# Copyright 2010 Google Inc.
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish, dis-
# tribute, sublicense, and/or sell copies of the Software, and to permit
# persons to whom the Software is furnished to do so, subject to the fol-
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
from boto.gs.user import User
from boto.exception import InvalidAclError
# Name of the root XML element that wraps a serialized ACL.
ACCESS_CONTROL_LIST = 'AccessControlList'
# Scope type that takes no sub-elements (see ALLOWED_SCOPE_TYPE_SUB_ELEMS).
ALL_AUTHENTICATED_USERS = 'AllAuthenticatedUsers'
# Scope type handled together with ALL_AUTHENTICATED_USERS in Scope.to_xml().
ALL_USERS = 'AllUsers'
# Scope sub-element carrying the grantee address for the *ByEmail scope types.
EMAIL_ADDRESS = 'EmailAddress'
# Scope type whose only allowed sub-element is DOMAIN.
GROUP_BY_DOMAIN = 'GroupByDomain'
# Scope type identified by EMAIL_ADDRESS (NAME may accompany it).
GROUP_BY_EMAIL = 'GroupByEmail'
# Scope type identified by ID (NAME may accompany it).
GROUP_BY_ID = 'GroupById'
# Name of the element carrying an entry's permission value.
PERMISSION = 'Permission'
# Scope type used by add_email_grant(); identified by EMAIL_ADDRESS.
USER_BY_EMAIL = 'UserByEmail'
# Scope type used by add_user_grant(); identified by ID.
USER_BY_ID = 'UserById'
# Canned ACL names recognized by this module (their consumers are outside
# this excerpt).
CannedACLStrings = [
    'private',
    'public-read',
    'project-private',
    'public-read-write',
    'authenticated-read',
    'bucket-owner-read',
    'bucket-owner-full-control',
]
# Permission values accepted in an ACL entry; the XML parser (Entry.endElement)
# rejects any other <Permission> value with InvalidAclError.
SupportedPermissions = ['READ', 'WRITE', 'FULL_CONTROL']
def __init__(self, parent=None):
# Owner is optional in GS ACLs.
if hasattr(self, 'owner'):
entries_repr = ['Owner:%s' % self.owner.__repr__()]
acl_entries = self.entries
for e in acl_entries.entry_list:
entries_repr.append(e.__repr__())
return '<%s>' % ', '.join(entries_repr)
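# Method with same signature as boto.s3.acl.ACL.add_email_grant(), to allow
# polymorphic treatment at application layer.
def add_email_grant(self, permission, email_address):
    """Append a UserByEmail entry granting ``permission`` to ``email_address``.

    :param permission: one of ``SupportedPermissions``. Any other value is
        rejected here with the same ``InvalidAclError`` the XML parser raises
        for an unsupported ``Permission`` element, so a bad value fails when
        the ACL is built rather than on the server round-trip.
    :param email_address: address of the grantee. ``Scope.to_xml()``
        interpolates it into the ``EmailAddress`` element with plain string
        formatting (no escaping is visible in this file), so callers should
        pass a validated address rather than raw untrusted input.
    :raises InvalidAclError: if ``permission`` is not supported.
    """
    if permission not in SupportedPermissions:
        raise InvalidAclError('Invalid Permission "%s"' % permission)
    entry = Entry(type=USER_BY_EMAIL, email_address=email_address,
                  permission=permission)
    self.entries.entry_list.append(entry)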
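# Method with same signature as boto.s3.acl.ACL.add_user_grant(), to allow
# polymorphic treatment at application layer.
def add_user_grant(self, permission, user_id):
    """Append a UserById entry granting ``permission`` to ``user_id``.

    :param permission: one of ``SupportedPermissions``. Any other value is
        rejected here with the same ``InvalidAclError`` the XML parser raises
        for an unsupported ``Permission`` element, so a bad value fails when
        the ACL is built rather than on the server round-trip.
    :param user_id: identifier of the grantee. ``Scope.to_xml()``
        interpolates it into the ``Id`` element with plain string formatting
        (no escaping is visible in this file), so callers should pass a
        validated identifier rather than raw untrusted input.
    :raises InvalidAclError: if ``permission`` is not supported.
    """
    if permission not in SupportedPermissions:
        raise InvalidAclError('Invalid Permission "%s"' % permission)
    entry = Entry(permission=permission, type=USER_BY_ID, id=user_id)
    self.entries.entry_list.append(entry)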
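def add_group_email_grant(self, permission, email_address):
    """Append a GroupByEmail entry granting ``permission`` to ``email_address``.

    :param permission: one of ``SupportedPermissions``. Any other value is
        rejected here with the same ``InvalidAclError`` the XML parser raises
        for an unsupported ``Permission`` element, so a bad value fails when
        the ACL is built rather than on the server round-trip.
    :param email_address: address of the group being granted access.
        ``Scope.to_xml()`` interpolates it into the ``EmailAddress`` element
        with plain string formatting (no escaping is visible in this file),
        so callers should pass a validated address rather than raw untrusted
        input.
    :raises InvalidAclError: if ``permission`` is not supported.
    """
    if permission not in SupportedPermissions:
        raise InvalidAclError('Invalid Permission "%s"' % permission)
    entry = Entry(type=GROUP_BY_EMAIL, email_address=email_address,
                  permission=permission)
    self.entries.entry_list.append(entry)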
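def add_group_grant(self, permission, group_id):
    """Append a GroupById entry granting ``permission`` to ``group_id``.

    :param permission: one of ``SupportedPermissions``. Any other value is
        rejected here with the same ``InvalidAclError`` the XML parser raises
        for an unsupported ``Permission`` element, so a bad value fails when
        the ACL is built rather than on the server round-trip.
    :param group_id: identifier of the group being granted access.
        ``Scope.to_xml()`` interpolates it into the ``Id`` element with plain
        string formatting (no escaping is visible in this file), so callers
        should pass a validated identifier rather than raw untrusted input.
    :raises InvalidAclError: if ``permission`` is not supported.
    """
    if permission not in SupportedPermissions:
        raise InvalidAclError('Invalid Permission "%s"' % permission)
    entry = Entry(type=GROUP_BY_ID, id=group_id, permission=permission)
    self.entries.entry_list.append(entry)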
def startElement(self, name, attrs, connection):
self.owner = User(self)
self.entries = Entries(self)
def endElement(self, name, value, connection):
elif name == ENTRIES:
setattr(self, name, value)
s = '<%s>' % ACCESS_CONTROL_LIST
# Owner is optional in GS ACLs.
if hasattr(self, 'owner'):
s += self.owner.to_xml()
acl_entries = self.entries
s += acl_entries.to_xml()
s += '</%s>' % ACCESS_CONTROL_LIST
def __init__(self, parent=None):
# Entries is the class that represents the same-named XML
# element. entry_list is the list within this class that holds the data.
for e in self.entry_list:
entries_repr.append(e.__repr__())
return '<Entries: %s>' % ', '.join(entries_repr)
def startElement(self, name, attrs, connection):
self.entry_list.append(entry)
def endElement(self, name, value, connection):
setattr(self, name, value)
for entry in self.entry_list:
s += '</%s>' % ENTRIES
# Class that represents a single (Scope, Permission) entry in an ACL.
def __init__(self, scope=None, type=None, id=None, name=None,
email_address=None, domain=None, permission=None):
scope = Scope(self, type, id, name, email_address, domain)
self.permission = permission
return '<%s: %s>' % (self.scope.__repr__(), self.permission.__repr__())
def startElement(self, name, attrs, connection):
if not TYPE in attrs:
raise InvalidAclError('Missing "%s" in "%s" part of ACL' %
self.scope = Scope(self, attrs[TYPE])
elif name == PERMISSION:
def endElement(self, name, value, connection):
elif name == PERMISSION:
value = value.strip()
if not value in SupportedPermissions:
raise InvalidAclError('Invalid Permission "%s"' % value)
self.permission = value
setattr(self, name, value)
s += self.scope.to_xml()
s += '<%s>%s</%s>' % (PERMISSION, self.permission, PERMISSION)
# Map from Scope type to list of allowed sub-elems.
ALLOWED_SCOPE_TYPE_SUB_ELEMS = {
ALL_AUTHENTICATED_USERS : [],
GROUP_BY_DOMAIN : [DOMAIN],
GROUP_BY_EMAIL : [EMAIL_ADDRESS, NAME],
GROUP_BY_ID : [ID, NAME],
USER_BY_EMAIL : [EMAIL_ADDRESS, NAME],
USER_BY_ID : [ID, NAME]
def __init__(self, parent, type=None, id=None, name=None,
email_address=None, domain=None):
self.email_address = email_address
if not self.ALLOWED_SCOPE_TYPE_SUB_ELEMS.has_key(self.type):
raise InvalidAclError('Invalid %s %s "%s" ' %
(SCOPE, TYPE, self.type))
named_entity = self.id
elif self.email_address:
named_entity = self.email_address
named_entity = self.domain
return '<%s: %s>' % (self.type, named_entity)
return '<%s>' % self.type
def startElement(self, name, attrs, connection):
    """Reject any child element that is not permitted for this scope's type.

    Looks up the sub-element names allowed for ``self.type`` in
    ``ALLOWED_SCOPE_TYPE_SUB_ELEMS`` and raises ``InvalidAclError`` when
    ``name`` is not one of them; otherwise returns None. ``attrs`` and
    ``connection`` are not used.
    """
    allowed_children = self.ALLOWED_SCOPE_TYPE_SUB_ELEMS[self.type]
    if name in allowed_children:
        return None
    raise InvalidAclError('Element "%s" not allowed in %s %s "%s" ' %
                          (name, SCOPE, TYPE, self.type))
def endElement(self, name, value, connection):
value = value.strip()
elif name == EMAIL_ADDRESS:
self.email_address = value
setattr(self, name, value)
s = '<%s type="%s">' % (SCOPE, self.type)
if self.type == ALL_AUTHENTICATED_USERS or self.type == ALL_USERS:
elif self.type == GROUP_BY_DOMAIN:
s += '<%s>%s</%s>' % (DOMAIN, self.domain, DOMAIN)
elif self.type == GROUP_BY_EMAIL or self.type == USER_BY_EMAIL:
s += '<%s>%s</%s>' % (EMAIL_ADDRESS, self.email_address,
s += '<%s>%s</%s>' % (NAME, self.name, NAME)
elif self.type == GROUP_BY_ID or self.type == USER_BY_ID:
s += '<%s>%s</%s>' % (ID, self.id, ID)
s += '<%s>%s</%s>' % (NAME, self.name, NAME)
# BUG(review): the format argument is passed as a second positional argument
# to InvalidAclError instead of being applied with `%`, so the message is
# never interpolated (should read `% self.type`). Whether InvalidAclError
# accepts a second argument is not visible in this file -- verify; the
# enclosing to_xml() branch is also only partially visible here.
raise InvalidAclError('Invalid scope type "%s" ', self.type)