Rules engine to enforce access control policy
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
oslo.policy/oslo_policy/generator.py

391 lines
14 KiB

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import logging
import sys
import textwrap
import warnings
import yaml
from oslo_config import cfg
from oslo_serialization import jsonutils
import stevedore
from oslo_policy import policy
LOG = logging.getLogger(__name__)
GENERATOR_OPTS = [
cfg.StrOpt('output-file',
help='Path of the file to write to. Defaults to stdout.'),
]
RULE_OPTS = [
cfg.MultiStrOpt('namespace',
required=True,
help='Option namespace(s) under "oslo.policy.policies" in '
'which to query for options.'),
cfg.StrOpt('format',
help='Desired format for the output.',
default='yaml',
choices=['json', 'yaml']),
]
ENFORCER_OPTS = [
cfg.StrOpt('namespace',
required=True,
help='Option namespace under "oslo.policy.enforcer" in '
'which to look for a policy.Enforcer.'),
]
UPGRADE_OPTS = [
cfg.StrOpt('policy',
required=True,
help='Path to the policy file which need to be updated.')
]
def get_policies_dict(namespaces):
"""Find the options available via the given namespaces.
:param namespaces: a list of namespaces registered under
'oslo.policy.policies'
:returns: a dict of {namespace1: [rule_default_1, rule_default_2],
namespace2: [rule_default_3]...}
"""
mgr = stevedore.named.NamedExtensionManager(
'oslo.policy.policies',
names=namespaces,
on_load_failure_callback=on_load_failure_callback,
invoke_on_load=True)
opts = {ep.name: ep.obj for ep in mgr}
return opts
def _get_enforcer(namespace):
"""Find a policy.Enforcer via an entry point with the given namespace.
:param namespace: a namespace under oslo.policy.enforcer where the desired
enforcer object can be found.
:returns: a policy.Enforcer object
"""
mgr = stevedore.named.NamedExtensionManager(
'oslo.policy.enforcer',
names=[namespace],
on_load_failure_callback=on_load_failure_callback,
invoke_on_load=True)
if namespace not in mgr:
raise KeyError('Namespace "%s" not found.' % namespace)
enforcer = mgr[namespace].obj
return enforcer
def _format_help_text(description):
"""Format a comment for a policy based on the description provided.
:param description: A string with helpful text.
:returns: A line wrapped comment, or blank comment if description is None
"""
if not description:
return '#'
formatted_lines = []
paragraph = []
def _wrap_paragraph(lines):
return textwrap.wrap(' '.join(lines), 70, initial_indent='# ',
subsequent_indent='# ')
for line in description.strip().splitlines():
if not line.strip():
# empty line -> line break, so dump anything we have
formatted_lines.extend(_wrap_paragraph(paragraph))
formatted_lines.append('#')
paragraph = []
elif len(line) == len(line.lstrip()):
# no leading whitespace = paragraph, which should be wrapped
paragraph.append(line.rstrip())
else:
# leading whitespace - literal block, which should not be wrapping
if paragraph:
# ...however, literal blocks need a new line before them to
# delineate things
# TODO(stephenfin): Raise an exception here and stop doing
# anything else in oslo.policy 2.0
warnings.warn(
'Invalid policy description: literal blocks must be '
'preceded by a new line. This will raise an exception in '
'a future version of oslo.policy:\n%s' % description,
FutureWarning)
formatted_lines.extend(_wrap_paragraph(paragraph))
formatted_lines.append('#')
paragraph = []
formatted_lines.append('# %s' % line.rstrip())
if paragraph:
# dump anything we might still have in the buffer
formatted_lines.extend(_wrap_paragraph(paragraph))
return '\n'.join(formatted_lines)
def _format_rule_default_yaml(default, include_help=True):
"""Create a yaml node from policy.RuleDefault or policy.DocumentedRuleDefault.
:param default: A policy.RuleDefault or policy.DocumentedRuleDefault object
:returns: A string containing a yaml representation of the RuleDefault
"""
text = ('"%(name)s": "%(check_str)s"\n' %
{'name': default.name,
'check_str': default.check_str})
if include_help:
op = ""
if hasattr(default, 'operations'):
for operation in default.operations:
op += ('# %(method)s %(path)s\n' %
{'method': operation['method'],
'path': operation['path']})
intended_scope = ""
if getattr(default, 'scope_types', None) is not None:
intended_scope = (
'# Intended scope(s): ' + ', '.join(default.scope_types) + '\n'
)
text = ('%(help)s\n%(op)s%(scope)s#%(text)s\n' %
{'help': _format_help_text(default.description),
'op': op,
'scope': intended_scope,
'text': text})
if default.deprecated_for_removal:
text = (
'# DEPRECATED\n# "%(name)s" has been deprecated since '
'%(since)s.\n%(reason)s\n%(text)s'
) % {'name': default.name,
'check_str': default.check_str,
'since': default.deprecated_since,
'reason': _format_help_text(default.deprecated_reason),
'text': text}
elif default.deprecated_rule:
# This issues a deprecation warning but aliases the old policy name
# with the new policy name for compatibility.
deprecated_text = (
'DEPRECATED\n"%(old_name)s":"%(old_check_str)s" has been '
'deprecated since %(since)s in favor of '
'"%(name)s":"%(check_str)s".\n%(reason)s'
) % {'old_name': default.deprecated_rule.name,
'old_check_str': default.deprecated_rule.check_str,
'since': default.deprecated_since,
'name': default.name,
'check_str': default.check_str,
'reason': default.deprecated_reason}
text = (
'%(text)s%(deprecated_text)s\n"%(old_name)s": "rule:%(name)s"\n'
) % {'text': text,
'deprecated_text': _format_help_text(deprecated_text),
'old_name': default.deprecated_rule.name,
'name': default.name}
return text
def _format_rule_default_json(default):
"""Create a json node from policy.RuleDefault or policy.DocumentedRuleDefault.
:param default: A policy.RuleDefault or policy.DocumentedRuleDefault object
:returns: A string containing a json representation of the RuleDefault
"""
return ('"%(name)s": "%(check_str)s"' %
{'name': default.name,
'check_str': default.check_str})
def _sort_and_format_by_section(policies, output_format='yaml',
include_help=True):
"""Generate a list of policy section texts
The text for a section will be created and returned one at a time. The
sections are sorted first to provide for consistent output.
Text is created in yaml format. This is done manually because PyYaml
does not facilitate outputing comments.
:param policies: A dict of {section1: [rule_default_1, rule_default_2],
section2: [rule_default_3]}
:param output_format: The format of the file to output to.
"""
for section in sorted(policies.keys()):
rule_defaults = policies[section]
for rule_default in rule_defaults:
if output_format == 'yaml':
yield _format_rule_default_yaml(rule_default,
include_help=include_help)
elif output_format == 'json':
yield _format_rule_default_json(rule_default)
def _generate_sample(namespaces, output_file=None, output_format='yaml',
include_help=True):
"""Generate a sample policy file.
List all of the policies available via the namespace specified in the
given configuration and write them to the specified output file.
:param namespaces: a list of namespaces registered under
'oslo.policy.policies'. Stevedore will look here for
policy options.
:param output_file: The path of a file to output to. stdout used if None.
:param output_format: The format of the file to output to.
:param include_help: True, generates a sample-policy file with help text
along with rules in which everything is commented out.
False, generates a sample-policy file with only rules.
"""
policies = get_policies_dict(namespaces)
output_file = (open(output_file, 'w') if output_file
else sys.stdout)
sections_text = []
for section in _sort_and_format_by_section(policies, output_format,
include_help=include_help):
sections_text.append(section)
if output_format == 'yaml':
output_file.writelines(sections_text)
elif output_format == 'json':
output_file.writelines((
'{\n ',
',\n '.join(sections_text),
'\n}\n'))
def _generate_policy(namespace, output_file=None):
"""Generate a policy file showing what will be used.
This takes all registered policies and merges them with what's defined in
a policy file and outputs the result. That result is the effective policy
that will be honored by policy checks.
:param output_file: The path of a file to output to. stdout used if None.
"""
enforcer = _get_enforcer(namespace)
# Ensure that files have been parsed
enforcer.load_rules()
file_rules = [policy.RuleDefault(name, default.check_str)
for name, default in enforcer.file_rules.items()]
registered_rules = [policy.RuleDefault(name, default.check_str)
for name, default in enforcer.registered_rules.items()
if name not in enforcer.file_rules]
policies = {'rules': file_rules + registered_rules}
output_file = (open(output_file, 'w') if output_file
else sys.stdout)
for section in _sort_and_format_by_section(policies, include_help=False):
output_file.write(section)
def _list_redundant(namespace):
"""Generate a list of configured policies which match defaults.
This checks all policies loaded from policy files and checks to see if they
match registered policies. If so then it is redundant to have them defined
in a policy file and operators should consider removing them.
"""
enforcer = _get_enforcer(namespace)
# Ensure that files have been parsed
enforcer.load_rules()
for name, file_rule in enforcer.file_rules.items():
reg_rule = enforcer.registered_rules.get(name, None)
if reg_rule:
if file_rule == reg_rule:
print(reg_rule)
def on_load_failure_callback(*args, **kwargs):
raise
def generate_sample(args=None):
logging.basicConfig(level=logging.WARN)
conf = cfg.ConfigOpts()
conf.register_cli_opts(GENERATOR_OPTS + RULE_OPTS)
conf.register_opts(GENERATOR_OPTS + RULE_OPTS)
conf(args)
_generate_sample(conf.namespace, conf.output_file, conf.format)
def generate_policy(args=None):
logging.basicConfig(level=logging.WARN)
conf = cfg.ConfigOpts()
conf.register_cli_opts(GENERATOR_OPTS + ENFORCER_OPTS)
conf.register_opts(GENERATOR_OPTS + ENFORCER_OPTS)
conf(args)
_generate_policy(conf.namespace, conf.output_file)
def _upgrade_policies(policies, default_policies):
old_policies_keys = list(policies.keys())
for section in sorted(default_policies.keys()):
rule_defaults = default_policies[section]
for rule_default in rule_defaults:
if (rule_default.deprecated_rule and
rule_default.deprecated_rule.name in old_policies_keys):
policies[rule_default.name] = policies.pop(
rule_default.deprecated_rule.name)
LOG.info('The name of policy %(old_name)s has been upgraded to'
'%(new_name)',
{'old_name': rule_default.deprecated_rule.name,
'new_name': rule_default.name})
def upgrade_policy(args=None):
logging.basicConfig(level=logging.WARN)
conf = cfg.ConfigOpts()
conf.register_cli_opts(GENERATOR_OPTS + RULE_OPTS + UPGRADE_OPTS)
conf.register_opts(GENERATOR_OPTS + RULE_OPTS + UPGRADE_OPTS)
conf(args)
with open(conf.policy, 'r') as input_data:
policies = policy.parse_file_contents(input_data.read())
default_policies = get_policies_dict(conf.namespace)
_upgrade_policies(policies, default_policies)
if conf.output_file:
if conf.format == 'yaml':
yaml.safe_dump(policies, open(conf.output_file, 'w'),
default_flow_style=False)
elif conf.format == 'json':
jsonutils.dump(policies, open(conf.output_file, 'w'),
indent=4)
else:
if conf.format == 'yaml':
sys.stdout.write(yaml.safe_dump(policies,
default_flow_style=False))
elif conf.format == 'json':
sys.stdout.write(jsonutils.dumps(policies, indent=4))
def list_redundant(args=None):
logging.basicConfig(level=logging.WARN)
conf = cfg.ConfigOpts()
conf.register_cli_opts(ENFORCER_OPTS)
conf.register_opts(ENFORCER_OPTS)
conf(args)
_list_redundant(conf.namespace)