mirror of https://github.com/OpenKMIP/PyKMIP.git
296 lines
16 KiB
Python
296 lines
16 KiB
Python
# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import json
|
|
import six
|
|
|
|
from kmip.core import enums
|
|
|
|
|
|
def parse_policy(policy):
|
|
result = {}
|
|
|
|
for object_type, operation_policies in six.iteritems(policy):
|
|
processed_operation_policies = {}
|
|
|
|
for operation, permission in six.iteritems(operation_policies):
|
|
try:
|
|
enum_operation = enums.Operation[operation]
|
|
except Exception:
|
|
raise ValueError(
|
|
"'{0}' is not a valid Operation value.".format(
|
|
operation
|
|
)
|
|
)
|
|
try:
|
|
enum_policy = enums.Policy[permission]
|
|
except Exception:
|
|
raise ValueError(
|
|
"'{0}' is not a valid Policy value.".format(
|
|
permission
|
|
)
|
|
)
|
|
|
|
processed_operation_policies[enum_operation] = enum_policy
|
|
|
|
try:
|
|
enum_type = enums.ObjectType[object_type]
|
|
except Exception:
|
|
raise ValueError(
|
|
"'{0}' is not a valid ObjectType value.".format(
|
|
object_type
|
|
)
|
|
)
|
|
|
|
result[enum_type] = processed_operation_policies
|
|
|
|
return result
|
|
|
|
|
|
def read_policy_from_file(path):
|
|
policy_blob = {}
|
|
|
|
with open(path, 'r') as f:
|
|
try:
|
|
policy_blob = json.loads(f.read())
|
|
except Exception as e:
|
|
raise ValueError(
|
|
"Loading the policy file '{}' generated a JSON error: "
|
|
"{}".format(path, e)
|
|
)
|
|
|
|
policy_sections = {'groups', 'default'}
|
|
object_types = set([t.name for t in enums.ObjectType])
|
|
result = {}
|
|
|
|
for name, object_policy in policy_blob.items():
|
|
if len(object_policy.keys()) == 0:
|
|
continue
|
|
|
|
# Use subset checking to determine what type of policy we have
|
|
sections = set([s for s in six.iterkeys(object_policy)])
|
|
if sections <= policy_sections:
|
|
parsed_policies = dict()
|
|
|
|
default_policy = object_policy.get('default')
|
|
if default_policy:
|
|
parsed_policies['default'] = parse_policy(default_policy)
|
|
|
|
group_policies = object_policy.get('groups')
|
|
if group_policies:
|
|
parsed_group_policies = dict()
|
|
for group_name, group_policy in six.iteritems(group_policies):
|
|
parsed_group_policies[group_name] = parse_policy(
|
|
group_policy
|
|
)
|
|
parsed_policies['groups'] = parsed_group_policies
|
|
|
|
result[name] = parsed_policies
|
|
elif sections <= object_types:
|
|
policy = parse_policy(object_policy)
|
|
result[name] = {'default': policy}
|
|
else:
|
|
invalid_sections = sections - policy_sections - object_types
|
|
raise ValueError(
|
|
"Policy '{}' contains an invalid section named: "
|
|
"{}".format(name, invalid_sections.pop())
|
|
)
|
|
|
|
return result
|
|
|
|
|
|
policies = {
|
|
'default': {
|
|
'default': {
|
|
enums.ObjectType.CERTIFICATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.SYMMETRIC_KEY: {
|
|
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.PUBLIC_KEY: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.PRIVATE_KEY: {
|
|
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.SPLIT_KEY: {
|
|
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.TEMPLATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.SECRET_DATA: {
|
|
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.OPAQUE_DATA: {
|
|
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
},
|
|
enums.ObjectType.PGP_KEY: {
|
|
enums.Operation.REKEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REKEY_KEY_PAIR: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DERIVE_KEY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.CHECK: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.OBTAIN_LEASE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.GET_USAGE_ALLOCATION: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ACTIVATE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.REVOKE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.DESTROY: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.ARCHIVE: enums.Policy.ALLOW_OWNER,
|
|
enums.Operation.RECOVER: enums.Policy.ALLOW_OWNER
|
|
}
|
|
}
|
|
},
|
|
'public': {
|
|
'default': {
|
|
enums.ObjectType.TEMPLATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET_ATTRIBUTES: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.GET_ATTRIBUTE_LIST: enums.Policy.ALLOW_ALL,
|
|
enums.Operation.ADD_ATTRIBUTE: enums.Policy.DISALLOW_ALL,
|
|
enums.Operation.MODIFY_ATTRIBUTE: enums.Policy.DISALLOW_ALL,
|
|
enums.Operation.DELETE_ATTRIBUTE: enums.Policy.DISALLOW_ALL,
|
|
enums.Operation.DESTROY: enums.Policy.DISALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
}
|