示例#1
文件: rbac.py 项目: yuemanxilou/st2
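class RoleDefinitionFileFormatAPI(BaseAPI):
    """
    JSON schema for the role definition file format.

    A role definition is an object carrying a ``name``, an optional
    ``description``, an ``enabled`` flag and a list of ``permission_grants``.
    Each grant names an optional ``resource_uid`` and the ``permission_types``
    granted on it. The schema below checks shape and the global enum of
    permission types; ``validate`` adds the per-resource-type checks the
    schema cannot express on its own.
    """

    schema = {
        'type': 'object',
        'properties': {
            'name': {
                'type': 'string',
                'description': 'Role name',
                'required': True,
                'default': None
            },
            'description': {
                'type': 'string',
                'description': 'Role description',
                'required': False
            },
            'enabled': {
                'type': 'boolean',
                'description': ('Flag indicating if this role is enabled. Note: Disabled roles '
                                'are simply ignored when loading definitions from disk.'),
                'default': True
            },
            'permission_grants': {
                'type': 'array',
                'items': {
                    # NOTE(review): no 'additionalProperties': False on the grant
                    # objects themselves, so unknown keys inside a grant (e.g. a
                    # misspelled 'resource_uid') are not rejected by the schema;
                    # such a grant is treated as global by validate().
                    'type': 'object',
                    'properties': {
                        'resource_uid': {
                            'type': 'string',
                            'description':
                            'UID of a resource to which this grant applies to.',
                            'required': False,
                            'default': None
                        },
                        'permission_types': {
                            'type': 'array',
                            'description':
                            'A list of permission types to grant',
                            'uniqueItems': True,
                            'items': {
                                'type': 'string',
                                # The enum only restricts to globally known permission
                                # types; validate() narrows further by resource type.
                                'enum': PermissionType.get_valid_values()
                            },
                            'default': []
                        }
                    }
                }
            }
        },
        'additionalProperties': False
    }

    def validate(self):
        """
        Validate the role definition.

        Runs the parent JSON schema validation first and then checks every
        permission grant:

        * a grant with a ``resource_uid`` may only use permission types that
          are valid for the resource type derived from that UID;
        * a grant without a ``resource_uid`` is global and may only use
          ``*_list`` permission types.

        :return: The cleaned object returned by the parent ``validate``.
        :raises ValueError: If any grant uses a permission type that is not
                            allowed for its (or for no) resource.
        """
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation: only the correct permission types may be used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource; the resource type
                # decides which ones are acceptable.
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = (
                            'Invalid permission type "%s" for resource type "%s"'
                            % (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource.
                # NOTE(review): this relies on the '_list' naming convention rather than an
                # explicit list of global permission types; the schema enum above keeps the
                # set of candidate values bounded.
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = (
                            'Invalid permission type "%s". Only "list" permission types '
                            'can be used without a resource id' %
                            (permission_type))
                        raise ValueError(message)

        # Deliberately outside the loop: returning from inside it would stop after the
        # first grant and leave every later grant unchecked (and a role with no grants
        # would return None instead of the cleaned object).
        return cleaned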
示例#2
文件: rbac.py 项目: st2sandbox/st2
class RoleDefinitionFileFormatAPI(BaseAPI):
    """
    JSON schema for the role definition file format.

    A role definition is an object carrying a ``name``, an optional
    ``description``, an ``enabled`` flag and a list of ``permission_grants``.
    Each grant names an optional ``resource_uid`` and the ``permission_types``
    granted on it. The schema checks shape and the global enum of permission
    types; ``validate`` adds the per-resource-type checks on top of it.
    """

    schema = {
        "type": "object",
        "properties": {
            "name": {
                "type": "string",
                "description": "Role name",
                "required": True,
                "default": None,
            },
            "description": {
                "type": "string",
                "description": "Role description",
                "required": False,
            },
            "enabled": {
                "type": "boolean",
                "description": (
                    "Flag indicating if this role is enabled. Note: Disabled roles "
                    "are simply ignored when loading definitions from disk."
                ),
                "default": True,
            },
            "permission_grants": {
                "type": "array",
                "items": {
                    # NOTE(review): the grant objects do not set
                    # "additionalProperties": False, so unknown keys inside a
                    # grant (e.g. a misspelled "resource_uid") pass the schema
                    # and the grant is then treated as global by validate().
                    "type": "object",
                    "properties": {
                        "resource_uid": {
                            "type": "string",
                            "description": "UID of a resource to which this grant applies to.",
                            "required": False,
                            "default": None,
                        },
                        "permission_types": {
                            "type": "array",
                            "description": "A list of permission types to grant",
                            "uniqueItems": True,
                            "items": {
                                "type": "string",
                                # The enum only restricts to globally known permission
                                # types; validate() narrows further by resource type.
                                "enum": PermissionType.get_valid_values(),
                            },
                            "default": [],
                        },
                    },
                },
            },
        },
        "additionalProperties": False,
    }

    def validate(self):
        """
        Validate the role definition.

        Runs the parent JSON schema validation first, then checks each
        permission grant: a grant without a ``resource_uid`` is global and may
        only use the types in ``GLOBAL_PERMISSION_TYPES``; a grant with a
        ``resource_uid`` may only use the types valid for the resource type
        derived from that UID.

        :return: The cleaned object returned by the parent ``validate``.
        :raises ValueError: If any grant uses a permission type that is not
                            allowed for its (or for no) resource.
        """
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        for grant in getattr(self, "permission_grants", []):
            uid = grant.get("resource_uid", None)
            requested = grant.get("permission_types", [])

            if not uid:
                # Global grant: only the explicitly whitelisted global permission
                # types may be used without a resource id.
                for permission_type in requested:
                    if permission_type in GLOBAL_PERMISSION_TYPES:
                        continue
                    allowed_global = ", ".join(GLOBAL_PERMISSION_TYPES)
                    raise ValueError(
                        'Invalid permission type "%s". Valid global permission types '
                        "which can be used without a resource id are: %s"
                        % (permission_type, allowed_global)
                    )
                continue

            # Resource-scoped grant: the resource type is derived from the UID and
            # decides which permission types are acceptable.
            resource_type, _ = parse_uid(uid=uid)
            allowed = PermissionType.get_valid_permissions_for_resource_type(
                resource_type=resource_type
            )
            for permission_type in requested:
                if permission_type not in allowed:
                    raise ValueError(
                        'Invalid permission type "%s" for resource type "%s"'
                        % (permission_type, resource_type)
                    )

        return cleaned