Policy in code (part 5)

This commit does the following:
    - Moves default auth policies into code
    - Moves default domain_config policies into code
    - Moves default for_user policies into code
    - Moves default mapping policies into code
    - Moves default policy_association policies into code
    - Moves default protocol policies into code
    - Moves default revoke_event policies into code
    - Moves default service_provider policies into code

Partially-Implements: blueprint policy-in-code
Change-Id: Id6e3c0ac54b21d85e68625a5b52fe2559fb70f24

etc/policy.json

@@ -1,48 +1,2 @@
 {
-
-    "identity:create_protocol": "rule:admin_required",
-    "identity:update_protocol": "rule:admin_required",
-    "identity:get_protocol": "rule:admin_required",
-    "identity:list_protocols": "rule:admin_required",
-    "identity:delete_protocol": "rule:admin_required",
-
-    "identity:create_mapping": "rule:admin_required",
-    "identity:get_mapping": "rule:admin_required",
-    "identity:list_mappings": "rule:admin_required",
-    "identity:delete_mapping": "rule:admin_required",
-    "identity:update_mapping": "rule:admin_required",
-
-    "identity:create_service_provider": "rule:admin_required",
-    "identity:list_service_providers": "rule:admin_required",
-    "identity:get_service_provider": "rule:admin_required",
-    "identity:update_service_provider": "rule:admin_required",
-    "identity:delete_service_provider": "rule:admin_required",
-
-    "identity:get_auth_catalog": "",
-    "identity:get_auth_projects": "",
-    "identity:get_auth_domains": "",
-
-    "identity:list_projects_for_user": "",
-    "identity:list_domains_for_user": "",
-
-    "identity:list_revoke_events": "rule:service_or_admin",
-
-    "identity:create_policy_association_for_endpoint": "rule:admin_required",
-    "identity:check_policy_association_for_endpoint": "rule:admin_required",
-    "identity:delete_policy_association_for_endpoint": "rule:admin_required",
-    "identity:create_policy_association_for_service": "rule:admin_required",
-    "identity:check_policy_association_for_service": "rule:admin_required",
-    "identity:delete_policy_association_for_service": "rule:admin_required",
-    "identity:create_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:check_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
-    "identity:get_policy_for_endpoint": "rule:admin_required",
-    "identity:list_endpoints_for_policy": "rule:admin_required",
-
-    "identity:create_domain_config": "rule:admin_required",
-    "identity:get_domain_config": "rule:admin_required",
-    "identity:get_security_compliance_domain_config": "",
-    "identity:update_domain_config": "rule:admin_required",
-    "identity:delete_domain_config": "rule:admin_required",
-    "identity:get_domain_config_default": "rule:admin_required"
 }

keystone/common/policies/__init__.py

@@ -13,24 +13,32 @@
 import itertools
 
 from keystone.common.policies import access_token
+from keystone.common.policies import auth
 from keystone.common.policies import base
 from keystone.common.policies import consumer
 from keystone.common.policies import credential
 from keystone.common.policies import domain
+from keystone.common.policies import domain_config
 from keystone.common.policies import ec2_credential
 from keystone.common.policies import endpoint
 from keystone.common.policies import endpoint_group
+from keystone.common.policies import for_user
 from keystone.common.policies import grant
 from keystone.common.policies import group
 from keystone.common.policies import identity_provider
 from keystone.common.policies import implied_role
+from keystone.common.policies import mapping
 from keystone.common.policies import policy
+from keystone.common.policies import policy_association
 from keystone.common.policies import project
 from keystone.common.policies import project_endpoint
+from keystone.common.policies import protocol
 from keystone.common.policies import region
+from keystone.common.policies import revoke_event
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
 from keystone.common.policies import service
+from keystone.common.policies import service_provider
 from keystone.common.policies import token_revocation
 from keystone.common.policies import trust
 from keystone.common.policies import user
@@ -40,23 +48,31 @@ def list_rules():
     return itertools.chain(
         base.list_rules(),
         access_token.list_rules(),
+        auth.list_rules(),
         consumer.list_rules(),
         credential.list_rules(),
         domain.list_rules(),
+        domain_config.list_rules(),
         ec2_credential.list_rules(),
         endpoint.list_rules(),
         endpoint_group.list_rules(),
+        for_user.list_rules(),
         grant.list_rules(),
         group.list_rules(),
         identity_provider.list_rules(),
         implied_role.list_rules(),
+        mapping.list_rules(),
         policy.list_rules(),
+        policy_association.list_rules(),
         project.list_rules(),
         project_endpoint.list_rules(),
+        protocol.list_rules(),
         region.list_rules(),
+        revoke_event.list_rules(),
         role.list_rules(),
         role_assignment.list_rules(),
         service.list_rules(),
+        service_provider.list_rules(),
         token_revocation.list_rules(),
         trust.list_rules(),
         user.list_rules(),

keystone/common/policies/auth.py

@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+auth_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_auth_catalog',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_auth_projects',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_auth_domains',
+        check_str=''),
+]
+
+
+def list_rules():
+    return auth_policies

keystone/common/policies/base.py

@@ -13,16 +13,19 @@
 from oslo_policy import policy
 
 IDENTITY = 'identity:%s'
-RULE_ADMIN_REQUIRED = 'rule:admin_required'
-RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_OR_CREDENTIAL_OWNER = (
     'rule:admin_required or '
     '(rule:owner and user_id:%(target.credential.user_id)s)')
-RULE_ADMIN_OR_TARGET_DOMAIN = ('rule:admin_required or '
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
-                               'token.project.domain.id:%(target.domain.id)s')
+RULE_ADMIN_OR_TARGET_DOMAIN = (
-RULE_ADMIN_OR_TARGET_PROJECT = ('rule:admin_required or '
+    'rule:admin_required or '
-                                'project_id:%(target.project.id)s')
+    'token.project.domain.id:%(target.domain.id)s')
+RULE_ADMIN_OR_TARGET_PROJECT = (
+    'rule:admin_required or '
+    'project_id:%(target.project.id)s')
 RULE_ADMIN_OR_TOKEN_SUBJECT = 'rule:admin_or_token_subject'
+RULE_ADMIN_REQUIRED = 'rule:admin_required'
+RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
 RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
 RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
 RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'

keystone/common/policies/domain_config.py

@@ -0,0 +1,40 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+domain_config_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_security_compliance_domain_config',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_domain_config',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_domain_config_default',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return domain_config_policies

keystone/common/policies/for_user.py

@@ -0,0 +1,28 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+service_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_projects_for_user',
+        check_str=''),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_domains_for_user',
+        check_str=''),
+]
+
+
+def list_rules():
+    return service_policies

keystone/common/policies/mapping.py

@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+mapping_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_mappings',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_mapping',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return mapping_policies

keystone/common/policies/policy_association.py

@@ -0,0 +1,57 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+policy_association_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_policy_association_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_policy_association_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_policy_association_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_policy_association_for_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_policy_association_for_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_policy_association_for_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % (
+            'create_policy_association_for_region_and_service'),
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'check_policy_association_for_region_and_service',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % (
+            'delete_policy_association_for_region_and_service'),
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_policy_for_endpoint',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_endpoints_for_policy',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return policy_association_policies

keystone/common/policies/protocol.py

@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+protocol_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_protocols',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_protocol',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return protocol_policies

keystone/common/policies/revoke_event.py

@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+revoke_event_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_revoke_events',
+        check_str=base.RULE_SERVICE_OR_ADMIN)
+]
+
+
+def list_rules():
+    return revoke_event_policies

keystone/common/policies/service_provider.py

@@ -0,0 +1,37 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+service_provider_policies = [
+    policy.RuleDefault(
+        name=base.IDENTITY % 'create_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'list_service_providers',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'get_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'update_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED),
+    policy.RuleDefault(
+        name=base.IDENTITY % 'delete_service_provider',
+        check_str=base.RULE_ADMIN_REQUIRED)
+]
+
+
+def list_rules():
+    return service_provider_policies