582dee6fb9
This PS implements oslo.policy integration in Deckhand. The policy.py file implements 2 types of functions for performing policy enforcement in Deckhand: authorize, a decorator used directly around falcon on_HTTP_VERB methods that raises a 403 immediately if policy enforcement fails; and conditional_authorize, to be used inside controller code conditionally. For example, since Deckhand has two types of documents with respect to security -- encrypted and cleartext documents -- policy enforcement is conditioned on the type of the documents' metadata.storagePolicy. Included in this PS: - policy framework implementation - policy in code and policy documentation for all Deckhand policies - modification of the functional test script to override default admin-only policies with a custom policy file dynamically created using lax permissions - bug fix for filtering out deleted documents (and their predecessors in previous revisions) for PUT /revisions/{revision_id}/documents - policy documentation - basic unit tests for the policy enforcement framework - allow functional tests to be filtered via regex Due to the size of this PS, functional tests related to policy enforcement will be done in a follow-up. Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy
from deckhand.policies import base
# One row per revision-tag API operation:
# (policy-name suffix, description, HTTP method, URI path).
# Every rule below is registered with the same admin-only default check
# (base.RULE_ADMIN_API); operators relax it via the deployed policy file,
# not by editing this module.
_TAG_RULE_TABLE = (
    ('create_tag', "Create a revision tag.",
     'POST', '/api/v1.0/revisions/{revision_id}/tags'),
    ('show_tag', "Show details for a revision tag.",
     'GET', '/api/v1.0/revisions/{revision_id}/tags/{tag}'),
    ('list_tags', "List all tags for a revision.",
     'GET', '/api/v1.0/revisions/{revision_id}/tags'),
    ('delete_tag', "Delete a revision tag.",
     'DELETE', '/api/v1.0/revisions/{revision_id}/tags/{tag}'),
    ('delete_tags', "Delete all tags for a revision.",
     'DELETE', '/api/v1.0/revisions/{revision_id}/tags'),
)

# Documented policy rules for the revision-tag endpoints, in the order of
# _TAG_RULE_TABLE. This list is what ``list_rules()`` hands back to
# oslo.policy, so it must stay a list of DocumentedRuleDefault objects.
revision_tag_policies = [
    policy.DocumentedRuleDefault(
        name=base.POLICY_ROOT % suffix,
        check_str=base.RULE_ADMIN_API,
        description=description,
        operations=[{'method': method, 'path': path}],
    )
    for suffix, description, method, path in _TAG_RULE_TABLE
]
def list_rules():
    """Return the revision-tag policy rules for oslo.policy registration.

    Returns the module-level ``revision_tag_policies`` list itself (not a
    copy), so callers should treat the result as read-only.
    """
    return revision_tag_policies