""" .. module: lemur.auth.permissions :platform: Unix :synopsis: This module defines all the permission used within Lemur :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more :license: Apache, see LICENSE for more details. .. moduleauthor:: Kevin Glisson """ from functools import partial from collections import namedtuple from flask import current_app from flask_principal import Permission, RoleNeed # Permissions operator_permission = Permission(RoleNeed("operator")) admin_permission = Permission(RoleNeed("admin")) CertificateOwner = namedtuple("certificate", ["method", "value"]) CertificateOwnerNeed = partial(CertificateOwner, "role") class SensitiveDomainPermission(Permission): def __init__(self): needs = [RoleNeed("admin")] sensitive_domain_roles = current_app.config.get("SENSITIVE_DOMAIN_ROLES", []) if sensitive_domain_roles: for role in sensitive_domain_roles: needs.append(RoleNeed(role)) super(SensitiveDomainPermission, self).__init__(*needs) class CertificatePermission(Permission): def __init__(self, owner, roles): needs = [RoleNeed("admin"), RoleNeed(owner), RoleNeed("creator")] for r in roles: needs.append(CertificateOwnerNeed(str(r))) # Backwards compatibility with mixed-case role names if str(r) != str(r).lower(): needs.append(CertificateOwnerNeed(str(r).lower())) super(CertificatePermission, self).__init__(*needs) class ApiKeyCreatorPermission(Permission): def __init__(self): super(ApiKeyCreatorPermission, self).__init__(RoleNeed("admin")) RoleMember = namedtuple("role", ["method", "value"]) RoleMemberNeed = partial(RoleMember, "member") class RoleMemberPermission(Permission): def __init__(self, role_id): needs = [RoleNeed("admin"), RoleMemberNeed(role_id)] super(RoleMemberPermission, self).__init__(*needs) AuthorityCreator = namedtuple("authority", ["method", "value"]) AuthorityCreatorNeed = partial(AuthorityCreator, "authorityUse") AuthorityOwner = namedtuple("authority", ["method", "value"]) AuthorityOwnerNeed = partial(AuthorityOwner, "role") class AuthorityPermission(Permission): def __init__(self, authority_id, roles): needs = [RoleNeed("admin"), AuthorityCreatorNeed(str(authority_id))] for r in roles: needs.append(AuthorityOwnerNeed(str(r))) super(AuthorityPermission, self).__init__(*needs)