349e5600df
- If a document has a storage policy of encrypted - Redacts (sha256) the data section. - Redacts (sha256) the substition paths. - Uses the same /documents endpoint, adds a new query parameter ?cleartext-secrets=true to show the non-redacted values. Change-Id: I42808901b97c667a1148c00fbb7717a0847c9981
103 lines
3.6 KiB
Python
103 lines
3.6 KiB
Python
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from oslo_policy import policy
|
|
|
|
from deckhand.policies import base
|
|
|
|
|
|
document_policies = [
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'create_cleartext_documents',
|
|
base.RULE_ADMIN_API,
|
|
"""Create a batch of documents specified in the request body, whereby
|
|
a new revision is created. Also, roll back a revision to a previous one in the
|
|
revision history, whereby the target revision's documents are re-created for
|
|
the new revision.""",
|
|
[
|
|
{
|
|
'method': 'PUT',
|
|
'path': '/api/v1.0/buckets/{bucket_name}/documents'
|
|
},
|
|
{
|
|
'method': 'POST',
|
|
'path': '/api/v1.0/rollback/{target_revision_id}'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'create_encrypted_documents',
|
|
base.RULE_ADMIN_API,
|
|
"""Create a batch of documents specified in the request body, whereby
|
|
a new revision is created. Also, roll back a revision to a previous one in the
|
|
history, whereby the target revision's documents are re-created for the new
|
|
revision.
|
|
|
|
Only enforced after ``create_cleartext_documents`` passes.
|
|
|
|
Conditionally enforced for the endpoints below if the any of the documents in
|
|
the request body have a ``metadata.storagePolicy`` of "encrypted".""",
|
|
[
|
|
{
|
|
'method': 'PUT',
|
|
'path': '/api/v1.0/buckets/{bucket_name}/documents'
|
|
},
|
|
{
|
|
'method': 'POST',
|
|
'path': '/api/v1.0/rollback/{target_revision_id}'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'list_cleartext_documents',
|
|
base.RULE_ADMIN_API,
|
|
"""List cleartext documents for a revision (with no layering or
|
|
substitution applied) as well as fully layered and substituted concrete
|
|
documents.""",
|
|
[
|
|
{
|
|
'method': 'GET',
|
|
'path': 'api/v1.0/revisions/{revision_id}/documents'
|
|
},
|
|
{
|
|
'method': 'GET',
|
|
'path': 'api/v1.0/revisions/{revision_id}/rendered-documents'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'list_encrypted_documents',
|
|
base.RULE_ADMIN_API,
|
|
"""List encrypted documents for a revision (with no layering or
|
|
substitution applied) as well as fully layered and substituted concrete
|
|
documents.
|
|
|
|
Only enforced after ``list_cleartext_documents`` passes.
|
|
|
|
Conditionally enforced for the endpoints below if any of the documents in the
|
|
request body have a ``metadata.storagePolicy`` of "encrypted". If policy
|
|
enforcement fails, encrypted documents are excluded from the response.""",
|
|
[
|
|
{
|
|
'method': 'GET',
|
|
'path': 'api/v1.0/revisions/{revision_id}/documents'
|
|
},
|
|
{
|
|
'method': 'GET',
|
|
'path': 'api/v1.0/revisions/{revision_id}/rendered-documents'
|
|
}
|
|
]),
|
|
]
|
|
|
|
|
|
def list_rules():
|
|
return document_policies
|