e744336385
C-6: ConnectorRuntime enforces capability_mask per operation.
READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire).
C-7: AC validated against database (exists, active, not expired)
before connector invocation.
C-9: Delegated AC capability bounded by delegator's capability.
C-10: Command counter uses atomic SQL increment with limit check.
M-23: expire_stale() uses same atomic SQL pattern.
H-1: Sensitive credential fields hidden from repr/logs via repr=False.
H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate.
H-3: Kerberos backend raises CredentialResolutionError instead of
returning stub ticket.
H-4: Chronicle INTENT emitted before execution, RESULT after.
H-5: device_id validated as UUID before Graph API URL interpolation.
H-8: ConnectorRuntime enforces governance for all connector invocations.
Signed-off-by: Tyler King <tking@guildhouse.dev>
34 lines
958 B
Python
34 lines
958 B
Python
# This file is dual licensed under the terms of the Apache License, Version
|
|
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
|
|
# for complete details.
|
|
|
|
from __future__ import annotations
|
|
|
|
import typing
|
|
|
|
from cryptography.hazmat.bindings._rust import x509 as rust_x509
|
|
from cryptography.x509.general_name import DNSName, IPAddress
|
|
|
|
__all__ = [
|
|
"ClientVerifier",
|
|
"Criticality",
|
|
"ExtensionPolicy",
|
|
"Policy",
|
|
"PolicyBuilder",
|
|
"ServerVerifier",
|
|
"Store",
|
|
"Subject",
|
|
"VerificationError",
|
|
"VerifiedClient",
|
|
]
|
|
|
|
Store = rust_x509.Store
|
|
Subject = typing.Union[DNSName, IPAddress]
|
|
VerifiedClient = rust_x509.VerifiedClient
|
|
ClientVerifier = rust_x509.ClientVerifier
|
|
ServerVerifier = rust_x509.ServerVerifier
|
|
PolicyBuilder = rust_x509.PolicyBuilder
|
|
Policy = rust_x509.Policy
|
|
ExtensionPolicy = rust_x509.ExtensionPolicy
|
|
Criticality = rust_x509.Criticality
|
|
VerificationError = rust_x509.VerificationError
|