Source code for keystone.common.resource_options.options.immutable
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Implement the "Immutable" resource option
from keystone.common.resource_options import core as ro_core
from keystone.common.validation import parameter_types
from keystone import exception
IMMUTABLE_OPT = ro_core.ResourceOption(
option_id='IMMU',
option_name='immutable',
validator=ro_core.boolean_validator,
json_schema_validation=parameter_types.boolean,
)
[docs]
def check_resource_immutable(resource_ref):
"""Check to see if a resource is immutable.
:param resource_ref: a dict reference of a resource to inspect
"""
return resource_ref.get('options', {}).get(
IMMUTABLE_OPT.option_name, False
)
[docs]
def check_immutable_update(
original_resource_ref, new_resource_ref, type, resource_id
):
"""Check if an update is allowed to an immutable resource.
Valid cases where an update is allowed:
* Resource is not immutable
* Resource is immutable, and update to set immutable to False or None
:param original_resource_ref: a dict resource reference representing
the current resource
:param new_resource_ref: a dict reference of the updates to perform
:param type: the resource type, e.g. 'project'
:param resource_id: the id of the resource (e.g. project['id']),
usually a UUID
:raises: ResourceUpdateForbidden
"""
immutable = check_resource_immutable(original_resource_ref)
if immutable:
new_options = new_resource_ref.get('options', {})
if type == "domain":
if (
new_resource_ref.get("is_domain", False) == True
and not new_resource_ref.get("domain_id")
and not new_resource_ref.get("parent_id")
):
# To keep next check happy - reject certain props for the domain set by default in
# `get_project_from_domain` if those ARE default
new_resource_ref.pop("is_domain")
new_resource_ref.pop("domain_id")
new_resource_ref.pop("parent_id")
# If resource is currently immutable - raise error in attempt to
# update more then 1 property while making resource mutable
# (first make mutable then update rest)
if (
(len(new_resource_ref.keys()) > 1)
or (IMMUTABLE_OPT.option_name not in new_options)
or (new_options[IMMUTABLE_OPT.option_name] not in (False, None))
):
raise exception.ResourceUpdateForbidden(
type=type, resource_id=resource_id
)
[docs]
def check_immutable_delete(resource_ref, resource_type, resource_id):
"""Check if a delete is allowed on a resource.
:param resource_ref: dict reference of the resource
:param resource_type: resource type (str) e.g. 'project'
:param resource_id: id of the resource (str) e.g. project['id']
:raises: ResourceDeleteForbidden
"""
if check_resource_immutable(resource_ref):
raise exception.ResourceDeleteForbidden(
type=resource_type, resource_id=resource_id
)