Add ability for policy-checker to read configuration
Reading configurations will enable us to use the oslopolicy-checker to do external checks (which require the configuration in the enforcer). Change-Id: If2e697f9ac0317046f5a872ad668b42c1b32eb1e Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
parent
ce31c0fce9
commit
87c045199a
@ -19,9 +19,24 @@ import sys
from oslo_serialization import jsonutils
from oslo_serialization import jsonutils
from oslo_config import cfg
from oslo_config import cfg
from oslo_policy import opts
from oslo_policy import policy
from oslo_policy import policy
class FakeEnforcer(object):
def __init__(self, rules, config):
self.rules = rules
self.conf = None
if config:
self.conf = cfg.ConfigOpts()
for group, options in opts.list_opts():
self.conf.register_opts(options, group)
self.conf(["--config-file={}".format(config)])
def _try_rule(key, rule, target, access_data, o):
def _try_rule(key, rule, target, access_data, o):
try:
try:
result = rule(target, access_data, o, current_rule=key)
result = rule(target, access_data, o, current_rule=key)
@ -52,7 +67,8 @@ def flatten(d, parent_key=''):
def tool(policy_file, access_file, apply_rule, is_admin=False,
def tool(policy_file, access_file, apply_rule, is_admin=False,
target_file=None):
target_file=None, enforcer_config=None):
with open(access_file, "rb", 0) as a:
with open(access_file, "rb", 0) as a:
access = a.read()
access = a.read()
@ -66,10 +82,7 @@ def tool(policy_file, access_file, apply_rule, is_admin=False,
rules = policy.Rules.load(policy_data, "default")
rules = policy.Rules.load(policy_data, "default")
class Object(object):
enforcer = FakeEnforcer(rules, enforcer_config)
pass
o = Object()
o.rules = rules
if target_file:
if target_file:
with open(target_file, "rb", 0) as t:
with open(target_file, "rb", 0) as t:
@ -82,11 +95,12 @@ def tool(policy_file, access_file, apply_rule, is_admin=False,
if apply_rule:
if apply_rule:
key = apply_rule
key = apply_rule
rule = rules[apply_rule]
rule = rules[apply_rule]
_try_rule(key, rule, target_data, access_data, o)
_try_rule(key, rule, target_data, access_data, enforcer)
return
return
for key, rule in sorted(rules.items()):
for key, rule in sorted(rules.items()):
if ":" in key:
if ":" in key:
_try_rule(key, rule, target_data, access_data, o)
_try_rule(key, rule, target_data, access_data, enforcer)
def main():
def main():
@ -117,9 +131,14 @@ def main():
help='set is_admin=True on the credentials used for the evaluation.',
help='set is_admin=True on the credentials used for the evaluation.',
default=False))
default=False))
conf.register_cli_opt(cfg.StrOpt(
'enforcer_config',
help='configuration file for the oslopolicy-checker enforcer'))
conf()
conf()
tool(conf.policy, conf.access, conf.rule, conf.is_admin, conf.target)
tool(conf.policy, conf.access, conf.rule, conf.is_admin,
conf.target, conf.enforcer_config)
if __name__ == "__main__":
if __name__ == "__main__":
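Review bot: `FakeEnforcer.__init__` leaves `self.conf` as `None` when no enforcer config is supplied, yet the commit message itself says external checks require the configuration in the enforcer, so running a policy that contains an external check without `--enforcer-config` will fail with an AttributeError from inside the check (those checks read `enforcer.conf`) instead of a clear message. Constructing the `ConfigOpts` and registering `opts.list_opts()` unconditionally, and passing `--config-file` only when a path was given, lets external checks see the registered defaults in both cases; adding `default_config_files=[]` is worth it so that oslo.config does not silently search its default config locations when no path is supplied, since whatever it found there would then govern the remote checks. The class also has no docstring; a one-liner such as `"""Minimal stand-in for policy.Enforcer exposing the ``rules`` and ``conf`` attributes that checks read."""` would tell readers why every rule in `tool` now receives this object as its enforcer.
```python
    def __init__(self, rules, config):
        self.rules = rules
        # Always expose a ConfigOpts with the oslo_policy options registered,
        # so external checks find their defaults even without a config file.
        self.conf = cfg.ConfigOpts()
        for group, options in opts.list_opts():
            self.conf.register_opts(options, group)
        # default_config_files=[] keeps oslo.config from searching its default
        # locations when --enforcer-config was not supplied.
        self.conf(["--config-file={}".format(config)] if config else [],
                  default_config_files=[])
```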