
Merge "changed self oslo.policy enforcement to monasca-common oslo.policy enforcement engine."

Zuul 1 year ago
parent
commit
5bf5f27f1b

+ 3
- 1
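--- a/monasca_events_api/app/core/request.py
+++ b/monasca_events_api/app/core/request.py
@@ -13,12 +13,14 @@
 # under the License.
 
 import falcon
+from monasca_common.policy import policy_engine as policy
 from oslo_log import log
 
 from monasca_events_api.app.core import request_contex
-from monasca_events_api import policy
+from monasca_events_api import policies
 
 LOG = log.getLogger(__name__)
+policy.POLICIES = policies
 
 
 class Request(falcon.Request):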
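Review bot: The added `policy.POLICIES = policies` sets a module-level global on the shared `monasca_common` policy engine as an import side effect, and the same assignment is repeated in `request_contex.py` and `tests/unit/base.py`. Policy enforcement then presumably depends on one of these modules having been imported before the first policy check, and any other code in the same process that assigns `POLICIES` would silently change which rules are enforced. Consider performing the binding once in a single bootstrap location and documenting it there, for example `# Bind this service's rule definitions to the shared policy engine; must run before any policy check.` The rest of the module lies outside the hunk, so whether another initialisation path exists is not visible here.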

+ 4
- 1
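--- a/monasca_events_api/app/core/request_contex.py
+++ b/monasca_events_api/app/core/request_contex.py
@@ -12,9 +12,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from monasca_common.policy import policy_engine as policy
 from oslo_context import context
 
-from monasca_events_api import policy
+from monasca_events_api import policies
+
+policy.POLICIES = policies
 
 
 class RequestContext(context.RequestContext):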

+ 0
- 148
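--- a/monasca_events_api/policy.py
+++ b/monasca_events_api/policy.py
@@ -1,148 +0,0 @@
-# Copyright 2017 FUJITSU LIMITED
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import copy
-
-from oslo_config import cfg
-from oslo_log import log
-from oslo_policy import policy
-
-from monasca_events_api import policies
-
-CONF = cfg.CONF
-LOG = log.getLogger(__name__)
-
-_ENFORCER = None
-# oslo_policy will read the policy configuration file again when the file
-# is changed in runtime so the old policy rules will be saved to
-# saved_file_rules and used to compare with new rules to determine the
-# rules whether were updated.
-saved_file_rules = []
-
-
-def reset():
-    """Reset Enforcer class."""
-    global _ENFORCER
-    if _ENFORCER:
-        _ENFORCER.clear()
-        _ENFORCER = None
-
-
-def init(policy_file=None, rules=None, default_rule=None, use_conf=True):
-    """Init an Enforcer class."""
-    global _ENFORCER
-    global saved_file_rules
-
-    if not _ENFORCER:
-        _ENFORCER = policy.Enforcer(CONF,
-                                    policy_file=policy_file,
-                                    rules=rules,
-                                    default_rule=default_rule,
-                                    use_conf=use_conf
-                                    )
-        register_rules(_ENFORCER)
-        _ENFORCER.load_rules()
-    # Only the rules which are loaded from file may be changed
-    current_file_rules = _ENFORCER.file_rules
-    current_file_rules = _serialize_rules(current_file_rules)
-
-    if saved_file_rules != current_file_rules:
-        saved_file_rules = copy.deepcopy(current_file_rules)
-
-
-def _serialize_rules(rules):
-    """Serialize all the Rule object as string.
-
-    New string is used to compare the rules list.
-    """
-    result = [(rule_name, str(rule)) for rule_name, rule in rules.items()]
-    return sorted(result, key=lambda rule: rule[0])
-
-
-def register_rules(enforcer):
-    """Register default policy rules."""
-    rules = policies.list_rules()
-    enforcer.register_defaults(rules)
-
-
-def authorize(context, action, target, do_raise=True):
-    """Verify that the action is valid on the target in this context.
-
-    :param context: monasca-events-api context
-    :param action: String representing the action to be checked. This
-                   should be colon separated for clarity.
-    :param target: Dictionary representing the object of the action for
-                   object creation. This should be a dictionary representing
-                   the location of the object e.g.
-                   ``{'project_id': 'context.project_id'}``
-    :param do_raise: if True (the default), raises PolicyNotAuthorized,
-                     if False returns False
-    :type context: object
-    :type action: str
-    :type target: dict
-    :type do_raise: bool
-    :return: returns a non-False value (not necessarily True) if authorized,
-             and the False if not authorized and do_raise if False
-
-    :raises oslo_policy.policy.PolicyNotAuthorized: if verification fails
-    """
-    init()
-    credentials = context.to_policy_values()
-
-    try:
-        result = _ENFORCER.authorize(action, target, credentials,
-                                     do_raise=do_raise, action=action)
-        return result
-    except policy.PolicyNotRegistered:
-        LOG.exception('Policy not registered')
-        raise
-    except Exception:
-        LOG.debug('Policy check for %(action)s failed with credentials '
-                  '%(credentials)s',
-                  {'action': action, 'credentials': credentials})
-        raise
-
-
-def check_is_admin(context):
-    """Check if roles contains 'admin' role according to policy settings."""
-    init()
-    credentials = context.to_policy_values()
-    target = credentials
-    return _ENFORCER.authorize('admin_required', target, credentials)
-
-
-def set_rules(rules, overwrite=True, use_conf=False):  # pragma: no cover
-    """Set rules based on the provided dict of rules.
-
-    Note:
-        Used in tests only.
-
-    :param rules: New rules to use. It should be an instance of dict
-    :param overwrite: Whether to overwrite current rules or update them
-                      with the new rules.
-    :param use_conf: Whether to reload rules from config file.
-    """
-    init(use_conf=False)
-    _ENFORCER.set_rules(rules, overwrite, use_conf)
-
-
-def get_rules():  # pragma: no cover
-    """Get policy rules.
-
-    Note:
-        Used in tests only.
-
-    """
-    if _ENFORCER:
-        return _ENFORCER.rules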

+ 3
- 1
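--- a/monasca_events_api/tests/unit/base.py
+++ b/monasca_events_api/tests/unit/base.py
@@ -17,6 +17,7 @@ import os
 import falcon
 from falcon import testing
 import fixtures
+from monasca_common.policy import policy_engine as policy
 from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_context import fixture as oc_fixture
@@ -27,9 +28,10 @@ from oslotest import base
 from monasca_events_api.app.core import request
 from monasca_events_api import config
 from monasca_events_api import policies
-from monasca_events_api import policy
+
 
 CONF = cfg.CONF
+policy.POLICIES = policies
 
 
 class ConfigFixture(config_fixture.Config):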

+ 1
- 1
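--- a/monasca_events_api/tests/unit/test_policy.py
+++ b/monasca_events_api/tests/unit/test_policy.py
@@ -13,11 +13,11 @@
 # under the License.
 from falcon import testing
 
+from monasca_common.policy import policy_engine as policy
 from oslo_context import context
 from oslo_policy import policy as os_policy
 
 from monasca_events_api.app.core import request
-from monasca_events_api import policy
 from monasca_events_api.tests.unit import base
 
 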
