Add roles checking.
Until now, only the token validity was checked, without checking roles. Change-Id: Ic437885b9bfeff4a931225fdaa6c5c076b124195
This commit is contained in:
parent
9d49090d31
commit
ffc58f7996
|
@ -20,6 +20,7 @@ import sys
|
||||||
from oslo.config import cfg
|
from oslo.config import cfg
|
||||||
|
|
||||||
from kwapi.plugins.api import app
|
from kwapi.plugins.api import app
|
||||||
|
from kwapi.plugins.api import acl
|
||||||
from kwapi.openstack.common import log
|
from kwapi.openstack.common import log
|
||||||
|
|
||||||
app_opts = [
|
app_opts = [
|
||||||
|
@ -36,6 +37,6 @@ if __name__ == '__main__':
|
||||||
default_config_files=['/etc/kwapi/api.conf']
|
default_config_files=['/etc/kwapi/api.conf']
|
||||||
)
|
)
|
||||||
log.setup('kwapi')
|
log.setup('kwapi')
|
||||||
|
log.setup('keystoneclient')
|
||||||
root = app.make_app()
|
root = app.make_app()
|
||||||
root.run(host='0.0.0.0', port=cfg.CONF.api_port)
|
root.run(host='0.0.0.0', port=cfg.CONF.api_port)
|
||||||
|
|
|
@ -24,7 +24,9 @@ from kwapi.drivers import driver_manager
|
||||||
from kwapi.openstack.common import log
|
from kwapi.openstack.common import log
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
cfg.CONF(sys.argv[1:], project='kwapi', default_config_files=['/etc/kwapi/drivers.conf'])
|
cfg.CONF(sys.argv[1:],
|
||||||
|
project='kwapi',
|
||||||
|
default_config_files=['/etc/kwapi/drivers.conf'])
|
||||||
log.setup('kwapi')
|
log.setup('kwapi')
|
||||||
|
|
||||||
driver_manager.start_zmq_server()
|
driver_manager.start_zmq_server()
|
||||||
|
|
|
@ -31,7 +31,9 @@ app_opts = [
|
||||||
cfg.CONF.register_opts(app_opts)
|
cfg.CONF.register_opts(app_opts)
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
cfg.CONF(sys.argv[1:], project='kwapi', default_config_files=['/etc/kwapi/rrd.conf'])
|
cfg.CONF(sys.argv[1:],
|
||||||
|
project='kwapi',
|
||||||
|
default_config_files=['/etc/kwapi/rrd.conf'])
|
||||||
log.setup('kwapi')
|
log.setup('kwapi')
|
||||||
|
|
||||||
root = app.make_app()
|
root = app.make_app()
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
# ACL
|
# ACL
|
||||||
acl_enabled = true
|
acl_enabled = true
|
||||||
acl_auth_url = http://10.0.0.2:5000/v2.0
|
policy_file = /etc/kwapi/policy.json
|
||||||
|
|
||||||
# Signature
|
# Signature
|
||||||
signature_checking = true
|
signature_checking = true
|
||||||
|
@ -13,10 +13,13 @@ driver_metering_secret = Change This Or Be Hacked
|
||||||
# Communication
|
# Communication
|
||||||
api_port = 5000
|
api_port = 5000
|
||||||
probes_endpoint = ipc:///tmp/kwapi
|
probes_endpoint = ipc:///tmp/kwapi
|
||||||
probes_endpoint = tcp://140.77.13.25:6000
|
|
||||||
|
|
||||||
# Timers
|
# Timers
|
||||||
cleaning_interval = 300
|
cleaning_interval = 300
|
||||||
|
|
||||||
# Log files
|
# Log files
|
||||||
log_file = /tmp/kwapi-api.log
|
log_file = /tmp/kwapi-api.log
|
||||||
|
verbose = True
|
||||||
|
|
||||||
|
[keystone_authtoken]
|
||||||
|
auth_host = 10.0.0.2
|
||||||
|
|
|
@ -14,6 +14,7 @@ check_drivers_interval = 60
|
||||||
|
|
||||||
# Log files
|
# Log files
|
||||||
log_file = /tmp/kwapi-drivers.log
|
log_file = /tmp/kwapi-drivers.log
|
||||||
|
verbose = True
|
||||||
|
|
||||||
[Wattmeter 1]
|
[Wattmeter 1]
|
||||||
probes = ['A']
|
probes = ['A']
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
{
|
||||||
|
"context_is_admin": [["role:admin"]]
|
||||||
|
}
|
|
@ -23,3 +23,4 @@ refresh_interval = 5
|
||||||
|
|
||||||
# Log files
|
# Log files
|
||||||
log_file = /tmp/kwapi-rrd.log
|
log_file = /tmp/kwapi-rrd.log
|
||||||
|
verbose = True
|
||||||
|
|
|
@ -0,0 +1,779 @@
|
||||||
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
|
||||||
|
# Copyright (c) 2012 OpenStack, LLC.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
"""
|
||||||
|
Common Policy Engine Implementation
|
||||||
|
|
||||||
|
Policies can be expressed in one of two forms: A list of lists, or a
|
||||||
|
string written in the new policy language.
|
||||||
|
|
||||||
|
In the list-of-lists representation, each check inside the innermost
|
||||||
|
list is combined as with an "and" conjunction--for that check to pass,
|
||||||
|
all the specified checks must pass. These innermost lists are then
|
||||||
|
combined as with an "or" conjunction. This is the original way of
|
||||||
|
expressing policies, but there now exists a new way: the policy
|
||||||
|
language.
|
||||||
|
|
||||||
|
In the policy language, each check is specified the same way as in the
|
||||||
|
list-of-lists representation: a simple "a:b" pair that is matched to
|
||||||
|
the correct code to perform that check. However, conjunction
|
||||||
|
operators are available, allowing for more expressiveness in crafting
|
||||||
|
policies.
|
||||||
|
|
||||||
|
As an example, take the following rule, expressed in the list-of-lists
|
||||||
|
representation::
|
||||||
|
|
||||||
|
[["role:admin"], ["project_id:%(project_id)s", "role:projectadmin"]]
|
||||||
|
|
||||||
|
In the policy language, this becomes::
|
||||||
|
|
||||||
|
role:admin or (project_id:%(project_id)s and role:projectadmin)
|
||||||
|
|
||||||
|
The policy language also has the "not" operator, allowing a richer
|
||||||
|
policy rule::
|
||||||
|
|
||||||
|
project_id:%(project_id)s and not role:dunce
|
||||||
|
|
||||||
|
Finally, two special policy checks should be mentioned; the policy
|
||||||
|
check "@" will always accept an access, and the policy check "!" will
|
||||||
|
always reject an access. (Note that if a rule is either the empty
|
||||||
|
list ("[]") or the empty string, this is equivalent to the "@" policy
|
||||||
|
check.) Of these, the "!" policy check is probably the most useful,
|
||||||
|
as it allows particular rules to be explicitly disabled.
|
||||||
|
"""
|
||||||
|
|
||||||
|
import abc
|
||||||
|
import logging
|
||||||
|
import re
|
||||||
|
import urllib
|
||||||
|
|
||||||
|
import urllib2
|
||||||
|
|
||||||
|
from kwapi.openstack.common.gettextutils import _
|
||||||
|
from kwapi.openstack.common import jsonutils
|
||||||
|
|
||||||
|
|
||||||
|
LOG = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
_rules = None
|
||||||
|
_checks = {}
|
||||||
|
|
||||||
|
|
||||||
|
class Rules(dict):
|
||||||
|
"""
|
||||||
|
A store for rules. Handles the default_rule setting directly.
|
||||||
|
"""
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def load_json(cls, data, default_rule=None):
|
||||||
|
"""
|
||||||
|
Allow loading of JSON rule data.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Suck in the JSON data and parse the rules
|
||||||
|
rules = dict((k, parse_rule(v)) for k, v in
|
||||||
|
jsonutils.loads(data).items())
|
||||||
|
|
||||||
|
return cls(rules, default_rule)
|
||||||
|
|
||||||
|
def __init__(self, rules=None, default_rule=None):
|
||||||
|
"""Initialize the Rules store."""
|
||||||
|
|
||||||
|
super(Rules, self).__init__(rules or {})
|
||||||
|
self.default_rule = default_rule
|
||||||
|
|
||||||
|
def __missing__(self, key):
|
||||||
|
"""Implements the default rule handling."""
|
||||||
|
|
||||||
|
# If the default rule isn't actually defined, do something
|
||||||
|
# reasonably intelligent
|
||||||
|
if not self.default_rule or self.default_rule not in self:
|
||||||
|
raise KeyError(key)
|
||||||
|
|
||||||
|
return self[self.default_rule]
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Dumps a string representation of the rules."""
|
||||||
|
|
||||||
|
# Start by building the canonical strings for the rules
|
||||||
|
out_rules = {}
|
||||||
|
for key, value in self.items():
|
||||||
|
# Use empty string for singleton TrueCheck instances
|
||||||
|
if isinstance(value, TrueCheck):
|
||||||
|
out_rules[key] = ''
|
||||||
|
else:
|
||||||
|
out_rules[key] = str(value)
|
||||||
|
|
||||||
|
# Dump a pretty-printed JSON representation
|
||||||
|
return jsonutils.dumps(out_rules, indent=4)
|
||||||
|
|
||||||
|
|
||||||
|
# Really have to figure out a way to deprecate this
|
||||||
|
def set_rules(rules):
|
||||||
|
"""Set the rules in use for policy checks."""
|
||||||
|
|
||||||
|
global _rules
|
||||||
|
|
||||||
|
_rules = rules
|
||||||
|
|
||||||
|
|
||||||
|
# Ditto
|
||||||
|
def reset():
|
||||||
|
"""Clear the rules used for policy checks."""
|
||||||
|
|
||||||
|
global _rules
|
||||||
|
|
||||||
|
_rules = None
|
||||||
|
|
||||||
|
|
||||||
|
def check(rule, target, creds, exc=None, *args, **kwargs):
|
||||||
|
"""
|
||||||
|
Checks authorization of a rule against the target and credentials.
|
||||||
|
|
||||||
|
:param rule: The rule to evaluate.
|
||||||
|
:param target: As much information about the object being operated
|
||||||
|
on as possible, as a dictionary.
|
||||||
|
:param creds: As much information about the user performing the
|
||||||
|
action as possible, as a dictionary.
|
||||||
|
:param exc: Class of the exception to raise if the check fails.
|
||||||
|
Any remaining arguments passed to check() (both
|
||||||
|
positional and keyword arguments) will be passed to
|
||||||
|
the exception class. If exc is not provided, returns
|
||||||
|
False.
|
||||||
|
|
||||||
|
:return: Returns False if the policy does not allow the action and
|
||||||
|
exc is not provided; otherwise, returns a value that
|
||||||
|
evaluates to True. Note: for rules using the "case"
|
||||||
|
expression, this True value will be the specified string
|
||||||
|
from the expression.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Allow the rule to be a Check tree
|
||||||
|
if isinstance(rule, BaseCheck):
|
||||||
|
result = rule(target, creds)
|
||||||
|
elif not _rules:
|
||||||
|
# No rules to reference means we're going to fail closed
|
||||||
|
result = False
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
# Evaluate the rule
|
||||||
|
result = _rules[rule](target, creds)
|
||||||
|
except KeyError:
|
||||||
|
# If the rule doesn't exist, fail closed
|
||||||
|
result = False
|
||||||
|
|
||||||
|
# If it is False, raise the exception if requested
|
||||||
|
if exc and result is False:
|
||||||
|
raise exc(*args, **kwargs)
|
||||||
|
|
||||||
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
class BaseCheck(object):
|
||||||
|
"""
|
||||||
|
Abstract base class for Check classes.
|
||||||
|
"""
|
||||||
|
|
||||||
|
__metaclass__ = abc.ABCMeta
|
||||||
|
|
||||||
|
@abc.abstractmethod
|
||||||
|
def __str__(self):
|
||||||
|
"""
|
||||||
|
Retrieve a string representation of the Check tree rooted at
|
||||||
|
this node.
|
||||||
|
"""
|
||||||
|
|
||||||
|
pass
|
||||||
|
|
||||||
|
@abc.abstractmethod
|
||||||
|
def __call__(self, target, cred):
|
||||||
|
"""
|
||||||
|
Perform the check. Returns False to reject the access or a
|
||||||
|
true value (not necessary True) to accept the access.
|
||||||
|
"""
|
||||||
|
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
class FalseCheck(BaseCheck):
|
||||||
|
"""
|
||||||
|
A policy check that always returns False (disallow).
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Return a string representation of this check."""
|
||||||
|
|
||||||
|
return "!"
|
||||||
|
|
||||||
|
def __call__(self, target, cred):
|
||||||
|
"""Check the policy."""
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
class TrueCheck(BaseCheck):
|
||||||
|
"""
|
||||||
|
A policy check that always returns True (allow).
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Return a string representation of this check."""
|
||||||
|
|
||||||
|
return "@"
|
||||||
|
|
||||||
|
def __call__(self, target, cred):
|
||||||
|
"""Check the policy."""
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
class Check(BaseCheck):
|
||||||
|
"""
|
||||||
|
A base class to allow for user-defined policy checks.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, kind, match):
|
||||||
|
"""
|
||||||
|
:param kind: The kind of the check, i.e., the field before the
|
||||||
|
':'.
|
||||||
|
:param match: The match of the check, i.e., the field after
|
||||||
|
the ':'.
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.kind = kind
|
||||||
|
self.match = match
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Return a string representation of this check."""
|
||||||
|
|
||||||
|
return "%s:%s" % (self.kind, self.match)
|
||||||
|
|
||||||
|
|
||||||
|
class NotCheck(BaseCheck):
|
||||||
|
"""
|
||||||
|
A policy check that inverts the result of another policy check.
|
||||||
|
Implements the "not" operator.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, rule):
|
||||||
|
"""
|
||||||
|
Initialize the 'not' check.
|
||||||
|
|
||||||
|
:param rule: The rule to negate. Must be a Check.
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.rule = rule
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Return a string representation of this check."""
|
||||||
|
|
||||||
|
return "not %s" % self.rule
|
||||||
|
|
||||||
|
def __call__(self, target, cred):
|
||||||
|
"""
|
||||||
|
Check the policy. Returns the logical inverse of the wrapped
|
||||||
|
check.
|
||||||
|
"""
|
||||||
|
|
||||||
|
return not self.rule(target, cred)
|
||||||
|
|
||||||
|
|
||||||
|
class AndCheck(BaseCheck):
|
||||||
|
"""
|
||||||
|
A policy check that requires that a list of other checks all
|
||||||
|
return True. Implements the "and" operator.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, rules):
|
||||||
|
"""
|
||||||
|
Initialize the 'and' check.
|
||||||
|
|
||||||
|
:param rules: A list of rules that will be tested.
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.rules = rules
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Return a string representation of this check."""
|
||||||
|
|
||||||
|
return "(%s)" % ' and '.join(str(r) for r in self.rules)
|
||||||
|
|
||||||
|
def __call__(self, target, cred):
|
||||||
|
"""
|
||||||
|
Check the policy. Requires that all rules accept in order to
|
||||||
|
return True.
|
||||||
|
"""
|
||||||
|
|
||||||
|
for rule in self.rules:
|
||||||
|
if not rule(target, cred):
|
||||||
|
return False
|
||||||
|
|
||||||
|
return True
|
||||||
|
|
||||||
|
def add_check(self, rule):
|
||||||
|
"""
|
||||||
|
Allows addition of another rule to the list of rules that will
|
||||||
|
be tested. Returns the AndCheck object for convenience.
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.rules.append(rule)
|
||||||
|
return self
|
||||||
|
|
||||||
|
|
||||||
|
class OrCheck(BaseCheck):
|
||||||
|
"""
|
||||||
|
A policy check that requires that at least one of a list of other
|
||||||
|
checks returns True. Implements the "or" operator.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, rules):
|
||||||
|
"""
|
||||||
|
Initialize the 'or' check.
|
||||||
|
|
||||||
|
:param rules: A list of rules that will be tested.
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.rules = rules
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
"""Return a string representation of this check."""
|
||||||
|
|
||||||
|
return "(%s)" % ' or '.join(str(r) for r in self.rules)
|
||||||
|
|
||||||
|
def __call__(self, target, cred):
|
||||||
|
"""
|
||||||
|
Check the policy. Requires that at least one rule accept in
|
||||||
|
order to return True.
|
||||||
|
"""
|
||||||
|
|
||||||
|
for rule in self.rules:
|
||||||
|
if rule(target, cred):
|
||||||
|
return True
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
def add_check(self, rule):
|
||||||
|
"""
|
||||||
|
Allows addition of another rule to the list of rules that will
|
||||||
|
be tested. Returns the OrCheck object for convenience.
|
||||||
|
"""
|
||||||
|
|
||||||
|
self.rules.append(rule)
|
||||||
|
return self
|
||||||
|
|
||||||
|
|
||||||
|
def _parse_check(rule):
|
||||||
|
"""
|
||||||
|
Parse a single base check rule into an appropriate Check object.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Handle the special checks
|
||||||
|
if rule == '!':
|
||||||
|
return FalseCheck()
|
||||||
|
elif rule == '@':
|
||||||
|
return TrueCheck()
|
||||||
|
|
||||||
|
try:
|
||||||
|
kind, match = rule.split(':', 1)
|
||||||
|
except Exception:
|
||||||
|
LOG.exception(_("Failed to understand rule %(rule)s") % locals())
|
||||||
|
# If the rule is invalid, we'll fail closed
|
||||||
|
return FalseCheck()
|
||||||
|
|
||||||
|
# Find what implements the check
|
||||||
|
if kind in _checks:
|
||||||
|
return _checks[kind](kind, match)
|
||||||
|
elif None in _checks:
|
||||||
|
return _checks[None](kind, match)
|
||||||
|
else:
|
||||||
|
LOG.error(_("No handler for matches of kind %s") % kind)
|
||||||
|
return FalseCheck()
|
||||||
|
|
||||||
|
|
||||||
|
def _parse_list_rule(rule):
|
||||||
|
"""
|
||||||
|
Provided for backwards compatibility. Translates the old
|
||||||
|
list-of-lists syntax into a tree of Check objects.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Empty rule defaults to True
|
||||||
|
if not rule:
|
||||||
|
return TrueCheck()
|
||||||
|
|
||||||
|
# Outer list is joined by "or"; inner list by "and"
|
||||||
|
or_list = []
|
||||||
|
for inner_rule in rule:
|
||||||
|
# Elide empty inner lists
|
||||||
|
if not inner_rule:
|
||||||
|
continue
|
||||||
|
|
||||||
|
# Handle bare strings
|
||||||
|
if isinstance(inner_rule, basestring):
|
||||||
|
inner_rule = [inner_rule]
|
||||||
|
|
||||||
|
# Parse the inner rules into Check objects
|
||||||
|
and_list = [_parse_check(r) for r in inner_rule]
|
||||||
|
|
||||||
|
# Append the appropriate check to the or_list
|
||||||
|
if len(and_list) == 1:
|
||||||
|
or_list.append(and_list[0])
|
||||||
|
else:
|
||||||
|
or_list.append(AndCheck(and_list))
|
||||||
|
|
||||||
|
# If we have only one check, omit the "or"
|
||||||
|
if len(or_list) == 0:
|
||||||
|
return FalseCheck()
|
||||||
|
elif len(or_list) == 1:
|
||||||
|
return or_list[0]
|
||||||
|
|
||||||
|
return OrCheck(or_list)
|
||||||
|
|
||||||
|
|
||||||
|
# Used for tokenizing the policy language
|
||||||
|
_tokenize_re = re.compile(r'\s+')
|
||||||
|
|
||||||
|
|
||||||
|
def _parse_tokenize(rule):
|
||||||
|
"""
|
||||||
|
Tokenizer for the policy language.
|
||||||
|
|
||||||
|
Most of the single-character tokens are specified in the
|
||||||
|
_tokenize_re; however, parentheses need to be handled specially,
|
||||||
|
because they can appear inside a check string. Thankfully, those
|
||||||
|
parentheses that appear inside a check string can never occur at
|
||||||
|
the very beginning or end ("%(variable)s" is the correct syntax).
|
||||||
|
"""
|
||||||
|
|
||||||
|
for tok in _tokenize_re.split(rule):
|
||||||
|
# Skip empty tokens
|
||||||
|
if not tok or tok.isspace():
|
||||||
|
continue
|
||||||
|
|
||||||
|
# Handle leading parens on the token
|
||||||
|
clean = tok.lstrip('(')
|
||||||
|
for i in range(len(tok) - len(clean)):
|
||||||
|
yield '(', '('
|
||||||
|
|
||||||
|
# If it was only parentheses, continue
|
||||||
|
if not clean:
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
tok = clean
|
||||||
|
|
||||||
|
# Handle trailing parens on the token
|
||||||
|
clean = tok.rstrip(')')
|
||||||
|
trail = len(tok) - len(clean)
|
||||||
|
|
||||||
|
# Yield the cleaned token
|
||||||
|
lowered = clean.lower()
|
||||||
|
if lowered in ('and', 'or', 'not'):
|
||||||
|
# Special tokens
|
||||||
|
yield lowered, clean
|
||||||
|
elif clean:
|
||||||
|
# Not a special token, but not composed solely of ')'
|
||||||
|
if len(tok) >= 2 and ((tok[0], tok[-1]) in
|
||||||
|
[('"', '"'), ("'", "'")]):
|
||||||
|
# It's a quoted string
|
||||||
|
yield 'string', tok[1:-1]
|
||||||
|
else:
|
||||||
|
yield 'check', _parse_check(clean)
|
||||||
|
|
||||||
|
# Yield the trailing parens
|
||||||
|
for i in range(trail):
|
||||||
|
yield ')', ')'
|
||||||
|
|
||||||
|
|
||||||
|
class ParseStateMeta(type):
|
||||||
|
"""
|
||||||
|
Metaclass for the ParseState class. Facilitates identifying
|
||||||
|
reduction methods.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __new__(mcs, name, bases, cls_dict):
|
||||||
|
"""
|
||||||
|
Create the class. Injects the 'reducers' list, a list of
|
||||||
|
tuples matching token sequences to the names of the
|
||||||
|
corresponding reduction methods.
|
||||||
|
"""
|
||||||
|
|
||||||
|
reducers = []
|
||||||
|
|
||||||
|
for key, value in cls_dict.items():
|
||||||
|
if not hasattr(value, 'reducers'):
|
||||||
|
continue
|
||||||
|
for reduction in value.reducers:
|
||||||
|
reducers.append((reduction, key))
|
||||||
|
|
||||||
|
cls_dict['reducers'] = reducers
|
||||||
|
|
||||||
|
return super(ParseStateMeta, mcs).__new__(mcs, name, bases, cls_dict)
|
||||||
|
|
||||||
|
|
||||||
|
def reducer(*tokens):
|
||||||
|
"""
|
||||||
|
Decorator for reduction methods. Arguments are a sequence of
|
||||||
|
tokens, in order, which should trigger running this reduction
|
||||||
|
method.
|
||||||
|
"""
|
||||||
|
|
||||||
|
def decorator(func):
|
||||||
|
# Make sure we have a list of reducer sequences
|
||||||
|
if not hasattr(func, 'reducers'):
|
||||||
|
func.reducers = []
|
||||||
|
|
||||||
|
# Add the tokens to the list of reducer sequences
|
||||||
|
func.reducers.append(list(tokens))
|
||||||
|
|
||||||
|
return func
|
||||||
|
|
||||||
|
return decorator
|
||||||
|
|
||||||
|
|
||||||
|
class ParseState(object):
|
||||||
|
"""
|
||||||
|
Implement the core of parsing the policy language. Uses a greedy
|
||||||
|
reduction algorithm to reduce a sequence of tokens into a single
|
||||||
|
terminal, the value of which will be the root of the Check tree.
|
||||||
|
|
||||||
|
Note: error reporting is rather lacking. The best we can get with
|
||||||
|
this parser formulation is an overall "parse failed" error.
|
||||||
|
Fortunately, the policy language is simple enough that this
|
||||||
|
shouldn't be that big a problem.
|
||||||
|
"""
|
||||||
|
|
||||||
|
__metaclass__ = ParseStateMeta
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
"""Initialize the ParseState."""
|
||||||
|
|
||||||
|
self.tokens = []
|
||||||
|
self.values = []
|
||||||
|
|
||||||
|
def reduce(self):
|
||||||
|
"""
|
||||||
|
Perform a greedy reduction of the token stream. If a reducer
|
||||||
|
method matches, it will be executed, then the reduce() method
|
||||||
|
will be called recursively to search for any more possible
|
||||||
|
reductions.
|
||||||
|
"""
|
||||||
|
|
||||||
|
for reduction, methname in self.reducers:
|
||||||
|
if (len(self.tokens) >= len(reduction) and
|
||||||
|
self.tokens[-len(reduction):] == reduction):
|
||||||
|
# Get the reduction method
|
||||||
|
meth = getattr(self, methname)
|
||||||
|
|
||||||
|
# Reduce the token stream
|
||||||
|
results = meth(*self.values[-len(reduction):])
|
||||||
|
|
||||||
|
# Update the tokens and values
|
||||||
|
self.tokens[-len(reduction):] = [r[0] for r in results]
|
||||||
|
self.values[-len(reduction):] = [r[1] for r in results]
|
||||||
|
|
||||||
|
# Check for any more reductions
|
||||||
|
return self.reduce()
|
||||||
|
|
||||||
|
def shift(self, tok, value):
|
||||||
|
"""Adds one more token to the state. Calls reduce()."""
|
||||||
|
|
||||||
|
self.tokens.append(tok)
|
||||||
|
self.values.append(value)
|
||||||
|
|
||||||
|
# Do a greedy reduce...
|
||||||
|
self.reduce()
|
||||||
|
|
||||||
|
@property
|
||||||
|
def result(self):
|
||||||
|
"""
|
||||||
|
Obtain the final result of the parse. Raises ValueError if
|
||||||
|
the parse failed to reduce to a single result.
|
||||||
|
"""
|
||||||
|
|
||||||
|
if len(self.values) != 1:
|
||||||
|
raise ValueError("Could not parse rule")
|
||||||
|
return self.values[0]
|
||||||
|
|
||||||
|
@reducer('(', 'check', ')')
|
||||||
|
@reducer('(', 'and_expr', ')')
|
||||||
|
@reducer('(', 'or_expr', ')')
|
||||||
|
def _wrap_check(self, _p1, check, _p2):
|
||||||
|
"""Turn parenthesized expressions into a 'check' token."""
|
||||||
|
|
||||||
|
return [('check', check)]
|
||||||
|
|
||||||
|
@reducer('check', 'and', 'check')
|
||||||
|
def _make_and_expr(self, check1, _and, check2):
|
||||||
|
"""
|
||||||
|
Create an 'and_expr' from two checks joined by the 'and'
|
||||||
|
operator.
|
||||||
|
"""
|
||||||
|
|
||||||
|
return [('and_expr', AndCheck([check1, check2]))]
|
||||||
|
|
||||||
|
@reducer('and_expr', 'and', 'check')
|
||||||
|
def _extend_and_expr(self, and_expr, _and, check):
|
||||||
|
"""
|
||||||
|
Extend an 'and_expr' by adding one more check.
|
||||||
|
"""
|
||||||
|
|
||||||
|
return [('and_expr', and_expr.add_check(check))]
|
||||||
|
|
||||||
|
@reducer('check', 'or', 'check')
|
||||||
|
def _make_or_expr(self, check1, _or, check2):
|
||||||
|
"""
|
||||||
|
Create an 'or_expr' from two checks joined by the 'or'
|
||||||
|
operator.
|
||||||
|
"""
|
||||||
|
|
||||||
|
return [('or_expr', OrCheck([check1, check2]))]
|
||||||
|
|
||||||
|
@reducer('or_expr', 'or', 'check')
|
||||||
|
def _extend_or_expr(self, or_expr, _or, check):
|
||||||
|
"""
|
||||||
|
Extend an 'or_expr' by adding one more check.
|
||||||
|
"""
|
||||||
|
|
||||||
|
return [('or_expr', or_expr.add_check(check))]
|
||||||
|
|
||||||
|
@reducer('not', 'check')
|
||||||
|
def _make_not_expr(self, _not, check):
|
||||||
|
"""Invert the result of another check."""
|
||||||
|
|
||||||
|
return [('check', NotCheck(check))]
|
||||||
|
|
||||||
|
|
||||||
|
def _parse_text_rule(rule):
|
||||||
|
"""
|
||||||
|
Translates a policy written in the policy language into a tree of
|
||||||
|
Check objects.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Empty rule means always accept
|
||||||
|
if not rule:
|
||||||
|
return TrueCheck()
|
||||||
|
|
||||||
|
# Parse the token stream
|
||||||
|
state = ParseState()
|
||||||
|
for tok, value in _parse_tokenize(rule):
|
||||||
|
state.shift(tok, value)
|
||||||
|
|
||||||
|
try:
|
||||||
|
return state.result
|
||||||
|
except ValueError:
|
||||||
|
# Couldn't parse the rule
|
||||||
|
LOG.exception(_("Failed to understand rule %(rule)r") % locals())
|
||||||
|
|
||||||
|
# Fail closed
|
||||||
|
return FalseCheck()
|
||||||
|
|
||||||
|
|
||||||
|
def parse_rule(rule):
|
||||||
|
"""
|
||||||
|
Parses a policy rule into a tree of Check objects.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# If the rule is a string, it's in the policy language
|
||||||
|
if isinstance(rule, basestring):
|
||||||
|
return _parse_text_rule(rule)
|
||||||
|
return _parse_list_rule(rule)
|
||||||
|
|
||||||
|
|
||||||
|
def register(name, func=None):
|
||||||
|
"""
|
||||||
|
Register a function or Check class as a policy check.
|
||||||
|
|
||||||
|
:param name: Gives the name of the check type, e.g., 'rule',
|
||||||
|
'role', etc. If name is None, a default check type
|
||||||
|
will be registered.
|
||||||
|
:param func: If given, provides the function or class to register.
|
||||||
|
If not given, returns a function taking one argument
|
||||||
|
to specify the function or class to register,
|
||||||
|
allowing use as a decorator.
|
||||||
|
"""
|
||||||
|
|
||||||
|
# Perform the actual decoration by registering the function or
|
||||||
|
# class. Returns the function or class for compliance with the
|
||||||
|
# decorator interface.
|
||||||
|
def decorator(func):
|
||||||
|
_checks[name] = func
|
||||||
|
return func
|
||||||
|
|
||||||
|
# If the function or class is given, do the registration
|
||||||
|
if func:
|
||||||
|
return decorator(func)
|
||||||
|
|
||||||
|
return decorator
|
||||||
|
|
||||||
|
|
||||||
|
@register("rule")
|
||||||
|
class RuleCheck(Check):
|
||||||
|
def __call__(self, target, creds):
|
||||||
|
"""
|
||||||
|
Recursively checks credentials based on the defined rules.
|
||||||
|
"""
|
||||||
|
|
||||||
|
try:
|
||||||
|
return _rules[self.match](target, creds)
|
||||||
|
except KeyError:
|
||||||
|
# We don't have any matching rule; fail closed
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
@register("role")
|
||||||
|
class RoleCheck(Check):
|
||||||
|
def __call__(self, target, creds):
|
||||||
|
"""Check that there is a matching role in the cred dict."""
|
||||||
|
|
||||||
|
return self.match.lower() in [x.lower() for x in creds['roles']]
|
||||||
|
|
||||||
|
|
||||||
|
@register('http')
|
||||||
|
class HttpCheck(Check):
|
||||||
|
def __call__(self, target, creds):
|
||||||
|
"""
|
||||||
|
Check http: rules by calling to a remote server.
|
||||||
|
|
||||||
|
This example implementation simply verifies that the response
|
||||||
|
is exactly 'True'.
|
||||||
|
"""
|
||||||
|
|
||||||
|
url = ('http:' + self.match) % target
|
||||||
|
data = {'target': jsonutils.dumps(target),
|
||||||
|
'credentials': jsonutils.dumps(creds)}
|
||||||
|
post_data = urllib.urlencode(data)
|
||||||
|
f = urllib2.urlopen(url, post_data)
|
||||||
|
return f.read() == "True"
|
||||||
|
|
||||||
|
|
||||||
|
@register(None)
|
||||||
|
class GenericCheck(Check):
|
||||||
|
def __call__(self, target, creds):
|
||||||
|
"""
|
||||||
|
Check an individual match.
|
||||||
|
|
||||||
|
Matches look like:
|
||||||
|
|
||||||
|
tenant:%(tenant_id)s
|
||||||
|
role:compute:admin
|
||||||
|
"""
|
||||||
|
|
||||||
|
# TODO(termie): do dict inspection via dot syntax
|
||||||
|
match = self.match % target
|
||||||
|
if self.kind in creds:
|
||||||
|
return match == unicode(creds[self.kind])
|
||||||
|
return False
|
|
@ -17,32 +17,34 @@
|
||||||
"""Set up the ACL to access the API."""
|
"""Set up the ACL to access the API."""
|
||||||
|
|
||||||
import flask
|
import flask
|
||||||
from keystoneclient.v2_0.client import Client
|
import keystoneclient.middleware.auth_token as auth_token
|
||||||
from oslo.config import cfg
|
from oslo.config import cfg
|
||||||
|
|
||||||
acl_opts = [
|
from kwapi import policy
|
||||||
cfg.StrOpt('acl_auth_url',
|
|
||||||
required=True,
|
|
||||||
),
|
|
||||||
]
|
|
||||||
|
|
||||||
cfg.CONF.register_opts(acl_opts)
|
OPT_GROUP_NAME = 'keystone_authtoken'
|
||||||
|
|
||||||
|
|
||||||
def install(app):
|
def register_opts(conf):
|
||||||
|
"""Registers keystoneclient middleware options."""
|
||||||
|
conf.register_opts(auth_token.opts,
|
||||||
|
group=OPT_GROUP_NAME,
|
||||||
|
)
|
||||||
|
auth_token.CONF = conf
|
||||||
|
|
||||||
|
|
||||||
|
register_opts(cfg.CONF)
|
||||||
|
|
||||||
|
|
||||||
|
def install(app, conf):
|
||||||
"""Installs ACL check on application."""
|
"""Installs ACL check on application."""
|
||||||
|
app.wsgi_app = auth_token.AuthProtocol(app.wsgi_app,
|
||||||
|
conf=dict(conf.get(OPT_GROUP_NAME)))
|
||||||
app.before_request(check)
|
app.before_request(check)
|
||||||
return app
|
|
||||||
|
|
||||||
|
|
||||||
def check():
|
def check():
|
||||||
"""Checks application access."""
|
"""Checks application access."""
|
||||||
headers = flask.request.headers
|
headers = flask.request.headers
|
||||||
try:
|
if not policy.check_is_admin(headers.get('X-Roles', "").split(",")):
|
||||||
client = Client(token=headers.get('X-Auth-Token'),
|
|
||||||
auth_url=cfg.CONF.acl_auth_url)
|
|
||||||
except:
|
|
||||||
return "Access denied", 401
|
|
||||||
else:
|
|
||||||
if not client.authenticate():
|
|
||||||
return "Access denied", 401
|
return "Access denied", 401
|
||||||
|
|
|
@ -50,6 +50,6 @@ def make_app():
|
||||||
|
|
||||||
# Install the middleware wrapper
|
# Install the middleware wrapper
|
||||||
if cfg.CONF.acl_enabled:
|
if cfg.CONF.acl_enabled:
|
||||||
return acl.install(app)
|
acl.install(app, cfg.CONF)
|
||||||
|
|
||||||
return app
|
return app
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
|
||||||
|
# Copyright (c) 2011 OpenStack, LLC.
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
"""Policy Engine For Kwapi"""
|
||||||
|
|
||||||
|
import os
|
||||||
|
|
||||||
|
from oslo.config import cfg
|
||||||
|
|
||||||
|
from kwapi.openstack.common import policy
|
||||||
|
from kwapi import utils
|
||||||
|
|
||||||
|
|
||||||
|
OPTS = [
|
||||||
|
cfg.StrOpt('policy_file',
|
||||||
|
default='policy.json',
|
||||||
|
help='JSON file representing policy'),
|
||||||
|
cfg.StrOpt('policy_default_rule',
|
||||||
|
default='default',
|
||||||
|
help='Rule checked when requested rule is not found'),
|
||||||
|
]
|
||||||
|
|
||||||
|
cfg.CONF.register_opts(OPTS)
|
||||||
|
|
||||||
|
_POLICY_PATH = None
|
||||||
|
_POLICY_CACHE = {}
|
||||||
|
|
||||||
|
|
||||||
|
def init():
|
||||||
|
global _POLICY_PATH
|
||||||
|
global _POLICY_CACHE
|
||||||
|
if not _POLICY_PATH:
|
||||||
|
_POLICY_PATH = cfg.CONF.policy_file
|
||||||
|
if not os.path.exists(_POLICY_PATH):
|
||||||
|
_POLICY_PATH = cfg.CONF.find_file(_POLICY_PATH)
|
||||||
|
if not _POLICY_PATH:
|
||||||
|
raise cfg.ConfigFilesNotFoundError([cfg.CONF.policy_file])
|
||||||
|
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
|
||||||
|
reload_func=_set_rules)
|
||||||
|
|
||||||
|
|
||||||
|
def _set_rules(data):
|
||||||
|
default_rule = cfg.CONF.policy_default_rule
|
||||||
|
policy.set_rules(policy.Rules.load_json(data, default_rule))
|
||||||
|
|
||||||
|
|
||||||
|
def check_is_admin(roles):
|
||||||
|
"""Whether or not roles contains 'admin' role according to policy setting.
|
||||||
|
|
||||||
|
"""
|
||||||
|
init()
|
||||||
|
|
||||||
|
return policy.check('context_is_admin', {}, {'roles': roles})
|
|
@ -0,0 +1,42 @@
|
||||||
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
|
||||||
|
# Copyright 2010 United States Government as represented by the
|
||||||
|
# Administrator of the National Aeronautics and Space Administration.
|
||||||
|
# Copyright 2011 Justin Santa Barbara
|
||||||
|
# All Rights Reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
"""Utilities and helper functions."""
|
||||||
|
|
||||||
|
import os
|
||||||
|
|
||||||
|
|
||||||
|
def read_cached_file(filename, cache_info, reload_func=None):
|
||||||
|
"""Read from a file if it has been modified.
|
||||||
|
|
||||||
|
:param cache_info: dictionary to hold opaque cache.
|
||||||
|
:param reload_func: optional function to be called with data when
|
||||||
|
file is reloaded due to a modification.
|
||||||
|
|
||||||
|
:returns: data from file
|
||||||
|
|
||||||
|
"""
|
||||||
|
mtime = os.path.getmtime(filename)
|
||||||
|
if not cache_info or mtime != cache_info.get('mtime'):
|
||||||
|
with open(filename) as fap:
|
||||||
|
cache_info['data'] = fap.read()
|
||||||
|
cache_info['mtime'] = mtime
|
||||||
|
if reload_func:
|
||||||
|
reload_func(cache_info['data'])
|
||||||
|
return cache_info['data']
|
|
@ -1,3 +1,3 @@
|
||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
modules=timeutils,log,gettextutils,jsonutils,local,notifier
|
modules=gettextutils,jsonutils,local,log,notifier,policy,timeutils
|
||||||
base=kwapi
|
base=kwapi
|
||||||
|
|
Loading…
Reference in New Issue