Merge "Use oslo_policy lib instead of oslo-incubator code"
This commit is contained in:
commit
9dba8de36f
@ -425,6 +425,7 @@ def main():
|
|||||||
sys.exit(2)
|
sys.exit(2)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
log.register_options(CONF)
|
||||||
CONF(sys.argv[1:], project='manila',
|
CONF(sys.argv[1:], project='manila',
|
||||||
version=version.version_string())
|
version=version.version_string())
|
||||||
log.setup(CONF, "manila")
|
log.setup(CONF, "manila")
|
||||||
|
@ -1,924 +0,0 @@
|
|||||||
# Copyright (c) 2012 OpenStack Foundation.
|
|
||||||
# All Rights Reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License. You may obtain
|
|
||||||
# a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
||||||
# License for the specific language governing permissions and limitations
|
|
||||||
# under the License.
|
|
||||||
|
|
||||||
"""
|
|
||||||
Common Policy Engine Implementation
|
|
||||||
|
|
||||||
Policies can be expressed in one of two forms: A list of lists, or a
|
|
||||||
string written in the new policy language.
|
|
||||||
|
|
||||||
In the list-of-lists representation, each check inside the innermost
|
|
||||||
list is combined as with an "and" conjunction--for that check to pass,
|
|
||||||
all the specified checks must pass. These innermost lists are then
|
|
||||||
combined as with an "or" conjunction. This is the original way of
|
|
||||||
expressing policies, but there now exists a new way: the policy
|
|
||||||
language.
|
|
||||||
|
|
||||||
In the policy language, each check is specified the same way as in the
|
|
||||||
list-of-lists representation: a simple "a:b" pair that is matched to
|
|
||||||
the correct code to perform that check. However, conjunction
|
|
||||||
operators are available, allowing for more expressiveness in crafting
|
|
||||||
policies.
|
|
||||||
|
|
||||||
As an example, take the following rule, expressed in the list-of-lists
|
|
||||||
representation::
|
|
||||||
|
|
||||||
[["role:admin"], ["project_id:%(project_id)s", "role:projectadmin"]]
|
|
||||||
|
|
||||||
In the policy language, this becomes::
|
|
||||||
|
|
||||||
role:admin or (project_id:%(project_id)s and role:projectadmin)
|
|
||||||
|
|
||||||
The policy language also has the "not" operator, allowing a richer
|
|
||||||
policy rule::
|
|
||||||
|
|
||||||
project_id:%(project_id)s and not role:dunce
|
|
||||||
|
|
||||||
It is possible to perform policy checks on the following user
|
|
||||||
attributes (obtained through the token): user_id, domain_id or
|
|
||||||
project_id::
|
|
||||||
|
|
||||||
domain_id:<some_value>
|
|
||||||
|
|
||||||
Attributes sent along with API calls can be used by the policy engine
|
|
||||||
(on the right side of the expression), by using the following syntax::
|
|
||||||
|
|
||||||
<some_value>:user.id
|
|
||||||
|
|
||||||
Contextual attributes of objects identified by their IDs are loaded
|
|
||||||
from the database. They are also available to the policy engine and
|
|
||||||
can be checked through the `target` keyword::
|
|
||||||
|
|
||||||
<some_value>:target.role.name
|
|
||||||
|
|
||||||
All these attributes (related to users, API calls, and context) can be
|
|
||||||
checked against each other or against constants, be it literals (True,
|
|
||||||
<a_number>) or strings.
|
|
||||||
|
|
||||||
Finally, two special policy checks should be mentioned; the policy
|
|
||||||
check "@" will always accept an access, and the policy check "!" will
|
|
||||||
always reject an access. (Note that if a rule is either the empty
|
|
||||||
list ("[]") or the empty string, this is equivalent to the "@" policy
|
|
||||||
check.) Of these, the "!" policy check is probably the most useful,
|
|
||||||
as it allows particular rules to be explicitly disabled.
|
|
||||||
"""
|
|
||||||
|
|
||||||
import abc
|
|
||||||
import ast
|
|
||||||
import os
|
|
||||||
import re
|
|
||||||
|
|
||||||
from oslo.config import cfg
|
|
||||||
from oslo.serialization import jsonutils
|
|
||||||
import six
|
|
||||||
import six.moves.urllib.parse as urlparse
|
|
||||||
import six.moves.urllib.request as urlrequest
|
|
||||||
|
|
||||||
from manila.openstack.common import fileutils
|
|
||||||
from manila.openstack.common._i18n import _, _LE, _LW
|
|
||||||
from manila.openstack.common import log as logging
|
|
||||||
|
|
||||||
|
|
||||||
policy_opts = [
|
|
||||||
cfg.StrOpt('policy_file',
|
|
||||||
default='policy.json',
|
|
||||||
help=_('The JSON file that defines policies.')),
|
|
||||||
cfg.StrOpt('policy_default_rule',
|
|
||||||
default='default',
|
|
||||||
help=_('Default rule. Enforced when a requested rule is not '
|
|
||||||
'found.')),
|
|
||||||
cfg.MultiStrOpt('policy_dirs',
|
|
||||||
default=['policy.d'],
|
|
||||||
help=_('Directories where policy configuration files are '
|
|
||||||
'stored')),
|
|
||||||
]
|
|
||||||
|
|
||||||
CONF = cfg.CONF
|
|
||||||
CONF.register_opts(policy_opts)
|
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
_checks = {}
|
|
||||||
|
|
||||||
|
|
||||||
class PolicyNotAuthorized(Exception):
|
|
||||||
|
|
||||||
def __init__(self, rule):
|
|
||||||
msg = _("Policy doesn't allow %s to be performed.") % rule
|
|
||||||
super(PolicyNotAuthorized, self).__init__(msg)
|
|
||||||
|
|
||||||
|
|
||||||
class Rules(dict):
|
|
||||||
"""A store for rules. Handles the default_rule setting directly."""
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def load_json(cls, data, default_rule=None):
|
|
||||||
"""Allow loading of JSON rule data."""
|
|
||||||
|
|
||||||
# Suck in the JSON data and parse the rules
|
|
||||||
rules = dict((k, parse_rule(v)) for k, v in
|
|
||||||
jsonutils.loads(data).items())
|
|
||||||
|
|
||||||
return cls(rules, default_rule)
|
|
||||||
|
|
||||||
def __init__(self, rules=None, default_rule=None):
|
|
||||||
"""Initialize the Rules store."""
|
|
||||||
|
|
||||||
super(Rules, self).__init__(rules or {})
|
|
||||||
self.default_rule = default_rule
|
|
||||||
|
|
||||||
def __missing__(self, key):
|
|
||||||
"""Implements the default rule handling."""
|
|
||||||
|
|
||||||
if isinstance(self.default_rule, dict):
|
|
||||||
raise KeyError(key)
|
|
||||||
|
|
||||||
# If the default rule isn't actually defined, do something
|
|
||||||
# reasonably intelligent
|
|
||||||
if not self.default_rule:
|
|
||||||
raise KeyError(key)
|
|
||||||
|
|
||||||
if isinstance(self.default_rule, BaseCheck):
|
|
||||||
return self.default_rule
|
|
||||||
|
|
||||||
# We need to check this or we can get infinite recursion
|
|
||||||
if self.default_rule not in self:
|
|
||||||
raise KeyError(key)
|
|
||||||
|
|
||||||
elif isinstance(self.default_rule, six.string_types):
|
|
||||||
return self[self.default_rule]
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Dumps a string representation of the rules."""
|
|
||||||
|
|
||||||
# Start by building the canonical strings for the rules
|
|
||||||
out_rules = {}
|
|
||||||
for key, value in self.items():
|
|
||||||
# Use empty string for singleton TrueCheck instances
|
|
||||||
if isinstance(value, TrueCheck):
|
|
||||||
out_rules[key] = ''
|
|
||||||
else:
|
|
||||||
out_rules[key] = str(value)
|
|
||||||
|
|
||||||
# Dump a pretty-printed JSON representation
|
|
||||||
return jsonutils.dumps(out_rules, indent=4)
|
|
||||||
|
|
||||||
|
|
||||||
class Enforcer(object):
|
|
||||||
"""Responsible for loading and enforcing rules.
|
|
||||||
|
|
||||||
:param policy_file: Custom policy file to use, if none is
|
|
||||||
specified, `CONF.policy_file` will be
|
|
||||||
used.
|
|
||||||
:param rules: Default dictionary / Rules to use. It will be
|
|
||||||
considered just in the first instantiation. If
|
|
||||||
`load_rules(True)`, `clear()` or `set_rules(True)`
|
|
||||||
is called this will be overwritten.
|
|
||||||
:param default_rule: Default rule to use, CONF.default_rule will
|
|
||||||
be used if none is specified.
|
|
||||||
:param use_conf: Whether to load rules from cache or config file.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, policy_file=None, rules=None,
|
|
||||||
default_rule=None, use_conf=True):
|
|
||||||
self.default_rule = default_rule or CONF.policy_default_rule
|
|
||||||
self.rules = Rules(rules, self.default_rule)
|
|
||||||
|
|
||||||
self.policy_path = None
|
|
||||||
self.policy_file = policy_file or CONF.policy_file
|
|
||||||
self.use_conf = use_conf
|
|
||||||
|
|
||||||
def set_rules(self, rules, overwrite=True, use_conf=False):
|
|
||||||
"""Create a new Rules object based on the provided dict of rules.
|
|
||||||
|
|
||||||
:param rules: New rules to use. It should be an instance of dict.
|
|
||||||
:param overwrite: Whether to overwrite current rules or update them
|
|
||||||
with the new rules.
|
|
||||||
:param use_conf: Whether to reload rules from cache or config file.
|
|
||||||
"""
|
|
||||||
|
|
||||||
if not isinstance(rules, dict):
|
|
||||||
raise TypeError(_("Rules must be an instance of dict or Rules, "
|
|
||||||
"got %s instead") % type(rules))
|
|
||||||
self.use_conf = use_conf
|
|
||||||
if overwrite:
|
|
||||||
self.rules = Rules(rules, self.default_rule)
|
|
||||||
else:
|
|
||||||
self.rules.update(rules)
|
|
||||||
|
|
||||||
def clear(self):
|
|
||||||
"""Clears Enforcer rules, policy's cache and policy's path."""
|
|
||||||
self.set_rules({})
|
|
||||||
fileutils.delete_cached_file(self.policy_path)
|
|
||||||
self.default_rule = None
|
|
||||||
self.policy_path = None
|
|
||||||
|
|
||||||
def load_rules(self, force_reload=False):
|
|
||||||
"""Loads policy_path's rules.
|
|
||||||
|
|
||||||
Policy file is cached and will be reloaded if modified.
|
|
||||||
|
|
||||||
:param force_reload: Whether to overwrite current rules.
|
|
||||||
"""
|
|
||||||
|
|
||||||
if force_reload:
|
|
||||||
self.use_conf = force_reload
|
|
||||||
|
|
||||||
if self.use_conf:
|
|
||||||
if not self.policy_path:
|
|
||||||
self.policy_path = self._get_policy_path(self.policy_file)
|
|
||||||
|
|
||||||
self._load_policy_file(self.policy_path, force_reload)
|
|
||||||
for path in CONF.policy_dirs:
|
|
||||||
try:
|
|
||||||
path = self._get_policy_path(path)
|
|
||||||
except cfg.ConfigFilesNotFoundError:
|
|
||||||
LOG.warn(_LW("Can not find policy directories %s"), path)
|
|
||||||
continue
|
|
||||||
self._walk_through_policy_directory(path,
|
|
||||||
self._load_policy_file,
|
|
||||||
force_reload, False)
|
|
||||||
|
|
||||||
def _walk_through_policy_directory(self, path, func, *args):
|
|
||||||
# We do not iterate over sub-directories.
|
|
||||||
policy_files = next(os.walk(path))[2]
|
|
||||||
policy_files.sort()
|
|
||||||
for policy_file in [p for p in policy_files if not p.startswith('.')]:
|
|
||||||
func(os.path.join(path, policy_file), *args)
|
|
||||||
|
|
||||||
def _load_policy_file(self, path, force_reload, overwrite=True):
|
|
||||||
reloaded, data = fileutils.read_cached_file(
|
|
||||||
path, force_reload=force_reload)
|
|
||||||
if reloaded or not self.rules:
|
|
||||||
rules = Rules.load_json(data, self.default_rule)
|
|
||||||
self.set_rules(rules, overwrite)
|
|
||||||
LOG.debug("Rules successfully reloaded")
|
|
||||||
|
|
||||||
def _get_policy_path(self, path):
|
|
||||||
"""Locate the policy json data file/path.
|
|
||||||
|
|
||||||
:param path: It's value can be a full path or related path. When
|
|
||||||
full path specified, this function just returns the full
|
|
||||||
path. When related path specified, this function will
|
|
||||||
search configuration directories to find one that exists.
|
|
||||||
|
|
||||||
:returns: The policy path
|
|
||||||
|
|
||||||
:raises: ConfigFilesNotFoundError if the file/path couldn't
|
|
||||||
be located.
|
|
||||||
"""
|
|
||||||
policy_path = CONF.find_file(path)
|
|
||||||
|
|
||||||
if policy_path:
|
|
||||||
return policy_path
|
|
||||||
|
|
||||||
raise cfg.ConfigFilesNotFoundError((path,))
|
|
||||||
|
|
||||||
def enforce(self, rule, target, creds, do_raise=False,
|
|
||||||
exc=None, *args, **kwargs):
|
|
||||||
"""Checks authorization of a rule against the target and credentials.
|
|
||||||
|
|
||||||
:param rule: A string or BaseCheck instance specifying the rule
|
|
||||||
to evaluate.
|
|
||||||
:param target: As much information about the object being operated
|
|
||||||
on as possible, as a dictionary.
|
|
||||||
:param creds: As much information about the user performing the
|
|
||||||
action as possible, as a dictionary.
|
|
||||||
:param do_raise: Whether to raise an exception or not if check
|
|
||||||
fails.
|
|
||||||
:param exc: Class of the exception to raise if the check fails.
|
|
||||||
Any remaining arguments passed to enforce() (both
|
|
||||||
positional and keyword arguments) will be passed to
|
|
||||||
the exception class. If not specified, PolicyNotAuthorized
|
|
||||||
will be used.
|
|
||||||
|
|
||||||
:return: Returns False if the policy does not allow the action and
|
|
||||||
exc is not provided; otherwise, returns a value that
|
|
||||||
evaluates to True. Note: for rules using the "case"
|
|
||||||
expression, this True value will be the specified string
|
|
||||||
from the expression.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.load_rules()
|
|
||||||
|
|
||||||
# Allow the rule to be a Check tree
|
|
||||||
if isinstance(rule, BaseCheck):
|
|
||||||
result = rule(target, creds, self)
|
|
||||||
elif not self.rules:
|
|
||||||
# No rules to reference means we're going to fail closed
|
|
||||||
result = False
|
|
||||||
else:
|
|
||||||
try:
|
|
||||||
# Evaluate the rule
|
|
||||||
result = self.rules[rule](target, creds, self)
|
|
||||||
except KeyError:
|
|
||||||
LOG.debug("Rule [%s] doesn't exist" % rule)
|
|
||||||
# If the rule doesn't exist, fail closed
|
|
||||||
result = False
|
|
||||||
|
|
||||||
# If it is False, raise the exception if requested
|
|
||||||
if do_raise and not result:
|
|
||||||
if exc:
|
|
||||||
raise exc(*args, **kwargs)
|
|
||||||
|
|
||||||
raise PolicyNotAuthorized(rule)
|
|
||||||
|
|
||||||
return result
|
|
||||||
|
|
||||||
|
|
||||||
@six.add_metaclass(abc.ABCMeta)
|
|
||||||
class BaseCheck(object):
|
|
||||||
"""Abstract base class for Check classes."""
|
|
||||||
|
|
||||||
@abc.abstractmethod
|
|
||||||
def __str__(self):
|
|
||||||
"""String representation of the Check tree rooted at this node."""
|
|
||||||
|
|
||||||
pass
|
|
||||||
|
|
||||||
@abc.abstractmethod
|
|
||||||
def __call__(self, target, cred, enforcer):
|
|
||||||
"""Triggers if instance of the class is called.
|
|
||||||
|
|
||||||
Performs the check. Returns False to reject the access or a
|
|
||||||
true value (not necessary True) to accept the access.
|
|
||||||
"""
|
|
||||||
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
class FalseCheck(BaseCheck):
|
|
||||||
"""A policy check that always returns False (disallow)."""
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Return a string representation of this check."""
|
|
||||||
|
|
||||||
return "!"
|
|
||||||
|
|
||||||
def __call__(self, target, cred, enforcer):
|
|
||||||
"""Check the policy."""
|
|
||||||
|
|
||||||
return False
|
|
||||||
|
|
||||||
|
|
||||||
class TrueCheck(BaseCheck):
|
|
||||||
"""A policy check that always returns True (allow)."""
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Return a string representation of this check."""
|
|
||||||
|
|
||||||
return "@"
|
|
||||||
|
|
||||||
def __call__(self, target, cred, enforcer):
|
|
||||||
"""Check the policy."""
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
||||||
|
|
||||||
class Check(BaseCheck):
|
|
||||||
"""A base class to allow for user-defined policy checks."""
|
|
||||||
|
|
||||||
def __init__(self, kind, match):
|
|
||||||
"""Initiates Check instance.
|
|
||||||
|
|
||||||
:param kind: The kind of the check, i.e., the field before the
|
|
||||||
':'.
|
|
||||||
:param match: The match of the check, i.e., the field after
|
|
||||||
the ':'.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.kind = kind
|
|
||||||
self.match = match
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Return a string representation of this check."""
|
|
||||||
|
|
||||||
return "%s:%s" % (self.kind, self.match)
|
|
||||||
|
|
||||||
|
|
||||||
class NotCheck(BaseCheck):
|
|
||||||
"""Implements the "not" logical operator.
|
|
||||||
|
|
||||||
A policy check that inverts the result of another policy check.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, rule):
|
|
||||||
"""Initialize the 'not' check.
|
|
||||||
|
|
||||||
:param rule: The rule to negate. Must be a Check.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.rule = rule
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Return a string representation of this check."""
|
|
||||||
|
|
||||||
return "not %s" % self.rule
|
|
||||||
|
|
||||||
def __call__(self, target, cred, enforcer):
|
|
||||||
"""Check the policy.
|
|
||||||
|
|
||||||
Returns the logical inverse of the wrapped check.
|
|
||||||
"""
|
|
||||||
|
|
||||||
return not self.rule(target, cred, enforcer)
|
|
||||||
|
|
||||||
|
|
||||||
class AndCheck(BaseCheck):
|
|
||||||
"""Implements the "and" logical operator.
|
|
||||||
|
|
||||||
A policy check that requires that a list of other checks all return True.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, rules):
|
|
||||||
"""Initialize the 'and' check.
|
|
||||||
|
|
||||||
:param rules: A list of rules that will be tested.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.rules = rules
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Return a string representation of this check."""
|
|
||||||
|
|
||||||
return "(%s)" % ' and '.join(str(r) for r in self.rules)
|
|
||||||
|
|
||||||
def __call__(self, target, cred, enforcer):
|
|
||||||
"""Check the policy.
|
|
||||||
|
|
||||||
Requires that all rules accept in order to return True.
|
|
||||||
"""
|
|
||||||
|
|
||||||
for rule in self.rules:
|
|
||||||
if not rule(target, cred, enforcer):
|
|
||||||
return False
|
|
||||||
|
|
||||||
return True
|
|
||||||
|
|
||||||
def add_check(self, rule):
|
|
||||||
"""Adds rule to be tested.
|
|
||||||
|
|
||||||
Allows addition of another rule to the list of rules that will
|
|
||||||
be tested. Returns the AndCheck object for convenience.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.rules.append(rule)
|
|
||||||
return self
|
|
||||||
|
|
||||||
|
|
||||||
class OrCheck(BaseCheck):
|
|
||||||
"""Implements the "or" operator.
|
|
||||||
|
|
||||||
A policy check that requires that at least one of a list of other
|
|
||||||
checks returns True.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, rules):
|
|
||||||
"""Initialize the 'or' check.
|
|
||||||
|
|
||||||
:param rules: A list of rules that will be tested.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.rules = rules
|
|
||||||
|
|
||||||
def __str__(self):
|
|
||||||
"""Return a string representation of this check."""
|
|
||||||
|
|
||||||
return "(%s)" % ' or '.join(str(r) for r in self.rules)
|
|
||||||
|
|
||||||
def __call__(self, target, cred, enforcer):
|
|
||||||
"""Check the policy.
|
|
||||||
|
|
||||||
Requires that at least one rule accept in order to return True.
|
|
||||||
"""
|
|
||||||
|
|
||||||
for rule in self.rules:
|
|
||||||
if rule(target, cred, enforcer):
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def add_check(self, rule):
|
|
||||||
"""Adds rule to be tested.
|
|
||||||
|
|
||||||
Allows addition of another rule to the list of rules that will
|
|
||||||
be tested. Returns the OrCheck object for convenience.
|
|
||||||
"""
|
|
||||||
|
|
||||||
self.rules.append(rule)
|
|
||||||
return self
|
|
||||||
|
|
||||||
|
|
||||||
def _parse_check(rule):
|
|
||||||
"""Parse a single base check rule into an appropriate Check object."""
|
|
||||||
|
|
||||||
# Handle the special checks
|
|
||||||
if rule == '!':
|
|
||||||
return FalseCheck()
|
|
||||||
elif rule == '@':
|
|
||||||
return TrueCheck()
|
|
||||||
|
|
||||||
try:
|
|
||||||
kind, match = rule.split(':', 1)
|
|
||||||
except Exception:
|
|
||||||
LOG.exception(_LE("Failed to understand rule %s") % rule)
|
|
||||||
# If the rule is invalid, we'll fail closed
|
|
||||||
return FalseCheck()
|
|
||||||
|
|
||||||
# Find what implements the check
|
|
||||||
if kind in _checks:
|
|
||||||
return _checks[kind](kind, match)
|
|
||||||
elif None in _checks:
|
|
||||||
return _checks[None](kind, match)
|
|
||||||
else:
|
|
||||||
LOG.error(_LE("No handler for matches of kind %s") % kind)
|
|
||||||
return FalseCheck()
|
|
||||||
|
|
||||||
|
|
||||||
def _parse_list_rule(rule):
|
|
||||||
"""Translates the old list-of-lists syntax into a tree of Check objects.
|
|
||||||
|
|
||||||
Provided for backwards compatibility.
|
|
||||||
"""
|
|
||||||
|
|
||||||
# Empty rule defaults to True
|
|
||||||
if not rule:
|
|
||||||
return TrueCheck()
|
|
||||||
|
|
||||||
# Outer list is joined by "or"; inner list by "and"
|
|
||||||
or_list = []
|
|
||||||
for inner_rule in rule:
|
|
||||||
# Elide empty inner lists
|
|
||||||
if not inner_rule:
|
|
||||||
continue
|
|
||||||
|
|
||||||
# Handle bare strings
|
|
||||||
if isinstance(inner_rule, six.string_types):
|
|
||||||
inner_rule = [inner_rule]
|
|
||||||
|
|
||||||
# Parse the inner rules into Check objects
|
|
||||||
and_list = [_parse_check(r) for r in inner_rule]
|
|
||||||
|
|
||||||
# Append the appropriate check to the or_list
|
|
||||||
if len(and_list) == 1:
|
|
||||||
or_list.append(and_list[0])
|
|
||||||
else:
|
|
||||||
or_list.append(AndCheck(and_list))
|
|
||||||
|
|
||||||
# If we have only one check, omit the "or"
|
|
||||||
if not or_list:
|
|
||||||
return FalseCheck()
|
|
||||||
elif len(or_list) == 1:
|
|
||||||
return or_list[0]
|
|
||||||
|
|
||||||
return OrCheck(or_list)
|
|
||||||
|
|
||||||
|
|
||||||
# Used for tokenizing the policy language
|
|
||||||
_tokenize_re = re.compile(r'\s+')
|
|
||||||
|
|
||||||
|
|
||||||
def _parse_tokenize(rule):
|
|
||||||
"""Tokenizer for the policy language.
|
|
||||||
|
|
||||||
Most of the single-character tokens are specified in the
|
|
||||||
_tokenize_re; however, parentheses need to be handled specially,
|
|
||||||
because they can appear inside a check string. Thankfully, those
|
|
||||||
parentheses that appear inside a check string can never occur at
|
|
||||||
the very beginning or end ("%(variable)s" is the correct syntax).
|
|
||||||
"""
|
|
||||||
|
|
||||||
for tok in _tokenize_re.split(rule):
|
|
||||||
# Skip empty tokens
|
|
||||||
if not tok or tok.isspace():
|
|
||||||
continue
|
|
||||||
|
|
||||||
# Handle leading parens on the token
|
|
||||||
clean = tok.lstrip('(')
|
|
||||||
for i in range(len(tok) - len(clean)):
|
|
||||||
yield '(', '('
|
|
||||||
|
|
||||||
# If it was only parentheses, continue
|
|
||||||
if not clean:
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
tok = clean
|
|
||||||
|
|
||||||
# Handle trailing parens on the token
|
|
||||||
clean = tok.rstrip(')')
|
|
||||||
trail = len(tok) - len(clean)
|
|
||||||
|
|
||||||
# Yield the cleaned token
|
|
||||||
lowered = clean.lower()
|
|
||||||
if lowered in ('and', 'or', 'not'):
|
|
||||||
# Special tokens
|
|
||||||
yield lowered, clean
|
|
||||||
elif clean:
|
|
||||||
# Not a special token, but not composed solely of ')'
|
|
||||||
if len(tok) >= 2 and ((tok[0], tok[-1]) in
|
|
||||||
[('"', '"'), ("'", "'")]):
|
|
||||||
# It's a quoted string
|
|
||||||
yield 'string', tok[1:-1]
|
|
||||||
else:
|
|
||||||
yield 'check', _parse_check(clean)
|
|
||||||
|
|
||||||
# Yield the trailing parens
|
|
||||||
for i in range(trail):
|
|
||||||
yield ')', ')'
|
|
||||||
|
|
||||||
|
|
||||||
class ParseStateMeta(type):
|
|
||||||
"""Metaclass for the ParseState class.
|
|
||||||
|
|
||||||
Facilitates identifying reduction methods.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __new__(mcs, name, bases, cls_dict):
|
|
||||||
"""Create the class.
|
|
||||||
|
|
||||||
Injects the 'reducers' list, a list of tuples matching token sequences
|
|
||||||
to the names of the corresponding reduction methods.
|
|
||||||
"""
|
|
||||||
|
|
||||||
reducers = []
|
|
||||||
|
|
||||||
for key, value in cls_dict.items():
|
|
||||||
if not hasattr(value, 'reducers'):
|
|
||||||
continue
|
|
||||||
for reduction in value.reducers:
|
|
||||||
reducers.append((reduction, key))
|
|
||||||
|
|
||||||
cls_dict['reducers'] = reducers
|
|
||||||
|
|
||||||
return super(ParseStateMeta, mcs).__new__(mcs, name, bases, cls_dict)
|
|
||||||
|
|
||||||
|
|
||||||
def reducer(*tokens):
|
|
||||||
"""Decorator for reduction methods.
|
|
||||||
|
|
||||||
Arguments are a sequence of tokens, in order, which should trigger running
|
|
||||||
this reduction method.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def decorator(func):
|
|
||||||
# Make sure we have a list of reducer sequences
|
|
||||||
if not hasattr(func, 'reducers'):
|
|
||||||
func.reducers = []
|
|
||||||
|
|
||||||
# Add the tokens to the list of reducer sequences
|
|
||||||
func.reducers.append(list(tokens))
|
|
||||||
|
|
||||||
return func
|
|
||||||
|
|
||||||
return decorator
|
|
||||||
|
|
||||||
|
|
||||||
@six.add_metaclass(ParseStateMeta)
|
|
||||||
class ParseState(object):
|
|
||||||
"""Implement the core of parsing the policy language.
|
|
||||||
|
|
||||||
Uses a greedy reduction algorithm to reduce a sequence of tokens into
|
|
||||||
a single terminal, the value of which will be the root of the Check tree.
|
|
||||||
|
|
||||||
Note: error reporting is rather lacking. The best we can get with
|
|
||||||
this parser formulation is an overall "parse failed" error.
|
|
||||||
Fortunately, the policy language is simple enough that this
|
|
||||||
shouldn't be that big a problem.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self):
|
|
||||||
"""Initialize the ParseState."""
|
|
||||||
|
|
||||||
self.tokens = []
|
|
||||||
self.values = []
|
|
||||||
|
|
||||||
def reduce(self):
|
|
||||||
"""Perform a greedy reduction of the token stream.
|
|
||||||
|
|
||||||
If a reducer method matches, it will be executed, then the
|
|
||||||
reduce() method will be called recursively to search for any more
|
|
||||||
possible reductions.
|
|
||||||
"""
|
|
||||||
|
|
||||||
for reduction, methname in self.reducers:
|
|
||||||
if (len(self.tokens) >= len(reduction) and
|
|
||||||
self.tokens[-len(reduction):] == reduction):
|
|
||||||
# Get the reduction method
|
|
||||||
meth = getattr(self, methname)
|
|
||||||
|
|
||||||
# Reduce the token stream
|
|
||||||
results = meth(*self.values[-len(reduction):])
|
|
||||||
|
|
||||||
# Update the tokens and values
|
|
||||||
self.tokens[-len(reduction):] = [r[0] for r in results]
|
|
||||||
self.values[-len(reduction):] = [r[1] for r in results]
|
|
||||||
|
|
||||||
# Check for any more reductions
|
|
||||||
return self.reduce()
|
|
||||||
|
|
||||||
def shift(self, tok, value):
|
|
||||||
"""Adds one more token to the state. Calls reduce()."""
|
|
||||||
|
|
||||||
self.tokens.append(tok)
|
|
||||||
self.values.append(value)
|
|
||||||
|
|
||||||
# Do a greedy reduce...
|
|
||||||
self.reduce()
|
|
||||||
|
|
||||||
@property
|
|
||||||
def result(self):
|
|
||||||
"""Obtain the final result of the parse.
|
|
||||||
|
|
||||||
Raises ValueError if the parse failed to reduce to a single result.
|
|
||||||
"""
|
|
||||||
|
|
||||||
if len(self.values) != 1:
|
|
||||||
raise ValueError("Could not parse rule")
|
|
||||||
return self.values[0]
|
|
||||||
|
|
||||||
@reducer('(', 'check', ')')
|
|
||||||
@reducer('(', 'and_expr', ')')
|
|
||||||
@reducer('(', 'or_expr', ')')
|
|
||||||
def _wrap_check(self, _p1, check, _p2):
|
|
||||||
"""Turn parenthesized expressions into a 'check' token."""
|
|
||||||
|
|
||||||
return [('check', check)]
|
|
||||||
|
|
||||||
@reducer('check', 'and', 'check')
|
|
||||||
def _make_and_expr(self, check1, _and, check2):
|
|
||||||
"""Create an 'and_expr'.
|
|
||||||
|
|
||||||
Join two checks by the 'and' operator.
|
|
||||||
"""
|
|
||||||
|
|
||||||
return [('and_expr', AndCheck([check1, check2]))]
|
|
||||||
|
|
||||||
@reducer('and_expr', 'and', 'check')
|
|
||||||
def _extend_and_expr(self, and_expr, _and, check):
|
|
||||||
"""Extend an 'and_expr' by adding one more check."""
|
|
||||||
|
|
||||||
return [('and_expr', and_expr.add_check(check))]
|
|
||||||
|
|
||||||
@reducer('check', 'or', 'check')
|
|
||||||
def _make_or_expr(self, check1, _or, check2):
|
|
||||||
"""Create an 'or_expr'.
|
|
||||||
|
|
||||||
Join two checks by the 'or' operator.
|
|
||||||
"""
|
|
||||||
|
|
||||||
return [('or_expr', OrCheck([check1, check2]))]
|
|
||||||
|
|
||||||
@reducer('or_expr', 'or', 'check')
|
|
||||||
def _extend_or_expr(self, or_expr, _or, check):
|
|
||||||
"""Extend an 'or_expr' by adding one more check."""
|
|
||||||
|
|
||||||
return [('or_expr', or_expr.add_check(check))]
|
|
||||||
|
|
||||||
@reducer('not', 'check')
|
|
||||||
def _make_not_expr(self, _not, check):
|
|
||||||
"""Invert the result of another check."""
|
|
||||||
|
|
||||||
return [('check', NotCheck(check))]
|
|
||||||
|
|
||||||
|
|
||||||
def _parse_text_rule(rule):
|
|
||||||
"""Parses policy to the tree.
|
|
||||||
|
|
||||||
Translates a policy written in the policy language into a tree of
|
|
||||||
Check objects.
|
|
||||||
"""
|
|
||||||
|
|
||||||
# Empty rule means always accept
|
|
||||||
if not rule:
|
|
||||||
return TrueCheck()
|
|
||||||
|
|
||||||
# Parse the token stream
|
|
||||||
state = ParseState()
|
|
||||||
for tok, value in _parse_tokenize(rule):
|
|
||||||
state.shift(tok, value)
|
|
||||||
|
|
||||||
try:
|
|
||||||
return state.result
|
|
||||||
except ValueError:
|
|
||||||
# Couldn't parse the rule
|
|
||||||
LOG.exception(_LE("Failed to understand rule %s") % rule)
|
|
||||||
|
|
||||||
# Fail closed
|
|
||||||
return FalseCheck()
|
|
||||||
|
|
||||||
|
|
||||||
def parse_rule(rule):
|
|
||||||
"""Parses a policy rule into a tree of Check objects."""
|
|
||||||
|
|
||||||
# If the rule is a string, it's in the policy language
|
|
||||||
if isinstance(rule, six.string_types):
|
|
||||||
return _parse_text_rule(rule)
|
|
||||||
return _parse_list_rule(rule)
|
|
||||||
|
|
||||||
|
|
||||||
def register(name, func=None):
|
|
||||||
"""Register a function or Check class as a policy check.
|
|
||||||
|
|
||||||
:param name: Gives the name of the check type, e.g., 'rule',
|
|
||||||
'role', etc. If name is None, a default check type
|
|
||||||
will be registered.
|
|
||||||
:param func: If given, provides the function or class to register.
|
|
||||||
If not given, returns a function taking one argument
|
|
||||||
to specify the function or class to register,
|
|
||||||
allowing use as a decorator.
|
|
||||||
"""
|
|
||||||
|
|
||||||
# Perform the actual decoration by registering the function or
|
|
||||||
# class. Returns the function or class for compliance with the
|
|
||||||
# decorator interface.
|
|
||||||
def decorator(func):
|
|
||||||
_checks[name] = func
|
|
||||||
return func
|
|
||||||
|
|
||||||
# If the function or class is given, do the registration
|
|
||||||
if func:
|
|
||||||
return decorator(func)
|
|
||||||
|
|
||||||
return decorator
|
|
||||||
|
|
||||||
|
|
||||||
@register("rule")
|
|
||||||
class RuleCheck(Check):
|
|
||||||
def __call__(self, target, creds, enforcer):
|
|
||||||
"""Recursively checks credentials based on the defined rules."""
|
|
||||||
|
|
||||||
try:
|
|
||||||
return enforcer.rules[self.match](target, creds, enforcer)
|
|
||||||
except KeyError:
|
|
||||||
# We don't have any matching rule; fail closed
|
|
||||||
return False
|
|
||||||
|
|
||||||
|
|
||||||
@register("role")
|
|
||||||
class RoleCheck(Check):
|
|
||||||
def __call__(self, target, creds, enforcer):
|
|
||||||
"""Check that there is a matching role in the cred dict."""
|
|
||||||
|
|
||||||
return self.match.lower() in [x.lower() for x in creds['roles']]
|
|
||||||
|
|
||||||
|
|
||||||
@register('http')
|
|
||||||
class HttpCheck(Check):
|
|
||||||
def __call__(self, target, creds, enforcer):
|
|
||||||
"""Check http: rules by calling to a remote server.
|
|
||||||
|
|
||||||
This example implementation simply verifies that the response
|
|
||||||
is exactly 'True'.
|
|
||||||
"""
|
|
||||||
|
|
||||||
url = ('http:' + self.match) % target
|
|
||||||
data = {'target': jsonutils.dumps(target),
|
|
||||||
'credentials': jsonutils.dumps(creds)}
|
|
||||||
post_data = urlparse.urlencode(data)
|
|
||||||
f = urlrequest.urlopen(url, post_data)
|
|
||||||
return f.read() == "True"
|
|
||||||
|
|
||||||
|
|
||||||
@register(None)
|
|
||||||
class GenericCheck(Check):
|
|
||||||
def __call__(self, target, creds, enforcer):
|
|
||||||
"""Check an individual match.
|
|
||||||
|
|
||||||
Matches look like:
|
|
||||||
|
|
||||||
tenant:%(tenant_id)s
|
|
||||||
role:compute:admin
|
|
||||||
True:%(user.enabled)s
|
|
||||||
'Member':%(role.name)s
|
|
||||||
"""
|
|
||||||
|
|
||||||
try:
|
|
||||||
match = self.match % target
|
|
||||||
except KeyError:
|
|
||||||
# While doing GenericCheck if key not
|
|
||||||
# present in Target return false
|
|
||||||
return False
|
|
||||||
|
|
||||||
try:
|
|
||||||
# Try to interpret self.kind as a literal
|
|
||||||
leftval = ast.literal_eval(self.kind)
|
|
||||||
except ValueError:
|
|
||||||
try:
|
|
||||||
kind_parts = self.kind.split('.')
|
|
||||||
leftval = creds
|
|
||||||
for kind_part in kind_parts:
|
|
||||||
leftval = leftval[kind_part]
|
|
||||||
except KeyError:
|
|
||||||
return False
|
|
||||||
return match == six.text_type(leftval)
|
|
@ -21,6 +21,7 @@ import itertools
|
|||||||
|
|
||||||
import oslo_concurrency.opts
|
import oslo_concurrency.opts
|
||||||
import oslo_log._options
|
import oslo_log._options
|
||||||
|
import oslo_policy.opts
|
||||||
|
|
||||||
import manila.api.common
|
import manila.api.common
|
||||||
import manila.api.middleware.auth
|
import manila.api.middleware.auth
|
||||||
@ -39,7 +40,6 @@ import manila.network.nova_network_plugin
|
|||||||
import manila.network.standalone_network_plugin
|
import manila.network.standalone_network_plugin
|
||||||
import manila.openstack.common.eventlet_backdoor
|
import manila.openstack.common.eventlet_backdoor
|
||||||
import manila.openstack.common.log
|
import manila.openstack.common.log
|
||||||
import manila.openstack.common.policy
|
|
||||||
import manila.quota
|
import manila.quota
|
||||||
import manila.scheduler.driver
|
import manila.scheduler.driver
|
||||||
import manila.scheduler.host_manager
|
import manila.scheduler.host_manager
|
||||||
@ -98,7 +98,6 @@ _global_opt_lists = [
|
|||||||
manila.openstack.common.log.generic_log_opts,
|
manila.openstack.common.log.generic_log_opts,
|
||||||
manila.openstack.common.log.log_opts,
|
manila.openstack.common.log.log_opts,
|
||||||
manila.openstack.common.log.logging_cli_opts,
|
manila.openstack.common.log.logging_cli_opts,
|
||||||
manila.openstack.common.policy.policy_opts,
|
|
||||||
manila.quota.quota_opts,
|
manila.quota.quota_opts,
|
||||||
manila.scheduler.driver.scheduler_driver_opts,
|
manila.scheduler.driver.scheduler_driver_opts,
|
||||||
manila.scheduler.host_manager.host_manager_opts,
|
manila.scheduler.host_manager.host_manager_opts,
|
||||||
@ -147,6 +146,7 @@ _opts = [
|
|||||||
|
|
||||||
_opts.extend(oslo_concurrency.opts.list_opts())
|
_opts.extend(oslo_concurrency.opts.list_opts())
|
||||||
_opts.extend(oslo_log._options.list_opts())
|
_opts.extend(oslo_log._options.list_opts())
|
||||||
|
_opts.extend(oslo_policy.opts.list_opts())
|
||||||
|
|
||||||
|
|
||||||
def list_opts():
|
def list_opts():
|
||||||
|
@ -17,9 +17,12 @@
|
|||||||
|
|
||||||
import functools
|
import functools
|
||||||
|
|
||||||
from manila import exception
|
from oslo_config import cfg
|
||||||
from manila.openstack.common import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from manila import exception
|
||||||
|
|
||||||
|
CONF = cfg.CONF
|
||||||
_ENFORCER = None
|
_ENFORCER = None
|
||||||
|
|
||||||
|
|
||||||
@ -33,7 +36,7 @@ def reset():
|
|||||||
def init(policy_path=None):
|
def init(policy_path=None):
|
||||||
global _ENFORCER
|
global _ENFORCER
|
||||||
if not _ENFORCER:
|
if not _ENFORCER:
|
||||||
_ENFORCER = policy.Enforcer()
|
_ENFORCER = policy.Enforcer(CONF)
|
||||||
if policy_path:
|
if policy_path:
|
||||||
_ENFORCER.policy_path = policy_path
|
_ENFORCER.policy_path = policy_path
|
||||||
_ENFORCER.load_rules()
|
_ENFORCER.load_rules()
|
||||||
|
@ -335,10 +335,11 @@ class ManilaCmdManageTestCase(test.TestCase):
|
|||||||
self.assertEqual(exit.code, 2)
|
self.assertEqual(exit.code, 2)
|
||||||
|
|
||||||
@mock.patch('oslo_config.cfg.ConfigOpts.__call__')
|
@mock.patch('oslo_config.cfg.ConfigOpts.__call__')
|
||||||
@mock.patch('manila.openstack.common.log.setup')
|
@mock.patch('oslo_log.log.register_options')
|
||||||
|
@mock.patch('oslo_log.log.setup')
|
||||||
@mock.patch('oslo_config.cfg.ConfigOpts.register_cli_opt')
|
@mock.patch('oslo_config.cfg.ConfigOpts.register_cli_opt')
|
||||||
def test_main_sudo_failed(self, register_cli_opt, log_setup,
|
def test_main_sudo_failed(self, register_cli_opt, log_setup,
|
||||||
config_opts_call):
|
register_log_opts, config_opts_call):
|
||||||
script_name = 'manila-manage'
|
script_name = 'manila-manage'
|
||||||
sys.argv = [script_name, 'fake_category', 'fake_action']
|
sys.argv = [script_name, 'fake_category', 'fake_action']
|
||||||
config_opts_call.side_effect = cfg.ConfigFilesNotFoundError(
|
config_opts_call.side_effect = cfg.ConfigFilesNotFoundError(
|
||||||
@ -347,6 +348,7 @@ class ManilaCmdManageTestCase(test.TestCase):
|
|||||||
exit = self.assertRaises(SystemExit, manila_manage.main)
|
exit = self.assertRaises(SystemExit, manila_manage.main)
|
||||||
|
|
||||||
self.assertTrue(register_cli_opt.called)
|
self.assertTrue(register_cli_opt.called)
|
||||||
|
register_log_opts.assert_called_once_with(CONF)
|
||||||
config_opts_call.assert_called_once_with(
|
config_opts_call.assert_called_once_with(
|
||||||
sys.argv[1:], project='manila',
|
sys.argv[1:], project='manila',
|
||||||
version=version.version_string())
|
version=version.version_string())
|
||||||
@ -355,7 +357,8 @@ class ManilaCmdManageTestCase(test.TestCase):
|
|||||||
|
|
||||||
@mock.patch('oslo_config.cfg.ConfigOpts.__call__')
|
@mock.patch('oslo_config.cfg.ConfigOpts.__call__')
|
||||||
@mock.patch('oslo_config.cfg.ConfigOpts.register_cli_opt')
|
@mock.patch('oslo_config.cfg.ConfigOpts.register_cli_opt')
|
||||||
def test_main(self, register_cli_opt, config_opts_call):
|
@mock.patch('oslo_log.log.register_options')
|
||||||
|
def test_main(self, register_log_opts, register_cli_opt, config_opts_call):
|
||||||
script_name = 'manila-manage'
|
script_name = 'manila-manage'
|
||||||
sys.argv = [script_name, 'config', 'list']
|
sys.argv = [script_name, 'config', 'list']
|
||||||
action_fn = mock.MagicMock()
|
action_fn = mock.MagicMock()
|
||||||
@ -364,6 +367,7 @@ class ManilaCmdManageTestCase(test.TestCase):
|
|||||||
manila_manage.main()
|
manila_manage.main()
|
||||||
|
|
||||||
self.assertTrue(register_cli_opt.called)
|
self.assertTrue(register_cli_opt.called)
|
||||||
|
register_log_opts.assert_called_once_with(CONF)
|
||||||
config_opts_call.assert_called_once_with(
|
config_opts_call.assert_called_once_with(
|
||||||
sys.argv[1:], project='manila', version=version.version_string())
|
sys.argv[1:], project='manila', version=version.version_string())
|
||||||
self.assertTrue(action_fn.called)
|
self.assertTrue(action_fn.called)
|
||||||
|
@ -16,6 +16,8 @@
|
|||||||
|
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
from oslo_policy import opts
|
||||||
|
|
||||||
from manila.common import config
|
from manila.common import config
|
||||||
|
|
||||||
CONF = config.CONF
|
CONF = config.CONF
|
||||||
@ -31,7 +33,7 @@ def set_defaults(conf):
|
|||||||
_safe_set_of_opts(conf, 'sqlite_synchronous', False)
|
_safe_set_of_opts(conf, 'sqlite_synchronous', False)
|
||||||
_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
||||||
'manila/tests/policy.json'))
|
'manila/tests/policy.json'))
|
||||||
_safe_set_of_opts(conf, 'policy_file', _POLICY_PATH)
|
opts.set_defaults(conf, policy_file=_POLICY_PATH)
|
||||||
_safe_set_of_opts(conf, 'service_instance_user', 'fake_user')
|
_safe_set_of_opts(conf, 'service_instance_user', 'fake_user')
|
||||||
_API_PASTE_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
_API_PASTE_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
||||||
'etc/manila/api-paste.ini'))
|
'etc/manila/api-paste.ini'))
|
||||||
|
@ -19,12 +19,12 @@ import os.path
|
|||||||
|
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_policy import policy as common_policy
|
||||||
import six
|
import six
|
||||||
from six.moves.urllib import request as urlrequest
|
from six.moves.urllib import request as urlrequest
|
||||||
|
|
||||||
from manila import context
|
from manila import context
|
||||||
from manila import exception
|
from manila import exception
|
||||||
from manila.openstack.common import policy as common_policy
|
|
||||||
from manila import policy
|
from manila import policy
|
||||||
from manila import test
|
from manila import test
|
||||||
from manila import utils
|
from manila import utils
|
||||||
@ -44,7 +44,7 @@ class PolicyFileTestCase(test.TestCase):
|
|||||||
def test_modified_policy_reloads(self):
|
def test_modified_policy_reloads(self):
|
||||||
with utils.tempdir() as tmpdir:
|
with utils.tempdir() as tmpdir:
|
||||||
tmpfilename = os.path.join(tmpdir, 'policy')
|
tmpfilename = os.path.join(tmpdir, 'policy')
|
||||||
self.flags(policy_file=tmpfilename)
|
CONF.set_override('policy_file', tmpfilename, group='oslo_policy')
|
||||||
action = "example:test"
|
action = "example:test"
|
||||||
with open(tmpfilename, "w") as policyfile:
|
with open(tmpfilename, "w") as policyfile:
|
||||||
policyfile.write("""{"example:test": []}""")
|
policyfile.write("""{"example:test": []}""")
|
||||||
@ -90,9 +90,7 @@ class PolicyTestCase(test.TestCase):
|
|||||||
super(PolicyTestCase, self).tearDown()
|
super(PolicyTestCase, self).tearDown()
|
||||||
|
|
||||||
def _set_rules(self):
|
def _set_rules(self):
|
||||||
these_rules = common_policy.Rules(
|
these_rules = common_policy.Rules.from_dict(self.rules)
|
||||||
dict((k, common_policy.parse_rule(v))
|
|
||||||
for k, v in self.rules.items()))
|
|
||||||
policy._ENFORCER.set_rules(these_rules)
|
policy._ENFORCER.set_rules(these_rules)
|
||||||
|
|
||||||
def test_enforce_nonexistent_action_throws(self):
|
def test_enforce_nonexistent_action_throws(self):
|
||||||
@ -179,9 +177,8 @@ class DefaultPolicyTestCase(test.TestCase):
|
|||||||
policy.reset()
|
policy.reset()
|
||||||
|
|
||||||
def _set_rules(self, default_rule):
|
def _set_rules(self, default_rule):
|
||||||
these_rules = common_policy.Rules(
|
these_rules = common_policy.Rules.from_dict(self.rules,
|
||||||
dict((k, common_policy.parse_rule(v))
|
default_rule=default_rule)
|
||||||
for k, v in self.rules.items()), default_rule)
|
|
||||||
policy._ENFORCER.set_rules(these_rules)
|
policy._ENFORCER.set_rules(these_rules)
|
||||||
|
|
||||||
def test_policy_called(self):
|
def test_policy_called(self):
|
||||||
@ -211,9 +208,8 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
|
|||||||
policy.init()
|
policy.init()
|
||||||
|
|
||||||
def _set_rules(self, rules, default_rule):
|
def _set_rules(self, rules, default_rule):
|
||||||
these_rules = common_policy.Rules(
|
these_rules = common_policy.Rules.from_dict(rules,
|
||||||
dict((k, common_policy.parse_rule(v))
|
default_rule=default_rule)
|
||||||
for k, v in rules.items()), default_rule)
|
|
||||||
policy._ENFORCER.set_rules(these_rules)
|
policy._ENFORCER.set_rules(these_rules)
|
||||||
|
|
||||||
def test_default_admin_role_is_admin(self):
|
def test_default_admin_role_is_admin(self):
|
||||||
@ -227,7 +223,7 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
|
|||||||
rules = {
|
rules = {
|
||||||
'context_is_admin': [["role:administrator"], ["role:johnny-admin"]]
|
'context_is_admin': [["role:administrator"], ["role:johnny-admin"]]
|
||||||
}
|
}
|
||||||
self._set_rules(rules, CONF.policy_default_rule)
|
self._set_rules(rules, CONF.oslo_policy.policy_default_rule)
|
||||||
ctx = context.RequestContext('fake', 'fake', roles=['johnny-admin'])
|
ctx = context.RequestContext('fake', 'fake', roles=['johnny-admin'])
|
||||||
self.assertTrue(ctx.is_admin)
|
self.assertTrue(ctx.is_admin)
|
||||||
ctx = context.RequestContext('fake', 'fake', roles=['administrator'])
|
ctx = context.RequestContext('fake', 'fake', roles=['administrator'])
|
||||||
@ -241,7 +237,7 @@ class ContextIsAdminPolicyTestCase(test.TestCase):
|
|||||||
"admin_or_owner": "role:admin or project_id:%(project_id)s",
|
"admin_or_owner": "role:admin or project_id:%(project_id)s",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
}
|
}
|
||||||
self._set_rules(rules, CONF.policy_default_rule)
|
self._set_rules(rules, CONF.oslo_policy.policy_default_rule)
|
||||||
ctx = context.RequestContext('fake', 'fake')
|
ctx = context.RequestContext('fake', 'fake')
|
||||||
self.assertFalse(ctx.is_admin)
|
self.assertFalse(ctx.is_admin)
|
||||||
ctx = context.RequestContext('fake', 'fake', roles=['admin'])
|
ctx = context.RequestContext('fake', 'fake', roles=['admin'])
|
||||||
|
@ -6,7 +6,6 @@ module=fileutils
|
|||||||
module=local
|
module=local
|
||||||
module=log
|
module=log
|
||||||
module=loopingcall
|
module=loopingcall
|
||||||
module=policy
|
|
||||||
module=scheduler
|
module=scheduler
|
||||||
module=scheduler.filters
|
module=scheduler.filters
|
||||||
module=scheduler.weights
|
module=scheduler.weights
|
||||||
|
@ -19,6 +19,7 @@ oslo.db>=1.7.0,<1.8.0 # Apache-2.0
|
|||||||
oslo.i18n>=1.5.0,<1.6.0 # Apache-2.0
|
oslo.i18n>=1.5.0,<1.6.0 # Apache-2.0
|
||||||
oslo.log>=1.0.0,<1.1.0 # Apache-2.0
|
oslo.log>=1.0.0,<1.1.0 # Apache-2.0
|
||||||
oslo.messaging>=1.8.0,<1.9.0 # Apache-2.0
|
oslo.messaging>=1.8.0,<1.9.0 # Apache-2.0
|
||||||
|
oslo.policy>=0.3.1,<0.4.0 # Apache-2.0
|
||||||
oslo.rootwrap>=1.6.0,<1.7.0 # Apache-2.0
|
oslo.rootwrap>=1.6.0,<1.7.0 # Apache-2.0
|
||||||
oslo.serialization>=1.4.0,<1.5.0 # Apache-2.0
|
oslo.serialization>=1.4.0,<1.5.0 # Apache-2.0
|
||||||
oslo.utils>=1.4.0,<1.5.0 # Apache-2.0
|
oslo.utils>=1.4.0,<1.5.0 # Apache-2.0
|
||||||
|
Loading…
Reference in New Issue
Block a user