39bd444a0c
This is the first step in moving the policy engine to django_openstack_auth. It makes the policy check method pluggable in openstack_dashboard as it is in horizon. To do this, the wrapper around the policy engine is moved to a new file isolated from the policy check method. A thin check method is left in policy.py to allow the code and policy mix-ins to behave as now. The existing policy test file is also moved for relocation. A new test file has been added to exercise the simpler check method. Once the actual engine is moved to django_openstack_auth, we'll be able to remove policy_backend.py and the test version of policy_backend.py as well. Partially Implemenents: blueprint move-policy-engine Change-Id: I591bcbe69bf255f1aa0346fdf869fac86d2e6d3d
53 lines
1.8 KiB
Python
53 lines
1.8 KiB
Python
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
from django.conf import settings
|
|
|
|
|
|
def check(actions, request, target=None):
|
|
"""Wrapper of the configurable policy method."""
|
|
|
|
policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
|
|
|
|
if policy_check:
|
|
return policy_check(actions, request, target)
|
|
|
|
return True
|
|
|
|
|
|
class PolicyTargetMixin(object):
|
|
"""Mixin that adds the get_policy_target function
|
|
|
|
policy_target_attrs - a tuple of tuples which defines
|
|
the relationship between attributes in the policy
|
|
target dict and attributes in the passed datum object.
|
|
policy_target_attrs can be overwritten by sub-classes
|
|
which do not use the default, so they can neatly define
|
|
their policy target information, without overriding the
|
|
entire get_policy_target function.
|
|
"""
|
|
|
|
policy_target_attrs = (("project_id", "tenant_id"),
|
|
("user_id", "user_id"),
|
|
("domain_id", "domain_id"))
|
|
|
|
def get_policy_target(self, request, datum=None):
|
|
policy_target = {}
|
|
for policy_attr, datum_attr in self.policy_target_attrs:
|
|
if datum:
|
|
policy_target[policy_attr] = getattr(datum, datum_attr, None)
|
|
else:
|
|
policy_target[policy_attr] = None
|
|
return policy_target
|