add the policy code

2011-11-17 11:58:43 -08:00 · 2011-11-17 11:58:43 -08:00 · 860aa86e03
parent 63943c98c6
commit 860aa86e03
3 changed files with 50 additions and 2 deletions
--- a/keystonelight/backends/policy.py
+++ b/keystonelight/backends/policy.py
@ -0,0 +1,23 @@
+
+
+class TrivialTrue(object):
+  def __init__(self, options):
+    self.options = options
+
+  def can_haz(self, target, credentials):
+    return True
+
+
+class SimpleMatch(object):
+  def __init__(self, options):
+    self.options = options
+
+  def can_haz(self, target, credentials):
+    """Check whether key-values in target are present in credentials."""
+    # TODO(termie): handle ANDs, probably by providing a tuple instead of a
+    #               string
+    for requirement in target:
+      key, match = requirement.split(':', 1)
+      check = credentials.get(key)
+      if check == match:
+        return True
--- a/keystonelight/keystone_compat.py
+++ b/keystonelight/keystone_compat.py
@ -44,7 +44,6 @@ class KeystoneController(service.BaseApplication):
        self.identity_api = identity.Manager(options)
        self.token_api = token.Manager(options)
        self.policy_api = policy.Manager(options)
-        pass

    def noop(self, context):
        return {}
@ -155,7 +154,15 @@ class KeystoneController(service.BaseApplication):
        Optionally, also ensure that it is owned by a specific tenant.

        """
-        assert context['is_admin']
+        # TODO(termie): this stuff should probably be moved to middleware
+        if not context['is_admin']:
+            user_token_ref = self.token_api.get_token(context['token_id'])
+            creds = user_token_ref['extras'].copy()
+            creds['user_id'] = user_token_ref['user'].get('id')
+            creds['tenant_id'] = user_token_ref['tenant'].get('id')
+            # Accept either is_admin or the admin role
+            assert self.policy_api.can_haz(('is_admin:1', 'roles:admin'),
+                                           creds)

        token_ref = self.token_api.get_token(context=context,
                                             token_id=token_id)
--- a/keystonelight/policy.py
+++ b/keystonelight/policy.py
@ -0,0 +1,18 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# the catalog interfaces
+
+import uuid
+
+from keystonelight import utils
+
+
+class Manager(object):
+    def __init__(self, options):
+        self.options = options
+        self.driver = utils.import_object(options['policy_driver'],
+                                          options=options)
+
+    def can_haz(self, context, target, credentials):
+        """Check whether the given creds can perform action on target."""
+        return self.driver.can_haz(target, credentials)