Hello community,
here is the log from the commit of package python-oslo.policy for openSUSE:Factory checked in at 2018-10-01 08:18:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-oslo.policy (Old)
and /work/SRC/openSUSE:Factory/.python-oslo.policy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-oslo.policy"
Mon Oct 1 08:18:17 2018 rev:9 rq:638871 version:1.38.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-oslo.policy/python-oslo.policy.changes 2018-09-07 15:39:00.746561348 +0200
+++ /work/SRC/openSUSE:Factory/.python-oslo.policy.new/python-oslo.policy.changes 2018-10-01 08:18:23.209930680 +0200
@@ -1,0 +2,15 @@
+Wed Sep 19 23:17:37 UTC 2018 - cloud-devel@suse.de
+
+- update to version 1.38.1
+ - Pass dictionary as creds in policy tests
+ - fix tox python3 overrides
+ - trivial: Fix file permissions
+ - Add CLI usage documentation
+ - Add blueprints and releasenotes link to README
+ - Teach Enforcer.enforce to deal with context objects
+ - Avoid redundant policy syntax checks
+ - Add examples and clarification around scope_types
+ - Fix requirements and convert to stestr
+ - Clarify CLI documentation
+
+-------------------------------------------------------------------
Old:
----
oslo.policy-1.37.0.tar.gz
New:
----
oslo.policy-1.38.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-oslo.policy.spec ++++++
--- /var/tmp/diff_new_pack.om6s48/_old 2018-10-01 08:18:24.141930085 +0200
+++ /var/tmp/diff_new_pack.om6s48/_new 2018-10-01 08:18:24.145930082 +0200
@@ -12,39 +12,46 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: python-oslo.policy
-Version: 1.37.0
+Version: 1.38.1
Release: 0
Summary: OpenStack Oslo Policy library
License: Apache-2.0
Group: Development/Languages/Python
URL: https://launchpad.net/oslo.policy
-Source0: https://files.pythonhosted.org/packages/source/o/oslo.policy/oslo.policy-1.3...
+Source0: https://files.pythonhosted.org/packages/source/o/oslo.policy/oslo.policy-1.3...
BuildRequires: openstack-macros
BuildRequires: python-devel
BuildRequires: python2-PyYAML >= 3.12
+BuildRequires: python2-docutils
BuildRequires: python2-oslo.config >= 5.2.0
+BuildRequires: python2-oslo.context >= 2.21.0
BuildRequires: python2-oslo.i18n >= 3.15.3
BuildRequires: python2-oslo.serialization >= 2.18.0
BuildRequires: python2-oslotest
BuildRequires: python2-pbr
BuildRequires: python2-requests >= 2.14.2
BuildRequires: python2-requests-mock
+BuildRequires: python2-stestr
BuildRequires: python3-PyYAML >= 3.12
BuildRequires: python3-devel
+BuildRequires: python3-docutils
BuildRequires: python3-oslo.config >= 5.2.0
+BuildRequires: python3-oslo.context >= 2.21.0
BuildRequires: python3-oslo.i18n >= 3.15.3
BuildRequires: python3-oslo.serialization >= 2.18.0
BuildRequires: python3-oslotest
BuildRequires: python3-pbr
BuildRequires: python3-requests >= 2.14.2
BuildRequires: python3-requests-mock
+BuildRequires: python3-stestr
Requires: python-PyYAML >= 3.12
Requires: python-oslo.config >= 5.2.0
+Requires: python-oslo.context >= 2.21.0
Requires: python-oslo.i18n >= 3.15.3
Requires: python-oslo.serialization >= 2.18.0
Requires: python-requests >= 2.14.2
@@ -68,14 +75,16 @@
%package -n python-oslo.policy-doc
Summary: Documentation for the Oslo Policy library
Group: Documentation/HTML
-BuildRequires: python-Sphinx
-BuildRequires: python-openstackdocstheme
+BuildRequires: python2-Sphinx
+BuildRequires: python2-openstackdocstheme
+BuildRequires: python3-Sphinx
+BuildRequires: python3-openstackdocstheme
%description -n python-oslo.policy-doc
Documentation for the Oslo Policy library.
%prep
-%autosetup -p1 -n oslo.policy-1.37.0
+%autosetup -p1 -n oslo.policy-1.38.1
%py_req_cleanup
sed -i 's/^warning-is-error.*/warning-is-error = 0/g' setup.cfg
@@ -101,9 +110,7 @@
%python_uninstall_alternative oslopolicy-checker
%check
-%{python_expand rm -rf .testrepository
-python setup.py testr
-}
+%python_exec -m stestr.cli run
%files %{python_files}
%license LICENSE
++++++ oslo.policy-1.37.0.tar.gz -> oslo.policy-1.38.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/.stestr.conf new/oslo.policy-1.38.1/.stestr.conf
--- old/oslo.policy-1.37.0/.stestr.conf 1970-01-01 01:00:00.000000000 +0100
+++ new/oslo.policy-1.38.1/.stestr.conf 2018-07-20 03:10:38.000000000 +0200
@@ -0,0 +1,3 @@
+[DEFAULT]
+test_path=./oslo_policy/tests
+top_path=./
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/.testr.conf new/oslo.policy-1.38.1/.testr.conf
--- old/oslo.policy-1.37.0/.testr.conf 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/.testr.conf 1970-01-01 01:00:00.000000000 +0100
@@ -1,7 +0,0 @@
-[DEFAULT]
-test_command=OS_STDOUT_CAPTURE=${OS_STDOUT_CAPTURE:-1} \
- OS_STDERR_CAPTURE=${OS_STDERR_CAPTURE:-1} \
- OS_TEST_TIMEOUT=${OS_TEST_TIMEOUT:-60} \
- ${PYTHON:-python} -m subunit.run discover -t ./ ./oslo_policy $LISTOPT $IDOPTION
-test_id_option=--load-list $IDFILE
-test_list_option=--list
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/AUTHORS new/oslo.policy-1.38.1/AUTHORS
--- old/oslo.policy-1.37.0/AUTHORS 2018-06-05 20:06:26.000000000 +0200
+++ new/oslo.policy-1.38.1/AUTHORS 2018-07-20 03:13:42.000000000 +0200
@@ -56,6 +56,7 @@
Mark McClain
Mark McLoughlin
Maruti
+Mateusz Kowalski
Michael McCune
Monty Taylor
Nathan Kinder
@@ -99,4 +100,5 @@
ricolin
sonu.kumar
vponomaryov
+zhangbailin
zhangyanxian
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/ChangeLog new/oslo.policy-1.38.1/ChangeLog
--- old/oslo.policy-1.37.0/ChangeLog 2018-06-05 20:06:26.000000000 +0200
+++ new/oslo.policy-1.38.1/ChangeLog 2018-07-20 03:13:42.000000000 +0200
@@ -1,9 +1,25 @@
CHANGES
=======
+1.38.1
+------
+
+* Avoid redundant policy syntax checks
+
+1.38.0
+------
+
+* Teach Enforcer.enforce to deal with context objects
+* Pass dictionary as creds in policy tests
+* Fix requirements and convert to stestr
+* Add blueprints and releasenotes link to README
+* fix tox python3 overrides
+
1.37.0
------
+* Add CLI usage documentation
+* Clarify CLI documentation
* Remove erroneous newline in sample generation
* Update sphinxext to include scope\_types in docs
@@ -11,8 +27,10 @@
------
* Fix document formatting
+* Add examples and clarification around scope\_types
* Include deprecated\_reason when deprecated\_rule is set
* Include both new and deprecated rules in generated sample
+* trivial: Fix file permissions
1.35.0
------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/PKG-INFO new/oslo.policy-1.38.1/PKG-INFO
--- old/oslo.policy-1.37.0/PKG-INFO 2018-06-05 20:06:27.000000000 +0200
+++ new/oslo.policy-1.38.1/PKG-INFO 2018-07-20 03:13:43.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: oslo.policy
-Version: 1.37.0
+Version: 1.38.1
Summary: Oslo Policy library
Home-page: https://docs.openstack.org/oslo.policy/latest/
Author: OpenStack
@@ -34,6 +34,8 @@
* Documentation: https://docs.openstack.org/oslo.policy/latest/
* Source: https://git.openstack.org/cgit/openstack/oslo.policy
* Bugs: https://bugs.launchpad.net/oslo.policy
+ * Blueprints: https://blueprints.launchpad.net/oslo.policy
+ * Release Notes: https://docs.openstack.org/releasenotes/oslo.policy
Platform: UNKNOWN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/README.rst new/oslo.policy-1.38.1/README.rst
--- old/oslo.policy-1.37.0/README.rst 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/README.rst 2018-07-20 03:10:38.000000000 +0200
@@ -26,4 +26,5 @@
* Documentation: https://docs.openstack.org/oslo.policy/latest/
* Source: https://git.openstack.org/cgit/openstack/oslo.policy
* Bugs: https://bugs.launchpad.net/oslo.policy
-
+* Blueprints: https://blueprints.launchpad.net/oslo.policy
+* Release Notes: https://docs.openstack.org/releasenotes/oslo.policy
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/RELEASENOTES.rst new/oslo.policy-1.38.1/RELEASENOTES.rst
--- old/oslo.policy-1.37.0/RELEASENOTES.rst 2018-06-05 20:06:27.000000000 +0200
+++ new/oslo.policy-1.38.1/RELEASENOTES.rst 2018-07-20 03:13:43.000000000 +0200
@@ -2,6 +2,66 @@
oslo.policy
===========
+.. _oslo.policy_1.38.1:
+
+1.38.1
+======
+
+.. _oslo.policy_1.38.1_Bug Fixes:
+
+Bug Fixes
+---------
+
+.. releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml @ b'909a1ea3a7aceb6e0637058b9c6a53d14043d6d1'
+
+- As reported in launchpad bug 1723030, under some circumstances policy
+ checks caused a significant performance degradation. This release includes
+ improved logic around rule validation to prevent that.
+
+
+.. _oslo.policy_1.38.0:
+
+1.38.0
+======
+
+.. _oslo.policy_1.38.0_New Features:
+
+New Features
+------------
+
+.. releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml @ b'775641a5fc549c20be37cf862deca394bf7f2d21'
+
+- [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_]
+ The ``enforce()`` method now supports the ability to parse ``oslo.context``
+ objects if passed into ``enforce()`` as ``creds``. This provides more
+ consistent policy enforcement for service developers by ensuring the
+ attributes provided in policy enforcement are standardized. In this case
+ they are being standardized through the
+ ``oslo_context.context.RequestContext.to_policy_values()`` method.
+
+
+.. _oslo.policy_1.38.0_Bug Fixes:
+
+Bug Fixes
+---------
+
+.. releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml @ b'775641a5fc549c20be37cf862deca394bf7f2d21'
+
+- [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_]
+ The ``enforce()`` method now supports the ability to parse ``oslo.context``
+ objects if passed into ``enforce()`` as ``creds``. This provides more
+ consistent policy enforcement for service developers by ensuring the
+ attributes provided in policy enforcement are standardized. In this case
+ they are being standardized through the
+ ``oslo_context.context.RequestContext.to_policy_values()`` method.
+
+.. releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml @ b'3fe95b2aebde226bab0d710885f60a1862499b16'
+
+- [`bug 1741073 https://bugs.launchpad.net/oslo.policy/+bug/1741073`_]
+ Documentation has been improved to include ``oslopolicy-sample-generator``
+ and ``oslopolicy-list-redundant`` usage.
+
+
.. _oslo.policy_1.37.0:
1.37.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/doc/source/cli/index.rst new/oslo.policy-1.38.1/doc/source/cli/index.rst
--- old/oslo.policy-1.37.0/doc/source/cli/index.rst 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/doc/source/cli/index.rst 2018-07-20 03:10:38.000000000 +0200
@@ -2,6 +2,12 @@
Command Line Interface
======================
+This document describes the various command line tools exposed by
+``oslo.policy`` to manage policies and policy files.
+
+oslopolicy-checker
+==================
+
Run the command line ``oslopolicy-checker`` to check policy against the
OpenStack Identity API access information.
@@ -44,3 +50,67 @@
--policy /opt/stack/nova/etc/nova/policy.json \
--access sample_data/auth_v3_token_member.json \
--rule compute_extension:flavorextraspecs:index
+
+oslopolicy-sample-generator
+===========================
+
+The ``oslopolicy-sample-generator`` command can be used to generate a sample
+policy file based on the default policies in a given namespace. This tool
+requires a namespace to query for policies and supports output in JSON or YAML.
+
+Examples
+--------
+
+To generate sample policies for a namespace called ``keystone``:
+
+.. code-block:: bash
+
+ oslopolicy-sample-generator --namespace keystone
+
+
+To generate sample policies in JSON use:
+
+.. code-block:: bash
+
+ oslopolicy-sample-generator --namespace nova --format json
+
+To generate a sample policy file and output directly to a file:
+
+.. code-block:: bash
+
+ oslopolicy-sample-generator --namespace keystone \
+ --format yaml \
+ --output-file keystone-policy.yaml
+
+Use the following to generate help text for additional options and arguments
+supported by ``oslopolicy-sample-generator``:
+
+.. code-block:: bash
+
+ oslopolicy-sample-generator --help
+
+oslopolicy-list-redundant
+=========================
+
+The ``oslopolicy-list-redundant`` tool is useful for detecting policies that
+are specified in policy files that are the same as the defaults provided by the
+service. Operators can use this tool to find policies that they can remove from
+their policy files, making maintenance easier.
+
+This tool assumes a policy file containing overrides exists and is specified
+through configuration.
+
+Examples
+--------
+
+To list redundant default policies:
+
+.. code-block:: bash
+
+ oslopolicy-list-redundant --namespace keystone --config-dir /etc/keystone
+
+For more information regarding the options supported by this tool:
+
+.. code-block:: bash
+
+ oslopolicy-list-redundant --help
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/doc/source/user/usage.rst new/oslo.policy-1.38.1/doc/source/user/usage.rst
--- old/oslo.policy-1.37.0/doc/source/user/usage.rst 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/doc/source/user/usage.rst 2018-07-20 03:10:38.000000000 +0200
@@ -188,7 +188,56 @@
attribute can only be set at rule definition and never overridden via a policy
file. This variable is designed to save the scope at which a policy should
operate. During enforcement, the information in `scope_types` is compared to
-the scope of the token used in the request.
+the scope of the token used in the request. It is designed to match the
+available token scopes available from keystone, which are `system`, `domain`,
+and `project`. The examples highlighted here will show the usage with system
+and project APIs. Setting `scope_types` to anything but these three values is
+unsupported.
+
+For example, a policy that is used to protect a resource tracked in a project
+should require a project-scoped token. This can be expressed with `scope_types`
+as follows::
+
+ policy.DocumentedRuleDefault(
+ name='service:create_foo',
+ check_str='role:admin',
+ scope_types=['project'],
+ description='Creates a foo resource',
+ operations=[
+ {
+ 'path': '/v1/foos/',
+ 'method': 'POST'
+ }
+ ]
+ )
+
+A policy that is used to protect system-level resources can follow the same
+pattern::
+
+ policy.DocumentedRuleDefault(
+ name='service:update_bar',
+ check_str='role:admin',
+ scope_types=['system'],
+ description='Updates a bar resource',
+ operations=[
+ {
+ 'path': '/v1/bars/{bar_id}',
+ 'method': 'PATCH'
+ }
+ ]
+ )
+
+The `scope_types` attribute makes sure the token used to make the request is
+scoped properly and passes the `check_str`. This is powerful because it allows
+roles to be reused across different authorization levels without compromising
+APIs. For example, the `admin` role in the above example is used at the
+project-level and the system-level to protect two different resources. If we
+only checked that the token contained the `admin` role, it would be possible
+for a user with a project-scoped token to access a system-level API.
+
+Developers incorporating `scope_types` into OpenStack services should be
+mindful of the relationship between the API they are protecting with a policy
+and if it operates on system-level resources or project-level resources.
Sample file generation
----------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/lower-constraints.txt new/oslo.policy-1.38.1/lower-constraints.txt
--- old/oslo.policy-1.37.0/lower-constraints.txt 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/lower-constraints.txt 2018-07-20 03:10:38.000000000 +0200
@@ -28,6 +28,7 @@
openstackdocstheme==1.18.1
os-client-config==1.28.0
oslo.config==5.2.0
+oslo.context==2.21.0
oslo.i18n==3.15.3
oslo.serialization==2.18.0
oslo.utils==3.33.0
@@ -47,6 +48,7 @@
requestsexceptions==1.2.0
rfc3986==0.3.1
six==1.10.0
+stestr==2.0.0
smmap==0.9.0
snowballstemmer==1.2.1
Sphinx==1.6.5
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/PKG-INFO new/oslo.policy-1.38.1/oslo.policy.egg-info/PKG-INFO
--- old/oslo.policy-1.37.0/oslo.policy.egg-info/PKG-INFO 2018-06-05 20:06:26.000000000 +0200
+++ new/oslo.policy-1.38.1/oslo.policy.egg-info/PKG-INFO 2018-07-20 03:13:42.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: oslo.policy
-Version: 1.37.0
+Version: 1.38.1
Summary: Oslo Policy library
Home-page: https://docs.openstack.org/oslo.policy/latest/
Author: OpenStack
@@ -34,6 +34,8 @@
* Documentation: https://docs.openstack.org/oslo.policy/latest/
* Source: https://git.openstack.org/cgit/openstack/oslo.policy
* Bugs: https://bugs.launchpad.net/oslo.policy
+ * Blueprints: https://blueprints.launchpad.net/oslo.policy
+ * Release Notes: https://docs.openstack.org/releasenotes/oslo.policy
Platform: UNKNOWN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/SOURCES.txt new/oslo.policy-1.38.1/oslo.policy.egg-info/SOURCES.txt
--- old/oslo.policy-1.37.0/oslo.policy.egg-info/SOURCES.txt 2018-06-05 20:06:26.000000000 +0200
+++ new/oslo.policy-1.38.1/oslo.policy.egg-info/SOURCES.txt 2018-07-20 03:13:43.000000000 +0200
@@ -1,6 +1,6 @@
.coveragerc
.mailmap
-.testr.conf
+.stestr.conf
.zuul.yaml
AUTHORS
CONTRIBUTING.rst
@@ -69,9 +69,12 @@
releasenotes/notes/add-sphinxpolicygen-39e2f8fa24930b0c.yaml
releasenotes/notes/add_custom_rule_check_plugins-3c15c2c7ca5e.yaml
releasenotes/notes/add_reno-3b4ae0789e9c45b4.yaml
+releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml
releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml
+releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml
releasenotes/notes/fix-rendering-for-deprecated-rules-d465292e4155f483.yaml
releasenotes/notes/oslo-policy-descriptive-support-3ee688c5fa48d751.yaml
+releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml
releasenotes/source/conf.py
releasenotes/source/index.rst
releasenotes/source/newton.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/pbr.json new/oslo.policy-1.38.1/oslo.policy.egg-info/pbr.json
--- old/oslo.policy-1.37.0/oslo.policy.egg-info/pbr.json 2018-06-05 20:06:26.000000000 +0200
+++ new/oslo.policy-1.38.1/oslo.policy.egg-info/pbr.json 2018-07-20 03:13:42.000000000 +0200
@@ -1 +1 @@
-{"git_version": "7a50c85", "is_release": true}
\ No newline at end of file
+{"git_version": "0fc941f", "is_release": true}
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/requires.txt new/oslo.policy-1.38.1/oslo.policy.egg-info/requires.txt
--- old/oslo.policy-1.37.0/oslo.policy.egg-info/requires.txt 2018-06-05 20:06:26.000000000 +0200
+++ new/oslo.policy-1.38.1/oslo.policy.egg-info/requires.txt 2018-07-20 03:13:42.000000000 +0200
@@ -1,5 +1,6 @@
requests>=2.14.2
oslo.config>=5.2.0
+oslo.context>=2.21.0
oslo.i18n>=3.15.3
oslo.serialization!=2.19.1,>=2.18.0
PyYAML>=3.12
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo_policy/policy.py new/oslo.policy-1.38.1/oslo_policy/policy.py
--- old/oslo.policy-1.37.0/oslo_policy/policy.py 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/oslo_policy/policy.py 2018-07-20 03:10:38.000000000 +0200
@@ -221,12 +221,14 @@
desired rule name.
"""
+import collections
import copy
import logging
import os
import warnings
from oslo_config import cfg
+from oslo_context import context
from oslo_serialization import jsonutils
import six
import yaml
@@ -342,6 +344,13 @@
super(InvalidRuleDefault, self).__init__(msg)
+class InvalidContextObject(Exception):
+ def __init__(self, error):
+ msg = (_('Invalid context object: '
+ '%(error)s.') % {'error': error})
+ super(InvalidContextObject, self).__init__(msg)
+
+
def parse_file_contents(data):
"""Parse the raw contents of a policy file.
@@ -487,6 +496,7 @@
self.policy_file = policy_file or self.conf.oslo_policy.policy_file
self.use_conf = use_conf
+ self._need_check_rule = True
self.overwrite = overwrite
self._loaded_files = []
self._policy_dir_mtimes = {}
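Review bot: The `_need_check_rule` flag introduced in `__init__` here has no comment saying when it is re-armed, and within this diff it is only set back to `True` in `set_rules` (next hunk) before `load_rules` clears it (hunk `@@ -627,7 +638,9 @@`). Rules that reach `self.rules` by another route, for example defaults registered after the first `load_rules()` call, would presumably no longer pass through `check_rules()`. The body of `register_default` is outside these hunks, so that needs confirming. I would add `# True whenever the rule set changed since the last check_rules() run; re-armed in set_rules()` above the assignment, and consider setting `self._need_check_rule = True` in `register_default` as well. `__init__` starts and ends outside the hunk.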
@@ -506,6 +516,7 @@
raise TypeError(_('Rules must be an instance of dict or Rules, '
'got %s instead') % type(rules))
self.use_conf = use_conf
+ self._need_check_rule = True
if overwrite:
self.rules = Rules(rules, self.default_rule)
else:
@@ -627,7 +638,9 @@
self.rules[default.name] = default.check
# Detect and log obvious incorrect rule definitions
- self.check_rules()
+ if self._need_check_rule:
+ self.check_rules()
+ self._need_check_rule = False
def check_rules(self, raise_on_violation=False):
"""Look for rule definitions that are obviously incorrect."""
@@ -789,7 +802,8 @@
the Mapping abstract base class and deep
copying.
:param dict creds: As much information about the user performing the
- action as possible.
+ action as possible. This parameter can also be an
+ instance of ``oslo_context.context.RequestContext``.
:param do_raise: Whether to raise an exception or not if check
fails.
:param exc: Class of the exception to raise if the check fails.
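Review bot: The docstring still types `creds` as `dict` and does not mention the new `InvalidContextObject`, which the later hunk in `enforce()` raises unconditionally for unsupported `creds` types, even when `do_raise` is false. Callers that relied on getting a boolean back with `do_raise=False` now have to handle an exception, so I would document it: `:raises InvalidContextObject: if creds is neither a RequestContext nor a mutable mapping (raised regardless of do_raise).` The parameter line could become `:param creds:` with the accepted types listed in its description. The docstring begins and ends outside this hunk.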
@@ -807,6 +821,23 @@
self.load_rules()
+ if isinstance(creds, context.RequestContext):
+ creds = self._map_context_attributes_into_creds(creds)
+ # NOTE(lbragstad): The oslo.context library exposes the ability to call
+ # a method on RequestContext objects that converts attributes of the
+ # context object to policy values. However, ``to_policy_values()``
+ # doesn't actually return a dictionary, it's a subclass of
+ # collections.MutableMapping, which behaves like a dictionary but
+ # doesn't pass the type check.
+ elif not isinstance(creds, collections.MutableMapping):
+ msg = (
+ 'Expected type oslo_context.context.RequestContext, dict, or '
+ 'the output of '
+ 'oslo_context.context.RequestContext.to_policy_values but '
+ 'got %(creds_type)s instead' % {'creds_type': type(creds)}
+ )
+ raise InvalidContextObject(msg)
+
# Allow the rule to be a Check tree
if isinstance(rule, _checks.BaseCheck):
# If the thing we're given is a Check, we don't know the
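Review bot: `collections.MutableMapping` in the new `elif` is the deprecated alias of `collections.abc.MutableMapping`; the alias was removed in Python 3.10, where this line raises `AttributeError` on every `enforce()` call that does not pass a `RequestContext`. Since the package is built for Python 2 and 3, the import hunk could bind the ABC once with a `try: from collections import abc as collections_abc` / `except ImportError: import collections as collections_abc` pair, and the check would become `elif not isinstance(creds, collections_abc.MutableMapping):`. Separately, the helper called in the `if` branch, `_map_context_attributes_into_creds` (next hunk), names its parameter `context`, which shadows the `oslo_context.context` module imported at the top of the file. Its first comment also speaks of skipping callable attributes although the loop copies every item returned by `to_policy_values()`; renaming the parameter and correcting that comment would keep the credential-mapping code from misleading the next reader. `enforce()` starts and ends outside this hunk.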
@@ -881,6 +912,27 @@
return result
+ def _map_context_attributes_into_creds(self, context):
+ creds = {}
+ # port public context attributes into the creds dictionary so long as
+ # the attribute isn't callable
+ context_values = context.to_policy_values()
+ for k, v in context_values.items():
+ creds[k] = v
+
+ # NOTE(lbragstad): We unfortunately have to special case this
+ # attribute. Originally when the system scope when into oslo.policy, we
+ # checked for a key called 'system' in creds. The oslo.context library
+ # uses `system_scope` instead, and the compatibility between
+ # oslo.policy and oslo.context was an afterthought. We'll have to
+ # support services who've been setting creds['system'], but we can do
+ # that by making sure we populate it with what's in the context object
+ # if it has a system_scope attribute.
+ if context.system_scope:
+ creds['system'] = context.system_scope
+
+ return creds
+
def register_default(self, default):
"""Registers a RuleDefault.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo_policy/tests/test_policy.py new/oslo.policy-1.38.1/oslo_policy/tests/test_policy.py
--- old/oslo.policy-1.37.0/oslo_policy/tests/test_policy.py 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/oslo_policy/tests/test_policy.py 2018-07-20 03:10:38.000000000 +0200
@@ -19,6 +19,7 @@
import mock
from oslo_config import cfg
+from oslo_context import context
from oslo_serialization import jsonutils
from oslotest import base as test_base
import six
@@ -390,6 +391,66 @@
group='oslo_policy')
self.assertRaises(ValueError, self.enforcer.load_rules, True)
+ @mock.patch('oslo_policy.policy.Enforcer.check_rules')
+ def test_load_rules_twice(self, mock_check_rules):
+ self.enforcer.load_rules()
+ self.enforcer.load_rules()
+ self.assertEqual(1, mock_check_rules.call_count)
+
+ @mock.patch('oslo_policy.policy.Enforcer.check_rules')
+ def test_load_rules_twice_force(self, mock_check_rules):
+ self.enforcer.load_rules(True)
+ self.enforcer.load_rules(True)
+ self.assertEqual(2, mock_check_rules.call_count)
+
+ @mock.patch('oslo_policy.policy.Enforcer.check_rules')
+ def test_load_rules_twice_clear(self, mock_check_rules):
+ self.enforcer.load_rules()
+ self.enforcer.clear()
+ # NOTE(bnemec): It's weird that we have to pass True here, but clear
+ # sets enforcer.use_conf to False, which causes load_rules to be a
+ # noop when called with no parameters. This is probably a bug.
+ self.enforcer.load_rules(True)
+ self.assertEqual(2, mock_check_rules.call_count)
+
+ @mock.patch('oslo_policy.policy.Enforcer.check_rules')
+ def test_load_directory_twice(self, mock_check_rules):
+ self.create_config_file(
+ os.path.join('policy.d', 'a.conf'), POLICY_A_CONTENTS)
+ self.create_config_file(
+ os.path.join('policy.d', 'b.conf'), POLICY_B_CONTENTS)
+ self.enforcer.load_rules()
+ self.enforcer.load_rules()
+ self.assertEqual(1, mock_check_rules.call_count)
+ self.assertIsNotNone(self.enforcer.rules)
+
+ @mock.patch('oslo_policy.policy.Enforcer.check_rules')
+ def test_load_directory_twice_force(self, mock_check_rules):
+ self.create_config_file(
+ os.path.join('policy.d', 'a.conf'), POLICY_A_CONTENTS)
+ self.create_config_file(
+ os.path.join('policy.d', 'b.conf'), POLICY_B_CONTENTS)
+ self.enforcer.load_rules(True)
+ self.enforcer.load_rules(True)
+ self.assertEqual(2, mock_check_rules.call_count)
+ self.assertIsNotNone(self.enforcer.rules)
+
+ @mock.patch('oslo_policy.policy.Enforcer.check_rules')
+ def test_load_directory_twice_changed(self, mock_check_rules):
+ self.create_config_file(
+ os.path.join('policy.d', 'a.conf'), POLICY_A_CONTENTS)
+ self.enforcer.load_rules()
+
+ # Touch the file
+ conf_path = os.path.join(self.config_dir, os.path.join(
+ 'policy.d', 'a.conf'))
+ stinfo = os.stat(conf_path)
+ os.utime(conf_path, (stinfo.st_atime + 10, stinfo.st_mtime + 10))
+
+ self.enforcer.load_rules()
+ self.assertEqual(2, mock_check_rules.call_count)
+ self.assertIsNotNone(self.enforcer.rules)
+
def test_set_rules_type(self):
self.assertRaises(TypeError,
self.enforcer.set_rules,
@@ -646,6 +707,89 @@
self.enforcer.authorize, 'test', {},
{'roles': ['test']})
+ def test_enforcer_accepts_context_objects(self):
+ rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
+ self.enforcer.register_default(rule)
+
+ request_context = context.RequestContext()
+ target_dict = {}
+ self.enforcer.enforce('fake_rule', target_dict, request_context)
+
+ def test_enforcer_accepts_subclassed_context_objects(self):
+ rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
+ self.enforcer.register_default(rule)
+
+ class SpecializedContext(context.RequestContext):
+ pass
+
+ request_context = SpecializedContext()
+ target_dict = {}
+ self.enforcer.enforce('fake_rule', target_dict, request_context)
+
+ def test_enforcer_rejects_non_context_objects(self):
+ rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
+ self.enforcer.register_default(rule)
+
+ class InvalidContext(object):
+ pass
+
+ request_context = InvalidContext()
+ target_dict = {}
+ self.assertRaises(
+ policy.InvalidContextObject, self.enforcer.enforce, 'fake_rule',
+ target_dict, request_context
+ )
+
+ @mock.patch.object(policy.Enforcer, '_map_context_attributes_into_creds')
+ def test_enforcer_call_map_context_attributes(self, map_mock):
+ rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
+ self.enforcer.register_default(rule)
+
+ request_context = context.RequestContext()
+ target_dict = {}
+ self.enforcer.enforce('fake_rule', target_dict, request_context)
+ map_mock.assert_called_once_with(request_context)
+
+ def test_enforcer_consolidates_context_attributes_with_creds(self):
+ request_context = context.RequestContext()
+ expected_creds = request_context.to_policy_values()
+
+ creds = self.enforcer._map_context_attributes_into_creds(
+ request_context
+ )
+
+ # We don't use self.assertDictEqual here because to_policy_values
+ # actaully returns a non-dict object that just behaves like a
+ # dictionary, but does some special handling when people access
+ # deprecated policy values.
+ for k, v in expected_creds.items():
+ self.assertEqual(expected_creds[k], creds[k])
+
+ def test_map_context_attributes_populated_system(self):
+ request_context = context.RequestContext(system_scope='all')
+ expected_creds = request_context.to_policy_values()
+ expected_creds['system'] = 'all'
+
+ creds = self.enforcer._map_context_attributes_into_creds(
+ request_context
+ )
+
+ # We don't use self.assertDictEqual here because to_policy_values
+ # actaully returns a non-dict object that just behaves like a
+ # dictionary, but does some special handling when people access
+ # deprecated policy values.
+ for k, v in expected_creds.items():
+ self.assertEqual(expected_creds[k], creds[k])
+
+ def test_enforcer_accepts_policy_values_from_context(self):
+ rule = policy.RuleDefault(name='fake_rule', check_str='role:test')
+ self.enforcer.register_default(rule)
+
+ request_context = context.RequestContext()
+ policy_values = request_context.to_policy_values()
+ target_dict = {}
+ self.enforcer.enforce('fake_rule', target_dict, policy_values)
+
class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase):
def setUp(self):
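Review bot: The three "accepts" tests (`test_enforcer_accepts_context_objects`, `test_enforcer_accepts_subclassed_context_objects`, `test_enforcer_accepts_policy_values_from_context`) discard the return value of `enforce()`, so they only prove that no exception is raised, not that the authorization decision computed from the context is correct. For an access-control library I would assert the outcome in both directions, e.g. `self.assertFalse(self.enforcer.enforce('fake_rule', target_dict, request_context))` for the empty context and a positive case built with `context.RequestContext(roles=['test'])` wrapped in `self.assertTrue(...)`. Those expected values are inferred from the `role:test` check string and should be confirmed by running the tests. In the two mapping tests the loop variable `v` is unused and the comment has a typo (`actaully`).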
@@ -697,15 +841,17 @@
def test_check_explicit(self):
rule = base.FakeCheck()
- result = self.enforcer.enforce(rule, 'target', 'creds')
- self.assertEqual(('target', 'creds', self.enforcer), result)
+ creds = {}
+ result = self.enforcer.enforce(rule, 'target', creds)
+ self.assertEqual(('target', creds, self.enforcer), result)
def test_check_no_rules(self):
# Clear the policy.json file created in setUp()
self.create_config_file('policy.json', "{}")
self.enforcer.default_rule = None
self.enforcer.load_rules()
- result = self.enforcer.enforce('rule', 'target', 'creds')
+ creds = {}
+ result = self.enforcer.enforce('rule', 'target', creds)
self.assertFalse(result)
def test_check_with_rule(self):
@@ -722,7 +868,8 @@
self.create_config_file('policy.json', jsonutils.dumps({"a_rule": []}))
self.enforcer.default_rule = None
self.enforcer.load_rules()
- result = self.enforcer.enforce('rule', 'target', 'creds')
+ creds = {}
+ result = self.enforcer.enforce('rule', 'target', creds)
self.assertFalse(result)
def test_check_raise_default(self):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml new/oslo.policy-1.38.1/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml
--- old/oslo.policy-1.37.0/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/oslo.policy-1.38.1/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml 2018-07-20 03:10:38.000000000 +0200
@@ -0,0 +1,19 @@
+---
+features:
+ - |
+ [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_]
+ The ``enforce()`` method now supports the ability to parse ``oslo.context``
+ objects if passed into ``enforce()`` as ``creds``. This provides more
+ consistent policy enforcement for service developers by ensuring the
+ attributes provided in policy enforcement are standardized. In this case
+ they are being standardized through the
+ ``oslo_context.context.RequestContext.to_policy_values()`` method.
+fixes:
+ - |
+ [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_]
+ The ``enforce()`` method now supports the ability to parse ``oslo.context``
+ objects if passed into ``enforce()`` as ``creds``. This provides more
+ consistent policy enforcement for service developers by ensuring the
+ attributes provided in policy enforcement are standardized. In this case
+ they are being standardized through the
+ ``oslo_context.context.RequestContext.to_policy_values()`` method.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml new/oslo.policy-1.38.1/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml
--- old/oslo.policy-1.37.0/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/oslo.policy-1.38.1/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml 2018-07-20 03:10:38.000000000 +0200
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ [`bug 1741073 https://bugs.launchpad.net/oslo.policy/+bug/1741073`_]
+ Documentation has been improved to include ``oslopolicy-sample-generator``
+ and ``oslopolicy-list-redundant`` usage.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml new/oslo.policy-1.38.1/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml
--- old/oslo.policy-1.37.0/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/oslo.policy-1.38.1/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml 2018-07-20 03:10:38.000000000 +0200
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ As reported in launchpad bug 1723030, under some circumstances policy
+ checks caused a significant performance degradation. This release includes
+ improved logic around rule validation to prevent that.
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/reno.cache new/oslo.policy-1.38.1/releasenotes/notes/reno.cache
--- old/oslo.policy-1.37.0/releasenotes/notes/reno.cache 2018-06-05 20:06:27.000000000 +0200
+++ new/oslo.policy-1.38.1/releasenotes/notes/reno.cache 2018-07-20 03:13:43.000000000 +0200
@@ -8,6 +8,45 @@
``scope_types`` attributes.
']
+ releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml:
+ features: ['[`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_]
+
+ The ``enforce()`` method now supports the ability to parse ``oslo.context``
+
+ objects if passed into ``enforce()`` as ``creds``. This provides more
+
+ consistent policy enforcement for service developers by ensuring the
+
+ attributes provided in policy enforcement are standardized. In this case
+
+ they are being standardized through the
+
+ ``oslo_context.context.RequestContext.to_policy_values()`` method.
+
+ ']
+ fixes: ['[`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_]
+
+ The ``enforce()`` method now supports the ability to parse ``oslo.context``
+
+ objects if passed into ``enforce()`` as ``creds``. This provides more
+
+ consistent policy enforcement for service developers by ensuring the
+
+ attributes provided in policy enforcement are standardized. In this case
+
+ they are being standardized through the
+
+ ``oslo_context.context.RequestContext.to_policy_values()`` method.
+
+ ']
+ releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml:
+ fixes: ['[`bug 1741073 https://bugs.launchpad.net/oslo.policy/+bug/1741073`_]
+
+ Documentation has been improved to include ``oslopolicy-sample-generator``
+
+ and ``oslopolicy-list-redundant`` usage.
+
+ ']
releasenotes/notes/fix-rendering-for-deprecated-rules-d465292e4155f483.yaml:
fixes: ['[`bug 1771442 https://bugs.launchpad.net/oslo.policy/+bug/1771442`_]
@@ -16,8 +55,29 @@
when rendering sample policy files for documentation.
']
+ releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml:
+ fixes: ['As reported in launchpad bug 1723030, under some circumstances policy
+
+ checks caused a significant performance degradation. This release includes
+
+ improved logic around rule validation to prevent that.
+
+ ']
notes:
- files:
+ - - releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml
+ - !!binary |
+ OTA5YTFlYTNhN2FjZWI2ZTA2MzcwNThiOWM2YTUzZDE0MDQzZDZkMQ==
+ version: 1.38.1
+- files:
+ - - releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml
+ - !!binary |
+ Nzc1NjQxYTVmYzU0OWMyMGJlMzdjZjg2MmRlY2EzOTRiZjdmMmQyMQ==
+ - - releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml
+ - !!binary |
+ M2ZlOTViMmFlYmRlMjI2YmFiMGQ3MTA4ODVmNjBhMTg2MjQ5OWIxNg==
+ version: 1.38.0
+- files:
- - releasenotes/notes/add-scope-types-to-sphinxext-cacd845c4575e965.yaml
- !!binary |
ZWIxNTQ2ZmRmYzE1N2ViY2UwZDUyY2JlZTU0ZTI4OThkMTNkZTI0NQ==
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/requirements.txt new/oslo.policy-1.38.1/requirements.txt
--- old/oslo.policy-1.37.0/requirements.txt 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/requirements.txt 2018-07-20 03:10:38.000000000 +0200
@@ -4,6 +4,7 @@
requests>=2.14.2 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
+oslo.context>=2.21.0 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
PyYAML>=3.12 # MIT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/test-requirements.txt new/oslo.policy-1.38.1/test-requirements.txt
--- old/oslo.policy-1.37.0/test-requirements.txt 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/test-requirements.txt 2018-07-20 03:10:38.000000000 +0200
@@ -4,13 +4,15 @@
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
oslotest>=3.2.0 # Apache-2.0
requests-mock>=1.1.0 # Apache-2.0
+stestr>=2.0.0 # Apache-2.0
+oslo.context>=2.21.0 # Apache-2.0
# computes code coverage percentages
coverage!=4.4,>=4.0 # Apache-2.0
# These are needed for docs generation
openstackdocstheme>=1.18.1 # Apache-2.0
-sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.5 # BSD
reno>=2.5.0 # Apache-2.0
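Review bot: `oslo.context>=2.21.0` is added here even though the same line is added to requirements.txt in this diff, and the `[testenv]` deps in tox.ini install both files. Keeping the floor in two places lets the two specifiers drift apart on a later bump. I would drop the line from test-requirements.txt and keep requirements.txt as the single source. The pep8 environment installs only test-requirements.txt, so first confirm that nothing it runs imports oslo.context.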
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/tox.ini new/oslo.policy-1.38.1/tox.ini
--- old/oslo.policy-1.37.0/tox.ini 2018-06-05 20:03:29.000000000 +0200
+++ new/oslo.policy-1.38.1/tox.ini 2018-07-20 03:10:38.000000000 +0200
@@ -3,18 +3,18 @@
envlist = py35,py27,pep8,docs
[testenv]
-basepython = python3
install_command = pip install {opts} {packages}
deps =
-c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt}
-r{toxinidir}/test-requirements.txt
-r{toxinidir}/requirements.txt
-commands = python setup.py testr --slowest --testr-args='{posargs}'
+commands = stestr run --slowest {posargs}
[testenv:py27]
basepython = python2.7
[testenv:pep8]
+basepython = python3
deps =
-r{toxinidir}/test-requirements.txt
commands =
@@ -23,12 +23,15 @@
bandit -r oslo_policy tests -n5
[testenv:venv]
+basepython = python3
commands = {posargs}
[testenv:docs]
+basepython = python3
commands = python setup.py build_sphinx
[testenv:cover]
+basepython = python3
commands = python setup.py test --coverage --coverage-package-name=oslo_policy --testr-args='{posargs}'
[flake8]
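Review bot: `[testenv:cover]` still runs `python setup.py test --coverage ... --testr-args='{posargs}'`, which goes through the testr integration that the default `[testenv]` command in this same file drops in favour of `stestr run`. If testrepository is no longer installed (the visible test-requirements.txt hunk only adds stestr), the coverage job would fail or measure a different runner than the one used for the regular test run. I would move the cover environment to stestr as well and drive it through coverage, as sketched below. The `--source` package name is taken from the existing `--coverage-package-name` argument.

```ini
[testenv:cover]
basepython = python3
setenv =
    PYTHON=coverage run --source oslo_policy --parallel-mode
commands =
    stestr run {posargs}
    coverage combine
    coverage html -d cover
    coverage xml -o cover/coverage.xml
```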
@@ -42,9 +45,11 @@
import_exceptions = oslo_policy._i18n
[testenv:releasenotes]
+basepython = python3
commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html
[testenv:lower-constraints]
+basepython = python3
deps =
-c{toxinidir}/lower-constraints.txt
-r{toxinidir}/test-requirements.txt