1 | # Licensed to the StackStorm, Inc ('StackStorm') under one or more |
||
0 ignored issues
–
show
There seems to be a cyclic import (st2common.models.db.action -> st2common.models.db.liveaction -> st2common.util.action_db -> st2common.persistence.action).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.action -> st2common.persistence.base -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.action -> st2common.persistence.executionstate -> st2common.transport -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.liveaction -> st2common.transport -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.action -> st2common.persistence.actionalias -> st2common.persistence.base -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.db.liveaction -> st2common.util.action_db -> st2common.persistence.action -> st2common.persistence.liveaction).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.liveaction -> st2common.persistence.base -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.action -> st2common.persistence.runner -> st2common.persistence.base -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
There seems to be a cyclic import (st2common.models.api.base -> st2common.util.schema -> st2common.util.action_db -> st2common.persistence.action -> st2common.persistence.liveaction -> st2common.transport -> st2common.transport.reactor -> st2common.models.api.trace).
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.
Loading history...
|
|||
2 | # contributor license agreements. See the NOTICE file distributed with |
||
3 | # this work for additional information regarding copyright ownership. |
||
4 | # The ASF licenses this file to You under the Apache License, Version 2.0 |
||
5 | # (the "License"); you may not use this file except in compliance with |
||
6 | # the License. You may obtain a copy of the License at |
||
7 | # |
||
8 | # http://www.apache.org/licenses/LICENSE-2.0 |
||
9 | # |
||
10 | # Unless required by applicable law or agreed to in writing, software |
||
11 | # distributed under the License is distributed on an "AS IS" BASIS, |
||
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||
13 | # See the License for the specific language governing permissions and |
||
14 | # limitations under the License. |
||
15 | |||
16 | from __future__ import absolute_import |
||
17 | import six |
||
18 | import itertools |
||
19 | |||
20 | from st2common.util.enum import Enum |
||
21 | from st2common.constants.types import ResourceType as SystemResourceType |
||
22 | |||
23 | __all__ = [ |
||
24 | 'SystemRole', |
||
25 | 'PermissionType', |
||
26 | 'ResourceType', |
||
27 | |||
28 | 'RESOURCE_TYPE_TO_PERMISSION_TYPES_MAP', |
||
29 | 'PERMISION_TYPE_TO_DESCRIPTION_MAP', |
||
30 | |||
31 | 'ALL_PERMISSION_TYPES', |
||
32 | 'GLOBAL_PERMISSION_TYPES', |
||
33 | 'GLOBAL_PACK_PERMISSION_TYPES', |
||
34 | 'LIST_PERMISSION_TYPES', |
||
35 | |||
36 | 'get_resource_permission_types_with_descriptions' |
||
37 | ] |
||
38 | |||
39 | |||
40 | class PermissionType(Enum): |
||
41 | """ |
||
42 | Available permission types. |
||
43 | """ |
||
44 | |||
45 | # Note: There is no create endpoint for runner types right now |
||
46 | RUNNER_LIST = 'runner_type_list' |
||
47 | RUNNER_VIEW = 'runner_type_view' |
||
48 | RUNNER_MODIFY = 'runner_type_modify' |
||
49 | RUNNER_ALL = 'runner_type_all' |
||
50 | |||
51 | PACK_LIST = 'pack_list' |
||
52 | PACK_VIEW = 'pack_view' |
||
53 | PACK_CREATE = 'pack_create' |
||
54 | PACK_MODIFY = 'pack_modify' |
||
55 | PACK_DELETE = 'pack_delete' |
||
56 | |||
57 | # Pack-management specific permissions |
||
58 | # Note: Right now those permissions are global and apply to all the packs. |
||
59 | # In the future we plan to support globs. |
||
60 | PACK_INSTALL = 'pack_install' |
||
61 | PACK_UNINSTALL = 'pack_uninstall' |
||
62 | PACK_REGISTER = 'pack_register' |
||
63 | PACK_CONFIG = 'pack_config' |
||
64 | PACK_SEARCH = 'pack_search' |
||
65 | PACK_VIEWS_INDEX_HEALTH = 'pack_views_index_health' |
||
66 | |||
67 | PACK_ALL = 'pack_all' |
||
68 | |||
69 | # Note: Right now we only have read endpoints + update for sensors types |
||
70 | SENSOR_LIST = 'sensor_type_list' |
||
71 | SENSOR_VIEW = 'sensor_type_view' |
||
72 | SENSOR_MODIFY = 'sensor_type_modify' |
||
73 | SENSOR_ALL = 'sensor_type_all' |
||
74 | |||
75 | ACTION_LIST = 'action_list' |
||
76 | ACTION_VIEW = 'action_view' |
||
77 | ACTION_CREATE = 'action_create' |
||
78 | ACTION_MODIFY = 'action_modify' |
||
79 | ACTION_DELETE = 'action_delete' |
||
80 | ACTION_EXECUTE = 'action_execute' |
||
81 | ACTION_ALL = 'action_all' |
||
82 | |||
83 | ACTION_ALIAS_LIST = 'action_alias_list' |
||
84 | ACTION_ALIAS_VIEW = 'action_alias_view' |
||
85 | ACTION_ALIAS_CREATE = 'action_alias_create' |
||
86 | ACTION_ALIAS_MODIFY = 'action_alias_modify' |
||
87 | ACTION_ALIAS_MATCH = 'action_alias_match' |
||
88 | ACTION_ALIAS_HELP = 'action_alias_help' |
||
89 | ACTION_ALIAS_DELETE = 'action_alias_delete' |
||
90 | ACTION_ALIAS_ALL = 'action_alias_all' |
||
91 | |||
92 | # Note: Execution create is granted with "action_execute" |
||
93 | EXECUTION_LIST = 'execution_list' |
||
94 | EXECUTION_VIEW = 'execution_view' |
||
95 | EXECUTION_RE_RUN = 'execution_rerun' |
||
96 | EXECUTION_STOP = 'execution_stop' |
||
97 | EXECUTION_ALL = 'execution_all' |
||
98 | EXECUTION_VIEWS_FILTERS_LIST = 'execution_views_filters_list' |
||
99 | |||
100 | RULE_LIST = 'rule_list' |
||
101 | RULE_VIEW = 'rule_view' |
||
102 | RULE_CREATE = 'rule_create' |
||
103 | RULE_MODIFY = 'rule_modify' |
||
104 | RULE_DELETE = 'rule_delete' |
||
105 | RULE_ALL = 'rule_all' |
||
106 | |||
107 | RULE_ENFORCEMENT_LIST = 'rule_enforcement_list' |
||
108 | RULE_ENFORCEMENT_VIEW = 'rule_enforcement_view' |
||
109 | |||
110 | # TODO - Maybe "datastore_item" / key_value_item ? |
||
111 | KEY_VALUE_VIEW = 'key_value_pair_view' |
||
112 | KEY_VALUE_SET = 'key_value_pair_set' |
||
113 | KEY_VALUE_DELETE = 'key_value_pair_delete' |
||
114 | |||
115 | WEBHOOK_LIST = 'webhook_list' |
||
116 | WEBHOOK_VIEW = 'webhook_view' |
||
117 | WEBHOOK_CREATE = 'webhook_create' |
||
118 | WEBHOOK_SEND = 'webhook_send' |
||
119 | WEBHOOK_DELETE = 'webhook_delete' |
||
120 | WEBHOOK_ALL = 'webhook_all' |
||
121 | |||
122 | TIMER_LIST = 'timer_list' |
||
123 | TIMER_VIEW = 'timer_view' |
||
124 | TIMER_ALL = 'timer_all' |
||
125 | |||
126 | API_KEY_LIST = 'api_key_list' |
||
127 | API_KEY_VIEW = 'api_key_view' |
||
128 | API_KEY_CREATE = 'api_key_create' |
||
129 | API_KEY_MODIFY = 'api_key_modify' |
||
130 | API_KEY_DELETE = 'api_key_delete' |
||
131 | API_KEY_ALL = 'api_key_all' |
||
132 | |||
133 | TRACE_LIST = 'trace_list' |
||
134 | TRACE_VIEW = 'trace_view' |
||
135 | TRACE_ALL = 'trace_all' |
||
136 | |||
137 | # Note: Trigger permissions types are also used for Timer API endpoint since timer is just |
||
138 | # a special type of a trigger |
||
139 | TRIGGER_LIST = 'trigger_list' |
||
140 | TRIGGER_VIEW = 'trigger_view' |
||
141 | TRIGGER_ALL = 'trigger_all' |
||
142 | |||
143 | POLICY_TYPE_LIST = 'policy_type_list' |
||
144 | POLICY_TYPE_VIEW = 'policy_type_view' |
||
145 | POLICY_TYPE_ALL = 'policy_type_all' |
||
146 | |||
147 | POLICY_LIST = 'policy_list' |
||
148 | POLICY_VIEW = 'policy_view' |
||
149 | POLICY_CREATE = 'policy_create' |
||
150 | POLICY_MODIFY = 'policy_modify' |
||
151 | POLICY_DELETE = 'policy_delete' |
||
152 | POLICY_ALL = 'policy_all' |
||
153 | |||
154 | STREAM_VIEW = 'stream_view' |
||
155 | |||
156 | INQUIRY_LIST = 'inquiry_list' |
||
157 | INQUIRY_VIEW = 'inquiry_view' |
||
158 | INQUIRY_RESPOND = 'inquiry_respond' |
||
159 | INQUIRY_ALL = 'inquiry_all' |
||
160 | |||
161 | @classmethod |
||
162 | def get_valid_permissions_for_resource_type(cls, resource_type): |
||
163 | """ |
||
164 | Return valid permissions for the provided resource type. |
||
165 | |||
166 | :rtype: ``list`` |
||
167 | """ |
||
168 | valid_permissions = RESOURCE_TYPE_TO_PERMISSION_TYPES_MAP[resource_type] |
||
169 | return valid_permissions |
||
170 | |||
171 | @classmethod |
||
172 | def get_resource_type(cls, permission_type): |
||
173 | """ |
||
174 | Retrieve resource type from the provided permission type. |
||
175 | |||
176 | :rtype: ``str`` |
||
177 | """ |
||
178 | # Special case for: |
||
179 | # * PACK_VIEWS_INDEX_HEALTH |
||
180 | # * EXECUTION_VIEWS_FILTERS_LIST |
||
181 | if permission_type == PermissionType.PACK_VIEWS_INDEX_HEALTH: |
||
182 | return ResourceType.PACK |
||
183 | elif permission_type == PermissionType.EXECUTION_VIEWS_FILTERS_LIST: |
||
184 | return ResourceType.EXECUTION |
||
185 | |||
186 | split = permission_type.split('_') |
||
187 | assert len(split) >= 2 |
||
188 | |||
189 | return '_'.join(split[:-1]) |
||
190 | |||
191 | @classmethod |
||
192 | def get_permission_name(cls, permission_type): |
||
193 | """ |
||
194 | Retrieve permission name from the provided permission type. |
||
195 | |||
196 | :rtype: ``str`` |
||
197 | """ |
||
198 | split = permission_type.split('_') |
||
199 | assert len(split) >= 2 |
||
200 | |||
201 | # Special case for PACK_VIEWS_INDEX_HEALTH |
||
202 | if permission_type == PermissionType.PACK_VIEWS_INDEX_HEALTH: |
||
203 | split = permission_type.split('_', 1) |
||
204 | return split[1] |
||
205 | |||
206 | return split[-1] |
||
207 | |||
208 | @classmethod |
||
209 | def get_permission_description(cls, permission_type): |
||
210 | """ |
||
211 | Retrieve a description for the provided permission_type. |
||
212 | |||
213 | :rtype: ``str`` |
||
214 | """ |
||
215 | description = PERMISION_TYPE_TO_DESCRIPTION_MAP[permission_type] |
||
216 | return description |
||
217 | |||
218 | @classmethod |
||
219 | def get_permission_type(cls, resource_type, permission_name): |
||
220 | """ |
||
221 | Retrieve permission type enum value for the provided resource type and permission name. |
||
222 | |||
223 | :rtype: ``str`` |
||
224 | """ |
||
225 | # Special case for sensor type (sensor_type -> sensor) |
||
226 | if resource_type == ResourceType.SENSOR: |
||
227 | resource_type = 'sensor' |
||
228 | |||
229 | permission_enum = '%s_%s' % (resource_type.upper(), permission_name.upper()) |
||
230 | result = getattr(cls, permission_enum, None) |
||
231 | |||
232 | if not result: |
||
233 | raise ValueError('Unsupported permission type for type "%s" and name "%s"' % |
||
234 | (resource_type, permission_name)) |
||
235 | |||
236 | return result |
||
237 | |||
238 | |||
239 | class ResourceType(Enum): |
||
240 | """ |
||
241 | Resource types on which permissions can be granted. |
||
242 | """ |
||
243 | RUNNER = SystemResourceType.RUNNER_TYPE |
||
244 | |||
245 | PACK = SystemResourceType.PACK |
||
246 | SENSOR = SystemResourceType.SENSOR_TYPE |
||
247 | ACTION = SystemResourceType.ACTION |
||
248 | ACTION_ALIAS = SystemResourceType.ACTION_ALIAS |
||
249 | RULE = SystemResourceType.RULE |
||
250 | RULE_ENFORCEMENT = SystemResourceType.RULE_ENFORCEMENT |
||
251 | POLICY_TYPE = SystemResourceType.POLICY_TYPE |
||
252 | POLICY = SystemResourceType.POLICY |
||
253 | |||
254 | EXECUTION = SystemResourceType.EXECUTION |
||
255 | KEY_VALUE_PAIR = SystemResourceType.KEY_VALUE_PAIR |
||
256 | WEBHOOK = SystemResourceType.WEBHOOK |
||
257 | TIMER = SystemResourceType.TIMER |
||
258 | API_KEY = SystemResourceType.API_KEY |
||
259 | TRACE = SystemResourceType.TRACE |
||
260 | TRIGGER = SystemResourceType.TRIGGER |
||
261 | STREAM = SystemResourceType.STREAM |
||
262 | INQUIRY = SystemResourceType.INQUIRY |
||
263 | |||
264 | |||
265 | class SystemRole(Enum): |
||
266 | """ |
||
267 | Default system roles which can't be manipulated (modified or removed). |
||
268 | """ |
||
269 | SYSTEM_ADMIN = 'system_admin' # Special role which can't be revoked. |
||
270 | ADMIN = 'admin' |
||
271 | OBSERVER = 'observer' |
||
272 | |||
273 | |||
274 | # Maps a list of available permission types for each resource |
||
275 | RESOURCE_TYPE_TO_PERMISSION_TYPES_MAP = { |
||
276 | ResourceType.RUNNER: [ |
||
277 | PermissionType.RUNNER_LIST, |
||
278 | PermissionType.RUNNER_VIEW, |
||
279 | PermissionType.RUNNER_MODIFY, |
||
280 | PermissionType.RUNNER_ALL, |
||
281 | ], |
||
282 | ResourceType.PACK: [ |
||
283 | PermissionType.PACK_LIST, |
||
284 | PermissionType.PACK_VIEW, |
||
285 | PermissionType.PACK_CREATE, |
||
286 | PermissionType.PACK_MODIFY, |
||
287 | PermissionType.PACK_DELETE, |
||
288 | PermissionType.PACK_INSTALL, |
||
289 | PermissionType.PACK_UNINSTALL, |
||
290 | PermissionType.PACK_REGISTER, |
||
291 | PermissionType.PACK_CONFIG, |
||
292 | PermissionType.PACK_SEARCH, |
||
293 | PermissionType.PACK_VIEWS_INDEX_HEALTH, |
||
294 | PermissionType.PACK_ALL, |
||
295 | |||
296 | PermissionType.SENSOR_VIEW, |
||
297 | PermissionType.SENSOR_MODIFY, |
||
298 | PermissionType.SENSOR_ALL, |
||
299 | |||
300 | PermissionType.ACTION_VIEW, |
||
301 | PermissionType.ACTION_CREATE, |
||
302 | PermissionType.ACTION_MODIFY, |
||
303 | PermissionType.ACTION_DELETE, |
||
304 | PermissionType.ACTION_EXECUTE, |
||
305 | PermissionType.ACTION_ALL, |
||
306 | |||
307 | PermissionType.ACTION_ALIAS_VIEW, |
||
308 | PermissionType.ACTION_ALIAS_CREATE, |
||
309 | PermissionType.ACTION_ALIAS_MODIFY, |
||
310 | PermissionType.ACTION_ALIAS_DELETE, |
||
311 | PermissionType.ACTION_ALIAS_ALL, |
||
312 | |||
313 | PermissionType.RULE_VIEW, |
||
314 | PermissionType.RULE_CREATE, |
||
315 | PermissionType.RULE_MODIFY, |
||
316 | PermissionType.RULE_DELETE, |
||
317 | PermissionType.RULE_ALL |
||
318 | ], |
||
319 | ResourceType.SENSOR: [ |
||
320 | PermissionType.SENSOR_LIST, |
||
321 | PermissionType.SENSOR_VIEW, |
||
322 | PermissionType.SENSOR_MODIFY, |
||
323 | PermissionType.SENSOR_ALL |
||
324 | ], |
||
325 | ResourceType.ACTION: [ |
||
326 | PermissionType.ACTION_LIST, |
||
327 | PermissionType.ACTION_VIEW, |
||
328 | PermissionType.ACTION_CREATE, |
||
329 | PermissionType.ACTION_MODIFY, |
||
330 | PermissionType.ACTION_DELETE, |
||
331 | PermissionType.ACTION_EXECUTE, |
||
332 | PermissionType.ACTION_ALL |
||
333 | ], |
||
334 | ResourceType.ACTION_ALIAS: [ |
||
335 | PermissionType.ACTION_ALIAS_LIST, |
||
336 | PermissionType.ACTION_ALIAS_VIEW, |
||
337 | PermissionType.ACTION_ALIAS_CREATE, |
||
338 | PermissionType.ACTION_ALIAS_MODIFY, |
||
339 | PermissionType.ACTION_ALIAS_MATCH, |
||
340 | PermissionType.ACTION_ALIAS_HELP, |
||
341 | PermissionType.ACTION_ALIAS_DELETE, |
||
342 | PermissionType.ACTION_ALIAS_ALL |
||
343 | ], |
||
344 | ResourceType.RULE: [ |
||
345 | PermissionType.RULE_LIST, |
||
346 | PermissionType.RULE_VIEW, |
||
347 | PermissionType.RULE_CREATE, |
||
348 | PermissionType.RULE_MODIFY, |
||
349 | PermissionType.RULE_DELETE, |
||
350 | PermissionType.RULE_ALL |
||
351 | ], |
||
352 | ResourceType.RULE_ENFORCEMENT: [ |
||
353 | PermissionType.RULE_ENFORCEMENT_LIST, |
||
354 | PermissionType.RULE_ENFORCEMENT_VIEW, |
||
355 | ], |
||
356 | ResourceType.EXECUTION: [ |
||
357 | PermissionType.EXECUTION_LIST, |
||
358 | PermissionType.EXECUTION_VIEW, |
||
359 | PermissionType.EXECUTION_RE_RUN, |
||
360 | PermissionType.EXECUTION_STOP, |
||
361 | PermissionType.EXECUTION_ALL, |
||
362 | PermissionType.EXECUTION_VIEWS_FILTERS_LIST, |
||
363 | ], |
||
364 | ResourceType.KEY_VALUE_PAIR: [ |
||
365 | PermissionType.KEY_VALUE_VIEW, |
||
366 | PermissionType.KEY_VALUE_SET, |
||
367 | PermissionType.KEY_VALUE_DELETE |
||
368 | ], |
||
369 | ResourceType.WEBHOOK: [ |
||
370 | PermissionType.WEBHOOK_LIST, |
||
371 | PermissionType.WEBHOOK_VIEW, |
||
372 | PermissionType.WEBHOOK_CREATE, |
||
373 | PermissionType.WEBHOOK_SEND, |
||
374 | PermissionType.WEBHOOK_DELETE, |
||
375 | PermissionType.WEBHOOK_ALL |
||
376 | ], |
||
377 | ResourceType.TIMER: [ |
||
378 | PermissionType.TIMER_LIST, |
||
379 | PermissionType.TIMER_VIEW, |
||
380 | PermissionType.TIMER_ALL |
||
381 | ], |
||
382 | ResourceType.API_KEY: [ |
||
383 | PermissionType.API_KEY_LIST, |
||
384 | PermissionType.API_KEY_VIEW, |
||
385 | PermissionType.API_KEY_CREATE, |
||
386 | PermissionType.API_KEY_MODIFY, |
||
387 | PermissionType.API_KEY_DELETE, |
||
388 | PermissionType.API_KEY_ALL |
||
389 | ], |
||
390 | ResourceType.TRACE: [ |
||
391 | PermissionType.TRACE_LIST, |
||
392 | PermissionType.TRACE_VIEW, |
||
393 | PermissionType.TRACE_ALL |
||
394 | ], |
||
395 | ResourceType.TRIGGER: [ |
||
396 | PermissionType.TRIGGER_LIST, |
||
397 | PermissionType.TRIGGER_VIEW, |
||
398 | PermissionType.TRIGGER_ALL |
||
399 | ], |
||
400 | ResourceType.POLICY_TYPE: [ |
||
401 | PermissionType.POLICY_TYPE_LIST, |
||
402 | PermissionType.POLICY_TYPE_VIEW, |
||
403 | PermissionType.POLICY_TYPE_ALL, |
||
404 | ], |
||
405 | ResourceType.POLICY: [ |
||
406 | PermissionType.POLICY_LIST, |
||
407 | PermissionType.POLICY_VIEW, |
||
408 | PermissionType.POLICY_CREATE, |
||
409 | PermissionType.POLICY_MODIFY, |
||
410 | PermissionType.POLICY_DELETE, |
||
411 | PermissionType.POLICY_ALL, |
||
412 | ], |
||
413 | ResourceType.INQUIRY: [ |
||
414 | PermissionType.INQUIRY_LIST, |
||
415 | PermissionType.INQUIRY_VIEW, |
||
416 | PermissionType.INQUIRY_RESPOND, |
||
417 | PermissionType.INQUIRY_ALL, |
||
418 | ] |
||
419 | } |
||
420 | |||
421 | ALL_PERMISSION_TYPES = list(RESOURCE_TYPE_TO_PERMISSION_TYPES_MAP.values()) |
||
422 | ALL_PERMISSION_TYPES = list(itertools.chain(*ALL_PERMISSION_TYPES)) |
||
423 | LIST_PERMISSION_TYPES = [permission_type for permission_type in ALL_PERMISSION_TYPES if |
||
424 | permission_type.endswith('_list')] |
||
425 | |||
426 | # List of global permissions (ones which don't apply to a specific resource) |
||
427 | GLOBAL_PERMISSION_TYPES = [ |
||
428 | # Pack global permission types |
||
429 | PermissionType.PACK_INSTALL, |
||
430 | PermissionType.PACK_UNINSTALL, |
||
431 | PermissionType.PACK_CREATE, |
||
432 | PermissionType.PACK_REGISTER, |
||
433 | PermissionType.PACK_CONFIG, |
||
434 | PermissionType.PACK_SEARCH, |
||
435 | PermissionType.PACK_VIEWS_INDEX_HEALTH, |
||
436 | |||
437 | # Action alias global permission types |
||
438 | PermissionType.ACTION_ALIAS_MATCH, |
||
439 | PermissionType.ACTION_ALIAS_HELP, |
||
440 | |||
441 | # API key global permission types |
||
442 | PermissionType.API_KEY_CREATE, |
||
443 | |||
444 | # Policy global permission types |
||
445 | PermissionType.POLICY_CREATE, |
||
446 | |||
447 | # Execution |
||
448 | PermissionType.EXECUTION_VIEWS_FILTERS_LIST, |
||
449 | |||
450 | # Stream |
||
451 | PermissionType.STREAM_VIEW, |
||
452 | |||
453 | # Inquiry |
||
454 | PermissionType.INQUIRY_LIST, |
||
455 | PermissionType.INQUIRY_RESPOND, |
||
456 | PermissionType.INQUIRY_VIEW |
||
457 | |||
458 | ] + LIST_PERMISSION_TYPES |
||
459 | |||
460 | GLOBAL_PACK_PERMISSION_TYPES = [permission_type for permission_type in GLOBAL_PERMISSION_TYPES if |
||
461 | permission_type.startswith('pack_')] |
||
462 | |||
463 | |||
464 | # Maps a permission type to the corresponding description |
||
465 | PERMISION_TYPE_TO_DESCRIPTION_MAP = { |
||
466 | PermissionType.PACK_LIST: 'Ability to list (view all) packs.', |
||
467 | PermissionType.PACK_VIEW: 'Ability to view a pack.', |
||
468 | PermissionType.PACK_CREATE: 'Ability to create a new pack.', |
||
469 | PermissionType.PACK_MODIFY: 'Ability to modify (update) an existing pack.', |
||
470 | PermissionType.PACK_DELETE: 'Ability to delete an existing pack.', |
||
471 | PermissionType.PACK_INSTALL: 'Ability to install packs.', |
||
472 | PermissionType.PACK_UNINSTALL: 'Ability to uninstall packs.', |
||
473 | PermissionType.PACK_REGISTER: 'Ability to register packs and corresponding resources.', |
||
474 | PermissionType.PACK_CONFIG: 'Ability to configure a pack.', |
||
475 | PermissionType.PACK_SEARCH: 'Ability to query registry and search packs.', |
||
476 | PermissionType.PACK_VIEWS_INDEX_HEALTH: 'Ability to query health of pack registries.', |
||
477 | PermissionType.PACK_ALL: ('Ability to perform all the supported operations on a particular ' |
||
478 | 'pack.'), |
||
479 | |||
480 | PermissionType.SENSOR_LIST: 'Ability to list (view all) sensors.', |
||
481 | PermissionType.SENSOR_VIEW: 'Ability to view a sensor', |
||
482 | PermissionType.SENSOR_MODIFY: ('Ability to modify (update) an existing sensor. Also implies ' |
||
483 | '"sensor_type_view" permission.'), |
||
484 | PermissionType.SENSOR_ALL: ('Ability to perform all the supported operations on a particular ' |
||
485 | 'sensor.'), |
||
486 | |||
487 | PermissionType.ACTION_LIST: 'Ability to list (view all) actions.', |
||
488 | PermissionType.ACTION_VIEW: 'Ability to view an action.', |
||
489 | PermissionType.ACTION_CREATE: ('Ability to create a new action. Also implies "action_view" ' |
||
490 | 'permission.'), |
||
491 | PermissionType.ACTION_MODIFY: ('Ability to modify (update) an existing action. Also implies ' |
||
492 | '"action_view" permission.'), |
||
493 | PermissionType.ACTION_DELETE: ('Ability to delete an existing action. Also implies ' |
||
494 | '"action_view" permission.'), |
||
495 | PermissionType.ACTION_EXECUTE: ('Ability to execute (run) an action. Also implies ' |
||
496 | '"action_view" permission.'), |
||
497 | PermissionType.ACTION_ALL: ('Ability to perform all the supported operations on a particular ' |
||
498 | 'action.'), |
||
499 | |||
500 | PermissionType.ACTION_ALIAS_LIST: 'Ability to list (view all) action aliases.', |
||
501 | PermissionType.ACTION_ALIAS_VIEW: 'Ability to view an action alias.', |
||
502 | PermissionType.ACTION_ALIAS_CREATE: ('Ability to create a new action alias. Also implies' |
||
503 | ' "action_alias_view" permission.'), |
||
504 | PermissionType.ACTION_ALIAS_MODIFY: ('Ability to modify (update) an existing action alias. ' |
||
505 | 'Also implies "action_alias_view" permission.'), |
||
506 | PermissionType.ACTION_ALIAS_MATCH: ('Ability to use action alias match API endpoint.'), |
||
507 | PermissionType.ACTION_ALIAS_HELP: ('Ability to use action alias help API endpoint.'), |
||
508 | PermissionType.ACTION_ALIAS_DELETE: ('Ability to delete an existing action alias. Also ' |
||
509 | 'implies "action_alias_view" permission.'), |
||
510 | PermissionType.ACTION_ALIAS_ALL: ('Ability to perform all the supported operations on a ' |
||
511 | 'particular action alias.'), |
||
512 | |||
513 | PermissionType.EXECUTION_LIST: 'Ability to list (view all) executions.', |
||
514 | PermissionType.EXECUTION_VIEW: 'Ability to view an execution.', |
||
515 | PermissionType.EXECUTION_RE_RUN: 'Ability to create a new action.', |
||
516 | PermissionType.EXECUTION_STOP: 'Ability to stop (cancel) a running execution.', |
||
517 | PermissionType.EXECUTION_ALL: ('Ability to perform all the supported operations on a ' |
||
518 | 'particular execution.'), |
||
519 | PermissionType.EXECUTION_VIEWS_FILTERS_LIST: ('Ability view all the distinct execution ' |
||
520 | 'filters.'), |
||
521 | |||
522 | PermissionType.RULE_LIST: 'Ability to list (view all) rules.', |
||
523 | PermissionType.RULE_VIEW: 'Ability to view a rule.', |
||
524 | PermissionType.RULE_CREATE: ('Ability to create a new rule. Also implies "rule_view" ' |
||
525 | 'permission'), |
||
526 | PermissionType.RULE_MODIFY: ('Ability to modify (update) an existing rule. Also implies ' |
||
527 | '"rule_view" permission.'), |
||
528 | PermissionType.RULE_DELETE: ('Ability to delete an existing rule. Also implies "rule_view" ' |
||
529 | 'permission.'), |
||
530 | PermissionType.RULE_ALL: ('Ability to perform all the supported operations on a particular ' |
||
531 | 'rule.'), |
||
532 | |||
533 | PermissionType.RULE_ENFORCEMENT_LIST: 'Ability to list (view all) rule enforcements.', |
||
534 | PermissionType.RULE_ENFORCEMENT_VIEW: 'Ability to view a rule enforcement.', |
||
535 | |||
536 | PermissionType.RUNNER_LIST: 'Ability to list (view all) runners.', |
||
537 | PermissionType.RUNNER_VIEW: 'Ability to view a runner.', |
||
538 | PermissionType.RUNNER_MODIFY: ('Ability to modify (update) an existing runner. Also implies ' |
||
539 | '"runner_type_view" permission.'), |
||
540 | PermissionType.RUNNER_ALL: ('Ability to perform all the supported operations on a particular ' |
||
541 | 'runner.'), |
||
542 | |||
543 | PermissionType.WEBHOOK_LIST: 'Ability to list (view all) webhooks.', |
||
544 | PermissionType.WEBHOOK_VIEW: ('Ability to view a webhook.'), |
||
545 | PermissionType.WEBHOOK_CREATE: ('Ability to create a new webhook.'), |
||
546 | PermissionType.WEBHOOK_SEND: ('Ability to send / POST data to an existing webhook.'), |
||
547 | PermissionType.WEBHOOK_DELETE: ('Ability to delete an existing webhook.'), |
||
548 | PermissionType.WEBHOOK_ALL: ('Ability to perform all the supported operations on a particular ' |
||
549 | 'webhook.'), |
||
550 | |||
551 | PermissionType.TIMER_LIST: 'Ability to list (view all) timers.', |
||
552 | PermissionType.TIMER_VIEW: ('Ability to view a timer.'), |
||
553 | PermissionType.TIMER_ALL: ('Ability to perform all the supported operations on timers'), |
||
554 | |||
555 | PermissionType.API_KEY_LIST: 'Ability to list (view all) API keys.', |
||
556 | PermissionType.API_KEY_VIEW: ('Ability to view an API Key.'), |
||
557 | PermissionType.API_KEY_CREATE: ('Ability to create a new API Key.'), |
||
558 | PermissionType.API_KEY_MODIFY: ('Ability to modify (update) an existing API key. Also implies ' |
||
559 | '"api_key_view" permission.'), |
||
560 | PermissionType.API_KEY_DELETE: ('Ability to delete an existing API Keys.'), |
||
561 | PermissionType.API_KEY_ALL: ('Ability to perform all the supported operations on an API Key.'), |
||
562 | |||
563 | PermissionType.KEY_VALUE_VIEW: ('Ability to view Key-Value Pairs.'), |
||
564 | PermissionType.KEY_VALUE_SET: ('Ability to set a Key-Value Pair.'), |
||
565 | PermissionType.KEY_VALUE_DELETE: ('Ability to delete an existing Key-Value Pair.'), |
||
566 | |||
567 | PermissionType.TRACE_LIST: ('Ability to list (view all) traces.'), |
||
568 | PermissionType.TRACE_VIEW: ('Ability to view a trace.'), |
||
569 | PermissionType.TRACE_ALL: ('Ability to perform all the supported operations on traces.'), |
||
570 | |||
571 | PermissionType.TRIGGER_LIST: ('Ability to list (view all) triggers.'), |
||
572 | PermissionType.TRIGGER_VIEW: ('Ability to view a trigger.'), |
||
573 | PermissionType.TRIGGER_ALL: ('Ability to perform all the supported operations on triggers.'), |
||
574 | |||
575 | PermissionType.POLICY_TYPE_LIST: ('Ability to list (view all) policy types.'), |
||
576 | PermissionType.POLICY_TYPE_VIEW: ('Ability to view a policy types.'), |
||
577 | PermissionType.POLICY_TYPE_ALL: ('Ability to perform all the supported operations on policy' |
||
578 | ' types.'), |
||
579 | |||
580 | PermissionType.POLICY_LIST: 'Ability to list (view all) policies.', |
||
581 | PermissionType.POLICY_VIEW: ('Ability to view a policy.'), |
||
582 | PermissionType.POLICY_CREATE: ('Ability to create a new policy.'), |
||
583 | PermissionType.POLICY_MODIFY: ('Ability to modify an existing policy.'), |
||
584 | PermissionType.POLICY_DELETE: ('Ability to delete an existing policy.'), |
||
585 | PermissionType.POLICY_ALL: ('Ability to perform all the supported operations on a particular ' |
||
586 | 'policy.'), |
||
587 | |||
588 | PermissionType.STREAM_VIEW: ('Ability to view / listen to the events on the stream API ' |
||
589 | 'endpoint.'), |
||
590 | |||
591 | PermissionType.INQUIRY_LIST: 'Ability to list existing Inquiries', |
||
592 | PermissionType.INQUIRY_VIEW: 'Ability to view an existing Inquiry. Also implies ' |
||
593 | '"inquiry_respond" permission.', |
||
594 | PermissionType.INQUIRY_RESPOND: 'Ability to respond to an existing Inquiry (in general - user ' |
||
595 | 'still needs access per specific inquiry parameters). Also ' |
||
596 | 'implies "inquiry_view" permission.', |
||
597 | PermissionType.INQUIRY_ALL: ('Ability to perform all supported operations on a particular ' |
||
598 | 'Inquiry.') |
||
599 | } |
||
600 | |||
601 | |||
602 | def get_resource_permission_types_with_descriptions(): |
||
603 | """ |
||
604 | Return available permission types for each resource types with corresponding descriptions. |
||
605 | |||
606 | :rtype: ``dict` |
||
607 | """ |
||
608 | result = {} |
||
609 | |||
610 | for resource_type, permission_types in six.iteritems(RESOURCE_TYPE_TO_PERMISSION_TYPES_MAP): |
||
611 | result[resource_type] = {} |
||
612 | for permission_type in permission_types: |
||
613 | result[resource_type][permission_type] = \ |
||
614 | PERMISION_TYPE_TO_DESCRIPTION_MAP[permission_type] |
||
615 | |||
616 | return result |
||
617 |
Cyclic imports may cause partly loaded modules to be returned. This might lead to unexpected runtime behavior which is hard to debug.