| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Neutron, based on the defined policy rules, is creating check
objects "in flight" to e.g. include checks of some object's attributes,
like e.g. network's provider parameters.
That use case requires that the BaseCheck class and classes which inherit
from it have scope_types defined, so that Neutron can set it for
the Check based on the defined policy rule.
This patch adds the scope_types attribute to the BaseCheck class to make it
available for use cases like the one described above.
Related-Bug: #1923503
Change-Id: Ibf30d0ffa5e9b125742089705d3557c02a03bc43
| |
inspect.getargspec() is deprecated since py3
[1] https://docs.python.org/3/library/inspect.html#inspect.getargspec
Change-Id: If7492d7f755c80687f867428d80e4efb1e1a5d57
| |
Replace six with Python 3 style code.
Change-Id: I3d0c35e237484409d8410601ec482fac0dacf30d
| |
getargspec has been deprecated in py3 with plans to remove it in py3.6.
The recommendation is to move to inspect.signature, but the results
of that call are different than the existing one.
There is also getfullargspec available under py3 that was originally
deprecated, but for the sake of handling 2/3 code, it has been
un-deprecated. This call uses inspect internally, but returns a mostly
compatible result with what getargspec did. This handles getargspec
deprecation by just using getfullargspec instead if it is available.
Change-Id: I3fa2973aa21a64eae33f02c2a55f09fd7d01fd57
| |
Why? HttpCheck/HttpsCheck are examples of rule checks
that can be implemented outside of the oslo.policy
library. Once we set up the infra for registering and
using these as stevedore extensions, we automatically
get the capability of other folks contributing to
writing custom rules for their own use cases.
* Add HttpCheck/HttpsCheck as entrypoints in setup.cfg
* parser will check get_extensions() to see if there
are any external checks registered
* Move HttpCheck/HttpsCheck into external module
* Move related test cases to test_external.py
Change-Id: Icde2b26a38d7c7842defae053228d9208454b969
| |
We have a HttpCheck that can check rules by calling a
remote server. However, currently it just supports "http://"
and not "https://". In this patch, we add a HttpsCheck so
we can support "https://" urls as well. In addition, to
ensure security, we add options to:
* Specify a ca cert to validate the server
* Specify cert/key to allow server to validate the client
Another quirk was that currently the payload is being
sent using 'application/x-www-form-urlencoded' as the
content-type. We add another option to send the payload
as 'application/json'. Add this same support to the
HttpCheck as well.
Change-Id: Ic9c5249555fb45010a92432a504c84ad3fbb9ea1
| |
make it easier to reuse the invocation logic for check objects
Provide a new private function in oslo_policy._checks to evaluate a
check object. This function protects against API changes to the check
classes by inspecting the set of arguments accepted.
Update Enforcer to use the new function instead of invoking checks
directly.
Update the nested check classes (and, or, not) to use the new function
instead of invoking their sub-rules directly.
Update the way mocks were being used in some tests to replace them
with real minimal classes that implement the necessary APIs.
Simplify a few tests that were confirming multiple behaviors (for
example, the result of a compound check as well as the arguments
passed to its nested rules).
Ensure that we have test cases for invoking nested rules that do and
do not accept the new current_rule argument.
Change-Id: Ib9edd7954d0b977950be536fa9434243b0de7fcf
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
| |
Gracefully handle the case where RoleCheck gets invoked with
credentials that do not have a roles list defined (i.e., when using an
unscoped keystone token).
Change-Id: Ib6c2fb749a0eddfe3e5150e470f05ae9d77d55cc
Closes-Bug: #1529721
| |
RoleCheck.__call__() doesn't render string format with target dict.
So, it couldn't handle rules like below:
"identity:create_grant": "role: %{target.role.name}s"
This patch adds string format rendering code to it. If target_dict
has a key specified at %()s in the rule, __call__() will render its
value and evaluate the rule. If not, the method will return False.
Change-Id: I82d677301ca2c764230ed9b3e3e9d82056afcea2
Closes-Bug: #1527055
| |
The text parser handles rules like below:
- A or B or C [or D...]
- A and B and C [and D...]
But it doesn't handle the ones below:
- A or B and C
- A and B or C
So, this patch fixes them with:
- for "A and B or C": adds @reducer('and_expr', 'or', 'check') to
_make_or_expr().
- for "A or B and C": adds _mix_or_and_expr() method. It pops the last
check (B) from OrCheck rule list [A, B] and appends AndCheck with
rule list [B, C] to the OrCheck rule list. So, finally we will get
"OrCheck[A, AndCheck[B, C]]".
Change-Id: Iaaee4864356411374ee7e7c5c0c05b98889e0f4e
Closes-Bug: #1523030
| |
Since the checks are defined in a private module, the docs for them
weren't being generated. The docs are moved to the public symbols so
that they'll be generated.
Also, there were several references from public docs to private
symbols. These are changed since any references to private symbols
aren't going to be able to link to the private symbol docs since
they're not generated.
Change-Id: I27c666479ecb978ad6bf21dc2ad80ef0265f62c5
| |
The requests interface is much nicer and easier to
use so we might as well use it instead of direct urllib
usage.
Change-Id: I364ddb5f86900a3e166f4480d9f4889a68de247f
| |
The Generic check had no way to identify
a value inside a list. Since lists are inherently unstable in
indexing, requiring an index to match is not practical.
Lists now follow the same approach as the OrCheck:
When specifying a value inside a list, each element
of the list is checked for a match. If any of the sub lists match,
the check succeeds. Only if the entry is not in the list does the
check fail.
If the value is nested in a dictionary under the list, all of
the subordinate dictionaries are checked in a recursive manner.
Change-Id: Ia286dbd3757703779d7044b3003381eab6c5c919
| |
Throughout the project both single and double quotes are used,
let's just stick to one consistent format. Also removed a
few contractions in messages.
Change-Id: I6636830bef53fadbab8616abdce9b731d39a1d10
|
Move the parser and checks logic into oslo_policy._parser and
oslo_policy._checks respectively. As a consequence, this allows us to
create separate test files for those modules so we now also have
oslo_policy.tests.test_parser and oslo_policy.tests.test_checks. Since
those modules needed some common classes and fixtures it was also
necessary to add oslo_policy.tests.base to service the three test
modules.
Change-Id: I656dcb8fda7b953f5def8ddfaa4d119a8c881965
|