybe not the best way though, review will determine that). - fixes inconsistency in moduleauthor name I inputted during the first commit. - Allows the revoke schema to optionally allow a full api_key object. - Adds `/users/:user_id/api_keys/:api_key` and `/users/:user_id/api_keys` endpoints. - normalizes use of `userId` vs `userId` - makes `put` call respond with a JWT so the frontend can show the token on updating. - adds in the API Key views for clicking "API Keys" on the main nav. - adds in the API Key views for clicking into a users edit page. - adds tests for the API Key backend views I added. 2017-12-04 17:50:31 +01:00			`class ApiKeyCreatorPermission(Permission):`
			`def __init__(self):`
			`super(ApiKeyCreatorPermission, self).__init__(RoleNeed('admin'))`


Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-12 02:24:15 +02:00			`RoleMember = namedtuple('role', ['method', 'value'])`
			`RoleMemberNeed = partial(RoleMember, 'member')`
initial commit 2015-06-22 22:47:27 +02:00

Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-12 02:24:15 +02:00			`class RoleMemberPermission(Permission):`
initial commit 2015-06-22 22:47:27 +02:00			`def __init__(self, role_id):`
Fixes an issuer where a member of a role is not able to add new users to said role. (#445) 2016-10-12 02:24:15 +02:00			`needs = [RoleNeed('admin'), RoleMemberNeed(role_id)]`
			`super(RoleMemberPermission, self).__init__(*needs)`
initial commit 2015-06-22 22:47:27 +02:00

			`AuthorityCreator = namedtuple('authority', ['method', 'value'])`
			`AuthorityCreatorNeed = partial(AuthorityCreator, 'authorityUse')`

			`AuthorityOwner = namedtuple('authority', ['method', 'value'])`
			`AuthorityOwnerNeed = partial(AuthorityOwner, 'role')`


			`class AuthorityPermission(Permission):`
			`def __init__(self, authority_id, roles):`
Making Lemur py3 compatible 2015-08-04 06:07:28 +02:00			`needs = [RoleNeed('admin'), AuthorityCreatorNeed(str(authority_id))]`
initial commit 2015-06-22 22:47:27 +02:00			`for r in roles:`
Making Lemur py3 compatible 2015-08-04 06:07:28 +02:00			`needs.append(AuthorityOwnerNeed(str(r)))`
initial commit 2015-06-22 22:47:27 +02:00
			`super(AuthorityPermission, self).__init__(*needs)`