permission
Shell Permission Module.
This module provides a role-based access control (RBAC) system for managing permissions in shell environments. It uses Pydantic models to define permission settings for different roles, allowing fine-grained control over which paths can be read from or written to, and which commands can be executed.
The module enables the creation of security profiles for different user roles, which can be used to enforce access restrictions in shell scripting, automation tools, or other security-sensitive contexts.
Examples
>>> from haive.tools.toolkits.dev.shell.permission import RBACConfig
>>> rbac = RBACConfig()
>>> rbac.can_execute("developer", "python")  # Check if developer can run python
True
>>> rbac.can_write("guest", "/home/guest/data")  # Check if guest can write to path
False
Classes
- RBACConfig: Defines role-based access control settings.
- RolePermissions: Defines permissions for a specific role.
Module Contents
- class permission.RBACConfig(/, **data: Any)
Bases: pydantic.BaseModel
Defines role-based access control settings.
This model represents a complete RBAC configuration, mapping role names to their respective permissions. It provides methods to check permissions and save/load configurations.
- roles
Dictionary mapping role names to RolePermissions objects.
- add_role(role_name: str, permissions: RolePermissions) -> None
Add a new role with specified permissions.
- Parameters:
role_name – The name of the role to add.
permissions – The permissions to assign to the role.
- Raises:
ValueError – If the role already exists.
- can_execute(role: str, command: str) -> bool
Check if a role has permission to execute a command.
- Parameters:
role – The role name to check permissions for.
command – The command to check execution permissions for.
- Returns:
True if the role has permission to execute the command, False otherwise.
- can_read(role: str, path: str) -> bool
Check if a role has permission to read from a path.
- Parameters:
role – The role name to check permissions for.
path – The filesystem path to check read permissions for.
- Returns:
True if the role has permission to read from the path, False otherwise.
- can_write(role: str, path: str) -> bool
Check if a role has permission to write to a path.
- Parameters:
role – The role name to check permissions for.
path – The filesystem path to check write permissions for.
- Returns:
True if the role has permission to write to the path, False otherwise.
- delete_role(role_name: str) -> None
Delete an existing role.
- Parameters:
role_name – The name of the role to delete.
- Raises:
ValueError – If the role does not exist.
- classmethod load_config(path: str = '.rbac_config.json') -> RBACConfig
Load RBAC settings from a file.
- Parameters:
path – The file path to load the configuration from.
- Returns:
A new RBACConfig instance with the loaded settings.
- Raises:
FileNotFoundError – If the file does not exist.
json.JSONDecodeError – If the file contains invalid JSON.
ValidationError – If the loaded data does not match the expected schema.
- save_config(path: str = '.rbac_config.json') -> None
Save RBAC settings to a file.
- Parameters:
path – The file path to save the configuration to.
- Raises:
PermissionError – If the file cannot be written to.
OSError – If another I/O error occurs.
- update_role(role_name: str, permissions: RolePermissions) -> None
Update an existing role with new permissions.
- Parameters:
role_name – The name of the role to update.
permissions – The new permissions to assign to the role.
- Raises:
ValueError – If the role does not exist.
- roles: dict[str, RolePermissions] = None
- class permission.RolePermissions(/, **data: Any)
Bases: pydantic.BaseModel
Defines permissions for a specific role.
This model represents the set of permissions granted to a specific role, including which paths can be read from or written to, and which commands can be executed.
- read
List of filesystem paths allowed for reading.
- write
List of filesystem paths allowed for writing.
- execute
List of commands allowed for execution.
- read: list[pathlib.Path] = None
- write: list[pathlib.Path] = None
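This page does not state how can_read, can_write and can_execute compare a request against the read, write and execute lists. The block below is an added example, not haive's code, showing one way to write such checks so that path traversal, sibling-directory prefixes and chained shell commands are refused. Role, path_allowed, command_allowed, naive_path_allowed and the /srv/guest paths are hypothetical names and constructed sample values.

```python
import shlex
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Role:
    """Hypothetical stand-in mirroring the documented fields: read, write, execute."""
    read: list[Path] = field(default_factory=list)
    write: list[Path] = field(default_factory=list)
    execute: list[str] = field(default_factory=list)


def path_allowed(allowed: list[Path], requested: str) -> bool:
    """True only if the normalised request is an allowed root or lies beneath one."""
    # resolve() collapses ".." and follows symlinks that exist, so a request
    # is judged by where it really points, not by how it is spelled.
    target = Path(requested).resolve()
    return any(target.is_relative_to(Path(root).resolve()) for root in allowed)


def naive_path_allowed(allowed: list[Path], requested: str) -> bool:
    """Weak form shown for contrast: raw string prefix, no normalisation."""
    return any(requested.startswith(str(root)) for root in allowed)


def command_allowed(allowed: list[str], command_line: str) -> bool:
    """True only for one plain command whose program name is allow-listed."""
    # An allow-list on the first word is meaningless if the string later
    # reaches a shell with a second command attached, so refuse metacharacters.
    if any(ch in command_line for ch in ";&|`$<>\n"):
        return False
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes
        return False
    # Exact match on the program name: "/tmp/python" is not "python".
    return bool(argv) and argv[0] in allowed


# Constructed sample role: read access to one directory, no write access.
GUEST = Role(read=[Path("/srv/guest/data")], execute=["ls", "python"])
```

A command that passes command_allowed should then be run from its parsed argument list rather than through a shell, so the string that was checked is the command that runs.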