Reorganize user and access code

Move aws iam resources to heat/engine/resources/aws/user.py, and move OS::Heat::AccessPolicy to heat/engine/resources/openstack/access_policy.py. Change-Id: I390132cf2c8616c6b68771e0c6d8df460407fe97 Implements: blueprint decouple-aws-os-resources
2014-12-08 17:49:34 +08:00 · 2014-12-08 17:49:34 +08:00 · 6012fb94e4
commit 6012fb94e4
parent 7dcf6123db
3 changed files with 82 additions and 52 deletions
--- a/heat/engine/resources/aws/user.py
+++ b/heat/engine/resources/aws/user.py
@ -28,7 +28,9 @@ LOG = logging.getLogger(__name__)
 #
 # We are ignoring Groups as keystone does not support them.
 # For now support users and accesskeys,
-# We also now support a limited heat-native Policy implementation
+# We also now support a limited heat-native Policy implementation, and
+# the native access policy resource is located at:
+# heat/engine/resources/openstack/access_policy.py
 #


@ -267,43 +269,8 @@ class AccessKey(resource.Resource):
            self.resource_id, access_allowed)


-class AccessPolicy(resource.Resource):
-    PROPERTIES = (
-        ALLOWED_RESOURCES,
-    ) = (
-        'AllowedResources',
-    )
-
-    properties_schema = {
-        ALLOWED_RESOURCES: properties.Schema(
-            properties.Schema.LIST,
-            _('Resources that users are allowed to access by the '
-              'DescribeStackResource API.'),
-            required=True
-        ),
-    }
-
-    def handle_create(self):
-        pass
-
-    def validate(self):
-        """Make sure all the AllowedResources are present."""
-        super(AccessPolicy, self).validate()
-
-        resources = self.properties[self.ALLOWED_RESOURCES]
-        # All of the provided resource names must exist in this stack
-        for res in resources:
-            if res not in self.stack:
-                msg = _("AccessPolicy resource %s not in stack") % res
-                raise exception.StackValidationFailed(message=msg)
-
-    def access_allowed(self, resource_name):
-        return resource_name in self.properties[self.ALLOWED_RESOURCES]
-
-
 def resource_mapping():
    return {
        'AWS::IAM::User': User,
        'AWS::IAM::AccessKey': AccessKey,
-        'OS::Heat::AccessPolicy': AccessPolicy,
    }
--- a/heat/engine/resources/openstack/access_policy.py
+++ b/heat/engine/resources/openstack/access_policy.py
@ -0,0 +1,62 @@
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from heat.common import exception
+from heat.common.i18n import _
+from heat.engine import properties
+from heat.engine import resource
+
+#
+# Notes: Now this resource is actually associated with an AWS user resource,
+# not any OS:: resource though it is registered under the OS namespace below
+#
+
+
+class AccessPolicy(resource.Resource):
+    PROPERTIES = (
+        ALLOWED_RESOURCES,
+    ) = (
+        'AllowedResources',
+    )
+
+    properties_schema = {
+        ALLOWED_RESOURCES: properties.Schema(
+            properties.Schema.LIST,
+            _('Resources that users are allowed to access by the '
+              'DescribeStackResource API.'),
+            required=True
+        ),
+    }
+
+    def handle_create(self):
+        pass
+
+    def validate(self):
+        """Make sure all the AllowedResources are present."""
+        super(AccessPolicy, self).validate()
+
+        resources = self.properties[self.ALLOWED_RESOURCES]
+        # All of the provided resource names must exist in this stack
+        for res in resources:
+            if res not in self.stack:
+                msg = _("AccessPolicy resource %s not in stack") % res
+                raise exception.StackValidationFailed(message=msg)
+
+    def access_allowed(self, resource_name):
+        return resource_name in self.properties[self.ALLOWED_RESOURCES]
+
+
+def resource_mapping():
+    return {
+        'OS::Heat::AccessPolicy': AccessPolicy,
+    }
--- a/heat/tests/test_user.py
+++ b/heat/tests/test_user.py
@ -17,7 +17,8 @@ from heat.common import exception
 from heat.common import short_id
 from heat.common import template_format
 from heat.db import api as db_api
-from heat.engine.resources import user
+from heat.engine.resources.aws import user
+from heat.engine.resources.openstack import access_policy as ap
 from heat.engine import scheduler
 from heat.tests import common
 from heat.tests import fakes
@ -232,9 +233,9 @@ class UserTest(common.HeatTestCase):
                          rsrc.handle_create)

    def test_user_access_allowed(self):
-        self.m.StubOutWithMock(user.AccessPolicy, 'access_allowed')
-        user.AccessPolicy.access_allowed('a_resource').AndReturn(True)
-        user.AccessPolicy.access_allowed('b_resource').AndReturn(False)
+        self.m.StubOutWithMock(ap.AccessPolicy, 'access_allowed')
+        ap.AccessPolicy.access_allowed('a_resource').AndReturn(True)
+        ap.AccessPolicy.access_allowed('b_resource').AndReturn(False)

        self.m.ReplayAll()

@ -251,9 +252,9 @@ class UserTest(common.HeatTestCase):
        self.m.VerifyAll()

    def test_user_access_allowed_ignorepolicy(self):
-        self.m.StubOutWithMock(user.AccessPolicy, 'access_allowed')
-        user.AccessPolicy.access_allowed('a_resource').AndReturn(True)
-        user.AccessPolicy.access_allowed('b_resource').AndReturn(False)
+        self.m.StubOutWithMock(ap.AccessPolicy, 'access_allowed')
+        ap.AccessPolicy.access_allowed('a_resource').AndReturn(True)
+        ap.AccessPolicy.access_allowed('b_resource').AndReturn(False)

        self.m.ReplayAll()

@ -398,9 +399,9 @@ class AccessPolicyTest(common.HeatTestCase):

        resource_name = 'WebServerAccessPolicy'
        resource_defns = stack.t.resource_definitions(stack)
-        rsrc = user.AccessPolicy(resource_name,
-                                 resource_defns[resource_name],
-                                 stack)
+        rsrc = ap.AccessPolicy(resource_name,
+                               resource_defns[resource_name],
+                               stack)
        scheduler.TaskRunner(rsrc.create)()
        self.assertEqual((rsrc.CREATE, rsrc.COMPLETE), rsrc.state)

@ -411,9 +412,9 @@ class AccessPolicyTest(common.HeatTestCase):
        stack = utils.parse_stack(t)

        resource_defns = stack.t.resource_definitions(stack)
-        rsrc = user.AccessPolicy(resource_name,
-                                 resource_defns[resource_name],
-                                 stack)
+        rsrc = ap.AccessPolicy(resource_name,
+                               resource_defns[resource_name],
+                               stack)
        scheduler.TaskRunner(rsrc.create)()
        self.assertEqual((rsrc.CREATE, rsrc.COMPLETE), rsrc.state)

@ -432,9 +433,9 @@ class AccessPolicyTest(common.HeatTestCase):
        stack = utils.parse_stack(t)

        resource_defns = stack.t.resource_definitions(stack)
-        rsrc = user.AccessPolicy(resource_name,
-                                 resource_defns[resource_name],
-                                 stack)
+        rsrc = ap.AccessPolicy(resource_name,
+                               resource_defns[resource_name],
+                               stack)
        self.assertTrue(rsrc.access_allowed('WikiDatabase'))
        self.assertFalse(rsrc.access_allowed('NotWikiDatabase'))
        self.assertFalse(rsrc.access_allowed(None))