Source code for request.authorization.est
"""Provides the 'EstAuthorization' class using the Composite pattern for modular EST authorization."""
from request.request_context import BaseRequestContext, EstBaseRequestContext
from trustpoint.logger import LoggerMixin
from .base import (
AuthorizationComponent,
CertificateProfileAuthorization,
CompositeAuthorization,
DomainScopeValidation,
OnboardingDomainCredentialAuthorization,
ProtocolAuthorization,
SecurityConfigAuthorization,
)
[docs]
class EstOperationAuthorization(AuthorizationComponent, LoggerMixin):
"""Ensures the request is authorized for the specified operation."""
def __init__(self, allowed_operations: list[str]) -> None:
"""Initialize the authorization component with a list of allowed operations."""
[docs]
self.allowed_operations = allowed_operations
[docs]
def authorize(self, context: BaseRequestContext) -> None:
"""Authorize the request based on the operation type."""
if not isinstance(context, EstBaseRequestContext):
exc_msg = 'EstOperationAuthorization requires an EstBaseRequestContext.'
raise TypeError(exc_msg)
operation = context.operation
if not operation:
error_message = 'Operation information is missing. Authorization denied.'
self.logger.warning('Operation authorization failed: Operation information is missing')
raise ValueError(error_message)
if operation not in self.allowed_operations:
error_message = (
f"Unauthorized operation: '{operation}'. "
f"Allowed operations: {', '.join(self.allowed_operations)}."
)
self.logger.warning(
'Operation authorization failed: %s not in allowed operations %s',
operation, self.allowed_operations
)
raise ValueError(error_message)
self.logger.debug('Operation authorization successful for operation: %s', operation)
[docs]
class EstAuthorization(CompositeAuthorization):
"""Composite authorization handler for EST requests."""
def __init__(self, allowed_operations: list[str] | None = None) -> None:
"""Initialize the composite authorization handler with the default set of components.
Args:
allowed_operations: List of allowed EST operations. Defaults to ['cr', 'ir'] if not provided.
"""
super().__init__()
if allowed_operations is None:
allowed_operations = ['simpleenroll', 'simplereenroll']
self.add(DomainScopeValidation())
self.add(CertificateProfileAuthorization())
self.add(OnboardingDomainCredentialAuthorization())
self.add(ProtocolAuthorization(['est']))
self.add(EstOperationAuthorization(allowed_operations))
self.add(SecurityConfigAuthorization())