From b2b225e967b6eacdf677b5c030b35f5b5c16c9d7 Mon Sep 17 00:00:00 2001
From: jessegler
Date: Thu, 21 Mar 2019 17:18:30 -0500
Subject: [PATCH] Adds policy in code to Tap-as-a-Service
Adding oslo.policy allows operators to use and customize RBAC for tap-as-a-service instead of relying on Neutron's default policy.
Change-Id: I6132054ef3bd8423990f91fae6329dfd089660b4
---
etc/policy-generator.conf | 3 ++
neutron_taas/policies/__init__.py | 23 ++++++++++
neutron_taas/policies/tap_flow.py | 66 ++++++++++++++++++++++++++++
neutron_taas/policies/tap_service.py | 66 ++++++++++++++++++++++++++++
setup.cfg | 5 +++
tox.ini | 4 ++
6 files changed, 167 insertions(+)
create mode 100644 etc/policy-generator.conf
create mode 100644 neutron_taas/policies/__init__.py
create mode 100644 neutron_taas/policies/tap_flow.py
create mode 100644 neutron_taas/policies/tap_service.py
diff --git a/etc/policy-generator.conf b/etc/policy-generator.conf
new file mode 100644
index 00000000..1bd6f7a7
--- /dev/null
+++ b/etc/policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/neutron/policy.yaml.sample
+namespace = tap-as-a-service
diff --git a/neutron_taas/policies/__init__.py b/neutron_taas/policies/__init__.py
new file mode 100644
index 00000000..5aa05c5f
--- /dev/null
+++ b/neutron_taas/policies/__init__.py
@@ -0,0 +1,23 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from neutron_taas.policies import tap_flow
+from neutron_taas.policies import tap_service
+
+
+def list_rules():
+ return itertools.chain(
+ tap_flow.list_rules(),
+ tap_service.list_rules(),
+ )
diff --git a/neutron_taas/policies/tap_flow.py b/neutron_taas/policies/tap_flow.py
new file mode 100644
index 00000000..c3f71760
--- /dev/null
+++ b/neutron_taas/policies/tap_flow.py
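Review bot: `list_rules` in `__init__.py` has no docstring, and since it returns the `itertools.chain` iterator directly, the result can be consumed only once. This is the function that setup.cfg registers under the `oslo.policy.policies` and `neutron.policies` entry points, so a one-line docstring stating that contract would help the next reader: `"""Return every TaaS policy rule; the oslo.policy / neutron.policies entry point."""`. If any consumer is found to iterate the result more than once, returning `list(itertools.chain(...))` would be the safer form; the entry-point loaders presumably iterate once, so this is a hedge rather than a defect.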
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_lib.policy import RULE_ADMIN_OR_OWNER
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_tap_flow',
+ RULE_ADMIN_OR_OWNER,
+ 'Create a tap flow',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/taas/tap_flows',
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_tap_flow',
+ RULE_ADMIN_OR_OWNER,
+ 'Update a tap flow',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/taas/tap_flows/{id}',
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_tap_flow',
+ RULE_ADMIN_OR_OWNER,
+ 'Show a tap flow',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/taas/tap_flows/{id}',
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'delete_tap_flow',
+ RULE_ADMIN_OR_OWNER,
+ 'Delete a tap flow',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': '/taas/tap_flows/{id}',
+ }
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
diff --git a/neutron_taas/policies/tap_service.py b/neutron_taas/policies/tap_service.py
new file mode 100644
index 00000000..65a306cb
--- /dev/null
+++ b/neutron_taas/policies/tap_service.py
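Review bot: The `get_tap_flow` entry documents only `GET /taas/tap_flows/{id}`, but in Neutron's policy enforcement the same `get_<resource>` rule also gates the collection listing, so the generated policy.yaml.sample will understate what the rule controls; add `{'method': 'GET', 'path': '/taas/tap_flows'},` to its operations list. The same omission is in tap_service.py (`/taas/tap_services`). Separately, `RULE_ADMIN_OR_OWNER` on `create_tap_flow` only checks the project attribute of the tap_flow resource itself; ownership of the referenced source port and tap service is presumably validated in the plugin rather than here, and a short module comment saying so would stop an operator customising these defaults from assuming the policy layer covers it.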
@@ -0,0 +1,66 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_lib.policy import RULE_ADMIN_OR_OWNER
+
+rules = [
+ policy.DocumentedRuleDefault(
+ 'create_tap_service',
+ RULE_ADMIN_OR_OWNER,
+ 'Create a tap service',
+ [
+ {
+ 'method': 'POST',
+ 'path': '/taas/tap_services',
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'update_tap_service',
+ RULE_ADMIN_OR_OWNER,
+ 'Updates a tap service',
+ [
+ {
+ 'method': 'PUT',
+ 'path': '/taas/tap_services/{id}',
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'get_tap_service',
+ RULE_ADMIN_OR_OWNER,
+ 'Show a tap service',
+ [
+ {
+ 'method': 'GET',
+ 'path': '/taas/tap_services/{id}',
+ }
+ ]
+ ),
+ policy.DocumentedRuleDefault(
+ 'delete_tap_service',
+ RULE_ADMIN_OR_OWNER,
+ 'Delete a tap service',
+ [
+ {
+ 'method': 'DELETE',
+ 'path': '/taas/tap_services/{id}',
+ }
+ ]
+ ),
+]
+
+
+def list_rules():
+ return rules
diff --git a/setup.cfg b/setup.cfg
index 0349cb61..f39be0f7 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -71,6 +71,11 @@ tempest.test_plugins =
 neutronclient.extension =
 tap_service = neutron_taas.taas_client.tapservice
 tap_flow = neutron_taas.taas_client.tapflow
+oslo.policy.policies =
+ tap-as-a-service = neutron_taas.policies:list_rules
+neutron.policies =
+ tap-as-a-service = neutron_taas.policies:list_rules
+

 [pbr]
 autodoc_index_modules = True
diff --git a/tox.ini b/tox.ini
index 1555bc58..06225f58 100644
--- a/tox.ini
+++ b/tox.ini
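Review bot: The description for `update_tap_service` reads `'Updates a tap service'`, while every other rule in this file and in tap_flow.py uses the imperative form ('Create …', 'Show …', 'Delete …', 'Update a tap flow'); these strings end up verbatim in the generated policy.yaml.sample, so change it to `'Update a tap service'`. The `get_tap_service` operations list has the same gap as tap_flow.py (no collection `GET /taas/tap_services` entry), already raised there.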
@@ -27,6 +27,7 @@ setenv = OS_FAIL_ON_MISSING_DEPS=1
 commands = flake8
 neutron-db-manage --subproject tap-as-a-service --database-connection sqlite:// check_migration
+ {[testenv:genpolicy]commands}
 [testenv:venv]
 commands = {posargs}
@@ -49,6 +50,9 @@ commands = python setup.py build_sphinx
 [testenv:releasenotes]
 commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file etc/policy-generator.conf
+
 [testenv:debug]
 commands = oslo_debug_helper {posargs}