diff --git a/keystone/access_rules_config/__init__.py b/keystone/access_rules_config/__init__.py
index e69de29bb2..782aa80107 100644
--- a/keystone/access_rules_config/__init__.py
+++ b/keystone/access_rules_config/__init__.py
@@ -0,0 +1,15 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.access_rules_config.core import * # noqa
diff --git a/keystone/access_rules_config/core.py b/keystone/access_rules_config/core.py
new file mode 100644
index 0000000000..43fd2e5cf5
--- /dev/null
+++ b/keystone/access_rules_config/core.py
@@ -0,0 +1,59 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""List access rules."""
+
+from keystone.common import cache
+from keystone.common import manager
+import keystone.conf
+
+
+CONF = keystone.conf.CONF
+MEMOIZE = cache.get_memoization_decorator(group='access_rules_config')
+
+
+class Manager(manager.Manager):
+
+ driver_namespace = 'keystone.access_rules_config'
+ _provides_api = 'access_rules_config_api'
+
+ def __init__(self):
+ super(Manager, self).__init__(CONF.access_rules_config.driver)
+
+ def list_access_rules_config(self, service=None):
+ """List access rules config.
+
+ :param str service: filter by service type
+
+ :returns: a list of configured access rules. Access rules are
+ permission objects composing of a service, a URL path, and an
+ HTTP method.
+
+ """
+ return self.driver.list_access_rules_config(service)
+
+ @MEMOIZE
+ def check_access_rule(self, service, request_path, request_method):
+ """Check access rule.
+
+ :param str service: service type of rule to check
+ :param str request_path: endpoint path to check
+ :param str request_method: API HTTP method to check
+
+ :returns: boolean indicating whether the rule matches one of the
+ configured access rules
+
+ """
+ return self.driver.check_access_rule(service, request_path,
+ request_method)
diff --git a/keystone/server/backends.py b/keystone/server/backends.py
index 04acfa540d..62809e8411 100644
--- a/keystone/server/backends.py
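Review bot: `check_access_rule` is wrapped in `@MEMOIZE`, so the yes/no answer for a (service, request_path, request_method) tuple is served from the `access_rules_config` cache region until it expires, and nothing in this hunk invalidates those entries when the driver's rule source changes — a rule dropped from the configuration would keep matching until the cached entry ages out. That is worth stating in the docstring, e.g. `Results are memoized in the access_rules_config cache region; changes to the configured rules take effect only after the cached entry expires.` The key also carries the caller-supplied `request_path`, so each distinct path becomes its own cache entry; confirm the configured backend bounds entries by TTL or eviction. `Manager` has no class docstring, and the `:returns:` text of `list_access_rules_config` reads `composing of` where `composed of` is meant. The `CONF.access_rules_config` group referenced by `__init__` and by the memoization decorator is not defined in this diff; presumably it is added in a separate change.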
+++ b/keystone/server/backends.py
@@ -13,6 +13,7 @@ import sys
 from oslo_log import log
+from keystone import access_rules_config
 from keystone import application_credential
 from keystone import assignment
 from keystone import auth
@@ -48,7 +49,8 @@ def load_backends():
 cache.configure_cache(region=identity.ID_MAPPING_REGION)
 cache.configure_invalidation_region()
- managers = [application_credential.Manager, assignment.Manager,
+ managers = [access_rules_config.Manager,
+ application_credential.Manager, assignment.Manager,
 catalog.Manager, credential.Manager, credential.provider.Manager, resource.DomainConfigManager, endpoint_policy.Manager, federation.Manager,
diff --git a/keystone/tests/unit/access_rules_config/test_backends.py b/keystone/tests/unit/access_rules_config/test_backends.py
new file mode 100644
index 0000000000..ec0c7f20c9
--- /dev/null
+++ b/keystone/tests/unit/access_rules_config/test_backends.py
@@ -0,0 +1,45 @@
+# Copyright 2019 SUSE Linux GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.common import provider_api
+from keystone.tests import unit
+from keystone.tests.unit.ksfixtures import access_rules_config
+
+PROVIDERS = provider_api.ProviderAPIs
+
+
+class AccessRulesConfigTest(unit.TestCase):
+
+ def setUp(self):
+ super(AccessRulesConfigTest, self).setUp()
+ rules_file = '%s/access_rules.json' % unit.TESTCONF
+ self.useFixture(access_rules_config.AccessRulesConfig(
+ self.config_fixture, rules_file=rules_file))
+ self.load_backends()
+
+ def test_list_access_rules_config(self):
+ rules = PROVIDERS.access_rules_config_api.list_access_rules_config()
+ self.assertIn('identity', rules)
+ self.assertIn('image', rules)
+
+ def test_list_access_rules_config_for_service(self):
+ rules = PROVIDERS.access_rules_config_api.list_access_rules_config(
+ service='image')
+ self.assertNotIn('identity', rules)
+ self.assertIn('image', rules)
+
+ def test_check_access_rule(self):
+ result = PROVIDERS.access_rules_config_api.check_access_rule(
+ 'identity', '/v3/users', 'GET')
+ self.assertTrue(result)
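Review bot: `test_check_access_rule` only exercises a matching rule; since `check_access_rule` is an authorization decision, the deny path — a service/path/method tuple absent from the fixture's access_rules.json returning `False` — is the assertion that guards against a permissive driver, and it is missing here. A sketch follows; the tuple in the negative case is a placeholder to replace with one known to be absent from the fixture file. Separately, `rules_file = '%s/access_rules.json' % unit.TESTCONF` would read better as `os.path.join(unit.TESTCONF, 'access_rules.json')`, which needs an `import os` at the top of the file.
```python
    # … unchanged: setUp and the three existing tests …

    def test_check_access_rule_no_match(self):
        # PLACEHOLDER values: substitute a (service, path, method) tuple
        # that is known to be absent from the fixture's access_rules.json
        result = PROVIDERS.access_rules_config_api.check_access_rule(
            'PLACEHOLDER_SERVICE', '/PLACEHOLDER_PATH', 'PLACEHOLDER_METHOD')
        self.assertFalse(result)
```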