From 02540b7de644b35660d1185340a7725b0d5eb0e4 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Sun, 17 Feb 2019 22:24:32 +0100
Subject: [PATCH] Add a permissive mode for access rules config
In the case that operators want to allow users to have unrestricted ability to create access rules for application credentials, add a config option to allow them to not have to create access rules config files.
bp whitelist-extension-for-app-creds
Change-Id: I10939b83cd6e72f0205f0191c7df9bca2cef8483
---
 keystone/access_rules_config/backends/json.py | 2 ++
 keystone/access_rules_config/core.py | 23 +++++++++++++++++-
 keystone/conf/access_rules_config.py | 10 ++++++++
 .../unit/access_rules_config/test_backends.py | 24 +++++++++++++++++++
 4 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/keystone/access_rules_config/backends/json.py b/keystone/access_rules_config/backends/json.py
index ae38abdff8..518aa444ae 100644
--- a/keystone/access_rules_config/backends/json.py
+++ b/keystone/access_rules_config/backends/json.py
@@ -94,6 +94,8 @@ class AccessRulesConfig(base.AccessRulesConfigDriverBase):
 def __init__(self):
 super(AccessRulesConfig, self).__init__()
+ if CONF.access_rules_config.permissive:
+ return
 access_rules_file = CONF.access_rules_config.rules_file
 self.access_rules = dict()
 self.access_rules_json = dict()
diff --git a/keystone/access_rules_config/core.py b/keystone/access_rules_config/core.py
index 43fd2e5cf5..118d0894cc 100644
--- a/keystone/access_rules_config/core.py
+++ b/keystone/access_rules_config/core.py
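Review bot: The early `return` added ahead of `access_rules_file` leaves `self.access_rules` and `self.access_rules_json` unset in permissive mode, so any path that still reaches the driver's own methods (the manager's short-circuit is the only thing preventing that, as far as I can see) would fail with an AttributeError instead of a clear answer. Moving the two initialisations above the new check keeps the driver object well-formed in either mode: `self.access_rules = dict()` / `self.access_rules_json = dict()` / `if CONF.access_rules_config.permissive: return`. A comment on the return would also tell the next reader why the file is skipped, e.g. `# Permissive mode never consults rules_file; nothing to load.` The rest of `__init__` continues outside the hunk.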
@@ -12,15 +12,18 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-"""List access rules."""
+"""List access rules config."""
 from keystone.common import cache
+from keystone.common import driver_hints
 from keystone.common import manager
+from keystone.common import provider_api
 import keystone.conf
 CONF = keystone.conf.CONF
 MEMOIZE = cache.get_memoization_decorator(group='access_rules_config')
+PROVIDERS = provider_api.ProviderAPIs
 class Manager(manager.Manager):
@@ -41,6 +44,22 @@ class Manager(manager.Manager):
 HTTP method.
 """
+ if CONF.access_rules_config.permissive:
+ hints = driver_hints.Hints()
+ if service:
+ hints.add_filter('service', service)
+ rules = {}
+ services = PROVIDERS.catalog_api.list_services(hints=hints)
+ if service:
+ services = [svc for svc in services if svc['type'] == service]
+ for svc in services:
+ rules[svc['type']] = []
+ for method in ['HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE']:
+ rules[svc['type']].append({
+ "path": "**",
+ "method": method
+ })
+ return rules
 return self.driver.list_access_rules_config(service)
 @MEMOIZE
@@ -55,5 +74,7 @@ class Manager(manager.Manager):
 configured access rules
 """
+ if CONF.access_rules_config.permissive:
+ return True
 return self.driver.check_access_rule(service, request_path,
 request_method)
diff --git a/keystone/conf/access_rules_config.py b/keystone/conf/access_rules_config.py
index f502c0ad7c..0e1ad944cd 100644
--- a/keystone/conf/access_rules_config.py
+++ b/keystone/conf/access_rules_config.py
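Review bot: The catalog hint `hints.add_filter('service', service)` filters on an attribute named `service`, while the only visible narrowing of the result is the comprehension on `svc['type']` a few lines later; unless the catalog driver recognises a `service` filter (I cannot see it from here) the hint is a no-op and the comprehension does all the work, so either change it to `hints.add_filter('type', service)` to match the attribute actually compared, or drop the hint and keep the comprehension. The literal `['HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE']` is also the only place the permissive policy is spelled out, and the permissive `check_access_rule` in the following hunk accepts any method, so hoisting it to a module constant such as `_PERMISSIVE_METHODS = ('HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE')` would let both paths agree. A one-line comment on the branch would help too: `# Permissive mode: every catalog service type accepts every method on any path ("**").` The enclosing `list_access_rules_config` starts outside the hunk.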
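Review bot: `return True` fires before `service`, `request_path` or `request_method` are examined, so in permissive mode a rule naming a service type that is not in the catalog, or a method outside the six that `list_access_rules_config` advertises, is accepted even though listing the config would never offer it; if unrestricted really is the intent the docstring (outside the hunk) should state that permissive mode validates nothing, otherwise `return request_method in ('HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE')` keeps the two methods consistent. The `@MEMOIZE` shown as trailing context of the previous hunk appears to decorate this method, so permissive `True` answers are cached for `cache_time` and, with a shared cache backend, could outlive a restart that turns the option off; that is worth a sentence in the option's help. The enclosing `check_access_rule` starts outside the hunk.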
@@ -51,12 +51,22 @@ configuration will be loaded and application credential access rules will be
 unavailable.
 """))
+permissive = cfg.BoolOpt(
+ 'permissive',
+ default=False,
+ help=utils.fmt("""
+Toggles permissive mode for access rules. When enabled, application
+credentials can be created with any access rules regardless of operator's
+configuration.
+"""))
+
 GROUP_NAME = __name__.split('.')[-1]
 ALL_OPTS = [
 driver,
 caching,
 cache_time,
 rules_file,
+ permissive,
 ]
diff --git a/keystone/tests/unit/access_rules_config/test_backends.py b/keystone/tests/unit/access_rules_config/test_backends.py
index ec0c7f20c9..1e3c9bb379 100644
--- a/keystone/tests/unit/access_rules_config/test_backends.py
+++ b/keystone/tests/unit/access_rules_config/test_backends.py
@@ -12,9 +12,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import uuid
+
 from keystone.common import provider_api
 from keystone.tests import unit
 from keystone.tests.unit.ksfixtures import access_rules_config
+from keystone.tests.unit.ksfixtures import database
 PROVIDERS = provider_api.ProviderAPIs
@@ -43,3 +46,24 @@ class AccessRulesConfigTest(unit.TestCase):
 result = PROVIDERS.access_rules_config_api.check_access_rule(
 'identity', '/v3/users', 'GET')
 self.assertTrue(result)
+
+
+class AccessRulesConfigPermissiveTest(AccessRulesConfigTest):
+
+ def setUp(self):
+ super(AccessRulesConfigPermissiveTest, self).setUp()
+ self.config_fixture.config(group='access_rules_config',
+ permissive=True)
+ self.useFixture(database.Database())
+ services = [
+ 'identity',
+ 'image',
+ 'block-storage',
+ 'network',
+ 'compute',
+ 'object'
+ ]
+ for service in services:
+ ref = unit.new_service_ref(type=service)
+ PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, ref)
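Review bot: The help text for `permissive` says rules are accepted "regardless of operator's configuration" but does not tell the operator that `rules_file` is never read while it is on (the driver's `__init__` in this patch returns before loading it) nor that `check_access_rule` answers True for any service, path and method; those are the facts someone deciding to enable it needs. I would extend the help with something like `When enabled, rules_file is not read and no access rule validation is performed; users are trusted to scope their own application credentials.` If the cached answers from `check_access_rule` can persist after the option is turned off, that belongs here as well.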
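Review bot: `AccessRulesConfigPermissiveTest` only inherits the parent's assertions, which in the visible context check `('identity', '/v3/users', 'GET')` — a case that passes in both modes — so nothing pins what the permissive branch actually produces: an entry per catalog service type, the six methods each, path `**`, and `True` for a rule the strict config would never list. The two methods below would cover that; `list_access_rules_config` is called with `None` for `service` because its default is not visible from here, and membership rather than set equality is asserted in case the database fixture seeds other services.

```python
    # … unchanged: setUp …

    def test_permissive_list_access_rules_config(self):
        rules = PROVIDERS.access_rules_config_api.list_access_rules_config(None)
        for service in ('identity', 'image', 'block-storage',
                        'network', 'compute', 'object'):
            self.assertIn(service, rules)
            self.assertEqual(
                {'HEAD', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE'},
                {rule['method'] for rule in rules[service]})
            self.assertTrue(all(rule['path'] == '**'
                                for rule in rules[service]))

    def test_permissive_check_access_rule_accepts_unlisted_rule(self):
        result = PROVIDERS.access_rules_config_api.check_access_rule(
            'identity', '/v3/not-in-any-rules-file', 'PATCH')
        self.assertTrue(result)
```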