From e06004d9f5ffbf40f612da54924e87dfddbca529 Mon Sep 17 00:00:00 2001
From: Hieu LE
Date: Tue, 3 Oct 2017 17:48:56 +0700
Subject: [PATCH] Implement basic policy module in code

This change prepares the magnum project to start implementing policies in code. Subsequent patches will register more magnum policies in code and remove the corresponding entry from the policy file maintained in source. This is part of a community effort to provide better user experience for those having to maintain RBAC policy. More information on this effort can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html

Change-Id: I0e2b34067ea1e4d5868df544a9f65ae3f1944c43
Co-authored-By: Dai Dang-Van
Implements: blueprint policy-in-code
---
 .gitignore | 3 ++
 etc/magnum/magnum-policy-generator.conf | 3 ++
 etc/magnum/policy.json | 6 ---
 magnum/common/policies/__init__.py | 23 +++++++++++
 magnum/common/policies/base.py | 52 +++++++++++++++++++++++++
 magnum/common/policy.py | 3 ++
 magnum/tests/fake_policy.py | 3 --
 setup.cfg | 3 ++
 tox.ini | 4 ++
 9 files changed, 91 insertions(+), 9 deletions(-)
 create mode 100644 etc/magnum/magnum-policy-generator.conf
 create mode 100644 magnum/common/policies/__init__.py
 create mode 100644 magnum/common/policies/base.py
diff --git a/.gitignore b/.gitignore
index 9ce716b361..49755091b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,5 +62,8 @@ ChangeLog
 # generated config file
 etc/magnum/magnum.conf.sample
+# generated policy file
+etc/magnum/policy.yaml.sample
+
 # Files created by releasenotes build
 releasenotes/build
diff --git a/etc/magnum/magnum-policy-generator.conf b/etc/magnum/magnum-policy-generator.conf
new file mode 100644
index 0000000000..58eb366605
--- /dev/null
+++ b/etc/magnum/magnum-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/magnum/policy.yaml.sample
+namespace = magnum
\ No newline at end of file
diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index cb19ad7477..5d5c1cc4c4 100644
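Review bot: The new etc/magnum/magnum-policy-generator.conf is committed without a terminating newline (the `\ No newline at end of file` marker follows `+namespace = magnum`). Add the final newline so that the next option appended to this file does not show up in a later diff as a modification of the `namespace` line, and so tools that read the file line by line see a complete last line.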
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -1,11 +1,5 @@
 {
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "rule:context_is_admin",
- "admin_or_user": "is_admin:True or user_id:%(user_id)s",
- "cluster_user": "user_id:%(trustee_user_id)s",
- "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
 "bay:create": "rule:deny_cluster_user",
 "bay:delete": "rule:deny_cluster_user",
diff --git a/magnum/common/policies/__init__.py b/magnum/common/policies/__init__.py
new file mode 100644
index 0000000000..8ad662efa4
--- /dev/null
+++ b/magnum/common/policies/__init__.py
@@ -0,0 +1,23 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from magnum.common.policies import base
+
+
+def list_rules():
+ return itertools.chain(
+ base.list_rules()
+ )
diff --git a/magnum/common/policies/base.py b/magnum/common/policies/base.py
new file mode 100644
index 0000000000..44c75b7daf
--- /dev/null
+++ b/magnum/common/policies/base.py
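Review bot: `list_rules()` in magnum/common/policies/__init__.py has no docstring, although it is the function that setup.cfg exposes in the `oslo.policy.policies` entry-point namespace and that `policy.init()` feeds to `register_defaults()`, so both the sample generator and the enforcer depend on what it yields. Add `"""Return an iterator over every policy default magnum registers in code."""` and, since `itertools.chain` currently wraps a single iterable, a one-line comment explaining the intent that the commit message states: `# chain() so further policy modules can be appended here as rules move into code`. Without that comment the single-argument `chain()` reads as an accident.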
@@ -0,0 +1,52 @@
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from oslo_policy import policy
+
+ROLE_ADMIN = 'rule:context_is_admin'
+RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
+RULE_ADMIN_API = 'rule:admin_api'
+RULE_ADMIN_OR_USER = 'rule:admin_or_user'
+RULE_CLUSTER_USER = 'rule:cluster_user'
+RULE_DENY_CLUSTER_USER = 'rule:deny_cluster_user'
+
+rules = [
+ policy.RuleDefault(
+ name='context_is_admin',
+ check_str='role:admin'
+ ),
+ policy.RuleDefault(
+ name='admin_or_owner',
+ check_str='is_admin:True or project_id:%(project_id)s'
+ ),
+ policy.RuleDefault(
+ name='admin_api',
+ check_str='rule:context_is_admin'
+ ),
+ policy.RuleDefault(
+ name='admin_or_user',
+ check_str='is_admin:True or user_id:%(user_id)s'
+ ),
+ policy.RuleDefault(
+ name='cluster_user',
+ check_str='user_id:%(trustee_user_id)s'
+ ),
+ policy.RuleDefault(
+ name='deny_cluster_user',
+ check_str='not domain_id:%(trustee_domain_id)s'
+ )
+]
+
+
+def list_rules():
+ return rules
diff --git a/magnum/common/policy.py b/magnum/common/policy.py
index 74d9fb3f72..d00261bfa5 100644
--- a/magnum/common/policy.py
+++ b/magnum/common/policy.py
@@ -23,6 +23,7 @@ import pecan
 from magnum.common import clients
 from magnum.common import exception
+from magnum.common import policies
 _ENFORCER = None
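Review bot: None of the `policy.RuleDefault` entries in base.py carries a `description=`, so the `policy.yaml.sample` that the `genpolicy` tox env added in this commit generates will list the base rules by name only; since these six rules are what the admin and trustee checks resolve to (`is_admin:True`, `not domain_id:%(trustee_domain_id)s`), an operator editing the generated file needs to know what each one gates. Add e.g. `description='Decides what is required for the "is_admin:True" check to succeed.'` on `context_is_admin` and a matching one-line description on the other five. Two smaller points: `ROLE_ADMIN` holds `'rule:context_is_admin'`, a rule reference like its siblings, so `RULE_ADMIN = 'rule:context_is_admin'` would keep the constant naming consistent; and `list_rules()` hands out the module-level `rules` list itself, so a caller can mutate the registered defaults — `return list(rules)` avoids that.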
@@ -60,6 +61,8 @@ def init(policy_file=None, rules=None,
 default_rule=default_rule,
 use_conf=use_conf,
 overwrite=overwrite)
+ _ENFORCER.register_defaults(policies.list_rules())
+
 return _ENFORCER
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index b051e5cb15..b2d7987a0e 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -15,10 +15,7 @@ policy_data = """
 {
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
 "default": "rule:admin_or_owner",
- "admin_api": "rule:context_is_admin",
 "bay:create": "",
 "bay:delete": "",
diff --git a/setup.cfg b/setup.cfg
index 74647552d8..a436a65a83 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -63,6 +63,9 @@ oslo.config.opts =
 oslo.config.opts.defaults =
 magnum = magnum.common.config:set_cors_middleware_defaults
+oslo.policy.policies =
+ magnum = magnum.common.policies:list_rules
+
 magnum.drivers =
 k8s_fedora_atomic_v1 = magnum.drivers.k8s_fedora_atomic_v1.driver:Driver
 k8s_coreos_v1 = magnum.drivers.k8s_coreos_v1.driver:Driver
diff --git a/tox.ini b/tox.ini
index 3ad304dc89..5a6d3d8835 100644
--- a/tox.ini
+++ b/tox.ini
@@ -141,6 +141,10 @@ commands =
 commands =
 oslo-config-generator --config-file etc/magnum/magnum-config-generator.conf
+[testenv:genpolicy]
+commands =
+ oslopolicy-sample-generator --config-file etc/magnum/magnum-policy-generator.conf
+
 [flake8]
 # H106 Don’t put vim configuration in source files
 # H203 Use assertIs(Not)None to check for None
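Review bot: `_ENFORCER.register_defaults(policies.list_rules())` is placed after the `Enforcer(...)` construction inside `init()`, but the condition that decides whether a new enforcer is built is outside the hunk (`init()` starts before it); if this line is reachable with an enforcer that was already populated, the second `register_defaults()` raises oslo.policy's `DuplicatePolicyError`, so it should sit under the same guard as the construction. The line also deserves a comment on precedence, because the in-code entries are only fallbacks and a same-named rule in the policy file still wins — which is what keeps `"default": "rule:admin_or_owner"` in etc/magnum/policy.json resolving now that `admin_or_owner` lives in code: `# In-code defaults; a same-named rule loaded from policy_file overrides them.`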