class RoleDefinitionFileFormatAPI(BaseAPI):
    """
    JSON schema (plus post-schema checks) for the role definition file format.

    A definition carries a ``name``, an optional ``description``, an
    ``enabled`` flag and a list of ``permission_grants``.  Each grant pairs an
    optional ``resource_uid`` with a list of ``permission_types``.  The schema
    only restricts a permission type to ``PermissionType.get_valid_values()``
    (evaluated once, when this class is created); :meth:`validate` then checks
    that every type actually fits the grant it appears in.

    NOTE(review): ``required`` is spelled inside each property, the JSON
    Schema draft-3 form.  Whether ``BaseAPI`` honours it depends on the
    validator draft it runs - confirm before relying on ``name`` being
    mandatory.
    """

    schema = {
        'type': 'object',
        'properties': {
            'name': {
                'type': 'string',
                'description': 'Role name',
                'required': True,
                'default': None
            },
            'description': {
                'type': 'string',
                'description': 'Role description',
                'required': False
            },
            'enabled': {
                'type': 'boolean',
                'description': ('Flag indicating if this role is enabled. Note: Disabled roles '
                                'are simply ignored when loading definitions from disk.'),
                'default': True
            },
            'permission_grants': {
                'type': 'array',
                'items': {
                    # NOTE(review): unlike the top-level object, a grant does not set
                    # 'additionalProperties': False, so a misspelled key (e.g. a singular
                    # 'permission_type') is silently accepted and the grant then grants
                    # nothing rather than failing loudly.
                    'type': 'object',
                    'properties': {
                        'resource_uid': {
                            'type': 'string',
                            'description': 'UID of a resource to which this grant applies to.',
                            'required': False,
                            'default': None
                        },
                        'permission_types': {
                            'type': 'array',
                            'description': 'A list of permission types to grant',
                            'uniqueItems': True,
                            'items': {
                                'type': 'string',
                                # Only membership in the full set of known permission
                                # types is checked here; validate() narrows it per grant.
                                'enum': PermissionType.get_valid_values()
                            },
                            'default': []
                        }
                    }
                }
            }
        },
        'additionalProperties': False
    }

    def validate(self):
        """
        Validate the parsed role definition.

        First runs the parent's JSON schema validation, then applies the
        per-grant rules the schema cannot express on its own:

        * a grant with a ``resource_uid`` may only list permission types
          that are valid for that resource's type;
        * a grant without a ``resource_uid`` may only list permission types
          whose name ends in ``_list``, which are treated as global.

        NOTE(review): the global branch is a naming heuristic, not an
        allow-list - any permission type whose name happens to end in
        ``_list`` becomes usable without a resource id.  An explicit set of
        global permission types would be the safer check.  Also note that an
        empty-string ``resource_uid`` is falsy and takes the global branch.

        :return: the value returned by ``BaseAPI.validate`` (the cleaned data).
        :raises ValueError: on the first permission type that does not fit
            the grant it is listed in.
        """
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        for grant in getattr(self, 'permission_grants', []):
            uid = grant.get('resource_uid', None)
            requested = grant.get('permission_types', [])
            if uid:
                self._check_resource_grant(uid, requested)
            else:
                self._check_global_grant(requested)

        return cleaned

    @staticmethod
    def _check_resource_grant(resource_uid, permission_types):
        """
        Reject any permission type that is not valid for the resource type
        encoded in ``resource_uid``.

        :raises ValueError: on the first permission type that does not apply
            to the resource's type.  Whatever ``parse_uid`` raises for a
            malformed UID propagates unchanged.
        """
        # The allowed set is computed once per grant, before any type is checked.
        resource_type, _ = parse_uid(uid=resource_uid)
        allowed = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        for permission_type in permission_types:
            if permission_type in allowed:
                continue
            raise ValueError(
                'Invalid permission type "{}" for resource type "{}"'.format(
                    permission_type, resource_type))

    @staticmethod
    def _check_global_grant(permission_types):
        """
        Reject any permission type that is not a global "list" type, i.e.
        whose name does not end in ``_list``.

        :raises ValueError: on the first offending permission type.
        """
        for permission_type in permission_types:
            if permission_type.endswith('_list'):
                continue
            raise ValueError(
                'Invalid permission type "{}". Only "list" permission types '
                'can be used without a resource id'.format(permission_type))
class RoleDefinitionFileFormatAPI(BaseAPI):
    """
    JSON schema (plus post-schema checks) for the role definition file format.

    A definition carries a ``name``, an optional ``description``, an
    ``enabled`` flag and a list of ``permission_grants``.  Each grant pairs an
    optional ``resource_uid`` with a list of ``permission_types``.  The schema
    only restricts a permission type to ``PermissionType.get_valid_values()``
    (evaluated once, when this class is created); :meth:`validate` then checks
    that every type actually fits the grant it appears in, using the explicit
    ``GLOBAL_PERMISSION_TYPES`` allow-list for grants without a resource.

    NOTE(review): ``required`` is spelled inside each property, the JSON
    Schema draft-3 form.  Whether ``BaseAPI`` honours it depends on the
    validator draft it runs - confirm before relying on ``name`` being
    mandatory.
    """

    schema = {
        "type": "object",
        "properties": {
            "name": {
                "type": "string",
                "description": "Role name",
                "required": True,
                "default": None,
            },
            "description": {
                "type": "string",
                "description": "Role description",
                "required": False,
            },
            "enabled": {
                "type": "boolean",
                "description": ("Flag indicating if this role is enabled. Note: Disabled roles "
                                "are simply ignored when loading definitions from disk."),
                "default": True,
            },
            "permission_grants": {
                "type": "array",
                "items": {
                    # NOTE(review): unlike the top-level object, a grant does not set
                    # "additionalProperties": False, so a misspelled key (e.g. a singular
                    # "permission_type") is silently accepted and the grant then grants
                    # nothing rather than failing loudly.
                    "type": "object",
                    "properties": {
                        "resource_uid": {
                            "type": "string",
                            "description": "UID of a resource to which this grant applies to.",
                            "required": False,
                            "default": None,
                        },
                        "permission_types": {
                            "type": "array",
                            "description": "A list of permission types to grant",
                            "uniqueItems": True,
                            "items": {
                                "type": "string",
                                # Only membership in the full set of known permission
                                # types is checked here; validate() narrows it per grant.
                                "enum": PermissionType.get_valid_values(),
                            },
                            "default": [],
                        },
                    },
                },
            },
        },
        "additionalProperties": False,
    }

    def validate(self):
        """
        Validate the parsed role definition.

        First runs the parent's JSON schema validation, then applies the
        per-grant rules the schema cannot express on its own:

        * a grant with a ``resource_uid`` may only list permission types
          that are valid for that resource's type;
        * a grant without a ``resource_uid`` may only list permission types
          present in ``GLOBAL_PERMISSION_TYPES``.

        NOTE(review): an empty-string ``resource_uid`` is falsy and is
        therefore treated as a global grant.  Whatever ``parse_uid`` raises
        for a malformed UID propagates unchanged.

        :return: the value returned by ``BaseAPI.validate`` (the cleaned data).
        :raises ValueError: on the first permission type that does not fit
            the grant it is listed in.
        """
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        for grant in getattr(self, "permission_grants", []):
            resource_uid = grant.get("resource_uid", None)
            requested = grant.get("permission_types", [])

            if not resource_uid:
                # Resource-less grant: only the explicit global allow-list is accepted.
                for permission_type in requested:
                    if permission_type in GLOBAL_PERMISSION_TYPES:
                        continue
                    raise ValueError(
                        'Invalid permission type "%s". Valid global permission types '
                        "which can be used without a resource id are: %s"
                        % (permission_type, ", ".join(GLOBAL_PERMISSION_TYPES)))
                continue

            # Resource-bound grant: the allowed set depends on the resource type
            # and is computed once per grant, before any type is checked.
            resource_type, _ = parse_uid(uid=resource_uid)
            allowed = PermissionType.get_valid_permissions_for_resource_type(
                resource_type=resource_type)
            for permission_type in requested:
                if permission_type in allowed:
                    continue
                raise ValueError(
                    'Invalid permission type "%s" for resource type "%s"'
                    % (permission_type, resource_type))

        return cleaned