## # This Module implements rights and lists of rights for the Geni wrapper. Rights # are implemented by two classes: # # Right - represents a single right # # RightList - represents a list of rights # # A right may allow several different operations. For example, the "info" right # allows "listslices", "listcomponentresources", etc. ## ## # privilege_table is a list of priviliges and what operations are allowed # per privilege. privilege_table = {"authority": ["*"], "refresh": ["remove", "update"], "resolve": ["resolve", "list", "getcredential"], "sa": ["*"], "embed": ["getticket", "createslice", "deleteslice", "updateslice"], "bind": ["getticket", "loanresources"], "control": ["updateslice", "stopslice", "startslice", "deleteslice", "resetslice"], "info": ["listslices", "listcomponentresources", "getsliceresources"], "ma": ["*"]} ## # The Right class represents a single privilege. class Right: ## # Create a new right. # # @param kind is a string naming the right. For example "control" def __init__(self, kind): self.kind = kind ## # Test to see if this right object is allowed to perform an operation. # Returns True if the operation is allowed, False otherwise. # # @param op_name is a string naming the operation. For example "listslices". def can_perform(self, op_name): allowed_ops = privilege_table.get(self.kind.lower(), None) if not allowed_ops: return False # if "*" is specified, then all ops are permitted if "*" in allowed_ops: return True return (op_name.lower() in allowed_ops) ## # Test to see if this right is a superset of a child right. A right is a # superset if every operating that is allowed by the child is also allowed # by this object. # # @param child is a Right object describing the child right def is_superset(self, child): my_allowed_ops = privilege_table.get(self.kind.lower(), None) child_allowed_ops = privilege_table.get(child.kind.lower(), None) if "*" in my_allowed_ops: return True for right in child_allowed_ops: if not right in my_allowed_ops: return False return True ## # A RightList object represents a list of privileges. class RightList: ## # Create a new rightlist object, containing no rights. # # @param string if string!=None, load the rightlist from the string def __init__(self, string=None): self.rights = [] if string: self.load_from_string(string) ## # Add a right to this list # # @param right is either a Right object or a string describing the right def add(self, right): if isinstance(right, str): right = Right(kind = right) self.rights.append(right) ## # Load the rightlist object from a string def load_from_string(self, string): self.rights = [] # none == no rights, so leave the list empty if not string: return parts = string.split(",") for part in parts: self.rights.append(Right(part)) ## # Save the rightlist object to a string. It is saved in the format of a # comma-separated list. def save_to_string(self): right_names = [] for right in self.rights: right_names.append(right.kind) return ",".join(right_names) ## # Check to see if some right in this list allows an operation. This is # done by evaluating the can_perform function of each operation in the # list. # # @param op_name is an operation to check, for example "listslices" def can_perform(self, op_name): for right in self.rights: if right.can_perform(op_name): return True return False ## # Check to see if all of the rights in this rightlist are a superset # of all the rights in a child rightlist. A rightlist is a superset # if there is no operation in the child rightlist that cannot be # performed in the parent rightlist. # # @param child is a rightlist object describing the child def is_superset(self, child): for child_right in child.rights: allowed = False for my_right in self.rights: if my_right.is_superset(child_right): allowed = True if not allowed: return False return True