582dee6fb9
This PS implements oslo.policy integration in Deckhand.
The policy.py file implements 2 types of functions for
performing policy enforcement in Deckhand: authorize,
which is a decorator that is used directly around
falcon on_HTTP_VERB methods that raises a 403 immediately
if policy enforcement fails; and conditional_authorize,
to be used inside controller code conditionally.
For example, since Deckhand has two types of documents
with respect to security -- encrypted and cleartext
documents -- policy enforcement is conditioned on the
type of the documents' metadata.storagePolicy.
Included in this PS:
- policy framework implementation
- policy in code and policy documentation for all
Deckhand policies
- modification of functional test script to override
default admin-only policies with custom policy file
dynamically created using lax permissions
- bug fix for filtering out deleted documents (and
its predecessors in previous revisions) for
PUT /revisions/{revision_id}/documents
- policy documentation
- basic unit tests for policy enforcement framework
- allow functional tests to be filtered via regex
Due to the size of this PS, functional tests related to
policy enforcement will be done in a follow up.
Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
76 lines
2.2 KiB
Python
76 lines
2.2 KiB
Python
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from oslo_policy import policy
|
|
|
|
from deckhand.policies import base
|
|
|
|
|
|
revision_tag_policies = [
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'create_tag',
|
|
base.RULE_ADMIN_API,
|
|
"Create a revision tag.",
|
|
[
|
|
{
|
|
'method': 'POST',
|
|
'path': '/api/v1.0/revisions/{revision_id}/tags'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'show_tag',
|
|
base.RULE_ADMIN_API,
|
|
"Show details for a revision tag.",
|
|
[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/api/v1.0/revisions/{revision_id}/tags/{tag}'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'list_tags',
|
|
base.RULE_ADMIN_API,
|
|
"List all tags for a revision.",
|
|
[
|
|
{
|
|
'method': 'GET',
|
|
'path': '/api/v1.0/revisions/{revision_id}/tags'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'delete_tag',
|
|
base.RULE_ADMIN_API,
|
|
"Delete a revision tag.",
|
|
[
|
|
{
|
|
'method': 'DELETE',
|
|
'path': '/api/v1.0/revisions/{revision_id}/tags/{tag}'
|
|
}
|
|
]),
|
|
policy.DocumentedRuleDefault(
|
|
base.POLICY_ROOT % 'delete_tags',
|
|
base.RULE_ADMIN_API,
|
|
"Delete all tags for a revision.",
|
|
[
|
|
{
|
|
'method': 'DELETE',
|
|
'path': '/api/v1.0/revisions/{revision_id}/tags'
|
|
}
|
|
])
|
|
]
|
|
|
|
|
|
def list_rules():
|
|
return revision_tag_policies
|