request.authorization.baseΒΆ

Provides the AuthorizationComponent class for authorization logic.

Module ContentsΒΆ

class request.authorization.base.AuthorizationComponent[source]ΒΆ

Bases: abc.ABC

Abstract base class for authorization components.

abstractmethod authorize(context)[source]ΒΆ

Execute authorization logic.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.ProtocolAuthorization(allowed_protocols)[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Ensures the request is under the correct protocol: CMP or EST.

Parameters:

allowed_protocols (list[str])

allowed_protocols[source]ΒΆ
authorize(context)[source]ΒΆ

Authorize the request based on the protocol.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.CertificateProfileAuthorization[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Ensures the device is allowed to use the requested certificate profile.

authorize(context)[source]ΒΆ

Authorize the request based on the certificate profile.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.DomainScopeValidation[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Ensures the request is within the authorized domain.

authorize(context)[source]ΒΆ

Authorize the request based on the domain scope.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.OnboardingDomainCredentialAuthorization[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Ensures that a device requiring onboarding has a valid domain credential first.

authorize(context)[source]ΒΆ

Reject enrollment when the onboarding device lacks a valid domain credential.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.DevOwnerIDAuthorization[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Ensure that if this is an AOKI request, we have a matching DevOwnerID to the IDevID.

authorize(context)[source]ΒΆ

Authorize the request based on the DevOwnerID corresponding to the client certificate.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.SecurityConfigAuthorization[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Validates a certificate request against the active SecurityConfig policy.

authorize(context)[source]ΒΆ

Run all applicable SecurityConfig policy checks.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None

class request.authorization.base.CompositeAuthorization[source]ΒΆ

Bases: AuthorizationComponent, trustpoint.logger.LoggerMixin

Composite authorization handler for grouping and executing multiple authorization components.

components: list[AuthorizationComponent] = [][source]ΒΆ
add(component)[source]ΒΆ

Add a new authorization component to the composite.

Parameters:

component (AuthorizationComponent)

Return type:

None

remove(component)[source]ΒΆ

Remove an authorization component from the composite.

Parameters:

component (AuthorizationComponent)

Return type:

None

authorize(context)[source]ΒΆ

Iterate through all child authorization components and execute their authorization logic.

Parameters:

context (request.request_context.BaseRequestContext)

Return type:

None