From 3f7cc0a4604643bb70f6702718760cded12cbf25 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 2 Oct 2017 16:55:36 +0000
Subject: [PATCH] Implement basic policy module in code

This change prepares the zaqar project to start implementing policies in code. Subsequent patches will register more zaqar policies in code and remove the corresponding entry from the policy file maintained in source. This is part of a community effort to provide better user experience for those having to maintain RBAC policy. More information on this effort can be found below: https://governance.openstack.org/tc/goals/queens/policy-in-code.html

bp policy-and-docs-in-code

Change-Id: I5d804b589df215fddc18257fc9f05ba2e0d708bd
---
 .../zaqar-policy-generator.conf | 3 ++
 etc/policy.json.sample | 2 --
 setup.cfg | 3 ++
 tox.ini | 4 +++
 zaqar/common/policies/__init__.py | 21 +++++++++++++
 zaqar/common/policies/base.py | 31 +++++++++++++++++++
 zaqar/transport/acl.py | 7 +++++
 7 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 etc/oslo-config-generator/zaqar-policy-generator.conf
 create mode 100644 zaqar/common/policies/__init__.py
 create mode 100644 zaqar/common/policies/base.py
diff --git a/etc/oslo-config-generator/zaqar-policy-generator.conf b/etc/oslo-config-generator/zaqar-policy-generator.conf
new file mode 100644
index 000000000..6a419956f
--- /dev/null
+++ b/etc/oslo-config-generator/zaqar-policy-generator.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/zaqar.policy.yaml.sample
+namespace = zaqar
diff --git a/etc/policy.json.sample b/etc/policy.json.sample
index 83a6bd5d4..e685911e4 100644
--- a/etc/policy.json.sample
+++ b/etc/policy.json.sample
@@ -1,6 +1,4 @@
 {
-    "context_is_admin": "role:admin",
-    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
     "default": "rule:admin_or_owner",
     "queues:get_all": "",
diff --git a/setup.cfg b/setup.cfg
index 6843e826c..02b25924f 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -87,6 +87,9 @@ zaqar.notification.tasks =
 tempest.test_plugins =
     zaqar_tests = zaqar.tests.tempest_plugin.plugin:ZaqarTempestPlugin
+oslo.policy.policies =
+    zaqar = zaqar.common.policies:list_rules
+
 [nosetests]
 where=zaqar/tests
 verbosity=2
diff --git a/tox.ini b/tox.ini
index e83c8363c..ebe6da552 100644
--- a/tox.ini
+++ b/tox.ini
@@ -34,6 +34,10 @@ commands = flake8
 commands =
     oslo-config-generator --config-file etc/oslo-config-generator/zaqar.conf
+[testenv:genpolicy]
+commands =
+    oslopolicy-sample-generator --config-file etc/oslo-config-generator/zaqar-policy-generator.conf
+
 [testenv:cover]
 commands =
     python setup.py testr --coverage \
diff --git a/zaqar/common/policies/__init__.py b/zaqar/common/policies/__init__.py
new file mode 100644
index 000000000..4f457a846
--- /dev/null
+++ b/zaqar/common/policies/__init__.py
@@ -0,0 +1,21 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import itertools
+
+from zaqar.common.policies import base
+
+
+def list_rules():
+    return itertools.chain(
+        base.list_rules()
+    )
diff --git a/zaqar/common/policies/base.py b/zaqar/common/policies/base.py
new file mode 100644
index 000000000..849e9bc38
--- /dev/null
+++ b/zaqar/common/policies/base.py
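Review bot: `list_rules()` in `zaqar/common/policies/__init__.py` has no docstring, and what it returns — an `itertools.chain` over `base.list_rules()` — is a single-pass iterator, which matters because the same function is published as the `oslo.policy.policies` entry point in the `setup.cfg` hunk, so a consumer that walks the result twice (count, then register) finds it empty the second time. Add `"""Return an iterable of every RuleDefault zaqar registers in code."""` and, if callers are expected to re-iterate, change the body to `return list(itertools.chain(base.list_rules()))`. The `setup.cfg` and `tox.ini` hunks on this line are configuration only.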
@@ -0,0 +1,31 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+ROLE_ADMIN = 'role:admin'
+RULE_ADMIN_OR_OWNER = 'is_admin:True or project_id:%(project_id)s'
+
+rules = [
+    policy.RuleDefault(
+        name='context_is_admin',
+        check_str=ROLE_ADMIN
+    ),
+    policy.RuleDefault(
+        name='admin_or_owner',
+        check_str=RULE_ADMIN_OR_OWNER
+    )
+]
+
+
+def list_rules():
+    return rules
diff --git a/zaqar/transport/acl.py b/zaqar/transport/acl.py
index 377563d04..e8fbafb18 100644
--- a/zaqar/transport/acl.py
+++ b/zaqar/transport/acl.py
@@ -18,6 +18,8 @@ import functools
 from oslo_policy import policy
+from zaqar.common import policies
+
 ENFORCER = None
@@ -25,6 +27,11 @@ def setup_policy(conf):
     global ENFORCER
     ENFORCER = policy.Enforcer(conf)
+    register_rules(ENFORCER)
+
+
+def register_rules(enforcer):
+    enforcer.register_defaults(policies.list_rules())
 def enforce(rule):
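Review bot: The two `policy.RuleDefault` entries in `zaqar/common/policies/base.py` carry no `description`, so the sample produced by the `genpolicy` tox env this patch adds will list `context_is_admin` and `admin_or_owner` with no explanation of what each gates, even though `RuleDefault` takes a `description=` keyword for exactly that. Based on the check strings, `description='Matches requests whose token carries the admin role.'` fits the first and `description='Grants access to an admin or to the owner of the project.'` the second. `list_rules()` also returns the module-level `rules` list itself, so any caller that appends to the result alters the defaults every later caller receives; `return tuple(rules)`, or a module docstring stating that the list is read-only, would close that.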