in modular_api/services/policy_service.py [0:0]
def validate_policy_item(item: dict) -> str | None:
"""
Returns str in case there is an error
:param item:
:return:
"""
if not isinstance(item.get('Effect'), str):
return ('field \'Effect\' of type string is '
'required for each policy item')
if not isinstance(item.get('Module'), str):
return ('field \'Module\' of type string is '
'required for each policy item')
if not isinstance(item.get('Resources'), list) or not all(
[isinstance(v, str) for v in item.get('Resources')]):
return ('field \'Resources\' of type list is '
'required for each policy item')
effect = item['Effect']
effect_allowed = ('Allow', 'Deny')
if effect not in effect_allowed:
return (f'incorrect \'{effect}\' value provided for \'Effect\' key. '
f'Allowed value: {", ".join(effect_allowed)}')
resources = item['Resources']
if not resources: # empty list
return ('resources property in policy can not be empty. To mark all '
'resources use "*" symbol')
for value in resources:
if value.startswith('/'):
return (
f'resource name started with \'/\' not allowed. '
f'Incorrect value: {value}'
)
if value.startswith(':'):
return (
f'resource name started with \':\' not allowed. '
f'Incorrect value: {value}'
)
if value.startswith('*') and value != '*':
return (
f'resource name started with \'*\' not allowed. '
f'Incorrect value: {value}. To Allow/Deny all in module`s '
f'content use \'*\' or \'group:*\' or \'group\\subgroup:*\''
)