commit python-oslo.policy for openSUSE:Factory

Hello community, here is the log from the commit of package python-oslo.policy for openSUSE:Factory checked in at 2018-10-01 08:18:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-oslo.policy (Old) and /work/SRC/openSUSE:Factory/.python-oslo.policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-oslo.policy" Mon Oct 1 08:18:17 2018 rev:9 rq:638871 version:1.38.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-oslo.policy/python-oslo.policy.changes 2018-09-07 15:39:00.746561348 +0200 +++ /work/SRC/openSUSE:Factory/.python-oslo.policy.new/python-oslo.policy.changes 2018-10-01 08:18:23.209930680 +0200 @@ -1,0 +2,15 @@ +Wed Sep 19 23:17:37 UTC 2018 - cloud-devel@suse.de + +- update to version 1.38.1 + - Pass dictionary as creds in policy tests + - fix tox python3 overrides + - trivial: Fix file permissions + - Add CLI usage documentation + - Add blueprints and releasenotes link to README + - Teach Enforcer.enforce to deal with context objects + - Avoid redundant policy syntax checks + - Add examples and clarification around scope_types + - Fix requirements and convert to stestr + - Clarify CLI documentation + +------------------------------------------------------------------- Old: ---- oslo.policy-1.37.0.tar.gz New: ---- oslo.policy-1.38.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-oslo.policy.spec ++++++ --- /var/tmp/diff_new_pack.om6s48/_old 2018-10-01 08:18:24.141930085 +0200 +++ /var/tmp/diff_new_pack.om6s48/_new 2018-10-01 08:18:24.145930082 +0200 @@ -12,39 +12,46 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: python-oslo.policy -Version: 1.37.0 +Version: 1.38.1 Release: 0 Summary: OpenStack Oslo Policy library License: Apache-2.0 Group: Development/Languages/Python URL: https://launchpad.net/oslo.policy -Source0: https://files.pythonhosted.org/packages/source/o/oslo.policy/oslo.policy-1.3... +Source0: https://files.pythonhosted.org/packages/source/o/oslo.policy/oslo.policy-1.3... BuildRequires: openstack-macros BuildRequires: python-devel BuildRequires: python2-PyYAML >= 3.12 +BuildRequires: python2-docutils BuildRequires: python2-oslo.config >= 5.2.0 +BuildRequires: python2-oslo.context >= 2.21.0 BuildRequires: python2-oslo.i18n >= 3.15.3 BuildRequires: python2-oslo.serialization >= 2.18.0 BuildRequires: python2-oslotest BuildRequires: python2-pbr BuildRequires: python2-requests >= 2.14.2 BuildRequires: python2-requests-mock +BuildRequires: python2-stestr BuildRequires: python3-PyYAML >= 3.12 BuildRequires: python3-devel +BuildRequires: python3-docutils BuildRequires: python3-oslo.config >= 5.2.0 +BuildRequires: python3-oslo.context >= 2.21.0 BuildRequires: python3-oslo.i18n >= 3.15.3 BuildRequires: python3-oslo.serialization >= 2.18.0 BuildRequires: python3-oslotest BuildRequires: python3-pbr BuildRequires: python3-requests >= 2.14.2 BuildRequires: python3-requests-mock +BuildRequires: python3-stestr Requires: python-PyYAML >= 3.12 Requires: python-oslo.config >= 5.2.0 +Requires: python-oslo.context >= 2.21.0 Requires: python-oslo.i18n >= 3.15.3 Requires: python-oslo.serialization >= 2.18.0 Requires: python-requests >= 2.14.2 @@ -68,14 +75,16 @@ %package -n python-oslo.policy-doc Summary: Documentation for the Oslo Policy library Group: Documentation/HTML -BuildRequires: python-Sphinx -BuildRequires: python-openstackdocstheme +BuildRequires: python2-Sphinx +BuildRequires: python2-openstackdocstheme +BuildRequires: python3-Sphinx +BuildRequires: python3-openstackdocstheme %description -n python-oslo.policy-doc Documentation for the Oslo Policy library. %prep -%autosetup -p1 -n oslo.policy-1.37.0 +%autosetup -p1 -n oslo.policy-1.38.1 %py_req_cleanup sed -i 's/^warning-is-error.*/warning-is-error = 0/g' setup.cfg @@ -101,9 +110,7 @@ %python_uninstall_alternative oslopolicy-checker %check -%{python_expand rm -rf .testrepository -python setup.py testr -} +%python_exec -m stestr.cli run %files %{python_files} %license LICENSE ++++++ oslo.policy-1.37.0.tar.gz -> oslo.policy-1.38.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/.stestr.conf new/oslo.policy-1.38.1/.stestr.conf --- old/oslo.policy-1.37.0/.stestr.conf 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-1.38.1/.stestr.conf 2018-07-20 03:10:38.000000000 +0200 @@ -0,0 +1,3 @@ +[DEFAULT] +test_path=./oslo_policy/tests +top_path=./ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/.testr.conf new/oslo.policy-1.38.1/.testr.conf --- old/oslo.policy-1.37.0/.testr.conf 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/.testr.conf 1970-01-01 01:00:00.000000000 +0100 @@ -1,7 +0,0 @@ -[DEFAULT] -test_command=OS_STDOUT_CAPTURE=${OS_STDOUT_CAPTURE:-1} \ - OS_STDERR_CAPTURE=${OS_STDERR_CAPTURE:-1} \ - OS_TEST_TIMEOUT=${OS_TEST_TIMEOUT:-60} \ - ${PYTHON:-python} -m subunit.run discover -t ./ ./oslo_policy $LISTOPT $IDOPTION -test_id_option=--load-list $IDFILE -test_list_option=--list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/AUTHORS new/oslo.policy-1.38.1/AUTHORS --- old/oslo.policy-1.37.0/AUTHORS 2018-06-05 20:06:26.000000000 +0200 +++ new/oslo.policy-1.38.1/AUTHORS 2018-07-20 03:13:42.000000000 +0200 @@ -56,6 +56,7 @@ Mark McClain Mark McLoughlin Maruti +Mateusz Kowalski Michael McCune Monty Taylor Nathan Kinder @@ -99,4 +100,5 @@ ricolin sonu.kumar vponomaryov +zhangbailin zhangyanxian diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/ChangeLog new/oslo.policy-1.38.1/ChangeLog --- old/oslo.policy-1.37.0/ChangeLog 2018-06-05 20:06:26.000000000 +0200 +++ new/oslo.policy-1.38.1/ChangeLog 2018-07-20 03:13:42.000000000 +0200 @@ -1,9 +1,25 @@ CHANGES ======= +1.38.1 +------ + +* Avoid redundant policy syntax checks + +1.38.0 +------ + +* Teach Enforcer.enforce to deal with context objects +* Pass dictionary as creds in policy tests +* Fix requirements and convert to stestr +* Add blueprints and releasenotes link to README +* fix tox python3 overrides + 1.37.0 ------ +* Add CLI usage documentation +* Clarify CLI documentation * Remove erroneous newline in sample generation * Update sphinxext to include scope\_types in docs @@ -11,8 +27,10 @@ ------ * Fix document formatting +* Add examples and clarification around scope\_types * Include deprecated\_reason when deprecated\_rule is set * Include both new and deprecated rules in generated sample +* trivial: Fix file permissions 1.35.0 ------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/PKG-INFO new/oslo.policy-1.38.1/PKG-INFO --- old/oslo.policy-1.37.0/PKG-INFO 2018-06-05 20:06:27.000000000 +0200 +++ new/oslo.policy-1.38.1/PKG-INFO 2018-07-20 03:13:43.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: oslo.policy -Version: 1.37.0 +Version: 1.38.1 Summary: Oslo Policy library Home-page: https://docs.openstack.org/oslo.policy/latest/ Author: OpenStack @@ -34,6 +34,8 @@ * Documentation: https://docs.openstack.org/oslo.policy/latest/ * Source: https://git.openstack.org/cgit/openstack/oslo.policy * Bugs: https://bugs.launchpad.net/oslo.policy + * Blueprints: https://blueprints.launchpad.net/oslo.policy + * Release Notes: https://docs.openstack.org/releasenotes/oslo.policy Platform: UNKNOWN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/README.rst new/oslo.policy-1.38.1/README.rst --- old/oslo.policy-1.37.0/README.rst 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/README.rst 2018-07-20 03:10:38.000000000 +0200 @@ -26,4 +26,5 @@ * Documentation: https://docs.openstack.org/oslo.policy/latest/ * Source: https://git.openstack.org/cgit/openstack/oslo.policy * Bugs: https://bugs.launchpad.net/oslo.policy - +* Blueprints: https://blueprints.launchpad.net/oslo.policy +* Release Notes: https://docs.openstack.org/releasenotes/oslo.policy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/RELEASENOTES.rst new/oslo.policy-1.38.1/RELEASENOTES.rst --- old/oslo.policy-1.37.0/RELEASENOTES.rst 2018-06-05 20:06:27.000000000 +0200 +++ new/oslo.policy-1.38.1/RELEASENOTES.rst 2018-07-20 03:13:43.000000000 +0200 @@ -2,6 +2,66 @@ oslo.policy =========== +.. _oslo.policy_1.38.1: + +1.38.1 +====== + +.. _oslo.policy_1.38.1_Bug Fixes: + +Bug Fixes +--------- + +.. releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml @ b'909a1ea3a7aceb6e0637058b9c6a53d14043d6d1' + +- As reported in launchpad bug 1723030, under some circumstances policy + checks caused a significant performance degradation. This release includes + improved logic around rule validation to prevent that. + + +.. _oslo.policy_1.38.0: + +1.38.0 +====== + +.. _oslo.policy_1.38.0_New Features: + +New Features +------------ + +.. releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml @ b'775641a5fc549c20be37cf862deca394bf7f2d21' + +- [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_] + The ``enforce()`` method now supports the ability to parse ``oslo.context`` + objects if passed into ``enforce()`` as ``creds``. This provides more + consistent policy enforcement for service developers by ensuring the + attributes provided in policy enforcement are standardized. In this case + they are being standardized through the + ``oslo_context.context.RequestContext.to_policy_values()`` method. + + +.. _oslo.policy_1.38.0_Bug Fixes: + +Bug Fixes +--------- + +.. releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml @ b'775641a5fc549c20be37cf862deca394bf7f2d21' + +- [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_] + The ``enforce()`` method now supports the ability to parse ``oslo.context`` + objects if passed into ``enforce()`` as ``creds``. This provides more + consistent policy enforcement for service developers by ensuring the + attributes provided in policy enforcement are standardized. In this case + they are being standardized through the + ``oslo_context.context.RequestContext.to_policy_values()`` method. + +.. releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml @ b'3fe95b2aebde226bab0d710885f60a1862499b16' + +- [`bug 1741073 https://bugs.launchpad.net/oslo.policy/+bug/1741073`_] + Documentation has been improved to include ``oslopolicy-sample-generator`` + and ``oslopolicy-list-redundant`` usage. + + .. _oslo.policy_1.37.0: 1.37.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/doc/source/cli/index.rst new/oslo.policy-1.38.1/doc/source/cli/index.rst --- old/oslo.policy-1.37.0/doc/source/cli/index.rst 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/doc/source/cli/index.rst 2018-07-20 03:10:38.000000000 +0200 @@ -2,6 +2,12 @@ Command Line Interface ====================== +This document describes the various command line tools exposed by +``oslo.policy`` to manage policies and policy files. + +oslopolicy-checker +================== + Run the command line ``oslopolicy-checker`` to check policy against the OpenStack Identity API access information. @@ -44,3 +50,67 @@ --policy /opt/stack/nova/etc/nova/policy.json \ --access sample_data/auth_v3_token_member.json \ --rule compute_extension:flavorextraspecs:index + +oslopolicy-sample-generator +=========================== + +The ``oslopolicy-sample-generator`` command can be used to generate a sample +policy file based on the default policies in a given namespace. This tool +requires a namespace to query for policies and supports output in JSON or YAML. + +Examples +-------- + +To generate sample policies for a namespace called ``keystone``: + +.. code-block:: bash + + oslopolicy-sample-generator --namespace keystone + + +To generate sample policies in JSON use: + +.. code-block:: bash + + oslopolicy-sample-generator --namespace nova --format json + +To generate a sample policy file and output directly to a file: + +.. code-block:: bash + + oslopolicy-sample-generator --namespace keystone \ + --format yaml \ + --output-file keystone-policy.yaml + +Use the following to generate help text for additional options and arguments +supported by ``oslopolicy-sample-generator``: + +.. code-block:: bash + + oslopolicy-sample-generator --help + +oslopolicy-list-redundant +========================= + +The ``oslopolicy-list-redundant`` tool is useful for detecting policies that +are specified in policy files that are the same as the defaults provided by the +service. Operators can use this tool to find policies that they can remove from +their policy files, making maintenance easier. + +This tool assumes a policy file containing overrides exists and is specified +through configuration. + +Examples +-------- + +To list redundant default policies: + +.. code-block:: bash + + oslopolicy-list-redundant --namespace keystone --config-dir /etc/keystone + +For more information regarding the options supported by this tool: + +.. code-block:: bash + + oslopolicy-list-redundant --help diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/doc/source/user/usage.rst new/oslo.policy-1.38.1/doc/source/user/usage.rst --- old/oslo.policy-1.37.0/doc/source/user/usage.rst 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/doc/source/user/usage.rst 2018-07-20 03:10:38.000000000 +0200 @@ -188,7 +188,56 @@ attribute can only be set at rule definition and never overridden via a policy file. This variable is designed to save the scope at which a policy should operate. During enforcement, the information in `scope_types` is compared to -the scope of the token used in the request. +the scope of the token used in the request. It is designed to match the +available token scopes available from keystone, which are `system`, `domain`, +and `project`. The examples highlighted here will show the usage with system +and project APIs. Setting `scope_types` to anything but these three values is +unsupported. + +For example, a policy that is used to protect a resource tracked in a project +should require a project-scoped token. This can be expressed with `scope_types` +as follows:: + + policy.DocumentedRuleDefault( + name='service:create_foo', + check_str='role:admin', + scope_types=['project'], + description='Creates a foo resource', + operations=[ + { + 'path': '/v1/foos/', + 'method': 'POST' + } + ] + ) + +A policy that is used to protect system-level resources can follow the same +pattern:: + + policy.DocumentedRuleDefault( + name='service:update_bar', + check_str='role:admin', + scope_types=['system'], + description='Updates a bar resource', + operations=[ + { + 'path': '/v1/bars/{bar_id}', + 'method': 'PATCH' + } + ] + ) + +The `scope_types` attribute makes sure the token used to make the request is +scoped properly and passes the `check_str`. This is powerful because it allows +roles to be reused across different authorization levels without compromising +APIs. For example, the `admin` role in the above example is used at the +project-level and the system-level to protect two different resources. If we +only checked that the token contained the `admin` role, it would be possible +for a user with a project-scoped token to access a system-level API. + +Developers incorporating `scope_types` into OpenStack services should be +mindful of the relationship between the API they are protecting with a policy +and if it operates on system-level resources or project-level resources. Sample file generation ---------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/lower-constraints.txt new/oslo.policy-1.38.1/lower-constraints.txt --- old/oslo.policy-1.37.0/lower-constraints.txt 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/lower-constraints.txt 2018-07-20 03:10:38.000000000 +0200 @@ -28,6 +28,7 @@ openstackdocstheme==1.18.1 os-client-config==1.28.0 oslo.config==5.2.0 +oslo.context==2.21.0 oslo.i18n==3.15.3 oslo.serialization==2.18.0 oslo.utils==3.33.0 @@ -47,6 +48,7 @@ requestsexceptions==1.2.0 rfc3986==0.3.1 six==1.10.0 +stestr==2.0.0 smmap==0.9.0 snowballstemmer==1.2.1 Sphinx==1.6.5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/PKG-INFO new/oslo.policy-1.38.1/oslo.policy.egg-info/PKG-INFO --- old/oslo.policy-1.37.0/oslo.policy.egg-info/PKG-INFO 2018-06-05 20:06:26.000000000 +0200 +++ new/oslo.policy-1.38.1/oslo.policy.egg-info/PKG-INFO 2018-07-20 03:13:42.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: oslo.policy -Version: 1.37.0 +Version: 1.38.1 Summary: Oslo Policy library Home-page: https://docs.openstack.org/oslo.policy/latest/ Author: OpenStack @@ -34,6 +34,8 @@ * Documentation: https://docs.openstack.org/oslo.policy/latest/ * Source: https://git.openstack.org/cgit/openstack/oslo.policy * Bugs: https://bugs.launchpad.net/oslo.policy + * Blueprints: https://blueprints.launchpad.net/oslo.policy + * Release Notes: https://docs.openstack.org/releasenotes/oslo.policy Platform: UNKNOWN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/SOURCES.txt new/oslo.policy-1.38.1/oslo.policy.egg-info/SOURCES.txt --- old/oslo.policy-1.37.0/oslo.policy.egg-info/SOURCES.txt 2018-06-05 20:06:26.000000000 +0200 +++ new/oslo.policy-1.38.1/oslo.policy.egg-info/SOURCES.txt 2018-07-20 03:13:43.000000000 +0200 @@ -1,6 +1,6 @@ .coveragerc .mailmap -.testr.conf +.stestr.conf .zuul.yaml AUTHORS CONTRIBUTING.rst @@ -69,9 +69,12 @@ releasenotes/notes/add-sphinxpolicygen-39e2f8fa24930b0c.yaml releasenotes/notes/add_custom_rule_check_plugins-3c15c2c7ca5e.yaml releasenotes/notes/add_reno-3b4ae0789e9c45b4.yaml +releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml +releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml releasenotes/notes/fix-rendering-for-deprecated-rules-d465292e4155f483.yaml releasenotes/notes/oslo-policy-descriptive-support-3ee688c5fa48d751.yaml +releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml releasenotes/source/conf.py releasenotes/source/index.rst releasenotes/source/newton.rst diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/pbr.json new/oslo.policy-1.38.1/oslo.policy.egg-info/pbr.json --- old/oslo.policy-1.37.0/oslo.policy.egg-info/pbr.json 2018-06-05 20:06:26.000000000 +0200 +++ new/oslo.policy-1.38.1/oslo.policy.egg-info/pbr.json 2018-07-20 03:13:42.000000000 +0200 @@ -1 +1 @@ -{"git_version": "7a50c85", "is_release": true} \ No newline at end of file +{"git_version": "0fc941f", "is_release": true} \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo.policy.egg-info/requires.txt new/oslo.policy-1.38.1/oslo.policy.egg-info/requires.txt --- old/oslo.policy-1.37.0/oslo.policy.egg-info/requires.txt 2018-06-05 20:06:26.000000000 +0200 +++ new/oslo.policy-1.38.1/oslo.policy.egg-info/requires.txt 2018-07-20 03:13:42.000000000 +0200 @@ -1,5 +1,6 @@ requests>=2.14.2 oslo.config>=5.2.0 +oslo.context>=2.21.0 oslo.i18n>=3.15.3 oslo.serialization!=2.19.1,>=2.18.0 PyYAML>=3.12 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo_policy/policy.py new/oslo.policy-1.38.1/oslo_policy/policy.py --- old/oslo.policy-1.37.0/oslo_policy/policy.py 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/oslo_policy/policy.py 2018-07-20 03:10:38.000000000 +0200 @@ -221,12 +221,14 @@ desired rule name. """ +import collections import copy import logging import os import warnings from oslo_config import cfg +from oslo_context import context from oslo_serialization import jsonutils import six import yaml @@ -342,6 +344,13 @@ super(InvalidRuleDefault, self).__init__(msg) +class InvalidContextObject(Exception): + def __init__(self, error): + msg = (_('Invalid context object: ' + '%(error)s.') % {'error': error}) + super(InvalidContextObject, self).__init__(msg) + + def parse_file_contents(data): """Parse the raw contents of a policy file. @@ -487,6 +496,7 @@ self.policy_file = policy_file or self.conf.oslo_policy.policy_file self.use_conf = use_conf + self._need_check_rule = True self.overwrite = overwrite self._loaded_files = [] self._policy_dir_mtimes = {} @@ -506,6 +516,7 @@ raise TypeError(_('Rules must be an instance of dict or Rules, ' 'got %s instead') % type(rules)) self.use_conf = use_conf + self._need_check_rule = True if overwrite: self.rules = Rules(rules, self.default_rule) else: @@ -627,7 +638,9 @@ self.rules[default.name] = default.check # Detect and log obvious incorrect rule definitions - self.check_rules() + if self._need_check_rule: + self.check_rules() + self._need_check_rule = False def check_rules(self, raise_on_violation=False): """Look for rule definitions that are obviously incorrect.""" @@ -789,7 +802,8 @@ the Mapping abstract base class and deep copying. :param dict creds: As much information about the user performing the - action as possible. + action as possible. This parameter can also be an + instance of ``oslo_context.context.RequestContext``. :param do_raise: Whether to raise an exception or not if check fails. :param exc: Class of the exception to raise if the check fails. @@ -807,6 +821,23 @@ self.load_rules() + if isinstance(creds, context.RequestContext): + creds = self._map_context_attributes_into_creds(creds) + # NOTE(lbragstad): The oslo.context library exposes the ability to call + # a method on RequestContext objects that converts attributes of the + # context object to policy values. However, ``to_policy_values()`` + # doesn't actually return a dictionary, it's a subclass of + # collections.MutableMapping, which behaves like a dictionary but + # doesn't pass the type check. + elif not isinstance(creds, collections.MutableMapping): + msg = ( + 'Expected type oslo_context.context.RequestContext, dict, or ' + 'the output of ' + 'oslo_context.context.RequestContext.to_policy_values but ' + 'got %(creds_type)s instead' % {'creds_type': type(creds)} + ) + raise InvalidContextObject(msg) + # Allow the rule to be a Check tree if isinstance(rule, _checks.BaseCheck): # If the thing we're given is a Check, we don't know the @@ -881,6 +912,27 @@ return result + def _map_context_attributes_into_creds(self, context): + creds = {} + # port public context attributes into the creds dictionary so long as + # the attribute isn't callable + context_values = context.to_policy_values() + for k, v in context_values.items(): + creds[k] = v + + # NOTE(lbragstad): We unfortunately have to special case this + # attribute. Originally when the system scope when into oslo.policy, we + # checked for a key called 'system' in creds. The oslo.context library + # uses `system_scope` instead, and the compatibility between + # oslo.policy and oslo.context was an afterthought. We'll have to + # support services who've been setting creds['system'], but we can do + # that by making sure we populate it with what's in the context object + # if it has a system_scope attribute. + if context.system_scope: + creds['system'] = context.system_scope + + return creds + def register_default(self, default): """Registers a RuleDefault. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/oslo_policy/tests/test_policy.py new/oslo.policy-1.38.1/oslo_policy/tests/test_policy.py --- old/oslo.policy-1.37.0/oslo_policy/tests/test_policy.py 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/oslo_policy/tests/test_policy.py 2018-07-20 03:10:38.000000000 +0200 @@ -19,6 +19,7 @@ import mock from oslo_config import cfg +from oslo_context import context from oslo_serialization import jsonutils from oslotest import base as test_base import six @@ -390,6 +391,66 @@ group='oslo_policy') self.assertRaises(ValueError, self.enforcer.load_rules, True) + @mock.patch('oslo_policy.policy.Enforcer.check_rules') + def test_load_rules_twice(self, mock_check_rules): + self.enforcer.load_rules() + self.enforcer.load_rules() + self.assertEqual(1, mock_check_rules.call_count) + + @mock.patch('oslo_policy.policy.Enforcer.check_rules') + def test_load_rules_twice_force(self, mock_check_rules): + self.enforcer.load_rules(True) + self.enforcer.load_rules(True) + self.assertEqual(2, mock_check_rules.call_count) + + @mock.patch('oslo_policy.policy.Enforcer.check_rules') + def test_load_rules_twice_clear(self, mock_check_rules): + self.enforcer.load_rules() + self.enforcer.clear() + # NOTE(bnemec): It's weird that we have to pass True here, but clear + # sets enforcer.use_conf to False, which causes load_rules to be a + # noop when called with no parameters. This is probably a bug. + self.enforcer.load_rules(True) + self.assertEqual(2, mock_check_rules.call_count) + + @mock.patch('oslo_policy.policy.Enforcer.check_rules') + def test_load_directory_twice(self, mock_check_rules): + self.create_config_file( + os.path.join('policy.d', 'a.conf'), POLICY_A_CONTENTS) + self.create_config_file( + os.path.join('policy.d', 'b.conf'), POLICY_B_CONTENTS) + self.enforcer.load_rules() + self.enforcer.load_rules() + self.assertEqual(1, mock_check_rules.call_count) + self.assertIsNotNone(self.enforcer.rules) + + @mock.patch('oslo_policy.policy.Enforcer.check_rules') + def test_load_directory_twice_force(self, mock_check_rules): + self.create_config_file( + os.path.join('policy.d', 'a.conf'), POLICY_A_CONTENTS) + self.create_config_file( + os.path.join('policy.d', 'b.conf'), POLICY_B_CONTENTS) + self.enforcer.load_rules(True) + self.enforcer.load_rules(True) + self.assertEqual(2, mock_check_rules.call_count) + self.assertIsNotNone(self.enforcer.rules) + + @mock.patch('oslo_policy.policy.Enforcer.check_rules') + def test_load_directory_twice_changed(self, mock_check_rules): + self.create_config_file( + os.path.join('policy.d', 'a.conf'), POLICY_A_CONTENTS) + self.enforcer.load_rules() + + # Touch the file + conf_path = os.path.join(self.config_dir, os.path.join( + 'policy.d', 'a.conf')) + stinfo = os.stat(conf_path) + os.utime(conf_path, (stinfo.st_atime + 10, stinfo.st_mtime + 10)) + + self.enforcer.load_rules() + self.assertEqual(2, mock_check_rules.call_count) + self.assertIsNotNone(self.enforcer.rules) + def test_set_rules_type(self): self.assertRaises(TypeError, self.enforcer.set_rules, @@ -646,6 +707,89 @@ self.enforcer.authorize, 'test', {}, {'roles': ['test']}) + def test_enforcer_accepts_context_objects(self): + rule = policy.RuleDefault(name='fake_rule', check_str='role:test') + self.enforcer.register_default(rule) + + request_context = context.RequestContext() + target_dict = {} + self.enforcer.enforce('fake_rule', target_dict, request_context) + + def test_enforcer_accepts_subclassed_context_objects(self): + rule = policy.RuleDefault(name='fake_rule', check_str='role:test') + self.enforcer.register_default(rule) + + class SpecializedContext(context.RequestContext): + pass + + request_context = SpecializedContext() + target_dict = {} + self.enforcer.enforce('fake_rule', target_dict, request_context) + + def test_enforcer_rejects_non_context_objects(self): + rule = policy.RuleDefault(name='fake_rule', check_str='role:test') + self.enforcer.register_default(rule) + + class InvalidContext(object): + pass + + request_context = InvalidContext() + target_dict = {} + self.assertRaises( + policy.InvalidContextObject, self.enforcer.enforce, 'fake_rule', + target_dict, request_context + ) + + @mock.patch.object(policy.Enforcer, '_map_context_attributes_into_creds') + def test_enforcer_call_map_context_attributes(self, map_mock): + rule = policy.RuleDefault(name='fake_rule', check_str='role:test') + self.enforcer.register_default(rule) + + request_context = context.RequestContext() + target_dict = {} + self.enforcer.enforce('fake_rule', target_dict, request_context) + map_mock.assert_called_once_with(request_context) + + def test_enforcer_consolidates_context_attributes_with_creds(self): + request_context = context.RequestContext() + expected_creds = request_context.to_policy_values() + + creds = self.enforcer._map_context_attributes_into_creds( + request_context + ) + + # We don't use self.assertDictEqual here because to_policy_values + # actaully returns a non-dict object that just behaves like a + # dictionary, but does some special handling when people access + # deprecated policy values. + for k, v in expected_creds.items(): + self.assertEqual(expected_creds[k], creds[k]) + + def test_map_context_attributes_populated_system(self): + request_context = context.RequestContext(system_scope='all') + expected_creds = request_context.to_policy_values() + expected_creds['system'] = 'all' + + creds = self.enforcer._map_context_attributes_into_creds( + request_context + ) + + # We don't use self.assertDictEqual here because to_policy_values + # actaully returns a non-dict object that just behaves like a + # dictionary, but does some special handling when people access + # deprecated policy values. + for k, v in expected_creds.items(): + self.assertEqual(expected_creds[k], creds[k]) + + def test_enforcer_accepts_policy_values_from_context(self): + rule = policy.RuleDefault(name='fake_rule', check_str='role:test') + self.enforcer.register_default(rule) + + request_context = context.RequestContext() + policy_values = request_context.to_policy_values() + target_dict = {} + self.enforcer.enforce('fake_rule', target_dict, policy_values) + class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase): def setUp(self): @@ -697,15 +841,17 @@ def test_check_explicit(self): rule = base.FakeCheck() - result = self.enforcer.enforce(rule, 'target', 'creds') - self.assertEqual(('target', 'creds', self.enforcer), result) + creds = {} + result = self.enforcer.enforce(rule, 'target', creds) + self.assertEqual(('target', creds, self.enforcer), result) def test_check_no_rules(self): # Clear the policy.json file created in setUp() self.create_config_file('policy.json', "{}") self.enforcer.default_rule = None self.enforcer.load_rules() - result = self.enforcer.enforce('rule', 'target', 'creds') + creds = {} + result = self.enforcer.enforce('rule', 'target', creds) self.assertFalse(result) def test_check_with_rule(self): @@ -722,7 +868,8 @@ self.create_config_file('policy.json', jsonutils.dumps({"a_rule": []})) self.enforcer.default_rule = None self.enforcer.load_rules() - result = self.enforcer.enforce('rule', 'target', 'creds') + creds = {} + result = self.enforcer.enforce('rule', 'target', creds) self.assertFalse(result) def test_check_raise_default(self): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml new/oslo.policy-1.38.1/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml --- old/oslo.policy-1.37.0/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-1.38.1/releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml 2018-07-20 03:10:38.000000000 +0200 @@ -0,0 +1,19 @@ +--- +features: + - | + [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_] + The ``enforce()`` method now supports the ability to parse ``oslo.context`` + objects if passed into ``enforce()`` as ``creds``. This provides more + consistent policy enforcement for service developers by ensuring the + attributes provided in policy enforcement are standardized. In this case + they are being standardized through the + ``oslo_context.context.RequestContext.to_policy_values()`` method. +fixes: + - | + [`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_] + The ``enforce()`` method now supports the ability to parse ``oslo.context`` + objects if passed into ``enforce()`` as ``creds``. This provides more + consistent policy enforcement for service developers by ensuring the + attributes provided in policy enforcement are standardized. In this case + they are being standardized through the + ``oslo_context.context.RequestContext.to_policy_values()`` method. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml new/oslo.policy-1.38.1/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml --- old/oslo.policy-1.37.0/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-1.38.1/releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml 2018-07-20 03:10:38.000000000 +0200 @@ -0,0 +1,6 @@ +--- +fixes: + - | + [`bug 1741073 https://bugs.launchpad.net/oslo.policy/+bug/1741073`_] + Documentation has been improved to include ``oslopolicy-sample-generator`` + and ``oslopolicy-list-redundant`` usage. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml new/oslo.policy-1.38.1/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml --- old/oslo.policy-1.37.0/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-1.38.1/releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml 2018-07-20 03:10:38.000000000 +0200 @@ -0,0 +1,7 @@ +--- +fixes: + - | + As reported in launchpad bug 1723030, under some circumstances policy + checks caused a significant performance degradation. This release includes + improved logic around rule validation to prevent that. + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/releasenotes/notes/reno.cache new/oslo.policy-1.38.1/releasenotes/notes/reno.cache --- old/oslo.policy-1.37.0/releasenotes/notes/reno.cache 2018-06-05 20:06:27.000000000 +0200 +++ new/oslo.policy-1.38.1/releasenotes/notes/reno.cache 2018-07-20 03:13:43.000000000 +0200 @@ -8,6 +8,45 @@ ``scope_types`` attributes. '] + releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml: + features: ['[`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_] + + The ``enforce()`` method now supports the ability to parse ``oslo.context`` + + objects if passed into ``enforce()`` as ``creds``. This provides more + + consistent policy enforcement for service developers by ensuring the + + attributes provided in policy enforcement are standardized. In this case + + they are being standardized through the + + ``oslo_context.context.RequestContext.to_policy_values()`` method. + + '] + fixes: ['[`bug 1779172 https://bugs.launchpad.net/keystone/+bug/1779172`_] + + The ``enforce()`` method now supports the ability to parse ``oslo.context`` + + objects if passed into ``enforce()`` as ``creds``. This provides more + + consistent policy enforcement for service developers by ensuring the + + attributes provided in policy enforcement are standardized. In this case + + they are being standardized through the + + ``oslo_context.context.RequestContext.to_policy_values()`` method. + + '] + releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml: + fixes: ['[`bug 1741073 https://bugs.launchpad.net/oslo.policy/+bug/1741073`_] + + Documentation has been improved to include ``oslopolicy-sample-generator`` + + and ``oslopolicy-list-redundant`` usage. + + '] releasenotes/notes/fix-rendering-for-deprecated-rules-d465292e4155f483.yaml: fixes: ['[`bug 1771442 https://bugs.launchpad.net/oslo.policy/+bug/1771442`_] @@ -16,8 +55,29 @@ when rendering sample policy files for documentation. '] + releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml: + fixes: ['As reported in launchpad bug 1723030, under some circumstances policy + + checks caused a significant performance degradation. This release includes + + improved logic around rule validation to prevent that. + + '] notes: - files: + - - releasenotes/notes/policy-check-performance-fbad83c7a4afd7d7.yaml + - !!binary | + OTA5YTFlYTNhN2FjZWI2ZTA2MzcwNThiOWM2YTUzZDE0MDQzZDZkMQ== + version: 1.38.1 +- files: + - - releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml + - !!binary | + Nzc1NjQxYTVmYzU0OWMyMGJlMzdjZjg2MmRlY2EzOTRiZjdmMmQyMQ== + - - releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml + - !!binary | + M2ZlOTViMmFlYmRlMjI2YmFiMGQ3MTA4ODVmNjBhMTg2MjQ5OWIxNg== + version: 1.38.0 +- files: - - releasenotes/notes/add-scope-types-to-sphinxext-cacd845c4575e965.yaml - !!binary | ZWIxNTQ2ZmRmYzE1N2ViY2UwZDUyY2JlZTU0ZTI4OThkMTNkZTI0NQ== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/requirements.txt new/oslo.policy-1.38.1/requirements.txt --- old/oslo.policy-1.37.0/requirements.txt 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/requirements.txt 2018-07-20 03:10:38.000000000 +0200 @@ -4,6 +4,7 @@ requests>=2.14.2 # Apache-2.0 oslo.config>=5.2.0 # Apache-2.0 +oslo.context>=2.21.0 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 PyYAML>=3.12 # MIT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/test-requirements.txt new/oslo.policy-1.38.1/test-requirements.txt --- old/oslo.policy-1.37.0/test-requirements.txt 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/test-requirements.txt 2018-07-20 03:10:38.000000000 +0200 @@ -4,13 +4,15 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0 oslotest>=3.2.0 # Apache-2.0 requests-mock>=1.1.0 # Apache-2.0 +stestr>=2.0.0 # Apache-2.0 +oslo.context>=2.21.0 # Apache-2.0 # computes code coverage percentages coverage!=4.4,>=4.0 # Apache-2.0 # These are needed for docs generation openstackdocstheme>=1.18.1 # Apache-2.0 -sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD +sphinx!=1.6.6,!=1.6.7,>=1.6.5 # BSD reno>=2.5.0 # Apache-2.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-1.37.0/tox.ini new/oslo.policy-1.38.1/tox.ini --- old/oslo.policy-1.37.0/tox.ini 2018-06-05 20:03:29.000000000 +0200 +++ new/oslo.policy-1.38.1/tox.ini 2018-07-20 03:10:38.000000000 +0200 @@ -3,18 +3,18 @@ envlist = py35,py27,pep8,docs [testenv] -basepython = python3 install_command = pip install {opts} {packages} deps = -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} -r{toxinidir}/test-requirements.txt -r{toxinidir}/requirements.txt -commands = python setup.py testr --slowest --testr-args='{posargs}' +commands = stestr run --slowest {posargs} [testenv:py27] basepython = python2.7 [testenv:pep8] +basepython = python3 deps = -r{toxinidir}/test-requirements.txt commands = @@ -23,12 +23,15 @@ bandit -r oslo_policy tests -n5 [testenv:venv] +basepython = python3 commands = {posargs} [testenv:docs] +basepython = python3 commands = python setup.py build_sphinx [testenv:cover] +basepython = python3 commands = python setup.py test --coverage --coverage-package-name=oslo_policy --testr-args='{posargs}' [flake8] @@ -42,9 +45,11 @@ import_exceptions = oslo_policy._i18n [testenv:releasenotes] +basepython = python3 commands = sphinx-build -a -E -W -d releasenotes/build/doctrees -b html releasenotes/source releasenotes/build/html [testenv:lower-constraints] +basepython = python3 deps = -c{toxinidir}/lower-constraints.txt -r{toxinidir}/test-requirements.txt