# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy
from deckhand.policies import base
document_policies = [
policy.DocumentedRuleDefault(
base.POLICY_ROOT % 'create_cleartext_documents',
base.RULE_ADMIN_API,
"""Create a batch of documents specified in the request body, whereby
a new revision is created. Also, roll back a revision to a previous one in the
revision history, whereby the target revision's documents are re-created for
the new revision.""",
[
{
'method': 'PUT',
'path': '/api/v1.0/buckets/{bucket_name}/documents'
},
{
'method': 'POST',
'path': '/api/v1.0/rollback/{target_revision_id}'
}
]),
policy.DocumentedRuleDefault(
base.POLICY_ROOT % 'create_encrypted_documents',
base.RULE_ADMIN_API,
"""Create a batch of documents specified in the request body, whereby
a new revision is created. Also, roll back a revision to a previous one in the
history, whereby the target revision's documents are re-created for the new
revision.
Only enforced after ``create_cleartext_documents`` passes.
Conditionally enforced for the endpoints below if the any of the documents in
the request body have a ``metadata.storagePolicy`` of "encrypted".""",
[
{
'method': 'PUT',
'path': '/api/v1.0/buckets/{bucket_name}/documents'
},
{
'method': 'POST',
'path': '/api/v1.0/rollback/{target_revision_id}'
}
]),
policy.DocumentedRuleDefault(
base.POLICY_ROOT % 'list_cleartext_documents',
base.RULE_ADMIN_API,
"""List cleartext documents for a revision (with no layering or
substitution applied) as well as fully layered and substituted concrete
documents.""",
[
{
'method': 'GET',
'path': 'api/v1.0/revisions/{revision_id}/documents'
},
{
'method': 'GET',
'path': 'api/v1.0/revisions/{revision_id}/rendered-documents'
}
]),
policy.DocumentedRuleDefault(
base.POLICY_ROOT % 'list_encrypted_documents',
base.RULE_ADMIN_API,
"""List encrypted documents for a revision (with no layering or
substitution applied) as well as fully layered and substituted concrete
documents.
Only enforced after ``list_cleartext_documents`` passes.
Conditionally enforced for the endpoints below if any of the documents in the
request body have a ``metadata.storagePolicy`` of "encrypted". If policy
enforcement fails, encrypted documents are excluded from the response.""",
[
{
'method': 'GET',
'path': 'api/v1.0/revisions/{revision_id}/documents'
},
{
'method': 'GET',
'path': 'api/v1.0/revisions/{revision_id}/rendered-documents'
}
]),
]
[docs]def list_rules():
return document_policies