diff --git a/etc/oslo-policy-generator/policy.conf b/etc/oslo-policy-generator/policy.conf
new file mode 100644
index 000000000..ba2ba69b5
--- /dev/null
+++ b/etc/oslo-policy-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/policy.yaml.sample
+namespace = neutron-vpnaas
diff --git a/neutron_vpnaas/policies/__init__.py b/neutron_vpnaas/policies/__init__.py
new file mode 100644
index 000000000..b0399eb9b
--- /dev/null
+++ b/neutron_vpnaas/policies/__init__.py
@@ -0,0 +1,29 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from neutron_vpnaas.policies import endpoint_group
+from neutron_vpnaas.policies import ike_policy
+from neutron_vpnaas.policies import ipsec_policy
+from neutron_vpnaas.policies import ipsec_site_connection
+from neutron_vpnaas.policies import vpnservice
+
+
+def list_rules():
+    return itertools.chain(
+        endpoint_group.list_rules(),
+        ike_policy.list_rules(),
+        ipsec_policy.list_rules(),
+        ipsec_site_connection.list_rules(),
+        vpnservice.list_rules(),
+    )
diff --git a/neutron_vpnaas/policies/base.py b/neutron_vpnaas/policies/base.py
new file mode 100644
index 000000000..463ec829b
--- /dev/null
+++ b/neutron_vpnaas/policies/base.py
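Review bot: The sample generated from this config will carry `rule:admin_or_owner`, `rule:admin_only` and `rule:regular_user` references (the `base.py` constants) without the definitions of those rules, because only the `neutron-vpnaas` namespace is listed. An operator reading `etc/policy.yaml.sample` therefore cannot tell from that file what the defaults resolve to, or that they depend on neutron core's policy being loaded. As far as I recall the generator accepts more than one `namespace` entry, so listing neutron's namespace alongside `neutron-vpnaas` would put the referenced rules in the same sample; failing that, a comment in this file saying the referenced rules come from neutron's own sample would help.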
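Review bot: `list_rules` is the callable both entry points in setup.cfg resolve to, but it has no docstring saying so, and it returns a one-shot `itertools.chain` iterator rather than a list, so any consumer that iterates the result twice silently sees nothing on the second pass. Both registered consumers presumably iterate once, so I read this as a documentation point rather than a bug. I would add `"""Return every policy rule this plugin registers (entry-point target for oslo.policy.policies and neutron.policies); the result is a single-pass iterator."""` as the function docstring.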
@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# TODO(amotoki): Define these in neutron or neutron-lib
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_ONLY = 'rule:admin_only'
+RULE_ANY = 'rule:regular_user'
diff --git a/neutron_vpnaas/policies/endpoint_group.py b/neutron_vpnaas/policies/endpoint_group.py
new file mode 100644
index 000000000..bbee69275
--- /dev/null
+++ b/neutron_vpnaas/policies/endpoint_group.py
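Review bot: The three constants are bare references to rules named `admin_or_owner`, `admin_only` and `regular_user` that nothing in this plugin defines, so every vpnaas default silently depends on neutron core registering those names; the TODO hints at it but does not spell out the consequence. To my understanding oslo.policy's rule check denies when a referenced rule is undefined, so a mismatch fails closed rather than open, but it would still leave every VPN API call rejected, which is worth a sentence. The name `RULE_ANY` also promises more than the string says: it grants whatever neutron's `regular_user` currently means, and it is the rule all five `create_*` defaults use, so that meaning should be confirmed against neutron's definition. I would add above the constants `# These reference rules registered by neutron core (admin_or_owner, admin_only, regular_user); they are not defined here, so vpnaas policies only resolve when neutron's policies are loaded alongside them.`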
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_endpoint_group',
+        base.RULE_ANY,
+        'Create a VPN endpoint group',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/endpoint-groups',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_endpoint_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a VPN endpoint group',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/endpoint-groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_endpoint_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a VPN endpoint group',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/endpoint-groups/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_endpoint_group',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get VPN endpoint groups',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/endpoint-groups',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/endpoint-groups/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
diff --git a/neutron_vpnaas/policies/ike_policy.py b/neutron_vpnaas/policies/ike_policy.py
new file mode 100644
index 000000000..34a7b07e3
--- /dev/null
+++ b/neutron_vpnaas/policies/ike_policy.py
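Review bot: `create_endpoint_group` is the only rule in this module that uses `base.RULE_ANY`; update, delete and get all use `RULE_ADMIN_OR_OWNER`, and nothing says why creation is the most permissive operation, so a reader auditing the defaults will read it as a loosening. If, as in neutron core, the tenant_id of a newly created resource is filled in from the caller's context, an owner check on create would be a no-op, which would justify the choice, but that is inferred from neutron's behaviour rather than from anything here and should be confirmed. I would put `# Creation uses RULE_ANY: ownership is established by the tenant_id neutron populates from the request context, so an owner check here would be redundant.` above the first rule, and note in the description of `get_endpoint_group` that it covers both the list and the show endpoint.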
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_ikepolicy',
+        base.RULE_ANY,
+        'Create an IKE policy',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/ikepolicies',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_ikepolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an IKE policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/ikepolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_ikepolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an IKE policy',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/ikepolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_ikepolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get IKE policyies',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/ikepolicies',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/ikepolicies/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
diff --git a/neutron_vpnaas/policies/ipsec_policy.py b/neutron_vpnaas/policies/ipsec_policy.py
new file mode 100644
index 000000000..8a9b29605
--- /dev/null
+++ b/neutron_vpnaas/policies/ipsec_policy.py
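Review bot: The description of `get_ikepolicy` reads `'Get IKE policyies'`; the sibling modules use `'Get IPsec policies'` and `'Get VPN services'`, so this should be `'Get IKE policies'`. Because it is the description of a `DocumentedRuleDefault`, the typo is what operators will see in the generated `etc/policy.yaml.sample` and in any policy documentation built from these defaults, not just in the source.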
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_ipsecpolicy',
+        base.RULE_ANY,
+        'Create an IPsec policy',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/ipsecpolicies',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_ipsecpolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an IPsec policy',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/ipsecpolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_ipsecpolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an IPsec policy',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/ipsecpolicies/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_ipsecpolicy',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get IPsec policies',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsecpolicies',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsecpolicies/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
diff --git a/neutron_vpnaas/policies/ipsec_site_connection.py b/neutron_vpnaas/policies/ipsec_site_connection.py
new file mode 100644
index 000000000..8935a87b5
--- /dev/null
+++ b/neutron_vpnaas/policies/ipsec_site_connection.py
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_ipsec_site_connection',
+        base.RULE_ANY,
+        'Create an IPsec site connection',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/ipsec-site-connections',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_ipsec_site_connection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update an IPsec site connection',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/ipsec-site-connections/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_ipsec_site_connection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete an IPsec site connection',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/ipsec-site-connections/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_ipsec_site_connection',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get IPsec site connections',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsec-site-connections',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/ipsec-site-connections/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
diff --git a/neutron_vpnaas/policies/vpnservice.py b/neutron_vpnaas/policies/vpnservice.py
new file mode 100644
index 000000000..a4d3578c1
--- /dev/null
+++ b/neutron_vpnaas/policies/vpnservice.py
@@ -0,0 +1,71 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from neutron_vpnaas.policies import base
+
+
+rules = [
+    policy.DocumentedRuleDefault(
+        'create_vpnservice',
+        base.RULE_ANY,
+        'Create a VPN service',
+        [
+            {
+                'method': 'POST',
+                'path': '/vpn/vpnservices',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'update_vpnservice',
+        base.RULE_ADMIN_OR_OWNER,
+        'Update a VPN service',
+        [
+            {
+                'method': 'PUT',
+                'path': '/vpn/vpnservices/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'delete_vpnservice',
+        base.RULE_ADMIN_OR_OWNER,
+        'Delete a VPN service',
+        [
+            {
+                'method': 'DELETE',
+                'path': '/vpn/vpnservices/{id}',
+            },
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        'get_vpnservice',
+        base.RULE_ADMIN_OR_OWNER,
+        'Get VPN services',
+        [
+            {
+                'method': 'GET',
+                'path': '/vpn/vpnservices',
+            },
+            {
+                'method': 'GET',
+                'path': '/vpn/vpnservices/{id}',
+            },
+        ]
+    ),
+]
+
+
+def list_rules():
+    return rules
diff --git a/setup.cfg b/setup.cfg
index 2e4e99fa1..17a4f6638 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -44,6 +44,10 @@ neutron.service_plugins =
 oslo.config.opts =
     neutron.vpnaas = neutron_vpnaas.opts:list_opts
     neutron.vpnaas.agent = neutron_vpnaas.opts:list_agent_opts
+oslo.policy.policies =
+    neutron-vpnaas = neutron_vpnaas.policies:list_rules
+neutron.policies =
+    neutron-vpnaas = neutron_vpnaas.policies:list_rules
 tempest.test_plugins =
     neutron_vpnaas_tests = neutron_vpnaas.tests.tempest.plugin:VPNTempestPlugin
diff --git a/tox.ini b/tox.ini
index d100a7718..53acb0df3 100644
--- a/tox.ini
+++ b/tox.ini
@@ -83,6 +83,7 @@ commands =
   {toxinidir}/tools/check_unit_test_structure.sh
   neutron-db-manage --subproject neutron-vpnaas --database-connection sqlite:// check_migration
   {[testenv:genconfig]commands}
+  {[testenv:genpolicy]commands}
 whitelist_externals = sh
 
 [testenv:pep8-dev]
@@ -143,6 +144,9 @@ local-check-factory = neutron_lib.hacking.checks.factory
 [testenv:genconfig]
 commands = {toxinidir}/tools/generate_config_file_samples.sh
 
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf
+
 [testenv:lower-constraints]
 basepython = python3
 deps =