Merge "Policy management for Climate"

climate/api/oshosts/service.py

@@ -14,20 +14,19 @@
 # limitations under the License.
 
 from climate.manager.oshosts import rpcapi as manager_rpcapi
-from climate.openstack.common import log as logging
+from climate import policy
-
-
-LOG = logging.getLogger(__name__)
 
 
 class API(object):
     def __init__(self):
         self.manager_rpcapi = manager_rpcapi.ManagerRPCAPI()
 
+    @policy.authorize('oshosts', 'get')
     def get_computehosts(self):
         """List all existing computehosts."""
         return self.manager_rpcapi.list_computehosts()
 
+    @policy.authorize('oshosts', 'create')
     def create_computehost(self, data):
         """Create new computehost.
 
@@ -37,6 +36,7 @@ class API(object):
 
         return self.manager_rpcapi.create_computehost(data)
 
+    @policy.authorize('oshosts', 'get')
     def get_computehost(self, host_id):
         """Get computehost by its ID.
 
@@ -45,6 +45,7 @@ class API(object):
         """
         return self.manager_rpcapi.get_computehost(host_id)
 
+    @policy.authorize('oshosts', 'update')
     def update_computehost(self, host_id, data):
         """Update computehost. Only name changing may be proceeded.
 
@@ -55,6 +56,7 @@ class API(object):
         """
         return self.manager_rpcapi.update_computehost(host_id, data)
 
+    @policy.authorize('oshosts', 'delete')
     def delete_computehost(self, host_id):
         """Delete specified computehost.
 

climate/api/service.py

@@ -16,6 +16,7 @@
 from climate import exceptions
 from climate.manager import rpcapi as manager_rpcapi
 from climate.openstack.common import log as logging
+from climate import policy
 
 
 LOG = logging.getLogger(__name__)
@@ -28,10 +29,12 @@ class API(object):
 
     ## Leases operations
 
+    @policy.authorize('leases', 'get')
     def get_leases(self):
         """List all existing leases."""
         return self.manager_rpcapi.list_leases()
 
+    @policy.authorize('leases', 'create')
     def create_lease(self, data):
         """Create new lease.
 
@@ -43,6 +46,7 @@ class API(object):
         data.update({'trust': trust})
         return self.manager_rpcapi.create_lease(data)
 
+    @policy.authorize('leases', 'get')
     def get_lease(self, lease_id):
         """Get lease by its ID.
 
@@ -51,6 +55,7 @@ class API(object):
         """
         return self.manager_rpcapi.get_lease(lease_id)
 
+    @policy.authorize('leases', 'update')
     def update_lease(self, lease_id, data):
         """Update lease. Only name changing and prolonging may be proceeded.
 
@@ -76,6 +81,7 @@ class API(object):
             data['start_date'] = start_date
         return self.manager_rpcapi.update_lease(lease_id, data)
 
+    @policy.authorize('leases', 'delete')
     def delete_lease(self, lease_id):
         """Delete specified lease.
 
@@ -86,6 +92,7 @@ class API(object):
 
     ## Plugins operations
 
+    @policy.authorize('plugins', 'get')
     def get_plugins(self):
         """List all possible plugins."""
         pass

climate/policy.py

@@ -0,0 +1,111 @@
+# Copyright (c) 2013 Bull.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Policy Engine For Climate."""
+
+import functools
+from oslo.config import cfg
+
+from climate import context
+from climate import exceptions
+from climate.openstack.common import log as logging
+from climate.openstack.common import policy
+
+CONF = cfg.CONF
+
+LOG = logging.getLogger(__name__)
+
+_ENFORCER = None
+
+
+def reset():
+    global _ENFORCER
+
+    if _ENFORCER:
+        _ENFORCER.clear()
+    _ENFORCER = None
+
+
+def init():
+    global _ENFORCER
+    if not _ENFORCER:
+        LOG.debug("Enforcer not present, recreating at init stage.")
+        _ENFORCER = policy.Enforcer()
+
+
+def set_rules(data, default_rule=None):
+    default_rule = default_rule or CONF.policy_default_rule
+    if not _ENFORCER:
+        LOG.debug("Enforcer not present, recreating at rules stage.")
+        init()
+    if default_rule:
+        _ENFORCER.default_rule = default_rule
+    _ENFORCER.set_rules(policy.Rules.load_json(data, default_rule))
+
+
+def enforce(context, action, target, do_raise=True):
+    """Verifies that the action is valid on the target in this context.
+
+       :param context: climate context
+       :param action: string representing the action to be checked
+           this should be colon separated for clarity.
+           i.e. ``compute:create_instance``,
+           ``compute:attach_volume``,
+           ``volume:attach_volume``
+       :param target: dictionary representing the object of the action
+           for object creation this should be a dictionary representing the
+           location of the object e.g. ``{'tenant_id': context.tenant_id}``
+       :param do_raise: if True (the default), raises PolicyNotAuthorized;
+           if False, returns False
+
+       :raises climate.exceptions.PolicyNotAuthorized: if verification fails
+           and do_raise is True.
+
+       :return: returns a non-False value (not necessarily "True") if
+           authorized, and the exact value False if not authorized and
+           do_raise is False.
+    """
+
+    init()
+
+    credentials = context.to_dict()
+
+    # Add the exceptions arguments if asked to do a raise
+    extra = {}
+    if do_raise:
+        extra.update(exc=exceptions.PolicyNotAuthorized, action=action)
+
+    return _ENFORCER.enforce(action, target, credentials, do_raise=do_raise,
+                             **extra)
+
+
+def authorize(extension, action=None, api='climate', ctx=None,
+              target=None):
+    def decorator(func):
+
+        @functools.wraps(func)
+        def wrapped(self, *args, **kwargs):
+            cur_ctx = ctx or context.current()
+            tgt = target or {'tenant_id': cur_ctx.tenant_id,
+                             'user_id': cur_ctx.user_id}
+            if action is None:
+                act = '%s:%s' % (api, extension)
+            else:
+                act = '%s:%s:%s' % (api, extension, action)
+            enforce(cur_ctx, act, tgt)
+            return func(self, *args, **kwargs)
+
+        return wrapped
+    return decorator

climate/tests/__init__.py

@@ -22,11 +22,13 @@ from oslo.config import cfg
 from climate import context
 from climate.db.sqlalchemy import api as db_api
 from climate.openstack.common.db.sqlalchemy import session as db_session
+from climate.openstack.common import fileutils
 from climate.openstack.common.fixture import config
 from climate.openstack.common.fixture import mockpatch
 from climate.openstack.common import log as logging
+from climate.openstack.common import policy as common_policy
 from climate.openstack.common import test
-
+from climate.tests import fake_policy
 
 CONF = cfg.CONF
 CONF.set_override('use_stderr', False)
@@ -66,6 +68,13 @@ class TestCase(test.BaseTestCase):
         self.useFixture(config.Config())
         self.context_mock = None
 
+        self.fileutils = fileutils
+        self.read_cached_file = self.patch(self.fileutils, 'read_cached_file')
+        self.read_cached_file.return_value = (True, fake_policy.policy_data)
+        self.common_policy = common_policy
+        self.patch(self.common_policy.Enforcer, '_get_policy_path')
+        CONF.set_override('policy_file', 'fake')
+
     def patch(self, obj, attr):
         """Returns a Mocked object on the patched attribute."""
         mockfixture = self.useFixture(mockpatch.PatchObject(obj, attr))

climate/tests/fake_policy.py

@@ -0,0 +1,28 @@
+# Copyright (c) 2013 Bull.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+policy_data = """
+{
+
+    "admin": "is_admin:True or role:admin or role:masterofuniverse",
+    "admin_or_owner":  "rule:admin or tenant_id:%(tenant_id)s",
+    "default": "!",
+
+    "admin_api": "rule:admin",
+    "climate:leases": "rule:admin_or_owner",
+    "climate:leases:get": "rule:admin_or_owner",
+    "climate:os-hosts": "rule:admin_api"
+}
+"""

climate/tests/test_policy.py

@@ -0,0 +1,137 @@
+# Copyright (c) 2013 Bull.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Test of Policy Engine For Climate."""
+
+from oslo.config import cfg
+
+from climate import context
+from climate import exceptions
+from climate import policy
+from climate import tests
+
+CONF = cfg.CONF
+
+
+class DefaultPolicyTestCase(tests.TestCase):
+
+    def setUp(self):
+        super(DefaultPolicyTestCase, self).setUp()
+
+        self.rules = """
+        {
+            "default": "",
+            "example:exist": "!",
+            "example:allowed": "@",
+            "example:my_file": "role:admin or \
+                               tenant_id:%(tenant_id)s"
+        }
+        """
+
+        self.default_rule = None
+        policy.reset()
+        self.read_cached_file.return_value = (True, self.rules)
+        self.context = context.ClimateContext(user_id='fake', tenant_id='fake',
+                                              roles=['member'])
+
+    def _set_rules(self, default_rule):
+        self.default_rule = default_rule
+        policy.set_rules(self.rules, default_rule)
+
+    def test_policy_called(self):
+        self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
+                          self.context, "example:exist", {})
+
+    def test_not_found_policy_calls_default(self):
+        result = policy.enforce(self.context, "example:noexist", {}, False)
+        self.assertEqual(result, True)
+
+    def test_default_not_found(self):
+        self._set_rules("default_noexist")
+        self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
+                          self.context, "example:noexist", {})
+
+    def test_enforce_good_action(self):
+        action = "example:allowed"
+        result = policy.enforce(self.context, action, {}, False)
+        self.assertEqual(result, True)
+
+    def test_templatized_enforcement(self):
+        target_mine = {'tenant_id': 'fake'}
+        target_not_mine = {'tenant_id': 'another'}
+        action = "example:my_file"
+        policy.enforce(self.context, action, target_mine)
+        self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
+                          self.context, action, target_not_mine)
+
+
+class ClimatePolicyTestCase(tests.TestCase):
+
+    def setUp(self):
+        super(ClimatePolicyTestCase, self).setUp()
+
+        self.context = context.ClimateContext(user_id='fake', tenant_id='fake',
+                                              roles=['member'])
+
+    def test_standardpolicy(self):
+        target_good = {'user_id': self.context.user_id,
+                       'tenant_id': self.context.tenant_id}
+        target_wrong = {'user_id': self.context.user_id,
+                        'tenant_id': 'bad_tenant'}
+        action = "climate:leases"
+        self.assertEqual(True, policy.enforce(self.context, action,
+                                              target_good))
+        self.assertEqual(False, policy.enforce(self.context, action,
+                                               target_wrong, False))
+
+    def test_adminpolicy(self):
+        target = {'user_id': self.context.user_id,
+                  'tenant_id': self.context.tenant_id}
+        action = "climate:os-hosts"
+        self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
+                          self.context, action, target)
+
+    def test_elevatedpolicy(self):
+        target = {'user_id': self.context.user_id,
+                  'tenant_id': self.context.tenant_id}
+        action = "climate:os-hosts"
+        self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
+                          self.context, action, target)
+        elevated_context = self.context.elevated()
+        self.assertEqual(True,
+                         policy.enforce(elevated_context, action, target))
+
+    def test_authorize(self):
+
+        @policy.authorize('leases', ctx=self.context)
+        def user_method(self):
+            return True
+
+        @policy.authorize('leases', 'get', ctx=self.context)
+        def user_method_with_action(self):
+            return True
+
+        @policy.authorize('oshosts', ctx=self.context)
+        def adminonly_method(self):
+            return True
+
+        self.assertEqual(True, user_method(self))
+        self.assertEqual(True, user_method_with_action(self))
+        try:
+            adminonly_method(self)
+            self.assertTrue(False)
+        except exceptions.PolicyNotAuthorized:
+            # We are expecting this exception
+            self.assertTrue(True)

etc/policy.json

@@ -0,0 +1,20 @@
+{
+    "admin": "is_admin:True or role:admin or role:masterofuniverse",
+
+    "admin_or_owner":  "rule:admin or tenant_id:%(tenant_id)s",
+
+    "default": "!",
+    "admin_api": "rule:admin",
+
+    "climate:leases:get": "rule:admin_or_owner",
+    "climate:leases:create": "rule:admin_or_owner",
+    "climate:leases:delete": "rule:admin_or_owner",
+    "climate:leases:update": "rule:admin_or_owner",
+
+    "climate:plugins:get": "@",
+
+    "climate:oshosts:get": "rule:admin_or_owner",
+    "climate:oshosts:create": "rule:admin_api",
+    "climate:oshosts:delete": "rule:admin_api",
+    "climate:oshosts:update": "rule:admin_api"
+}