"""
.. module: lemur.auth.permissions
:platform: Unix
:synopsis: This module defines all the permission used within Lemur
:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
:license: Apache, see LICENSE for more details.
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
from functools import partial
from collections import namedtuple
from flask_principal import Permission, RoleNeed
# Permissions
# Coarse, role-wide permissions. A flask_principal Permission is satisfied when
# the current identity provides at least one of its needs; each of these holds
# exactly one RoleNeed, so only that role passes.
_OPERATOR_NEED = RoleNeed("operator")
_ADMIN_NEED = RoleNeed("admin")

operator_permission = Permission(_OPERATOR_NEED)
admin_permission = Permission(_ADMIN_NEED)
# Need expressing ownership of a certificate, shaped ("role", <role name>).
# The typename "certificate" is what appears in the tuple's repr; keep it
# stable since identity loaders elsewhere are expected to emit matching tuples.
CertificateOwner = namedtuple("certificate", "method value")
# Pre-binds method="role", so CertificateOwnerNeed(name) == ("role", name).
CertificateOwnerNeed = partial(CertificateOwner, "role")
class SensitiveDomainPermission(Permission):
    """Permission guarding operations on sensitive domains.

    Carries a single need, ``RoleNeed("admin")``, so only identities that
    provide the ``admin`` role satisfy it.
    """

    def __init__(self):
        admin_only = RoleNeed("admin")
        super().__init__(admin_only)
class CertificatePermission(Permission):
    """Permission to act on a single certificate.

    The permission holds several needs and is satisfied by an identity
    providing any one of them:

    * the ``admin`` role;
    * the role named by ``owner`` (the owner string is used as-is as a role
      name);
    * the fixed ``creator`` role. Note this is a literal role name, not a
      reference to this certificate's own creator: any identity holding
      ``creator`` passes this check for every certificate. Confirm that is
      the intended scope;
    * a ``CertificateOwnerNeed`` for each of ``roles`` (plus its lower-cased
      spelling when the name is mixed-case).

    Args:
        owner: owner string of the certificate, consumed directly as a role
            name.
        roles: iterable whose items stringify to role names (presumably Role
            model instances — confirm against the callers).
    """

    def __init__(self, owner, roles):
        needs = [RoleNeed("admin"), RoleNeed(owner), RoleNeed("creator")]
        for role in roles:
            name = str(role)
            needs.append(CertificateOwnerNeed(name))
            # Backwards compatibility with mixed-case role names: the
            # lower-cased spelling is accepted alongside the original one.
            lowered = name.lower()
            if name != lowered:
                needs.append(CertificateOwnerNeed(lowered))
        super().__init__(*needs)
class ApiKeyCreatorPermission(Permission):
    """Permission to create API keys.

    Holds a single need, ``RoleNeed("admin")``; only the ``admin`` role
    satisfies it.
    """

    def __init__(self):
        admin_only = RoleNeed("admin")
        super().__init__(admin_only)
# Need expressing membership of a role, shaped ("member", <role id>).
# The typename "role" is part of the tuple's repr; keep it stable.
RoleMember = namedtuple("role", "method value")
# Pre-binds method="member", so RoleMemberNeed(role_id) == ("member", role_id).
# The id is passed through unconverted — whatever type the caller supplies is
# what must be matched by the identity's provided needs.
RoleMemberNeed = partial(RoleMember, "member")
class RoleMemberPermission(Permission):
    """Permission to act on a single role.

    Satisfied by an identity providing either the ``admin`` role or a
    ``RoleMemberNeed`` for ``role_id``.

    Args:
        role_id: identifier of the role. It is forwarded without conversion
            (contrast ``AuthorityPermission``, which ``str()``s its id), so
            the identity loader must provide the need with the same type —
            confirm which type is used there.
    """

    def __init__(self, role_id):
        member_of_role = RoleMemberNeed(role_id)
        super().__init__(RoleNeed("admin"), member_of_role)
# Needs relating an identity to a certificate authority. Both tuples share the
# typename "authority" (part of the repr) and the same field layout; they are
# told apart only by the pre-bound ``method`` value.
AuthorityCreator = namedtuple("authority", "method value")
# ("authorityUse", <authority id>): the identity may use this authority.
AuthorityCreatorNeed = partial(AuthorityCreator, "authorityUse")

AuthorityOwner = namedtuple("authority", "method value")
# ("role", <role name>): the identity holds a role that owns this authority.
AuthorityOwnerNeed = partial(AuthorityOwner, "role")
class AuthorityPermission(Permission):
    """Permission to act on a single certificate authority.

    Satisfied by an identity providing any one of: the ``admin`` role, an
    ``AuthorityCreatorNeed`` for ``authority_id``, or an ``AuthorityOwnerNeed``
    for any of ``roles``. Unlike ``CertificatePermission``, no lower-cased
    variant is added for mixed-case role names — presumably intentional, but
    worth confirming.

    Args:
        authority_id: identifier of the authority; converted with ``str()``
            before being placed in the need.
        roles: iterable whose items stringify to role names (presumably Role
            model instances — confirm against the callers).
    """

    def __init__(self, authority_id, roles):
        needs = [RoleNeed("admin"), AuthorityCreatorNeed(str(authority_id))]
        needs.extend(AuthorityOwnerNeed(str(role)) for role in roles)
        super().__init__(*needs)