authorWuKong <rebirthmonkey@gmail.com>2015-06-30 18:47:29 +0200
committerWuKong <rebirthmonkey@gmail.com>2015-06-30 18:47:29 +0200
commitb8c756ecdd7cced1db4300935484e8c83701c82e (patch)
tree87e51107d82b217ede145de9d9d59e2100725bd7 /keystone-moon/keystone/policy
parentc304c773bae68fb854ed9eab8fb35c4ef17cf136 (diff)
migrate moon code from github to opnfv
Change-Id: Ice53e368fd1114d56a75271aa9f2e598e3eba604 Signed-off-by: WuKong <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/policy')
-rw-r--r--keystone-moon/keystone/policy/__init__.py17
-rw-r--r--keystone-moon/keystone/policy/backends/__init__.py0
-rw-r--r--keystone-moon/keystone/policy/backends/rules.py92
-rw-r--r--keystone-moon/keystone/policy/backends/sql.py79
-rw-r--r--keystone-moon/keystone/policy/controllers.py56
-rw-r--r--keystone-moon/keystone/policy/core.py135
-rw-r--r--keystone-moon/keystone/policy/routers.py24
-rw-r--r--keystone-moon/keystone/policy/schema.py36
8 files changed, 439 insertions, 0 deletions
diff --git a/keystone-moon/keystone/policy/__init__.py b/keystone-moon/keystone/policy/__init__.py
new file mode 100644
index 00000000..4cd96793
--- /dev/null
+++ b/keystone-moon/keystone/policy/__init__.py
@@ -0,0 +1,17 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.policy import controllers # noqa
+from keystone.policy.core import * # noqa
+from keystone.policy import routers # noqa
diff --git a/keystone-moon/keystone/policy/backends/__init__.py b/keystone-moon/keystone/policy/backends/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/__init__.py
diff --git a/keystone-moon/keystone/policy/backends/rules.py b/keystone-moon/keystone/policy/backends/rules.py
new file mode 100644
index 00000000..011dd542
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/rules.py
@@ -0,0 +1,92 @@
+# Copyright (c) 2011 OpenStack, LLC.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Policy engine for keystone"""
+
+from oslo_config import cfg
+from oslo_log import log
+from oslo_policy import policy as common_policy
+
+from keystone import exception
+from keystone import policy
+
+
+CONF = cfg.CONF
+LOG = log.getLogger(__name__)
+
+
+_ENFORCER = None
+
+
+def reset():
+ global _ENFORCER
+ _ENFORCER = None
+
+
+def init():
+ global _ENFORCER
+ if not _ENFORCER:
+ _ENFORCER = common_policy.Enforcer(CONF)
+
+
+def enforce(credentials, action, target, do_raise=True):
+ """Verifies that the action is valid on the target in this context.
+
+ :param credentials: user credentials
+ :param action: string representing the action to be checked, which
+ should be colon separated for clarity.
+ :param target: dictionary representing the object of the action
+ for object creation this should be a dictionary
+ representing the location of the object e.g.
+ {'project_id': object.project_id}
+ :raises: `exception.Forbidden` if verification fails.
+
+ Actions should be colon separated for clarity. For example:
+
+ * identity:list_users
+
+ """
+ init()
+
+ # Add the exception arguments if asked to do a raise
+ extra = {}
+ if do_raise:
+ extra.update(exc=exception.ForbiddenAction, action=action,
+ do_raise=do_raise)
+
+ return _ENFORCER.enforce(action, target, credentials, **extra)
+
+
+class Policy(policy.Driver):
+ def enforce(self, credentials, action, target):
+ LOG.debug('enforce %(action)s: %(credentials)s', {
+ 'action': action,
+ 'credentials': credentials})
+ enforce(credentials, action, target)
+
+ def create_policy(self, policy_id, policy):
+ raise exception.NotImplemented()
+
+ def list_policies(self):
+ raise exception.NotImplemented()
+
+ def get_policy(self, policy_id):
+ raise exception.NotImplemented()
+
+ def update_policy(self, policy_id, policy):
+ raise exception.NotImplemented()
+
+ def delete_policy(self, policy_id):
+ raise exception.NotImplemented()
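Review bot: `Policy.enforce`, the class at the end of the hunk, logs the whole `credentials` mapping at debug level; that mapping appears to be the caller's authorization context, which can carry more than the identifiers needed to trace a decision, so logging only the ids present (for example `credentials.get('user_id')` and `credentials.get('project_id')`) keeps debug logs from becoming a copy of every authorization context that passes through. The module-level `enforce()` also accepts `do_raise` and, when it is False, returns whatever `_ENFORCER.enforce` returns, but the docstring documents neither; add `:param do_raise: when False, return the enforcer's result instead of raising` and `:returns: the value returned by Enforcer.enforce`. The signature `(self, credentials, action, target)` additionally omits the `context` parameter that the abstract `Driver.enforce` in core.py declares; I raise that mismatch on the core.py hunk.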
diff --git a/keystone-moon/keystone/policy/backends/sql.py b/keystone-moon/keystone/policy/backends/sql.py
new file mode 100644
index 00000000..b2cccd01
--- /dev/null
+++ b/keystone-moon/keystone/policy/backends/sql.py
@@ -0,0 +1,79 @@
+# Copyright 2012 OpenStack LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.common import sql
+from keystone import exception
+from keystone.policy.backends import rules
+
+
+class PolicyModel(sql.ModelBase, sql.DictBase):
+ __tablename__ = 'policy'
+ attributes = ['id', 'blob', 'type']
+ id = sql.Column(sql.String(64), primary_key=True)
+ blob = sql.Column(sql.JsonBlob(), nullable=False)
+ type = sql.Column(sql.String(255), nullable=False)
+ extra = sql.Column(sql.JsonBlob())
+
+
+class Policy(rules.Policy):
+
+ @sql.handle_conflicts(conflict_type='policy')
+ def create_policy(self, policy_id, policy):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = PolicyModel.from_dict(policy)
+ session.add(ref)
+
+ return ref.to_dict()
+
+ def list_policies(self):
+ session = sql.get_session()
+
+ refs = session.query(PolicyModel).all()
+ return [ref.to_dict() for ref in refs]
+
+ def _get_policy(self, session, policy_id):
+ """Private method to get a policy model object (NOT a dictionary)."""
+ ref = session.query(PolicyModel).get(policy_id)
+ if not ref:
+ raise exception.PolicyNotFound(policy_id=policy_id)
+ return ref
+
+ def get_policy(self, policy_id):
+ session = sql.get_session()
+
+ return self._get_policy(session, policy_id).to_dict()
+
+ @sql.handle_conflicts(conflict_type='policy')
+ def update_policy(self, policy_id, policy):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = self._get_policy(session, policy_id)
+ old_dict = ref.to_dict()
+ old_dict.update(policy)
+ new_policy = PolicyModel.from_dict(old_dict)
+ ref.blob = new_policy.blob
+ ref.type = new_policy.type
+ ref.extra = new_policy.extra
+
+ return ref.to_dict()
+
+ def delete_policy(self, policy_id):
+ session = sql.get_session()
+
+ with session.begin():
+ ref = self._get_policy(session, policy_id)
+ session.delete(ref)
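Review bot: `Policy.create_policy` at the top of the hunk never uses its `policy_id` argument; the row's primary key comes only from `policy['id']`, so a caller passing a `policy_id` that differs from, or is missing from, the dict gets a row keyed by something else (or an insert with no primary key) while the audit notification in `Manager.create_policy` is emitted under `policy_id`. Binding the two with `ref = PolicyModel.from_dict(dict(policy, id=policy_id))` keeps the stored id, the returned ref and the audit record consistent. The controller currently assigns the id before calling in, so this is latent rather than reachable from the visible callers, but the driver interface promises the `policy_id` parameter and should honour it.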
diff --git a/keystone-moon/keystone/policy/controllers.py b/keystone-moon/keystone/policy/controllers.py
new file mode 100644
index 00000000..e6eb9bca
--- /dev/null
+++ b/keystone-moon/keystone/policy/controllers.py
@@ -0,0 +1,56 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.common import controller
+from keystone.common import dependency
+from keystone.common import validation
+from keystone import notifications
+from keystone.policy import schema
+
+
+@dependency.requires('policy_api')
+class PolicyV3(controller.V3Controller):
+ collection_name = 'policies'
+ member_name = 'policy'
+
+ @controller.protected()
+ @validation.validated(schema.policy_create, 'policy')
+ def create_policy(self, context, policy):
+ ref = self._assign_unique_id(self._normalize_dict(policy))
+ initiator = notifications._get_request_audit_info(context)
+ ref = self.policy_api.create_policy(ref['id'], ref, initiator)
+ return PolicyV3.wrap_member(context, ref)
+
+ @controller.filterprotected('type')
+ def list_policies(self, context, filters):
+ hints = PolicyV3.build_driver_hints(context, filters)
+ refs = self.policy_api.list_policies(hints=hints)
+ return PolicyV3.wrap_collection(context, refs, hints=hints)
+
+ @controller.protected()
+ def get_policy(self, context, policy_id):
+ ref = self.policy_api.get_policy(policy_id)
+ return PolicyV3.wrap_member(context, ref)
+
+ @controller.protected()
+ @validation.validated(schema.policy_update, 'policy')
+ def update_policy(self, context, policy_id, policy):
+ initiator = notifications._get_request_audit_info(context)
+ ref = self.policy_api.update_policy(policy_id, policy, initiator)
+ return PolicyV3.wrap_member(context, ref)
+
+ @controller.protected()
+ def delete_policy(self, context, policy_id):
+ initiator = notifications._get_request_audit_info(context)
+ return self.policy_api.delete_policy(policy_id, initiator)
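Review bot: `create_policy`, `update_policy` and `delete_policy` each call `notifications._get_request_audit_info`, a leading-underscore name from another module, so the controller now depends on a private helper in three places. A small `_audit_initiator(self, context)` wrapper on `PolicyV3`, or a public accessor in `keystone.notifications`, would confine that coupling to one line. If the underscore is the upstream convention for this helper, a one-line comment saying so at the first call would stop the next reader from flagging it again.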
diff --git a/keystone-moon/keystone/policy/core.py b/keystone-moon/keystone/policy/core.py
new file mode 100644
index 00000000..1f02803f
--- /dev/null
+++ b/keystone-moon/keystone/policy/core.py
@@ -0,0 +1,135 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""Main entry point into the Policy service."""
+
+import abc
+
+from oslo_config import cfg
+import six
+
+from keystone.common import dependency
+from keystone.common import manager
+from keystone import exception
+from keystone import notifications
+
+
+CONF = cfg.CONF
+
+
+@dependency.provider('policy_api')
+class Manager(manager.Manager):
+ """Default pivot point for the Policy backend.
+
+ See :mod:`keystone.common.manager.Manager` for more details on how this
+ dynamically calls the backend.
+
+ """
+ _POLICY = 'policy'
+
+ def __init__(self):
+ super(Manager, self).__init__(CONF.policy.driver)
+
+ def create_policy(self, policy_id, policy, initiator=None):
+ ref = self.driver.create_policy(policy_id, policy)
+ notifications.Audit.created(self._POLICY, policy_id, initiator)
+ return ref
+
+ def get_policy(self, policy_id):
+ try:
+ return self.driver.get_policy(policy_id)
+ except exception.NotFound:
+ raise exception.PolicyNotFound(policy_id=policy_id)
+
+ def update_policy(self, policy_id, policy, initiator=None):
+ if 'id' in policy and policy_id != policy['id']:
+ raise exception.ValidationError('Cannot change policy ID')
+ try:
+ ref = self.driver.update_policy(policy_id, policy)
+ except exception.NotFound:
+ raise exception.PolicyNotFound(policy_id=policy_id)
+ notifications.Audit.updated(self._POLICY, policy_id, initiator)
+ return ref
+
+ @manager.response_truncated
+ def list_policies(self, hints=None):
+ # NOTE(henry-nash): Since the advantage of filtering or list limiting
+ # of policies at the driver level is minimal, we leave this to the
+ # caller.
+ return self.driver.list_policies()
+
+ def delete_policy(self, policy_id, initiator=None):
+ try:
+ ret = self.driver.delete_policy(policy_id)
+ except exception.NotFound:
+ raise exception.PolicyNotFound(policy_id=policy_id)
+ notifications.Audit.deleted(self._POLICY, policy_id, initiator)
+ return ret
+
+
+@six.add_metaclass(abc.ABCMeta)
+class Driver(object):
+
+ def _get_list_limit(self):
+ return CONF.policy.list_limit or CONF.list_limit
+
+ @abc.abstractmethod
+ def enforce(self, context, credentials, action, target):
+ """Verify that a user is authorized to perform action.
+
+ For more information on a full implementation of this see:
+ `keystone.policy.backends.rules.Policy.enforce`
+ """
+ raise exception.NotImplemented() # pragma: no cover
+
+ @abc.abstractmethod
+ def create_policy(self, policy_id, policy):
+ """Store a policy blob.
+
+ :raises: keystone.exception.Conflict
+
+ """
+ raise exception.NotImplemented() # pragma: no cover
+
+ @abc.abstractmethod
+ def list_policies(self):
+ """List all policies."""
+ raise exception.NotImplemented() # pragma: no cover
+
+ @abc.abstractmethod
+ def get_policy(self, policy_id):
+ """Retrieve a specific policy blob.
+
+ :raises: keystone.exception.PolicyNotFound
+
+ """
+ raise exception.NotImplemented() # pragma: no cover
+
+ @abc.abstractmethod
+ def update_policy(self, policy_id, policy):
+ """Update a policy blob.
+
+ :raises: keystone.exception.PolicyNotFound
+
+ """
+ raise exception.NotImplemented() # pragma: no cover
+
+ @abc.abstractmethod
+ def delete_policy(self, policy_id):
+ """Remove a policy blob.
+
+ :raises: keystone.exception.PolicyNotFound
+
+ """
+ raise exception.NotImplemented() # pragma: no cover
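Review bot: The abstract `Driver.enforce` in this hunk declares `(self, context, credentials, action, target)`, while the concrete `rules.Policy.enforce` added by the same commit is `(self, credentials, action, target)`; `ABCMeta` only checks that the name is overridden, so the mismatch is silent, and a caller written against the abstract signature would hand `context` to the rules backend where it expects `credentials`. Either drop `context` from the abstract signature to match the only implementation or add it to `rules.Policy.enforce`, whichever the actual callers (outside this diff) use. The `except exception.NotFound: raise exception.PolicyNotFound(...)` blocks in `Manager.get_policy`, `update_policy` and `delete_policy` replace the driver's exception even though the abstract docstrings already say drivers raise `PolicyNotFound`; a comment such as `# normalise any NotFound subclass from the driver to PolicyNotFound` at the first of them would record why the manager re-raises.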
diff --git a/keystone-moon/keystone/policy/routers.py b/keystone-moon/keystone/policy/routers.py
new file mode 100644
index 00000000..5daadc81
--- /dev/null
+++ b/keystone-moon/keystone/policy/routers.py
@@ -0,0 +1,24 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from keystone.common import router
+from keystone.common import wsgi
+from keystone.policy import controllers
+
+
+class Routers(wsgi.RoutersBase):
+
+ def append_v3_routers(self, mapper, routers):
+ policy_controller = controllers.PolicyV3()
+ routers.append(router.Router(policy_controller, 'policies', 'policy',
+ resource_descriptions=self.v3_resources))
diff --git a/keystone-moon/keystone/policy/schema.py b/keystone-moon/keystone/policy/schema.py
new file mode 100644
index 00000000..512c4ce7
--- /dev/null
+++ b/keystone-moon/keystone/policy/schema.py
@@ -0,0 +1,36 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+_policy_properties = {
+ 'blob': {
+ 'type': 'string'
+ },
+ 'type': {
+ 'type': 'string',
+ 'maxLength': 255
+ }
+}
+
+policy_create = {
+ 'type': 'object',
+ 'properties': _policy_properties,
+ 'required': ['blob', 'type'],
+ 'additionalProperties': True
+}
+
+policy_update = {
+ 'type': 'object',
+ 'properties': _policy_properties,
+ 'minProperties': 1,
+ 'additionalProperties': True
+}
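Review bot: `_policy_properties` bounds `type` with `maxLength: 255`, matching the column on `PolicyModel`, but leaves `blob`, the policy body itself, as an unbounded string with no format constraint, and both `policy_create` and `policy_update` set `additionalProperties: True`, so any extra keys a client sends pass validation and appear to be carried through to the model's `extra` column. Whether the WSGI layer caps request size is outside this diff, so either give `blob` a documented `maxLength` or add a comment such as `# 'blob' is intentionally unbounded here; its size is limited by the request-size cap enforced upstream` naming where the bound lives.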