76 lines
2.5 KiB
Python
76 lines
2.5 KiB
Python
"""
|
|
.. module: lemur.auth.permissions
|
|
:platform: Unix
|
|
:synopsis: This module defines all the permission used within Lemur
|
|
:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
|
|
:license: Apache, see LICENSE for more details.
|
|
.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
|
|
"""
|
|
from functools import partial
|
|
from collections import namedtuple
|
|
|
|
from flask import current_app
|
|
from flask_principal import Permission, RoleNeed
|
|
|
|
# Permissions
|
|
operator_permission = Permission(RoleNeed("operator"))
|
|
admin_permission = Permission(RoleNeed("admin"))
|
|
|
|
CertificateOwner = namedtuple("certificate", ["method", "value"])
|
|
CertificateOwnerNeed = partial(CertificateOwner, "role")
|
|
|
|
|
|
class SensitiveDomainPermission(Permission):
|
|
def __init__(self):
|
|
needs = [RoleNeed("admin")]
|
|
sensitive_domain_roles = current_app.config.get("SENSITIVE_DOMAIN_ROLES", [])
|
|
|
|
if sensitive_domain_roles:
|
|
for role in sensitive_domain_roles:
|
|
needs.append(RoleNeed(role))
|
|
|
|
super(SensitiveDomainPermission, self).__init__(*needs)
|
|
|
|
|
|
class CertificatePermission(Permission):
|
|
def __init__(self, owner, roles):
|
|
needs = [RoleNeed("admin"), RoleNeed(owner), RoleNeed("creator")]
|
|
for r in roles:
|
|
needs.append(CertificateOwnerNeed(str(r)))
|
|
# Backwards compatibility with mixed-case role names
|
|
if str(r) != str(r).lower():
|
|
needs.append(CertificateOwnerNeed(str(r).lower()))
|
|
|
|
super(CertificatePermission, self).__init__(*needs)
|
|
|
|
|
|
class ApiKeyCreatorPermission(Permission):
|
|
def __init__(self):
|
|
super(ApiKeyCreatorPermission, self).__init__(RoleNeed("admin"))
|
|
|
|
|
|
RoleMember = namedtuple("role", ["method", "value"])
|
|
RoleMemberNeed = partial(RoleMember, "member")
|
|
|
|
|
|
class RoleMemberPermission(Permission):
|
|
def __init__(self, role_id):
|
|
needs = [RoleNeed("admin"), RoleMemberNeed(role_id)]
|
|
super(RoleMemberPermission, self).__init__(*needs)
|
|
|
|
|
|
AuthorityCreator = namedtuple("authority", ["method", "value"])
|
|
AuthorityCreatorNeed = partial(AuthorityCreator, "authorityUse")
|
|
|
|
AuthorityOwner = namedtuple("authority", ["method", "value"])
|
|
AuthorityOwnerNeed = partial(AuthorityOwner, "role")
|
|
|
|
|
|
class AuthorityPermission(Permission):
|
|
def __init__(self, authority_id, roles):
|
|
needs = [RoleNeed("admin"), AuthorityCreatorNeed(str(authority_id))]
|
|
for r in roles:
|
|
needs.append(AuthorityOwnerNeed(str(r)))
|
|
|
|
super(AuthorityPermission, self).__init__(*needs)
|