From 1d14b4067cc8863278ebe08da88e6a2cb652ff0b Mon Sep 17 00:00:00 2001 From: Gao Hanxiang Date: Wed, 22 Sep 2021 15:50:49 -0400 Subject: [PATCH] test: Add skyline-policy-manager unit test 1. Add skyline-policy-manager unit test case and tools 2. Update `setup` method type annotation 3. Move some constants to `skyline_policy_manager.constants` 4. Adjust import to use modules instead of functions 5. Update code format Change-Id: Ic72e21126de0b16e4d969ad48ce64c57542c4667 --- libs/skyline-policy-manager/Makefile | 19 +- libs/skyline-policy-manager/poetry.lock | 261 ++++--- libs/skyline-policy-manager/pyproject.toml | 17 +- .../skyline_policy_manager/cmd/manage.py | 34 +- .../skyline_policy_manager/constants.py | 29 + .../skyline_policy_manager/policies/base.py | 1 - .../skyline_policy_manager/policies/cinder.py | 39 +- .../skyline_policy_manager/policies/glance.py | 15 +- .../skyline_policy_manager/policies/heat.py | 658 ++++++++++++++---- .../skyline_policy_manager/policies/ironic.py | 416 ++++++++--- .../policies/keystone.py | 84 +-- .../policies/neutron.py | 36 +- .../skyline_policy_manager/policies/nova.py | 47 +- .../policies/octavia.py | 268 +++++-- .../skyline_policy_manager/policies/panko.py | 5 +- .../policies/placement.py | 21 +- libs/skyline-policy-manager/tests/conftest.py | 47 ++ libs/skyline-policy-manager/tests/fake.py | 87 +++ libs/skyline-policy-manager/tests/models.py | 36 + .../tests/unit/__init__.py | 0 .../tests/unit/cmd/__init__.py | 0 .../tests/unit/cmd/test_manage.py | 158 +++++ .../{ => unit}/test_skyline_policy_manager.py | 2 +- 23 files changed, 1751 insertions(+), 529 deletions(-) create mode 100644 libs/skyline-policy-manager/skyline_policy_manager/constants.py create mode 100644 libs/skyline-policy-manager/tests/conftest.py create mode 100644 libs/skyline-policy-manager/tests/fake.py create mode 100644 libs/skyline-policy-manager/tests/models.py create mode 100644 libs/skyline-policy-manager/tests/unit/__init__.py create mode 100644 libs/skyline-policy-manager/tests/unit/cmd/__init__.py create mode 100644 libs/skyline-policy-manager/tests/unit/cmd/test_manage.py rename libs/skyline-policy-manager/tests/{ => unit}/test_skyline_policy_manager.py (95%) diff --git a/libs/skyline-policy-manager/Makefile b/libs/skyline-policy-manager/Makefile index 4edcdf2..0a3417f 100644 --- a/libs/skyline-policy-manager/Makefile +++ b/libs/skyline-policy-manager/Makefile @@ -1,4 +1,5 @@ PYTHON ?= python3 +PY_FILES := $(shell git ls-files -- *.py | xargs) .PHONY: all @@ -25,24 +26,24 @@ package: .PHONY: fmt fmt: - poetry run isort $$(git ls-files -- **/*.py) - poetry run black --config ../../pyproject.toml $$(git ls-files -- **/*.py) - poetry run add-trailing-comma --py36-plus --exit-zero-even-if-changed $$(git ls-files -- **/*.py) + poetry run isort $(PY_FILES) + poetry run black --config ../../pyproject.toml $(PY_FILES) + poetry run add-trailing-comma --py36-plus --exit-zero-even-if-changed $(PY_FILES) .PHONY: lint lint: - poetry run mypy --config-file=../../mypy.ini $$(git ls-files -- **/*.py) - poetry run isort --check-only --diff $$(git ls-files -- **/*.py) - poetry run black --check --diff --color --config ../../pyproject.toml $$(git ls-files -- **/*.py) - poetry run flake8 $$(git ls-files -- **/*.py) + # poetry run mypy --strict --config-file=../../mypy.ini $(PY_FILES) + poetry run isort --check-only --diff $(PY_FILES) + poetry run black --check --diff --color --config ../../pyproject.toml $(PY_FILES) + poetry run flake8 --config ../../.flake8 $(PY_FILES) .PHONY: test test: - echo TODO + poetry run pytest .PHONY: clean clean: - rm -rf .venv dist + rm -rf .venv dist tmp htmlcov .coverage diff --git a/libs/skyline-policy-manager/poetry.lock b/libs/skyline-policy-manager/poetry.lock index 7e364ad..58411d5 100644 --- a/libs/skyline-policy-manager/poetry.lock +++ b/libs/skyline-policy-manager/poetry.lock @@ -173,6 +173,17 @@ category = "main" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +[[package]] +name = "coverage" +version = "5.5" +description = "Code coverage measurement for Python" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4" + +[package.extras] +toml = ["toml"] + [[package]] name = "debtcollector" version = "2.3.0" @@ -477,6 +488,14 @@ category = "dev" optional = false python-versions = "*" +[[package]] +name = "mimesis" +version = "4.1.3" +description = "Mimesis: fake data generator." +category = "dev" +optional = false +python-versions = "*" + [[package]] name = "msgpack" version = "1.0.2" @@ -977,7 +996,7 @@ WebTest = ">=1.3.1" [[package]] name = "platformdirs" -version = "2.3.0" +version = "2.4.0" description = "A small Python module for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." category = "dev" optional = false @@ -1024,17 +1043,6 @@ python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" [package.extras] twisted = ["twisted"] -[[package]] -name = "psutil" -version = "5.8.0" -description = "Cross-platform lib for process and system monitoring in Python." -category = "dev" -optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" - -[package.extras] -test = ["ipaddress", "mock", "unittest2", "enum34", "pywin32", "wmi"] - [[package]] name = "py" version = "1.10.0" @@ -1119,6 +1127,22 @@ toml = "*" [package.extras] testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "requests", "xmlschema"] +[[package]] +name = "pytest-cov" +version = "2.12.1" +description = "Pytest plugin for measuring coverage." +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" + +[package.dependencies] +coverage = ">=5.2.1" +pytest = ">=4.6" +toml = "*" + +[package.extras] +testing = ["fields", "hunter", "process-tests", "six", "pytest-xdist", "virtualenv"] + [[package]] name = "pytest-forked" version = "1.3.0" @@ -1131,6 +1155,29 @@ python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" py = "*" pytest = ">=3.10" +[[package]] +name = "pytest-html" +version = "3.1.1" +description = "pytest plugin for generating HTML reports" +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.dependencies] +pytest = ">=5.0,<6.0.0 || >6.0.0" +pytest-metadata = "*" + +[[package]] +name = "pytest-metadata" +version = "1.11.0" +description = "pytest plugin for test session metadata" +category = "dev" +optional = false +python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*" + +[package.dependencies] +pytest = ">=2.9.0" + [[package]] name = "pytest-xdist" version = "2.4.0" @@ -1141,7 +1188,6 @@ python-versions = ">=3.6" [package.dependencies] execnet = ">=1.1" -psutil = {version = ">=3.0", optional = true, markers = "extra == \"psutil\""} pytest = ">=6.0.0" pytest-forked = "*" @@ -1187,7 +1233,7 @@ python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*" [[package]] name = "regex" -version = "2021.8.28" +version = "2021.9.24" description = "Alternative regular expression module, to replace re." category = "dev" optional = false @@ -1584,7 +1630,7 @@ testing = ["pytest (>=4.6)", "pytest-checkdocs (>=2.4)", "pytest-flake8", "pytes [metadata] lock-version = "1.1" python-versions = "^3.8" -content-hash = "0737b8cb1359cd19a07102e508d51d838d1950a26bc2c68bcfd8918de08586ae" +content-hash = "65ef745e584aa6eddb35354f86597f253ad4b0b90a59a933aa84c06c14f45f68" [metadata.files] add-trailing-comma = [ @@ -1691,6 +1737,60 @@ colorama = [ {file = "colorama-0.4.4-py2.py3-none-any.whl", hash = "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"}, {file = "colorama-0.4.4.tar.gz", hash = "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b"}, ] +coverage = [ + {file = "coverage-5.5-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:b6d534e4b2ab35c9f93f46229363e17f63c53ad01330df9f2d6bd1187e5eaacf"}, + {file = "coverage-5.5-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:b7895207b4c843c76a25ab8c1e866261bcfe27bfaa20c192de5190121770672b"}, + {file = "coverage-5.5-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:c2723d347ab06e7ddad1a58b2a821218239249a9e4365eaff6649d31180c1669"}, + {file = "coverage-5.5-cp27-cp27m-manylinux2010_i686.whl", hash = "sha256:900fbf7759501bc7807fd6638c947d7a831fc9fdf742dc10f02956ff7220fa90"}, + {file = "coverage-5.5-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c"}, + {file = "coverage-5.5-cp27-cp27m-win32.whl", hash = "sha256:06191eb60f8d8a5bc046f3799f8a07a2d7aefb9504b0209aff0b47298333302a"}, + {file = "coverage-5.5-cp27-cp27m-win_amd64.whl", hash = "sha256:7501140f755b725495941b43347ba8a2777407fc7f250d4f5a7d2a1050ba8e82"}, + {file = "coverage-5.5-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:372da284cfd642d8e08ef606917846fa2ee350f64994bebfbd3afb0040436905"}, + {file = "coverage-5.5-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:8963a499849a1fc54b35b1c9f162f4108017b2e6db2c46c1bed93a72262ed083"}, + {file = "coverage-5.5-cp27-cp27mu-manylinux2010_i686.whl", hash = "sha256:869a64f53488f40fa5b5b9dcb9e9b2962a66a87dab37790f3fcfb5144b996ef5"}, + {file = "coverage-5.5-cp27-cp27mu-manylinux2010_x86_64.whl", hash = "sha256:4a7697d8cb0f27399b0e393c0b90f0f1e40c82023ea4d45d22bce7032a5d7b81"}, + {file = "coverage-5.5-cp310-cp310-macosx_10_14_x86_64.whl", hash = "sha256:8d0a0725ad7c1a0bcd8d1b437e191107d457e2ec1084b9f190630a4fb1af78e6"}, + {file = "coverage-5.5-cp310-cp310-manylinux1_x86_64.whl", hash = "sha256:51cb9476a3987c8967ebab3f0fe144819781fca264f57f89760037a2ea191cb0"}, + {file = "coverage-5.5-cp310-cp310-win_amd64.whl", hash = "sha256:c0891a6a97b09c1f3e073a890514d5012eb256845c451bd48f7968ef939bf4ae"}, + {file = "coverage-5.5-cp35-cp35m-macosx_10_9_x86_64.whl", hash = "sha256:3487286bc29a5aa4b93a072e9592f22254291ce96a9fbc5251f566b6b7343cdb"}, + {file = "coverage-5.5-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:deee1077aae10d8fa88cb02c845cfba9b62c55e1183f52f6ae6a2df6a2187160"}, + {file = "coverage-5.5-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6"}, + {file = "coverage-5.5-cp35-cp35m-manylinux2010_i686.whl", hash = "sha256:6c90e11318f0d3c436a42409f2749ee1a115cd8b067d7f14c148f1ce5574d701"}, + {file = "coverage-5.5-cp35-cp35m-manylinux2010_x86_64.whl", hash = "sha256:30c77c1dc9f253283e34c27935fded5015f7d1abe83bc7821680ac444eaf7793"}, + {file = "coverage-5.5-cp35-cp35m-win32.whl", hash = "sha256:9a1ef3b66e38ef8618ce5fdc7bea3d9f45f3624e2a66295eea5e57966c85909e"}, + {file = "coverage-5.5-cp35-cp35m-win_amd64.whl", hash = "sha256:972c85d205b51e30e59525694670de6a8a89691186012535f9d7dbaa230e42c3"}, + {file = "coverage-5.5-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:af0e781009aaf59e25c5a678122391cb0f345ac0ec272c7961dc5455e1c40066"}, + {file = "coverage-5.5-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:74d881fc777ebb11c63736622b60cb9e4aee5cace591ce274fb69e582a12a61a"}, + {file = "coverage-5.5-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:92b017ce34b68a7d67bd6d117e6d443a9bf63a2ecf8567bb3d8c6c7bc5014465"}, + {file = "coverage-5.5-cp36-cp36m-manylinux2010_i686.whl", hash = "sha256:d636598c8305e1f90b439dbf4f66437de4a5e3c31fdf47ad29542478c8508bbb"}, + {file = "coverage-5.5-cp36-cp36m-manylinux2010_x86_64.whl", hash = "sha256:41179b8a845742d1eb60449bdb2992196e211341818565abded11cfa90efb821"}, + {file = "coverage-5.5-cp36-cp36m-win32.whl", hash = "sha256:040af6c32813fa3eae5305d53f18875bedd079960822ef8ec067a66dd8afcd45"}, + {file = "coverage-5.5-cp36-cp36m-win_amd64.whl", hash = "sha256:5fec2d43a2cc6965edc0bb9e83e1e4b557f76f843a77a2496cbe719583ce8184"}, + {file = "coverage-5.5-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:18ba8bbede96a2c3dde7b868de9dcbd55670690af0988713f0603f037848418a"}, + {file = "coverage-5.5-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:2910f4d36a6a9b4214bb7038d537f015346f413a975d57ca6b43bf23d6563b53"}, + {file = "coverage-5.5-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:f0b278ce10936db1a37e6954e15a3730bea96a0997c26d7fee88e6c396c2086d"}, + {file = "coverage-5.5-cp37-cp37m-manylinux2010_i686.whl", hash = "sha256:796c9c3c79747146ebd278dbe1e5c5c05dd6b10cc3bcb8389dfdf844f3ead638"}, + {file = "coverage-5.5-cp37-cp37m-manylinux2010_x86_64.whl", hash = "sha256:53194af30d5bad77fcba80e23a1441c71abfb3e01192034f8246e0d8f99528f3"}, + {file = "coverage-5.5-cp37-cp37m-win32.whl", hash = "sha256:184a47bbe0aa6400ed2d41d8e9ed868b8205046518c52464fde713ea06e3a74a"}, + {file = "coverage-5.5-cp37-cp37m-win_amd64.whl", hash = "sha256:2949cad1c5208b8298d5686d5a85b66aae46d73eec2c3e08c817dd3513e5848a"}, + {file = "coverage-5.5-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:217658ec7187497e3f3ebd901afdca1af062b42cfe3e0dafea4cced3983739f6"}, + {file = "coverage-5.5-cp38-cp38-manylinux1_i686.whl", hash = "sha256:1aa846f56c3d49205c952d8318e76ccc2ae23303351d9270ab220004c580cfe2"}, + {file = "coverage-5.5-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:24d4a7de75446be83244eabbff746d66b9240ae020ced65d060815fac3423759"}, + {file = "coverage-5.5-cp38-cp38-manylinux2010_i686.whl", hash = "sha256:d1f8bf7b90ba55699b3a5e44930e93ff0189aa27186e96071fac7dd0d06a1873"}, + {file = "coverage-5.5-cp38-cp38-manylinux2010_x86_64.whl", hash = "sha256:970284a88b99673ccb2e4e334cfb38a10aab7cd44f7457564d11898a74b62d0a"}, + {file = "coverage-5.5-cp38-cp38-win32.whl", hash = "sha256:01d84219b5cdbfc8122223b39a954820929497a1cb1422824bb86b07b74594b6"}, + {file = "coverage-5.5-cp38-cp38-win_amd64.whl", hash = "sha256:2e0d881ad471768bf6e6c2bf905d183543f10098e3b3640fc029509530091502"}, + {file = "coverage-5.5-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:d1f9ce122f83b2305592c11d64f181b87153fc2c2bbd3bb4a3dde8303cfb1a6b"}, + {file = "coverage-5.5-cp39-cp39-manylinux1_i686.whl", hash = "sha256:13c4ee887eca0f4c5a247b75398d4114c37882658300e153113dafb1d76de529"}, + {file = "coverage-5.5-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:52596d3d0e8bdf3af43db3e9ba8dcdaac724ba7b5ca3f6358529d56f7a166f8b"}, + {file = "coverage-5.5-cp39-cp39-manylinux2010_i686.whl", hash = "sha256:2cafbbb3af0733db200c9b5f798d18953b1a304d3f86a938367de1567f4b5bff"}, + {file = "coverage-5.5-cp39-cp39-manylinux2010_x86_64.whl", hash = "sha256:44d654437b8ddd9eee7d1eaee28b7219bec228520ff809af170488fd2fed3e2b"}, + {file = "coverage-5.5-cp39-cp39-win32.whl", hash = "sha256:d314ed732c25d29775e84a960c3c60808b682c08d86602ec2c3008e1202e3bb6"}, + {file = "coverage-5.5-cp39-cp39-win_amd64.whl", hash = "sha256:13034c4409db851670bc9acd836243aeee299949bd5673e11844befcb0149f03"}, + {file = "coverage-5.5-pp36-none-any.whl", hash = "sha256:f030f8873312a16414c0d8e1a1ddff2d3235655a2174e3648b4fa66b3f2f1079"}, + {file = "coverage-5.5-pp37-none-any.whl", hash = "sha256:2a3859cb82dcbda1cfd3e6f71c27081d18aa251d20a17d87d26d4cd216fb0af4"}, + {file = "coverage-5.5.tar.gz", hash = "sha256:ebe78fe9a0e874362175b02371bdfbee64d8edc42a044253ddf4ee7d3c15212c"}, +] debtcollector = [ {file = "debtcollector-2.3.0-py3-none-any.whl", hash = "sha256:6f1fae29c9091a6f7e8f68da7ec17f3167f98abac13c019968e144108f381b7e"}, {file = "debtcollector-2.3.0.tar.gz", hash = "sha256:c7a9fac814ab5904e23905516b18356cc907e7d27c05da58d37103f001967846"}, @@ -1886,6 +1986,9 @@ mccabe = [ {file = "mccabe-0.6.1-py2.py3-none-any.whl", hash = "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42"}, {file = "mccabe-0.6.1.tar.gz", hash = "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f"}, ] +mimesis = [ + {file = "mimesis-4.1.3.tar.gz", hash = "sha256:90f36c21c1bb9944afc17178eb5868b0c85aa1fe49eb04bcbdafafd1ad4ca2ba"}, +] msgpack = [ {file = "msgpack-1.0.2-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:b6d9e2dae081aa35c44af9c4298de4ee72991305503442a5c74656d82b581fe9"}, {file = "msgpack-1.0.2-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:a99b144475230982aee16b3d249170f1cccebf27fb0a08e9f603b69637a62192"}, @@ -2084,8 +2187,8 @@ pecan = [ {file = "pecan-1.4.0.tar.gz", hash = "sha256:4b2acd6802a04b59e306d0a6ccf37701d24376f4dc044bbbafba3afdf9d3389a"}, ] platformdirs = [ - {file = "platformdirs-2.3.0-py3-none-any.whl", hash = "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648"}, - {file = "platformdirs-2.3.0.tar.gz", hash = "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f"}, + {file = "platformdirs-2.4.0-py3-none-any.whl", hash = "sha256:8868bbe3c3c80d42f20156f22e7131d2fb321f5bc86a2a345375c6481a67021d"}, + {file = "platformdirs-2.4.0.tar.gz", hash = "sha256:367a5e80b3d04d2428ffa76d33f124cf11e8fff2acdaa9b43d545f5c7d661ef2"}, ] pluggy = [ {file = "pluggy-1.0.0-py2.py3-none-any.whl", hash = "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"}, @@ -2099,36 +2202,6 @@ prometheus-client = [ {file = "prometheus_client-0.11.0-py2.py3-none-any.whl", hash = "sha256:b014bc76815eb1399da8ce5fc84b7717a3e63652b0c0f8804092c9363acab1b2"}, {file = "prometheus_client-0.11.0.tar.gz", hash = "sha256:3a8baade6cb80bcfe43297e33e7623f3118d660d41387593758e2fb1ea173a86"}, ] -psutil = [ - {file = "psutil-5.8.0-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:0066a82f7b1b37d334e68697faba68e5ad5e858279fd6351c8ca6024e8d6ba64"}, - {file = "psutil-5.8.0-cp27-cp27m-manylinux2010_i686.whl", hash = "sha256:0ae6f386d8d297177fd288be6e8d1afc05966878704dad9847719650e44fc49c"}, - {file = "psutil-5.8.0-cp27-cp27m-manylinux2010_x86_64.whl", hash = "sha256:12d844996d6c2b1d3881cfa6fa201fd635971869a9da945cf6756105af73d2df"}, - {file = "psutil-5.8.0-cp27-cp27mu-manylinux2010_i686.whl", hash = "sha256:02b8292609b1f7fcb34173b25e48d0da8667bc85f81d7476584d889c6e0f2131"}, - {file = "psutil-5.8.0-cp27-cp27mu-manylinux2010_x86_64.whl", hash = "sha256:6ffe81843131ee0ffa02c317186ed1e759a145267d54fdef1bc4ea5f5931ab60"}, - {file = "psutil-5.8.0-cp27-none-win32.whl", hash = "sha256:ea313bb02e5e25224e518e4352af4bf5e062755160f77e4b1767dd5ccb65f876"}, - {file = "psutil-5.8.0-cp27-none-win_amd64.whl", hash = "sha256:5da29e394bdedd9144c7331192e20c1f79283fb03b06e6abd3a8ae45ffecee65"}, - {file = "psutil-5.8.0-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:74fb2557d1430fff18ff0d72613c5ca30c45cdbfcddd6a5773e9fc1fe9364be8"}, - {file = "psutil-5.8.0-cp36-cp36m-manylinux2010_i686.whl", hash = "sha256:74f2d0be88db96ada78756cb3a3e1b107ce8ab79f65aa885f76d7664e56928f6"}, - {file = "psutil-5.8.0-cp36-cp36m-manylinux2010_x86_64.whl", hash = "sha256:99de3e8739258b3c3e8669cb9757c9a861b2a25ad0955f8e53ac662d66de61ac"}, - {file = "psutil-5.8.0-cp36-cp36m-win32.whl", hash = "sha256:36b3b6c9e2a34b7d7fbae330a85bf72c30b1c827a4366a07443fc4b6270449e2"}, - {file = "psutil-5.8.0-cp36-cp36m-win_amd64.whl", hash = "sha256:52de075468cd394ac98c66f9ca33b2f54ae1d9bff1ef6b67a212ee8f639ec06d"}, - {file = "psutil-5.8.0-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c6a5fd10ce6b6344e616cf01cc5b849fa8103fbb5ba507b6b2dee4c11e84c935"}, - {file = "psutil-5.8.0-cp37-cp37m-manylinux2010_i686.whl", hash = "sha256:61f05864b42fedc0771d6d8e49c35f07efd209ade09a5afe6a5059e7bb7bf83d"}, - {file = "psutil-5.8.0-cp37-cp37m-manylinux2010_x86_64.whl", hash = "sha256:0dd4465a039d343925cdc29023bb6960ccf4e74a65ad53e768403746a9207023"}, - {file = "psutil-5.8.0-cp37-cp37m-win32.whl", hash = "sha256:1bff0d07e76114ec24ee32e7f7f8d0c4b0514b3fae93e3d2aaafd65d22502394"}, - {file = "psutil-5.8.0-cp37-cp37m-win_amd64.whl", hash = "sha256:fcc01e900c1d7bee2a37e5d6e4f9194760a93597c97fee89c4ae51701de03563"}, - {file = "psutil-5.8.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6223d07a1ae93f86451d0198a0c361032c4c93ebd4bf6d25e2fb3edfad9571ef"}, - {file = "psutil-5.8.0-cp38-cp38-manylinux2010_i686.whl", hash = "sha256:d225cd8319aa1d3c85bf195c4e07d17d3cd68636b8fc97e6cf198f782f99af28"}, - {file = "psutil-5.8.0-cp38-cp38-manylinux2010_x86_64.whl", hash = "sha256:28ff7c95293ae74bf1ca1a79e8805fcde005c18a122ca983abf676ea3466362b"}, - {file = "psutil-5.8.0-cp38-cp38-win32.whl", hash = "sha256:ce8b867423291cb65cfc6d9c4955ee9bfc1e21fe03bb50e177f2b957f1c2469d"}, - {file = "psutil-5.8.0-cp38-cp38-win_amd64.whl", hash = "sha256:90f31c34d25b1b3ed6c40cdd34ff122b1887a825297c017e4cbd6796dd8b672d"}, - {file = "psutil-5.8.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:6323d5d845c2785efb20aded4726636546b26d3b577aded22492908f7c1bdda7"}, - {file = "psutil-5.8.0-cp39-cp39-manylinux2010_i686.whl", hash = "sha256:245b5509968ac0bd179287d91210cd3f37add77dad385ef238b275bad35fa1c4"}, - {file = "psutil-5.8.0-cp39-cp39-manylinux2010_x86_64.whl", hash = "sha256:90d4091c2d30ddd0a03e0b97e6a33a48628469b99585e2ad6bf21f17423b112b"}, - {file = "psutil-5.8.0-cp39-cp39-win32.whl", hash = "sha256:ea372bcc129394485824ae3e3ddabe67dc0b118d262c568b4d2602a7070afdb0"}, - {file = "psutil-5.8.0-cp39-cp39-win_amd64.whl", hash = "sha256:f4634b033faf0d968bb9220dd1c793b897ab7f1189956e1aa9eae752527127d3"}, - {file = "psutil-5.8.0.tar.gz", hash = "sha256:0c9ccb99ab76025f2f0bbecf341d4656e9c1351db8cc8a03ccd62e318ab4b5c6"}, -] py = [ {file = "py-1.10.0-py2.py3-none-any.whl", hash = "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"}, {file = "py-1.10.0.tar.gz", hash = "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3"}, @@ -2180,10 +2253,22 @@ pytest = [ {file = "pytest-6.2.5-py3-none-any.whl", hash = "sha256:7310f8d27bc79ced999e760ca304d69f6ba6c6649c0b60fb0e04a4a77cacc134"}, {file = "pytest-6.2.5.tar.gz", hash = "sha256:131b36680866a76e6781d13f101efb86cf674ebb9762eb70d3082b6f29889e89"}, ] +pytest-cov = [ + {file = "pytest-cov-2.12.1.tar.gz", hash = "sha256:261ceeb8c227b726249b376b8526b600f38667ee314f910353fa318caa01f4d7"}, + {file = "pytest_cov-2.12.1-py2.py3-none-any.whl", hash = "sha256:261bb9e47e65bd099c89c3edf92972865210c36813f80ede5277dceb77a4a62a"}, +] pytest-forked = [ {file = "pytest-forked-1.3.0.tar.gz", hash = "sha256:6aa9ac7e00ad1a539c41bec6d21011332de671e938c7637378ec9710204e37ca"}, {file = "pytest_forked-1.3.0-py2.py3-none-any.whl", hash = "sha256:dc4147784048e70ef5d437951728825a131b81714b398d5d52f17c7c144d8815"}, ] +pytest-html = [ + {file = "pytest-html-3.1.1.tar.gz", hash = "sha256:3ee1cf319c913d19fe53aeb0bc400e7b0bc2dbeb477553733db1dad12eb75ee3"}, + {file = "pytest_html-3.1.1-py3-none-any.whl", hash = "sha256:b7f82f123936a3f4d2950bc993c2c1ca09ce262c9ae12f9ac763a2401380b455"}, +] +pytest-metadata = [ + {file = "pytest-metadata-1.11.0.tar.gz", hash = "sha256:71b506d49d34e539cc3cfdb7ce2c5f072bea5c953320002c95968e0238f8ecf1"}, + {file = "pytest_metadata-1.11.0-py2.py3-none-any.whl", hash = "sha256:576055b8336dd4a9006dd2a47615f76f2f8c30ab12b1b1c039d99e834583523f"}, +] pytest-xdist = [ {file = "pytest-xdist-2.4.0.tar.gz", hash = "sha256:89b330316f7fc475f999c81b577c2b926c9569f3d397ae432c0c2e2496d61ff9"}, {file = "pytest_xdist-2.4.0-py3-none-any.whl", hash = "sha256:7b61ebb46997a0820a263553179d6d1e25a8c50d8a8620cd1aa1e20e3be99168"}, @@ -2240,47 +2325,47 @@ pyyaml = [ {file = "PyYAML-5.4.1.tar.gz", hash = "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e"}, ] regex = [ - {file = "regex-2021.8.28-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2"}, - {file = "regex-2021.8.28-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a"}, - {file = "regex-2021.8.28-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0"}, - {file = "regex-2021.8.28-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb"}, - {file = "regex-2021.8.28-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a"}, - {file = "regex-2021.8.28-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308"}, - {file = "regex-2021.8.28-cp310-cp310-win32.whl", hash = "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed"}, - {file = "regex-2021.8.28-cp310-cp310-win_amd64.whl", hash = "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8"}, - {file = "regex-2021.8.28-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c"}, - {file = "regex-2021.8.28-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c"}, - {file = "regex-2021.8.28-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13"}, - {file = "regex-2021.8.28-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0"}, - {file = "regex-2021.8.28-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1"}, - {file = "regex-2021.8.28-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f"}, - {file = "regex-2021.8.28-cp36-cp36m-win32.whl", hash = "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354"}, - {file = "regex-2021.8.28-cp36-cp36m-win_amd64.whl", hash = "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645"}, - {file = "regex-2021.8.28-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a"}, - {file = "regex-2021.8.28-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e"}, - {file = "regex-2021.8.28-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892"}, - {file = "regex-2021.8.28-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791"}, - {file = "regex-2021.8.28-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759"}, - {file = "regex-2021.8.28-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906"}, - {file = "regex-2021.8.28-cp37-cp37m-win32.whl", hash = "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a"}, - {file = "regex-2021.8.28-cp37-cp37m-win_amd64.whl", hash = "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc"}, - {file = "regex-2021.8.28-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd"}, - {file = "regex-2021.8.28-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797"}, - {file = "regex-2021.8.28-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f"}, - {file = "regex-2021.8.28-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256"}, - {file = "regex-2021.8.28-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b"}, - {file = "regex-2021.8.28-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e"}, - {file = "regex-2021.8.28-cp38-cp38-win32.whl", hash = "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d"}, - {file = "regex-2021.8.28-cp38-cp38-win_amd64.whl", hash = "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2"}, - {file = "regex-2021.8.28-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468"}, - {file = "regex-2021.8.28-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb"}, - {file = "regex-2021.8.28-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d"}, - {file = "regex-2021.8.28-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983"}, - {file = "regex-2021.8.28-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8"}, - {file = "regex-2021.8.28-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed"}, - {file = "regex-2021.8.28-cp39-cp39-win32.whl", hash = "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374"}, - {file = "regex-2021.8.28-cp39-cp39-win_amd64.whl", hash = "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73"}, - {file = "regex-2021.8.28.tar.gz", hash = "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1"}, + {file = "regex-2021.9.24-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:0628ed7d6334e8f896f882a5c1240de8c4d9b0dd7c7fb8e9f4692f5684b7d656"}, + {file = "regex-2021.9.24-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3baf3eaa41044d4ced2463fd5d23bf7bd4b03d68739c6c99a59ce1f95599a673"}, + {file = "regex-2021.9.24-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c000635fd78400a558bd7a3c2981bb2a430005ebaa909d31e6e300719739a949"}, + {file = "regex-2021.9.24-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:295bc8a13554a25ad31e44c4bedabd3c3e28bba027e4feeb9bb157647a2344a7"}, + {file = "regex-2021.9.24-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b0e3f59d3c772f2c3baaef2db425e6fc4149d35a052d874bb95ccfca10a1b9f4"}, + {file = "regex-2021.9.24-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:aea4006b73b555fc5bdb650a8b92cf486d678afa168cf9b38402bb60bf0f9c18"}, + {file = "regex-2021.9.24-cp310-cp310-win32.whl", hash = "sha256:09eb62654030f39f3ba46bc6726bea464069c29d00a9709e28c9ee9623a8da4a"}, + {file = "regex-2021.9.24-cp310-cp310-win_amd64.whl", hash = "sha256:8d80087320632457aefc73f686f66139801959bf5b066b4419b92be85be3543c"}, + {file = "regex-2021.9.24-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:7e3536f305f42ad6d31fc86636c54c7dafce8d634e56fef790fbacb59d499dd5"}, + {file = "regex-2021.9.24-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c31f35a984caffb75f00a86852951a337540b44e4a22171354fb760cefa09346"}, + {file = "regex-2021.9.24-cp36-cp36m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9c7cb25adba814d5f419733fe565f3289d6fa629ab9e0b78f6dff5fa94ab0456"}, + {file = "regex-2021.9.24-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:85c61bee5957e2d7be390392feac7e1d7abd3a49cbaed0c8cee1541b784c8561"}, + {file = "regex-2021.9.24-cp36-cp36m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c94722bf403b8da744b7d0bb87e1f2529383003ceec92e754f768ef9323f69ad"}, + {file = "regex-2021.9.24-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:6adc1bd68f81968c9d249aab8c09cdc2cbe384bf2d2cb7f190f56875000cdc72"}, + {file = "regex-2021.9.24-cp36-cp36m-win32.whl", hash = "sha256:2054dea683f1bda3a804fcfdb0c1c74821acb968093d0be16233873190d459e3"}, + {file = "regex-2021.9.24-cp36-cp36m-win_amd64.whl", hash = "sha256:7783d89bd5413d183a38761fbc68279b984b9afcfbb39fa89d91f63763fbfb90"}, + {file = "regex-2021.9.24-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:b15dc34273aefe522df25096d5d087abc626e388a28a28ac75a4404bb7668736"}, + {file = "regex-2021.9.24-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:10a7a9cbe30bd90b7d9a1b4749ef20e13a3528e4215a2852be35784b6bd070f0"}, + {file = "regex-2021.9.24-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fb9f5844db480e2ef9fce3a72e71122dd010ab7b2920f777966ba25f7eb63819"}, + {file = "regex-2021.9.24-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:17310b181902e0bb42b29c700e2c2346b8d81f26e900b1328f642e225c88bce1"}, + {file = "regex-2021.9.24-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0bba1f6df4eafe79db2ecf38835c2626dbd47911e0516f6962c806f83e7a99ae"}, + {file = "regex-2021.9.24-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:821e10b73e0898544807a0692a276e539e5bafe0a055506a6882814b6a02c3ec"}, + {file = "regex-2021.9.24-cp37-cp37m-win32.whl", hash = "sha256:9c371dd326289d85906c27ec2bc1dcdedd9d0be12b543d16e37bad35754bde48"}, + {file = "regex-2021.9.24-cp37-cp37m-win_amd64.whl", hash = "sha256:1e8d1898d4fb817120a5f684363b30108d7b0b46c7261264b100d14ec90a70e7"}, + {file = "regex-2021.9.24-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:8a5c2250c0a74428fd5507ae8853706fdde0f23bfb62ee1ec9418eeacf216078"}, + {file = "regex-2021.9.24-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8aec4b4da165c4a64ea80443c16e49e3b15df0f56c124ac5f2f8708a65a0eddc"}, + {file = "regex-2021.9.24-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:650c4f1fc4273f4e783e1d8e8b51a3e2311c2488ba0fcae6425b1e2c248a189d"}, + {file = "regex-2021.9.24-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:2cdb3789736f91d0b3333ac54d12a7e4f9efbc98f53cb905d3496259a893a8b3"}, + {file = "regex-2021.9.24-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4e61100200fa6ab7c99b61476f9f9653962ae71b931391d0264acfb4d9527d9c"}, + {file = "regex-2021.9.24-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:8c268e78d175798cd71d29114b0a1f1391c7d011995267d3b62319ec1a4ecaa1"}, + {file = "regex-2021.9.24-cp38-cp38-win32.whl", hash = "sha256:658e3477676009083422042c4bac2bdad77b696e932a3de001c42cc046f8eda2"}, + {file = "regex-2021.9.24-cp38-cp38-win_amd64.whl", hash = "sha256:a731552729ee8ae9c546fb1c651c97bf5f759018fdd40d0e9b4d129e1e3a44c8"}, + {file = "regex-2021.9.24-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:86f9931eb92e521809d4b64ec8514f18faa8e11e97d6c2d1afa1bcf6c20a8eab"}, + {file = "regex-2021.9.24-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dcbbc9cfa147d55a577d285fd479b43103188855074552708df7acc31a476dd9"}, + {file = "regex-2021.9.24-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:29385c4dbb3f8b3a55ce13de6a97a3d21bd00de66acd7cdfc0b49cb2f08c906c"}, + {file = "regex-2021.9.24-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_12_i686.manylinux2010_i686.whl", hash = "sha256:c50a6379763c733562b1fee877372234d271e5c78cd13ade5f25978aa06744db"}, + {file = "regex-2021.9.24-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6f74b6d8f59f3cfb8237e25c532b11f794b96f5c89a6f4a25857d85f84fbef11"}, + {file = "regex-2021.9.24-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl", hash = "sha256:6c4d83d21d23dd854ffbc8154cf293f4e43ba630aa9bd2539c899343d7f59da3"}, + {file = "regex-2021.9.24-cp39-cp39-win32.whl", hash = "sha256:95e89a8558c8c48626dcffdf9c8abac26b7c251d352688e7ab9baf351e1c7da6"}, + {file = "regex-2021.9.24-cp39-cp39-win_amd64.whl", hash = "sha256:835962f432bce92dc9bf22903d46c50003c8d11b1dc64084c8fae63bca98564a"}, + {file = "regex-2021.9.24.tar.gz", hash = "sha256:6266fde576e12357b25096351aac2b4b880b0066263e7bc7a9a1b4307991bb0e"}, ] "repoze.lru" = [ {file = "repoze.lru-0.7-py3-none-any.whl", hash = "sha256:f77bf0e1096ea445beadd35f3479c5cff2aa1efe604a133e67150bc8630a62ea"}, diff --git a/libs/skyline-policy-manager/pyproject.toml b/libs/skyline-policy-manager/pyproject.toml index ef2307d..3be37c1 100644 --- a/libs/skyline-policy-manager/pyproject.toml +++ b/libs/skyline-policy-manager/pyproject.toml @@ -19,11 +19,24 @@ black = "^21.5b1" add-trailing-comma = "*" flake8 = "*" mypy = "*" -pytest = "*" -pytest-xdist = {extras = ["psutil"], version = "*"} skyline-log = {path = "../skyline-log", develop = true} "oslo.log" = "*" neutron-lib = "*" +pytest = "*" +pytest-xdist = "*" +mimesis = "*" +pytest-cov = "*" +pytest-html = "*" + +[tool.pytest.ini_options] +minversion = "6.0" +addopts = "-v -s -p no:cacheprovider -n auto --cov=skyline_policy_manager --cov-append --cov-report=term-missing --cov-report=html" +testpaths = [ + "tests", +] +markers = [ + "ddt(*args: TestData): Mark the test as a data-driven test." +] [tool.poetry.scripts] skyline-policy-manager = "skyline_policy_manager.cmd.manage:main" diff --git a/libs/skyline-policy-manager/skyline_policy_manager/cmd/manage.py b/libs/skyline-policy-manager/skyline_policy_manager/cmd/manage.py index 37bfb8b..3db6997 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/cmd/manage.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/cmd/manage.py @@ -15,7 +15,7 @@ from __future__ import annotations import json -from importlib.metadata import entry_points +from importlib import metadata from logging import StreamHandler from pathlib import Path from typing import Callable, Dict, Iterable, List, Union @@ -23,25 +23,11 @@ from typing import Callable, Dict, Iterable, List, Union import click from oslo_policy.policy import DocumentedRuleDefault, RuleDefault # type: ignore from skyline_log import LOG, setup as log_setup - +from skyline_policy_manager import constants from skyline_policy_manager.policies import get_service_rules from skyline_policy_manager.policies.base import APIRule, Rule DEBUG = False -POLICY_NS = "oslo.policy.policies" -SUPPORTED_SERVICE_EPS = { - # openstack_service: [, ,] - "cinder": ["cinder"], - "glance": ["glance"], - "heat": ["heat"], - "ironic": ["ironic.api", "ironic_inspector.api"], - "keystone": ["keystone"], - "neutron": ["neutron", "neutron-vpnaas"], - "nova": ["nova"], - "octavia": ["octavia"], - "panko": ["panko"], - "placement": ["placement"], -} OSRules = Iterable[Union[DocumentedRuleDefault, RuleDefault]] @@ -50,7 +36,7 @@ def load_list_rules_funcs( namespace: str, service_eps: Dict[str, List[str]], ) -> Dict[str, Callable[[], OSRules]]: - eps = set(entry_points()[namespace]) + eps = set(metadata.entry_points()[namespace]) supported_eps = set() for ep_names in service_eps.values(): supported_eps.update(ep_names) @@ -58,7 +44,7 @@ def load_list_rules_funcs( def load_list_rules_func(namespace: str, service_ep: str) -> Union[None, Callable[[], OSRules]]: - eps = set(entry_points()[namespace]) + eps = set(metadata.entry_points()[namespace]) for ep in eps: if ep.name == service_ep: return ep.load() @@ -106,10 +92,10 @@ def policy_manager(debug: bool) -> None: @click.command(help="Generate sample policy yaml file.") @click.option("--dir", help='Directory of policy file.(default: "./tmp")', default="./tmp") def generate_sample(dir: str) -> None: - list_rules_funcs = load_list_rules_funcs(POLICY_NS, SUPPORTED_SERVICE_EPS) + list_rules_funcs = load_list_rules_funcs(constants.POLICY_NS, constants.SUPPORTED_SERVICE_EPS) rule_map = {} - for service, eps in SUPPORTED_SERVICE_EPS.items(): + for service, eps in constants.SUPPORTED_SERVICE_EPS.items(): rules = [] api_rules = [] for ep in eps: @@ -156,7 +142,7 @@ def generate_conf(dir: str, desc: str) -> None: @click.command(help="Generate service rule code.") @click.argument("entry_point") def generate_rule(entry_point: str) -> None: - ep_rules_func = load_list_rules_func(POLICY_NS, entry_point) + ep_rules_func = load_list_rules_func(constants.POLICY_NS, entry_point) if ep_rules_func is None: raise Exception( f"Not found entry point '{entry_point}' in oslo.policy.policies namespace.", @@ -226,10 +212,10 @@ __all__ = ("list_rules",) @click.command(help="Validate all policy rules.") @click.option("--diff", help="Output policy rule diff info.", is_flag=True, default=False) def validate(diff: bool) -> None: - list_rules_funcs = load_list_rules_funcs(POLICY_NS, SUPPORTED_SERVICE_EPS) + list_rules_funcs = load_list_rules_funcs(constants.POLICY_NS, constants.SUPPORTED_SERVICE_EPS) os_rule_map = {} - for service, eps in SUPPORTED_SERVICE_EPS.items(): + for service, eps in constants.SUPPORTED_SERVICE_EPS.items(): service_rules = {} for ep in eps: ep_rules = list_rules_funcs.get(ep, lambda: [])() @@ -276,7 +262,7 @@ def validate(diff: bool) -> None: LOG.info("Validate policy completed") -def main(): +def main() -> None: policy_manager.add_command(generate_sample) policy_manager.add_command(generate_conf) policy_manager.add_command(generate_rule) diff --git a/libs/skyline-policy-manager/skyline_policy_manager/constants.py b/libs/skyline-policy-manager/skyline_policy_manager/constants.py new file mode 100644 index 0000000..7f64962 --- /dev/null +++ b/libs/skyline-policy-manager/skyline_policy_manager/constants.py @@ -0,0 +1,29 @@ +# Copyright 2021 99cloud +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +POLICY_NS = "oslo.policy.policies" + +SUPPORTED_SERVICE_EPS = { + # openstack_service: [, ,] + "cinder": ["cinder"], + "glance": ["glance"], + "heat": ["heat"], + "ironic": ["ironic.api", "ironic_inspector.api"], + "keystone": ["keystone"], + "neutron": ["neutron", "neutron-vpnaas"], + "nova": ["nova"], + "octavia": ["octavia"], + "panko": ["panko"], + "placement": ["placement"], +} diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/base.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/base.py index fe3c261..a5c86e7 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/base.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/base.py @@ -18,7 +18,6 @@ from typing import List from oslo_policy import _parser # type: ignore from oslo_policy.policy import DocumentedRuleDefault, RuleDefault # type: ignore - from skyline_policy_manager.schema import Operation, OperationsSchema, ScopeTypesSchema diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/cinder.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/cinder.py index e27899a..c2c97ae 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/cinder.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/cinder.py @@ -66,7 +66,7 @@ list_rules = ( description="Mark a volume attachment process as completed (in-use)", scope_types=["project"], operations=[ - {"method": "POST", "path": "/attachments/{attachment_id}/action (os-complete)"} + {"method": "POST", "path": "/attachments/{attachment_id}/action (os-complete)"}, ], ), base.APIRule( @@ -251,7 +251,7 @@ list_rules = ( description="Reset status of a snapshot.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-reset_status)"} + {"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-reset_status)"}, ], ), base.APIRule( @@ -261,7 +261,10 @@ list_rules = ( description="Update database fields of snapshot.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/snapshots/{snapshot_id}/action (update_snapshot_status)"} + { + "method": "POST", + "path": "/snapshots/{snapshot_id}/action (update_snapshot_status)", + }, ], ), base.APIRule( @@ -271,7 +274,7 @@ list_rules = ( description="Force delete a snapshot.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-force_delete)"} + {"method": "POST", "path": "/snapshots/{snapshot_id}/action (os-force_delete)"}, ], ), base.APIRule( @@ -566,7 +569,7 @@ list_rules = ( description="Reset status of group snapshot.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/group_snapshots/{g_snapshot_id}/action (reset_status)"} + {"method": "POST", "path": "/group_snapshots/{g_snapshot_id}/action (reset_status)"}, ], ), base.APIRule( @@ -606,7 +609,7 @@ list_rules = ( description="Disable replication.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/groups/{group_id}/action (disable_replication)"} + {"method": "POST", "path": "/groups/{group_id}/action (disable_replication)"}, ], ), base.APIRule( @@ -618,7 +621,7 @@ list_rules = ( description="Fail over replication.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/groups/{group_id}/action (failover_replication)"} + {"method": "POST", "path": "/groups/{group_id}/action (failover_replication)"}, ], ), base.APIRule( @@ -630,7 +633,7 @@ list_rules = ( description="List failover replication.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/groups/{group_id}/action (list_replication_targets)"} + {"method": "POST", "path": "/groups/{group_id}/action (list_replication_targets)"}, ], ), base.APIRule( @@ -1023,7 +1026,7 @@ list_rules = ( description="Update a volume's readonly flag.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-update_readonly_flag)"}, ], ), base.APIRule( @@ -1041,7 +1044,7 @@ list_rules = ( description="Upload a volume to image with public visibility.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}, ], ), base.APIRule( @@ -1053,7 +1056,7 @@ list_rules = ( description="Upload a volume to image.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-volume_upload_image)"}, ], ), base.APIRule( @@ -1071,7 +1074,7 @@ list_rules = ( description="migrate a volume to a specified host.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume)"}, ], ), base.APIRule( @@ -1084,7 +1087,7 @@ list_rules = ( { "method": "POST", "path": "/volumes/{volume_id}/action (os-migrate_volume_completion)", - } + }, ], ), base.APIRule( @@ -1096,7 +1099,7 @@ list_rules = ( description="Initialize volume attachment.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-initialize_connection)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-initialize_connection)"}, ], ), base.APIRule( @@ -1108,7 +1111,7 @@ list_rules = ( description="Terminate volume attachment.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-terminate_connection)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-terminate_connection)"}, ], ), base.APIRule( @@ -1120,7 +1123,7 @@ list_rules = ( description="Roll back volume status to 'in-use'.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-roll_detaching)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-roll_detaching)"}, ], ), base.APIRule( @@ -1152,7 +1155,7 @@ list_rules = ( description="Begin detach volumes.", scope_types=["project"], operations=[ - {"method": "POST", "path": "/volumes/{volume_id}/action (os-begin_detaching)"} + {"method": "POST", "path": "/volumes/{volume_id}/action (os-begin_detaching)"}, ], ), base.APIRule( @@ -1351,7 +1354,7 @@ list_rules = ( description="Delete type extra specs.", scope_types=["project"], operations=[ - {"method": "DELETE", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"} + {"method": "DELETE", "path": "/types/{type_id}/extra_specs/{extra_spec_key}"}, ], ), base.APIRule( diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/glance.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/glance.py index d485313..ca2addd 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/glance.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/glance.py @@ -176,7 +176,9 @@ list_rules = ( ), base.APIRule( name="get_image", - check_str=("role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or \"community\":%(visibility)s or \"public\":%(visibility)s))"), + check_str=( + 'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))' + ), basic_check_str=("role:admin or role:reader or role:admin or role:member or role:reader"), description="Get specified image", scope_types=["system", "project"], @@ -216,7 +218,9 @@ list_rules = ( ), base.APIRule( name="download_image", - check_str=("role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or \"community\":%(visibility)s or \"public\":%(visibility)s))"), + check_str=( + 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s))' + ), basic_check_str=("role:admin or role:admin or role:member"), description="Downloads given image", scope_types=["system", "project"], @@ -356,7 +360,12 @@ list_rules = ( basic_check_str=("!"), description="\n#This is a generic blanket policy for protecting all task APIs. It is not\n#granular and will not allow you to separate writable and readable task\n#operations into different roles.\n#", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v2/tasks/{task_id}"}, {"method": "GET", "path": "/v2/tasks"}, {"method": "POST", "path": "/v2/tasks"}, {"method": "DELETE", "path": "/v2/tasks/{task_id}"}], + operations=[ + {"method": "GET", "path": "/v2/tasks/{task_id}"}, + {"method": "GET", "path": "/v2/tasks"}, + {"method": "POST", "path": "/v2/tasks"}, + {"method": "DELETE", "path": "/v2/tasks/{task_id}"}, + ], ), ) diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/heat.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/heat.py index 7c04fd0..ff1711e 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/heat.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/heat.py @@ -30,67 +30,93 @@ list_rules = ( ), base.Rule( name="cloudformation:ListStacks", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:CreateStack", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:DescribeStacks", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:DeleteStack", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:UpdateStack", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:CancelUpdateStack", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:DescribeStackEvents", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:ValidateTemplate", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:GetTemplate", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:EstimateTemplateCost", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:DescribeStackResource", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:DescribeStackResources", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( name="cloudformation:ListStackResources", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), description="No description", ), base.Rule( @@ -205,63 +231,107 @@ list_rules = ( ), base.APIRule( name="actions:action", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel update, or check stack resources). This is the default for all actions but can be overridden by more specific policies for individual actions.", scope_types=["project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="actions:snapshot", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create stack snapshot", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="actions:suspend", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Suspend a stack.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="actions:resume", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Resume a suspended stack.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="actions:check", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Check stack resources.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="actions:cancel_update", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Cancel stack operation and roll back.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="actions:cancel_without_rollback", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Cancel stack operation without rolling back.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}], + operations=[ + {"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions"}, + ], ), base.APIRule( name="build_info:build_info", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), basic_check_str=("@"), description="Show build information.", scope_types=["system", "project"], @@ -269,59 +339,116 @@ list_rules = ( ), base.APIRule( name="events:index", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List events.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events"}, + ], ), base.APIRule( name="events:show", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show event.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}", + }, + ], ), base.APIRule( name="resource:index", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List resources.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources"}, + ], ), base.APIRule( name="resource:metadata", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user" + ), description="Show resource metadata.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata", + }, + ], ), base.APIRule( name="resource:signal", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:heat_stack_user"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:heat_stack_user" + ), description="Signal resource.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal"}], + operations=[ + { + "method": "POST", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal", + }, + ], ), base.APIRule( name="resource:mark_unhealthy", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Mark resource as unhealthy.", scope_types=["system", "project"], - operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}"}], + operations=[ + { + "method": "PATCH", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}", + }, + ], ), base.APIRule( name="resource:show", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show resource.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}", + }, + ], ), base.APIRule( name="software_configs:global_index", @@ -333,131 +460,217 @@ list_rules = ( ), base.APIRule( name="software_configs:index", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List configs.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs"}], ), base.APIRule( name="software_configs:create", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create config.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_configs"}], ), base.APIRule( name="software_configs:show", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show config details.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_configs/{config_id}"}], ), base.APIRule( name="software_configs:delete", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Delete config.", scope_types=["system", "project"], operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_configs/{config_id}"}], ), base.APIRule( name="software_deployments:index", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List deployments.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments"}], ), base.APIRule( name="software_deployments:create", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create deployment.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/software_deployments"}], ), base.APIRule( name="software_deployments:show", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show deployment details.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}, + ], ), base.APIRule( name="software_deployments:update", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update deployment.", scope_types=["system", "project"], - operations=[{"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}], + operations=[ + {"method": "PUT", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}, + ], ), base.APIRule( name="software_deployments:delete", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Delete deployment.", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}], + operations=[ + {"method": "DELETE", "path": "/v1/{tenant_id}/software_deployments/{deployment_id}"}, + ], ), base.APIRule( name="software_deployments:metadata", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user" + ), description="Show server configuration metadata.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/software_deployments/metadata/{server_id}", + }, + ], ), base.APIRule( name="stacks:abandon", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Abandon stack.", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon"}], + operations=[ + { + "method": "DELETE", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon", + }, + ], ), base.APIRule( name="stacks:create", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create stack.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:delete", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Delete stack.", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], + operations=[ + {"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}, + ], ), base.APIRule( name="stacks:detail", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List stacks in detail.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:export", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Export stack.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export"}, + ], ), base.APIRule( name="stacks:generate_template", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Generate stack template.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}, + ], ), base.APIRule( name="stacks:global_index", @@ -469,15 +682,21 @@ list_rules = ( ), base.APIRule( name="stacks:index", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List stacks.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks"}], ), base.APIRule( name="stacks:list_resource_types", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), basic_check_str=("@"), description="List resource types.", scope_types=["system", "project"], @@ -485,7 +704,9 @@ list_rules = ( ), base.APIRule( name="stacks:list_template_versions", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), basic_check_str=("@"), description="List template versions.", scope_types=["system", "project"], @@ -493,31 +714,48 @@ list_rules = ( ), base.APIRule( name="stacks:list_template_functions", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), basic_check_str=("@"), description="List template functions.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/template_versions/{template_version}/functions"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/template_versions/{template_version}/functions", + }, + ], ), base.APIRule( name="stacks:lookup", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s or role:heat_stack_user" + ), description="Find stack.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}], ), base.APIRule( name="stacks:preview", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Preview stack.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/preview"}], ), base.APIRule( name="stacks:resource_schema", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), basic_check_str=("@"), description="Show resource type schema.", scope_types=["system", "project"], @@ -525,139 +763,251 @@ list_rules = ( ), base.APIRule( name="stacks:show", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show stack.", scope_types=["system", "project"], operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_identity}"}], ), base.APIRule( name="stacks:template", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Get stack template.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template"}, + ], ), base.APIRule( name="stacks:environment", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Get stack environment.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment", + }, + ], ), base.APIRule( name="stacks:files", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Get stack files.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files"}, + ], ), base.APIRule( name="stacks:update", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update stack.", scope_types=["system", "project"], operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], ), base.APIRule( name="stacks:update_patch", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update stack (PATCH).", scope_types=["system", "project"], - operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], + operations=[ + {"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}, + ], ), base.APIRule( name="stacks:update_no_change", check_str=("rule:stacks:update_patch"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update stack (PATCH) with no changes.", scope_types=["system", "project"], - operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}], + operations=[ + {"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}"}, + ], ), base.APIRule( name="stacks:preview_update", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Preview update stack.", scope_types=["system", "project"], - operations=[{"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}], + operations=[ + {"method": "PUT", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}, + ], ), base.APIRule( name="stacks:preview_update_patch", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Preview update stack (PATCH).", scope_types=["system", "project"], - operations=[{"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}], + operations=[ + {"method": "PATCH", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview"}, + ], ), base.APIRule( name="stacks:validate_template", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Validate template.", scope_types=["system", "project"], operations=[{"method": "POST", "path": "/v1/{tenant_id}/validate"}], ), base.APIRule( name="stacks:snapshot", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Snapshot Stack.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}], + operations=[ + { + "method": "POST", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots", + }, + ], ), base.APIRule( name="stacks:show_snapshot", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show snapshot.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}", + }, + ], ), base.APIRule( name="stacks:delete_snapshot", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Delete snapshot.", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}"}], + operations=[ + { + "method": "DELETE", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}", + }, + ], ), base.APIRule( name="stacks:list_snapshots", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List snapshots.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots"}, + ], ), base.APIRule( name="stacks:restore_snapshot", - check_str=("(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + check_str=( + "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Restore snapshot.", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore"}], + operations=[ + { + "method": "POST", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore", + }, + ], ), base.APIRule( name="stacks:list_outputs", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List outputs.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}], + operations=[ + {"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs"}, + ], ), base.APIRule( name="stacks:show_output", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show outputs.", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}"}], + operations=[ + { + "method": "GET", + "path": "/v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}", + }, + ], ), ) diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/ironic.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/ironic.py index 66a2951..100fa6f 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/ironic.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/ironic.py @@ -25,7 +25,9 @@ list_rules = ( ), base.Rule( name="is_member", - check_str=("(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"), + check_str=( + "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)" + ), description="May be used to restrict access to specific projects", ), base.Rule( @@ -67,7 +69,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Node records, filtered by an explicit owner or the client project_id", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}], + operations=[ + {"method": "GET", "path": "/nodes"}, + {"method": "GET", "path": "/nodes/detail"}, + ], ), base.APIRule( name="baremetal:node:list_all", @@ -75,11 +80,16 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Node records", scope_types=["system"], - operations=[{"method": "GET", "path": "/nodes"}, {"method": "GET", "path": "/nodes/detail"}], + operations=[ + {"method": "GET", "path": "/nodes"}, + {"method": "GET", "path": "/nodes/detail"}, + ], ), base.APIRule( name="baremetal:node:get", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve a single Node record", scope_types=["system", "project"], @@ -95,7 +105,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get:last_error", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin or role:reader"), description="Governs if the node last_error field is masked from APIclients with insufficent privileges.", scope_types=["system", "project"], @@ -103,7 +115,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get:reservation", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin or role:reader"), description="Governs if the node reservation field is masked from APIclients with insufficent privileges.", scope_types=["system", "project"], @@ -111,7 +125,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get:driver_internal_info", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin or role:reader"), description="Governs if the node driver_internal_info field is masked from API clients with insufficent privileges.", scope_types=["system", "project"], @@ -119,7 +135,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get:driver_info", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin or role:reader"), description="Governs if the driver_info field is masked from APIclients with insufficent privileges.", scope_types=["system", "project"], @@ -127,7 +145,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:driver_info", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node driver_info field can be updated via the API clients.", scope_types=["system", "project"], @@ -135,7 +155,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:properties", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node properties field can be updated via the API clients.", scope_types=["system", "project"], @@ -151,7 +173,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:instance_uuid", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node instance_uuid field can be updated via the API clients.", scope_types=["system", "project"], @@ -159,7 +183,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:lessee", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node lessee field can be updated via the API clients.", scope_types=["system", "project"], @@ -175,7 +201,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:driver_interfaces", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node driver and driver interfaces field can be updated via the API clients.", scope_types=["system", "project"], @@ -183,7 +211,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:network_data", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node driver_info field can be updated via the API clients.", scope_types=["system", "project"], @@ -199,7 +229,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:name", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node name field can be updated via the API clients.", scope_types=["system", "project"], @@ -207,7 +239,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update:retired", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Governs if node retired and retired reason can be updated by API clients.", scope_types=["system", "project"], @@ -215,7 +249,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update", - check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin"), description="Generalized update of node records", scope_types=["system", "project"], @@ -223,7 +259,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update_extra", - check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin"), description="Update Node extra field", scope_types=["system", "project"], @@ -231,7 +269,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:update_instance_info", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Update Node instance_info field", scope_types=["system", "project"], @@ -255,7 +295,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:validate", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Request active validation of Nodes", scope_types=["system", "project"], @@ -263,7 +305,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:set_maintenance", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Set maintenance flag, taking a Node out of service", scope_types=["system", "project"], @@ -271,7 +315,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:clear_maintenance", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Clear maintenance flag, placing the Node into service again", scope_types=["system", "project"], @@ -279,15 +325,22 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get_boot_device", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Node boot device metadata", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}], + operations=[ + {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device"}, + {"method": "GET", "path": "/nodes/{node_ident}/management/boot_device/supported"}, + ], ), base.APIRule( name="baremetal:node:set_boot_device", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Change Node boot device", scope_types=["system", "project"], @@ -295,23 +348,40 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get_indicator_state", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Node indicators and their states", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}, {"method": "GET", "path": "/nodes/{node_ident}/management/indicators"}], + operations=[ + { + "method": "GET", + "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}", + }, + {"method": "GET", "path": "/nodes/{node_ident}/management/indicators"}, + ], ), base.APIRule( name="baremetal:node:set_indicator_state", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Change Node indicator state", scope_types=["system", "project"], - operations=[{"method": "PUT", "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}"}], + operations=[ + { + "method": "PUT", + "path": "/nodes/{node_ident}/management/indicators/{component}/{indicator}", + }, + ], ), base.APIRule( name="baremetal:node:inject_nmi", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Inject NMI for a node", scope_types=["system", "project"], @@ -319,7 +389,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get_states", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="View Node power and provision state", scope_types=["system", "project"], @@ -327,7 +399,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:set_power_state", - check_str=("(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:member and system_scope:all) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin"), description="Change Node power status", scope_types=["system", "project"], @@ -335,7 +409,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:set_provision_state", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Change Node provision status", scope_types=["system", "project"], @@ -343,7 +419,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:set_raid_state", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Change Node RAID status", scope_types=["system", "project"], @@ -351,7 +429,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:get_console", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Get Node console connection information", scope_types=["system", "project"], @@ -359,7 +439,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:set_console_state", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Change Node console status", scope_types=["system", "project"], @@ -367,7 +449,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:vif:list", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin"), description="List VIFs attached to node", scope_types=["system", "project"], @@ -375,7 +459,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:vif:attach", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Attach a VIF to a node", scope_types=["system", "project"], @@ -383,7 +469,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:vif:detach", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Detach a VIF from a node", scope_types=["system", "project"], @@ -391,7 +479,9 @@ list_rules = ( ), base.APIRule( name="baremetal:node:traits:list", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="List node traits", scope_types=["system", "project"], @@ -399,27 +489,42 @@ list_rules = ( ), base.APIRule( name="baremetal:node:traits:set", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Add a trait to, or replace all traits of, a node", scope_types=["system", "project"], - operations=[{"method": "PUT", "path": "/nodes/{node_ident}/traits"}, {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}], + operations=[ + {"method": "PUT", "path": "/nodes/{node_ident}/traits"}, + {"method": "PUT", "path": "/nodes/{node_ident}/traits/{trait}"}, + ], ), base.APIRule( name="baremetal:node:traits:delete", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Remove one or all traits from a node", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}], + operations=[ + {"method": "DELETE", "path": "/nodes/{node_ident}/traits"}, + {"method": "DELETE", "path": "/nodes/{node_ident}/traits/{trait}"}, + ], ), base.APIRule( name="baremetal:node:bios:get", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Node BIOS information", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/nodes/{node_ident}/bios"}, {"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"}], + operations=[ + {"method": "GET", "path": "/nodes/{node_ident}/bios"}, + {"method": "GET", "path": "/nodes/{node_ident}/bios/{setting}"}, + ], ), base.APIRule( name="baremetal:node:disable_cleaning", @@ -431,11 +536,19 @@ list_rules = ( ), base.APIRule( name="baremetal:port:get", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Port records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/ports/{port_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/ports"}, {"method": "GET", "path": "/nodes/{node_ident}/ports/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"}], + operations=[ + {"method": "GET", "path": "/ports/{port_id}"}, + {"method": "GET", "path": "/nodes/{node_ident}/ports"}, + {"method": "GET", "path": "/nodes/{node_ident}/ports/detail"}, + {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports"}, + {"method": "GET", "path": "/portgroups/{portgroup_ident}/ports/detail"}, + ], ), base.APIRule( name="baremetal:port:list", @@ -443,7 +556,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records, filtered by owner", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}], + operations=[ + {"method": "GET", "path": "/ports"}, + {"method": "GET", "path": "/ports/detail"}, + ], ), base.APIRule( name="baremetal:port:list_all", @@ -451,11 +567,16 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/ports"}, {"method": "GET", "path": "/ports/detail"}], + operations=[ + {"method": "GET", "path": "/ports"}, + {"method": "GET", "path": "/ports/detail"}, + ], ), base.APIRule( name="baremetal:port:create", - check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Create Port records", scope_types=["system", "project"], @@ -463,7 +584,9 @@ list_rules = ( ), base.APIRule( name="baremetal:port:delete", - check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Delete Port records", scope_types=["system", "project"], @@ -471,7 +594,9 @@ list_rules = ( ), base.APIRule( name="baremetal:port:update", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Update Port records", scope_types=["system", "project"], @@ -479,15 +604,25 @@ list_rules = ( ), base.APIRule( name="baremetal:portgroup:get", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Portgroup records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}, {"method": "GET", "path": "/portgroups/{portgroup_ident}"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups"}, {"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"}], + operations=[ + {"method": "GET", "path": "/portgroups"}, + {"method": "GET", "path": "/portgroups/detail"}, + {"method": "GET", "path": "/portgroups/{portgroup_ident}"}, + {"method": "GET", "path": "/nodes/{node_ident}/portgroups"}, + {"method": "GET", "path": "/nodes/{node_ident}/portgroups/detail"}, + ], ), base.APIRule( name="baremetal:portgroup:create", - check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Create Portgroup records", scope_types=["system", "project"], @@ -495,7 +630,9 @@ list_rules = ( ), base.APIRule( name="baremetal:portgroup:delete", - check_str=("(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:admin and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Delete Portgroup records", scope_types=["system", "project"], @@ -503,7 +640,9 @@ list_rules = ( ), base.APIRule( name="baremetal:portgroup:update", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s)" + ), basic_check_str=("role:admin"), description="Update Portgroup records", scope_types=["system", "project"], @@ -515,7 +654,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records, filtered by owner", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}], + operations=[ + {"method": "GET", "path": "/portgroups"}, + {"method": "GET", "path": "/portgroups/detail"}, + ], ), base.APIRule( name="baremetal:portgroup:list_all", @@ -523,7 +665,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve multiple Port records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/portgroups"}, {"method": "GET", "path": "/portgroups/detail"}], + operations=[ + {"method": "GET", "path": "/portgroups"}, + {"method": "GET", "path": "/portgroups/detail"}, + ], ), base.APIRule( name="baremetal:chassis:get", @@ -531,7 +676,11 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve Chassis records", scope_types=["system"], - operations=[{"method": "GET", "path": "/chassis"}, {"method": "GET", "path": "/chassis/detail"}, {"method": "GET", "path": "/chassis/{chassis_id}"}], + operations=[ + {"method": "GET", "path": "/chassis"}, + {"method": "GET", "path": "/chassis/detail"}, + {"method": "GET", "path": "/chassis/{chassis_id}"}, + ], ), base.APIRule( name="baremetal:chassis:create", @@ -563,7 +712,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="View list of available drivers", scope_types=["system"], - operations=[{"method": "GET", "path": "/drivers"}, {"method": "GET", "path": "/drivers/{driver_name}"}], + operations=[ + {"method": "GET", "path": "/drivers"}, + {"method": "GET", "path": "/drivers/{driver_name}"}, + ], ), base.APIRule( name="baremetal:driver:get_properties", @@ -579,7 +731,9 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="View driver-specific RAID metadata", scope_types=["system"], - operations=[{"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"}], + operations=[ + {"method": "GET", "path": "/drivers/{driver_name}/raid/logical_disk_properties"}, + ], ), base.APIRule( name="baremetal:node:vendor_passthru", @@ -587,7 +741,20 @@ list_rules = ( basic_check_str=("role:admin"), description="Access vendor-specific Node functions", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"}, {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}], + operations=[ + {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru/methods"}, + {"method": "GET", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, + {"method": "PUT", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, + {"method": "POST", "path": "nodes/{node_ident}/vendor_passthru?method={method_name}"}, + { + "method": "PATCH", + "path": "nodes/{node_ident}/vendor_passthru?method={method_name}", + }, + { + "method": "DELETE", + "path": "nodes/{node_ident}/vendor_passthru?method={method_name}", + }, + ], ), base.APIRule( name="baremetal:driver:vendor_passthru", @@ -595,7 +762,29 @@ list_rules = ( basic_check_str=("role:admin"), description="Access vendor-specific Driver functions", scope_types=["system"], - operations=[{"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"}, {"method": "GET", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PUT", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "POST", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "PATCH", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}, {"method": "DELETE", "path": "drivers/{driver_name}/vendor_passthru?method={method_name}"}], + operations=[ + {"method": "GET", "path": "drivers/{driver_name}/vendor_passthru/methods"}, + { + "method": "GET", + "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", + }, + { + "method": "PUT", + "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", + }, + { + "method": "POST", + "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", + }, + { + "method": "PATCH", + "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", + }, + { + "method": "DELETE", + "path": "drivers/{driver_name}/vendor_passthru?method={method_name}", + }, + ], ), base.APIRule( name="baremetal:node:ipa_heartbeat", @@ -619,7 +808,12 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve a list of all Volume connector and target records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}], + operations=[ + {"method": "GET", "path": "/volume/connectors"}, + {"method": "GET", "path": "/volume/targets"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}, + ], ), base.APIRule( name="baremetal:volume:list", @@ -627,39 +821,70 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve a list of Volume connector and target records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}], + operations=[ + {"method": "GET", "path": "/volume/connectors"}, + {"method": "GET", "path": "/volume/targets"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}, + ], ), base.APIRule( name="baremetal:volume:get", - check_str=("(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Volume connector and target records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/volume"}, {"method": "GET", "path": "/volume/connectors"}, {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/volume"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}], + operations=[ + {"method": "GET", "path": "/volume"}, + {"method": "GET", "path": "/volume/connectors"}, + {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, + {"method": "GET", "path": "/volume/targets"}, + {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume/connectors"}, + {"method": "GET", "path": "/nodes/{node_ident}/volume/targets"}, + ], ), base.APIRule( name="baremetal:volume:create", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Create Volume connector and target records", scope_types=["system", "project"], - operations=[{"method": "POST", "path": "/volume/connectors"}, {"method": "POST", "path": "/volume/targets"}], + operations=[ + {"method": "POST", "path": "/volume/connectors"}, + {"method": "POST", "path": "/volume/targets"}, + ], ), base.APIRule( name="baremetal:volume:delete", - check_str=("(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Delete Volume connector and target records", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}], + operations=[ + {"method": "DELETE", "path": "/volume/connectors/{volume_connector_id}"}, + {"method": "DELETE", "path": "/volume/targets/{volume_target_id}"}, + ], ), base.APIRule( name="baremetal:volume:update", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s)" + ), basic_check_str=("role:admin"), description="Update Volume connector and target records", scope_types=["system", "project"], - operations=[{"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}], + operations=[ + {"method": "PATCH", "path": "/volume/connectors/{volume_connector_id}"}, + {"method": "PATCH", "path": "/volume/targets/{volume_target_id}"}, + ], ), base.APIRule( name="baremetal:volume:view_target_properties", @@ -667,7 +892,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Ability to view volume target properties", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, {"method": "GET", "path": "/volume/targets/{volume_target_id}"}], + operations=[ + {"method": "GET", "path": "/volume/connectors/{volume_connector_id}"}, + {"method": "GET", "path": "/volume/targets/{volume_target_id}"}, + ], ), base.APIRule( name="baremetal:conductor:get", @@ -675,15 +903,23 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve Conductor records", scope_types=["system"], - operations=[{"method": "GET", "path": "/conductors"}, {"method": "GET", "path": "/conductors/{hostname}"}], + operations=[ + {"method": "GET", "path": "/conductors"}, + {"method": "GET", "path": "/conductors/{hostname}"}, + ], ), base.APIRule( name="baremetal:allocation:get", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(allocation.owner)s)" + ), basic_check_str=("role:admin or role:reader"), description="Retrieve Allocation records", scope_types=["system", "project"], - operations=[{"method": "GET", "path": "/allocations/{allocation_id}"}, {"method": "GET", "path": "/nodes/{node_ident}/allocation"}], + operations=[ + {"method": "GET", "path": "/allocations/{allocation_id}"}, + {"method": "GET", "path": "/nodes/{node_ident}/allocation"}, + ], ), base.APIRule( name="baremetal:allocation:list", @@ -719,15 +955,22 @@ list_rules = ( ), base.APIRule( name="baremetal:allocation:delete", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)" + ), basic_check_str=("role:admin"), description="Delete Allocation records", scope_types=["system", "project"], - operations=[{"method": "DELETE", "path": "/allocations/{allocation_id}"}, {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}], + operations=[ + {"method": "DELETE", "path": "/allocations/{allocation_id}"}, + {"method": "DELETE", "path": "/nodes/{node_ident}/allocation"}, + ], ), base.APIRule( name="baremetal:allocation:update", - check_str=("(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)"), + check_str=( + "(role:member and system_scope:all) or (role:member and project_id:%(allocation.owner)s)" + ), basic_check_str=("role:admin"), description="Change name and extra fields of an allocation", scope_types=["system", "project"], @@ -735,7 +978,9 @@ list_rules = ( ), base.APIRule( name="baremetal:allocation:create_pre_rbac", - check_str=("(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)"), + check_str=( + "(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)" + ), basic_check_str=("role:admin"), description="Logical restrictor to prevent legacy allocation rule missuse - Requires blank allocations to originate from the legacy baremetal_admin.", scope_types=["project"], @@ -755,7 +1000,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Retrieve Deploy Template records", scope_types=["system"], - operations=[{"method": "GET", "path": "/deploy_templates"}, {"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"}], + operations=[ + {"method": "GET", "path": "/deploy_templates"}, + {"method": "GET", "path": "/deploy_templates/{deploy_template_ident}"}, + ], ), base.APIRule( name="baremetal:deploy_template:create", diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/keystone.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/keystone.py index af2b926..45d2aa3 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/keystone.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/keystone.py @@ -72,7 +72,7 @@ list_rules = ( description="Delete an access_rule.", scope_types=["system", "project"], operations=[ - {"method": "DELETE", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"} + {"method": "DELETE", "path": "/v3/users/{user_id}/access_rules/{access_rule_id}"}, ], ), base.APIRule( @@ -93,7 +93,7 @@ list_rules = ( { "method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", - } + }, ], ), base.APIRule( @@ -106,7 +106,7 @@ list_rules = ( { "method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}", - } + }, ], ), base.APIRule( @@ -127,7 +127,7 @@ list_rules = ( { "method": "GET", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles", - } + }, ], ), base.APIRule( @@ -140,7 +140,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", - } + }, ], ), base.APIRule( @@ -189,7 +189,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/users/{user_id}/application_credentials/{application_credential_id}", - } + }, ], ), base.APIRule( @@ -448,7 +448,7 @@ list_rules = ( description="Show ec2 credential details.", scope_types=["system", "project"], operations=[ - {"method": "GET", "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}"} + {"method": "GET", "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}"}, ], ), base.APIRule( @@ -474,7 +474,10 @@ list_rules = ( description="Delete ec2 credential.", scope_types=["system", "project"], operations=[ - {"method": "DELETE", "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}"} + { + "method": "DELETE", + "path": "/v3/users/{user_id}/credentials/OS-EC2/{credential_id}", + }, ], ), base.APIRule( @@ -551,7 +554,7 @@ list_rules = ( description="Update endpoint group.", scope_types=["system"], operations=[ - {"method": "PATCH", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"} + {"method": "PATCH", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"}, ], ), base.APIRule( @@ -561,7 +564,7 @@ list_rules = ( description="Delete endpoint group.", scope_types=["system"], operations=[ - {"method": "DELETE", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"} + {"method": "DELETE", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}"}, ], ), base.APIRule( @@ -574,7 +577,7 @@ list_rules = ( { "method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects", - } + }, ], ), base.APIRule( @@ -587,7 +590,7 @@ list_rules = ( { "method": "GET", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints", - } + }, ], ), base.APIRule( @@ -614,7 +617,7 @@ list_rules = ( description="List endpoint groups associated with a specific project.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups"} + {"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups"}, ], ), base.APIRule( @@ -627,7 +630,7 @@ list_rules = ( { "method": "PUT", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", - } + }, ], ), base.APIRule( @@ -640,7 +643,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", - } + }, ], ), base.APIRule( @@ -1058,7 +1061,7 @@ list_rules = ( description="Delete identity provider.", scope_types=["system"], operations=[ - {"method": "DELETE", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"} + {"method": "DELETE", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}"}, ], ), base.APIRule( @@ -1068,7 +1071,7 @@ list_rules = ( description="Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"} + {"method": "GET", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}, ], ), base.APIRule( @@ -1089,7 +1092,7 @@ list_rules = ( description="Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.", scope_types=["system"], operations=[ - {"method": "PUT", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"} + {"method": "PUT", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}, ], ), base.APIRule( @@ -1099,7 +1102,7 @@ list_rules = ( description="Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.", scope_types=["system"], operations=[ - {"method": "DELETE", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"} + {"method": "DELETE", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}, ], ), base.APIRule( @@ -1120,7 +1123,7 @@ list_rules = ( description="Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.", scope_types=["system"], operations=[ - {"method": "HEAD", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"} + {"method": "HEAD", "path": "/v3/roles/{prior_role_id}/implies/{implied_role_id}"}, ], ), base.APIRule( @@ -1278,7 +1281,7 @@ list_rules = ( { "method": "PUT", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}", - } + }, ], ), base.APIRule( @@ -1308,7 +1311,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}", - } + }, ], ), base.APIRule( @@ -1321,7 +1324,7 @@ list_rules = ( { "method": "PUT", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}", - } + }, ], ), base.APIRule( @@ -1351,7 +1354,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}", - } + }, ], ), base.APIRule( @@ -1364,7 +1367,7 @@ list_rules = ( { "method": "PUT", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}", - } + }, ], ), base.APIRule( @@ -1394,7 +1397,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}", - } + }, ], ), base.APIRule( @@ -1415,7 +1418,7 @@ list_rules = ( description="List endpoints for policy.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints"} + {"method": "GET", "path": "/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints"}, ], ), base.APIRule( @@ -1551,7 +1554,7 @@ list_rules = ( description="List projects allowed to access an endpoint.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects"} + {"method": "GET", "path": "/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects"}, ], ), base.APIRule( @@ -1564,7 +1567,7 @@ list_rules = ( { "method": "PUT", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", - } + }, ], ), base.APIRule( @@ -1591,7 +1594,7 @@ list_rules = ( description="List the endpoints a project is allowed to access.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints"} + {"method": "GET", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints"}, ], ), base.APIRule( @@ -1604,7 +1607,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", - } + }, ], ), base.APIRule( @@ -1617,7 +1620,7 @@ list_rules = ( { "method": "PUT", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", - } + }, ], ), base.APIRule( @@ -1630,7 +1633,7 @@ list_rules = ( { "method": "PATCH", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", - } + }, ], ), base.APIRule( @@ -1643,7 +1646,7 @@ list_rules = ( { "method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", - } + }, ], ), base.APIRule( @@ -1653,7 +1656,7 @@ list_rules = ( description="List federated protocols.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols"} + {"method": "GET", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols"}, ], ), base.APIRule( @@ -1666,7 +1669,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", - } + }, ], ), base.APIRule( @@ -1939,7 +1942,10 @@ list_rules = ( description="Create federated service provider.", scope_types=["system"], operations=[ - {"method": "PUT", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}"} + { + "method": "PUT", + "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", + }, ], ), base.APIRule( @@ -1980,7 +1986,7 @@ list_rules = ( { "method": "PATCH", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - } + }, ], ), base.APIRule( @@ -1993,7 +1999,7 @@ list_rules = ( { "method": "DELETE", "path": "/v3/OS-FEDERATION/service_providers/{service_provider_id}", - } + }, ], ), base.APIRule( diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/neutron.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/neutron.py index efddd73..24c0382 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/neutron.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/neutron.py @@ -257,7 +257,7 @@ list_rules = ( description="Remove a network from a DHCP agent", scope_types=["system"], operations=[ - {"method": "DELETE", "path": "/agents/{agent_id}/dhcp-networks/{network_id}"} + {"method": "DELETE", "path": "/agents/{agent_id}/dhcp-networks/{network_id}"}, ], ), base.APIRule( @@ -421,7 +421,7 @@ list_rules = ( description="Disassociate a flavor with a service profile", scope_types=["system"], operations=[ - {"method": "DELETE", "path": "/flavors/{flavor_id}/service_profiles/{profile_id}"} + {"method": "DELETE", "path": "/flavors/{flavor_id}/service_profiles/{profile_id}"}, ], ), base.APIRule( @@ -541,7 +541,7 @@ list_rules = ( { "method": "PUT", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}", - } + }, ], ), base.APIRule( @@ -558,7 +558,7 @@ list_rules = ( { "method": "DELETE", "path": "/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}", - } + }, ], ), base.APIRule( @@ -605,7 +605,7 @@ list_rules = ( { "method": "PUT", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}", - } + }, ], ), base.APIRule( @@ -622,7 +622,7 @@ list_rules = ( { "method": "DELETE", "path": "/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}", - } + }, ], ), base.APIRule( @@ -1477,7 +1477,7 @@ list_rules = ( description="Create a QoS bandwidth limit rule", scope_types=["system"], operations=[ - {"method": "POST", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules"} + {"method": "POST", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules"}, ], ), base.APIRule( @@ -1487,7 +1487,10 @@ list_rules = ( description="Update a QoS bandwidth limit rule", scope_types=["system"], operations=[ - {"method": "PUT", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}"} + { + "method": "PUT", + "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}", + }, ], ), base.APIRule( @@ -1500,7 +1503,7 @@ list_rules = ( { "method": "DELETE", "path": "/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}", - } + }, ], ), base.APIRule( @@ -1533,7 +1536,7 @@ list_rules = ( description="Update a QoS DSCP marking rule", scope_types=["system"], operations=[ - {"method": "PUT", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"} + {"method": "PUT", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"}, ], ), base.APIRule( @@ -1543,7 +1546,10 @@ list_rules = ( description="Delete a QoS DSCP marking rule", scope_types=["system"], operations=[ - {"method": "DELETE", "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}"} + { + "method": "DELETE", + "path": "/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}", + }, ], ), base.APIRule( @@ -1571,7 +1577,7 @@ list_rules = ( description="Create a QoS minimum bandwidth rule", scope_types=["system"], operations=[ - {"method": "POST", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules"} + {"method": "POST", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules"}, ], ), base.APIRule( @@ -1584,7 +1590,7 @@ list_rules = ( { "method": "PUT", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}", - } + }, ], ), base.APIRule( @@ -1597,7 +1603,7 @@ list_rules = ( { "method": "DELETE", "path": "/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}", - } + }, ], ), base.APIRule( @@ -1677,7 +1683,7 @@ list_rules = ( description="Delete a QoS minimum bandwidth rule through alias", scope_types=["project"], operations=[ - {"method": "DELETE", "path": "/qos/alias_minimum_bandwidth_rules/{rule_id}/"} + {"method": "DELETE", "path": "/qos/alias_minimum_bandwidth_rules/{rule_id}/"}, ], ), base.APIRule( diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/nova.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/nova.py index 292dcad..8cf19e5 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/nova.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/nova.py @@ -68,7 +68,7 @@ list_rules = ( description="Inject network information into the server", scope_types=["system", "project"], operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (injectNetworkInfo)"} + {"method": "POST", "path": "/servers/{server_id}/action (injectNetworkInfo)"}, ], ), base.APIRule( @@ -88,7 +88,7 @@ list_rules = ( description="Create or replace metadata for an aggregate", scope_types=["system"], operations=[ - {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (set_metadata)"} + {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (set_metadata)"}, ], ), base.APIRule( @@ -98,7 +98,7 @@ list_rules = ( description="Add a host to an aggregate", scope_types=["system"], operations=[ - {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (add_host)"} + {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (add_host)"}, ], ), base.APIRule( @@ -116,7 +116,7 @@ list_rules = ( description="Remove a host from an aggregate", scope_types=["system"], operations=[ - {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (remove_host)"} + {"method": "POST", "path": "/os-aggregates/{aggregate_id}/action (remove_host)"}, ], ), base.APIRule( @@ -266,7 +266,7 @@ list_rules = ( description="Show console output for a server", scope_types=["system", "project"], operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (os-getConsoleOutput)"} + {"method": "POST", "path": "/servers/{server_id}/action (os-getConsoleOutput)"}, ], ), base.APIRule( @@ -346,7 +346,7 @@ list_rules = ( description="Remove flavor access from a tenant", scope_types=["system"], operations=[ - {"method": "POST", "path": "/flavors/{flavor_id}/action (removeTenantAccess)"} + {"method": "POST", "path": "/flavors/{flavor_id}/action (removeTenantAccess)"}, ], ), base.APIRule( @@ -369,7 +369,7 @@ list_rules = ( { "method": "GET", "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}", - } + }, ], ), base.APIRule( @@ -390,7 +390,7 @@ list_rules = ( { "method": "PUT", "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}", - } + }, ], ), base.APIRule( @@ -403,7 +403,7 @@ list_rules = ( { "method": "DELETE", "path": "/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}", - } + }, ], ), base.APIRule( @@ -613,7 +613,7 @@ list_rules = ( description="Search hypervisor by hypervisor_hostname pattern.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/search"} + {"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/search"}, ], ), base.APIRule( @@ -623,7 +623,7 @@ list_rules = ( description="List all servers on hypervisors that can match the provided hypervisor_hostname pattern.", scope_types=["system"], operations=[ - {"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/servers"} + {"method": "GET", "path": "/os-hypervisors/{hypervisor_hostname_pattern}/servers"}, ], ), base.APIRule( @@ -633,7 +633,7 @@ list_rules = ( description="Add \"details\" key in action events for a server.\n#\n#This check is performed only after the check\n#os_compute_api:os-instance-actions:show passes. Beginning with Microversion\n#2.84, new field 'details' is exposed via API which can have more details about\n#event failure. That field is controlled by this policy which is system reader\n#by default. Making the 'details' field visible to the non-admin user helps to\n#understand the nature of the problem (i.e. if the action can be retried),\n#but in the other hand it might leak information about the deployment\n#(e.g. the type of the hypervisor).\n#", scope_types=["system", "project"], operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"} + {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}, ], ), base.APIRule( @@ -643,7 +643,7 @@ list_rules = ( description="Add events details in action details for a server.\n#This check is performed only after the check\n#os_compute_api:os-instance-actions:show passes. Beginning with Microversion\n#2.51, events details are always included; traceback information is provided\n#per event if policy enforcement passes. Beginning with Microversion 2.62,\n#each event includes a hashed host identifier and, if policy enforcement\n#passes, the name of the host.", scope_types=["system", "project"], operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"} + {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}, ], ), base.APIRule( @@ -665,7 +665,7 @@ list_rules = ( description="Show action details for a server.", scope_types=["system", "project"], operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"} + {"method": "GET", "path": "/servers/{server_id}/os-instance-actions/{request_id}"}, ], ), base.APIRule( @@ -1063,7 +1063,7 @@ list_rules = ( description="Remove security groups from server.", scope_types=["system", "project"], operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (removeSecurityGroup)"} + {"method": "POST", "path": "/servers/{server_id}/action (removeSecurityGroup)"}, ], ), base.APIRule( @@ -1587,7 +1587,7 @@ list_rules = ( description="Trigger crash dump in a server", scope_types=["system", "project"], operations=[ - {"method": "POST", "path": "/servers/{server_id}/action (trigger_crash_dump)"} + {"method": "POST", "path": "/servers/{server_id}/action (trigger_crash_dump)"}, ], ), base.APIRule( @@ -1608,7 +1608,7 @@ list_rules = ( { "method": "POST", "path": "/servers/{server_id}/migrations/{migration_id}/action (force_complete)", - } + }, ], ), base.APIRule( @@ -1618,7 +1618,7 @@ list_rules = ( description="Delete(Abort) an in-progress live migration", scope_types=["system", "project"], operations=[ - {"method": "DELETE", "path": "/servers/{server_id}/migrations/{migration_id}"} + {"method": "DELETE", "path": "/servers/{server_id}/migrations/{migration_id}"}, ], ), base.APIRule( @@ -1870,7 +1870,7 @@ list_rules = ( description="Show details of a volume attachment", scope_types=["system", "project"], operations=[ - {"method": "GET", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"} + {"method": "GET", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}, ], ), base.APIRule( @@ -1882,7 +1882,7 @@ list_rules = ( description="Update a volume attachment.\n#New 'update' policy about 'swap + update' request (which is possible\n#only >2.85) only is checked. We expect to be\n#always superset of this policy permission.\n#", scope_types=["system", "project"], operations=[ - {"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"} + {"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}, ], ), base.APIRule( @@ -1892,7 +1892,7 @@ list_rules = ( description="Update a volume attachment with a different volumeId", scope_types=["system"], operations=[ - {"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"} + {"method": "PUT", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"}, ], ), base.APIRule( @@ -1904,7 +1904,10 @@ list_rules = ( description="Detach a volume from an instance", scope_types=["system", "project"], operations=[ - {"method": "DELETE", "path": "/servers/{server_id}/os-volume_attachments/{volume_id}"} + { + "method": "DELETE", + "path": "/servers/{server_id}/os-volume_attachments/{volume_id}", + }, ], ), ) diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/octavia.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/octavia.py index 8cd6bb8..bb02bd2 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/octavia.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/octavia.py @@ -55,7 +55,9 @@ list_rules = ( ), base.Rule( name="load-balancer:read", - check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"), + check_str=( + "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin" + ), description="No description", ), base.Rule( @@ -70,12 +72,16 @@ list_rules = ( ), base.Rule( name="load-balancer:read-quota", - check_str=("rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"), + check_str=( + "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin" + ), description="No description", ), base.Rule( name="load-balancer:read-quota-global", - check_str=("rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"), + check_str=( + "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin" + ), description="No description", ), base.Rule( @@ -86,7 +92,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Flavors", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors"}], @@ -110,7 +118,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:flavor:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Flavor details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/flavors/{flavor_id}"}], @@ -161,12 +171,16 @@ list_rules = ( basic_check_str=("role:admin"), description="Remove a Flavor Profile", scope_types=["project"], - operations=[{"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}], + operations=[ + {"method": "DELETE", "path": "/v2.0/lbaas/flavorprofiles/{flavor_profile_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:availability-zone:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Availability Zones", scope_types=["project"], operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones"}], @@ -185,15 +199,21 @@ list_rules = ( basic_check_str=("role:admin"), description="Update an Availability Zone", scope_types=["project"], - operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}], + operations=[ + {"method": "PUT", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:availability-zone:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Availability Zone details", scope_types=["project"], - operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}], + operations=[ + {"method": "GET", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:availability-zone:delete", @@ -201,7 +221,9 @@ list_rules = ( basic_check_str=("role:admin"), description="Remove an Availability Zone", scope_types=["project"], - operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}], + operations=[ + {"method": "DELETE", "path": "/v2.0/lbaas/availabilityzones/{availability_zone_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:availability-zone-profile:get_all", @@ -225,7 +247,12 @@ list_rules = ( basic_check_str=("role:admin"), description="Update an Availability Zone", scope_types=["project"], - operations=[{"method": "PUT", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}], + operations=[ + { + "method": "PUT", + "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}", + }, + ], ), base.APIRule( name="os_load-balancer_api:availability-zone-profile:get_one", @@ -233,7 +260,12 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Show Availability Zone details", scope_types=["project"], - operations=[{"method": "GET", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}], + operations=[ + { + "method": "GET", + "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}", + }, + ], ), base.APIRule( name="os_load-balancer_api:availability-zone-profile:delete", @@ -241,12 +273,19 @@ list_rules = ( basic_check_str=("role:admin"), description="Remove an Availability Zone", scope_types=["project"], - operations=[{"method": "DELETE", "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}"}], + operations=[ + { + "method": "DELETE", + "path": "/v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}", + }, + ], ), base.APIRule( name="os_load-balancer_api:healthmonitor:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Health Monitors of a Pool", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors"}], @@ -262,7 +301,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a Health Monitor", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/healthmonitors"}], @@ -270,7 +311,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Health Monitor details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], @@ -278,7 +321,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a Health Monitor", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], @@ -286,7 +331,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:healthmonitor:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a Health Monitor", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/healthmonitors/{healthmonitor_id}"}], @@ -294,7 +341,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List L7 Policys", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies"}], @@ -310,7 +359,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a L7 Policy", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/l7policies"}], @@ -318,7 +369,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show L7 Policy details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], @@ -326,7 +379,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a L7 Policy", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], @@ -334,7 +389,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7policy:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a L7 Policy", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}"}], @@ -342,7 +399,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7rule:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List L7 Rules", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}], @@ -350,7 +409,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7rule:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a L7 Rule", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules"}], @@ -358,31 +419,45 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:l7rule:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show L7 Rule details", scope_types=["project"], - operations=[{"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}], + operations=[ + {"method": "GET", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:l7rule:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a L7 Rule", scope_types=["project"], - operations=[{"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}], + operations=[ + {"method": "PUT", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:l7rule:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a L7 Rule", scope_types=["project"], - operations=[{"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}], + operations=[ + {"method": "DELETE", "path": "/v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:listener:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Listeners", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners"}], @@ -398,7 +473,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a Listener", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/listeners"}], @@ -406,7 +483,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Listener details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}"}], @@ -414,7 +493,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a Listener", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/listeners/{listener_id}"}], @@ -422,7 +503,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a Listener", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/listeners/{listener_id}"}], @@ -430,7 +513,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:listener:get_stats", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Listener statistics", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/listeners/{listener_id}/stats"}], @@ -438,7 +523,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Load Balancers", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers"}], @@ -454,7 +541,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a Load Balancer", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/loadbalancers"}], @@ -462,7 +551,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Load Balancer details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], @@ -470,7 +561,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a Load Balancer", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], @@ -478,7 +571,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a Load Balancer", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}"}], @@ -486,7 +581,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_stats", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Load Balancer statistics", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/stats"}], @@ -494,10 +591,14 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:loadbalancer:get_status", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Load Balancer status", scope_types=["project"], - operations=[{"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}], + operations=[ + {"method": "GET", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/status"}, + ], ), base.APIRule( name="os_load-balancer_api:loadbalancer:put_failover", @@ -505,12 +606,16 @@ list_rules = ( basic_check_str=("role:admin"), description="Failover a Load Balancer", scope_types=["project"], - operations=[{"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}], + operations=[ + {"method": "PUT", "path": "/v2/lbaas/loadbalancers/{loadbalancer_id}/failover"}, + ], ), base.APIRule( name="os_load-balancer_api:member:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Members of a Pool", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members"}], @@ -518,7 +623,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a Member", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/pools/{pool_id}/members"}], @@ -526,7 +633,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Member details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], @@ -534,7 +643,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a Member", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], @@ -542,15 +653,21 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:member:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a Member", scope_types=["project"], - operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}], + operations=[ + {"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}/members/{member_id}"}, + ], ), base.APIRule( name="os_load-balancer_api:pool:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Pools", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools"}], @@ -566,7 +683,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:post", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Create a Pool", scope_types=["project"], operations=[{"method": "POST", "path": "/v2/lbaas/pools"}], @@ -574,7 +693,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:get_one", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Pool details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/pools/{pool_id}"}], @@ -582,7 +703,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:put", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Update a Pool", scope_types=["project"], operations=[{"method": "PUT", "path": "/v2/lbaas/pools/{pool_id}"}], @@ -590,7 +713,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:pool:delete", check_str=("rule:load-balancer:write"), - basic_check_str=("role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s" + ), description="Remove a Pool", scope_types=["project"], operations=[{"method": "DELETE", "path": "/v2/lbaas/pools/{pool_id}"}], @@ -598,7 +723,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:provider:get_all", check_str=("rule:load-balancer:read"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List enabled providers", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/providers"}], @@ -606,7 +733,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_all", check_str=("rule:load-balancer:read-quota"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="List Quotas", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas"}], @@ -622,7 +751,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_one", check_str=("rule:load-balancer:read-quota"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Quota details", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}"}], @@ -646,7 +777,9 @@ list_rules = ( base.APIRule( name="os_load-balancer_api:quota:get_defaults", check_str=("rule:load-balancer:read-quota"), - basic_check_str=("role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s"), + basic_check_str=( + "role:admin or role:reader or role:admin and project_id:%(project_id)s or role:member and project_id:%(project_id)s or role:reader and project_id:%(project_id)s" + ), description="Show Default Quota for a Project", scope_types=["project"], operations=[{"method": "GET", "path": "/v2/lbaas/quotas/{project_id}/default"}], @@ -705,7 +838,9 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="List the provider flavor capabilities.", scope_types=["project"], - operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}], + operations=[ + {"method": "GET", "path": "/v2/lbaas/providers/{provider}/flavor_capabilities"}, + ], ), base.APIRule( name="os_load-balancer_api:provider-availability-zone:get_all", @@ -713,7 +848,12 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="List the provider availability zone capabilities.", scope_types=["project"], - operations=[{"method": "GET", "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities"}], + operations=[ + { + "method": "GET", + "path": "/v2/lbaas/providers/{provider}/availability_zone_capabilities", + }, + ], ), ) diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/panko.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/panko.py index 6b1f1f9..7494580 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/panko.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/panko.py @@ -14,7 +14,10 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Return the user and project the requestshould be limited to", scope_types=["system"], - operations=[{"method": "GET", "path": "/v2/events"}, {"method": "GET", "path": "/v2/events/{message_id}"}], + operations=[ + {"method": "GET", "path": "/v2/events"}, + {"method": "GET", "path": "/v2/events/{message_id}"}, + ], ), base.APIRule( name="telemetry:events:index", diff --git a/libs/skyline-policy-manager/skyline_policy_manager/policies/placement.py b/libs/skyline-policy-manager/skyline_policy_manager/policies/placement.py index 1ebd155..ed92da5 100644 --- a/libs/skyline-policy-manager/skyline_policy_manager/policies/placement.py +++ b/libs/skyline-policy-manager/skyline_policy_manager/policies/placement.py @@ -110,7 +110,9 @@ list_rules = ( basic_check_str=("role:admin or role:reader"), description="Show resource provider inventory.", scope_types=["system"], - operations=[{"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}], + operations=[ + {"method": "GET", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}, + ], ), base.APIRule( name="placement:resource_providers:inventories:update", @@ -118,7 +120,10 @@ list_rules = ( basic_check_str=("role:admin"), description="Update resource provider inventory.", scope_types=["system"], - operations=[{"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}], + operations=[ + {"method": "PUT", "path": "/resource_providers/{uuid}/inventories"}, + {"method": "PUT", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}, + ], ), base.APIRule( name="placement:resource_providers:inventories:delete", @@ -126,7 +131,13 @@ list_rules = ( basic_check_str=("role:admin"), description="Delete resource provider inventory.", scope_types=["system"], - operations=[{"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories/{resource_class}"}], + operations=[ + {"method": "DELETE", "path": "/resource_providers/{uuid}/inventories"}, + { + "method": "DELETE", + "path": "/resource_providers/{uuid}/inventories/{resource_class}", + }, + ], ), base.APIRule( name="placement:resource_providers:aggregates:list", @@ -154,7 +165,9 @@ list_rules = ( ), base.APIRule( name="placement:usages", - check_str=("(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"), + check_str=( + "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" + ), basic_check_str=("role:admin or role:reader"), description="List total resource usages for a given project.", scope_types=["system", "project"], diff --git a/libs/skyline-policy-manager/tests/conftest.py b/libs/skyline-policy-manager/tests/conftest.py new file mode 100644 index 0000000..636f462 --- /dev/null +++ b/libs/skyline-policy-manager/tests/conftest.py @@ -0,0 +1,47 @@ +# Copyright 2021 99cloud +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING + +from _pytest.mark import ParameterSet +from tests.models import TestData + +if TYPE_CHECKING: + from _pytest.python import Metafunc + + +def pytest_generate_tests(metafunc: Metafunc) -> None: + for marker in metafunc.definition.iter_markers(name="ddt"): + test_data: TestData + for test_data in marker.args: + argument_length = len(test_data.arguments) + argvalues = [] + for argument_data in test_data.argument_data_set: + if len(argument_data.values) != argument_length: + raise ValueError( + f'Argument data "{argument_data.id}" of method ' + f'"{metafunc.function.__name__}" doesn\'t match ' + "number of arguments.", + ) + argvalues.append( + ParameterSet( + id=argument_data.id, + marks=argument_data.marks, + values=argument_data.values, + ), + ) + + metafunc.parametrize(test_data.arguments, argvalues, indirect=test_data.indirect) diff --git a/libs/skyline-policy-manager/tests/fake.py b/libs/skyline-policy-manager/tests/fake.py new file mode 100644 index 0000000..b00e2d8 --- /dev/null +++ b/libs/skyline-policy-manager/tests/fake.py @@ -0,0 +1,87 @@ +# Copyright 2021 99cloud +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import sys +from dataclasses import asdict, dataclass, field +from typing import Dict, List + +from mimesis import Generic + +FAKER = Generic() + +FAKE_NS = "skyline_policy_manager.tests.mock_ns" + +FAKE_SERVICE_EPS = { + "cinder": ["cinder"], + "glance": ["glance"], + "heat": ["heat"], + "keystone": ["keystone"], + "neutron": ["neutron"], + "nova": ["nova"], +} + +current_module = sys.modules[__name__] + +for ep_names in FAKE_SERVICE_EPS.values(): + for ep_name in ep_names: + setattr(current_module, f"{ep_name}_list_rules", lambda: []) + + +@dataclass +class FakeOperation: + method: str = field( + default_factory=lambda: FAKER.choice(["GET", "POST", "PUT", "PATCH", "DELETE"]), + ) + path: str = field( + default_factory=lambda: FAKER.choice(["/resources", "/resources/{resource_id}"]), + ) + + +@dataclass +class FakeDocumentedRuleData: + name: str = field(default_factory=lambda: ":".join(FAKER.text.words())) + description: str = field(default_factory=lambda: FAKER.text.text()) + check_str: str = field( + default_factory=lambda: f'role:{FAKER.choice(["admin", "member", "reader"])}', + ) + scope_types: List[str] = field( + default_factory=lambda: FAKER.choice( + ["system", "domain", "project"], + length=FAKER.numbers.integer_number(1, 3), + unique=True, + ), + ) + operations: List[Dict[str, str]] = field( + default_factory=lambda: [ + asdict(FakeOperation()) for _ in range(FAKER.numbers.integer_number(1, 5)) + ], + ) + + +@dataclass +class FakeRuleData: + name: str = field(default_factory=lambda: ":".join(FAKER.text.words())) + description: str = field(default_factory=lambda: FAKER.text.text()) + check_str: str = field( + default_factory=lambda: f'role:{FAKER.choice(["admin", "member", "reader"])}', + ) + scope_types: List[str] = field( + default_factory=lambda: FAKER.choice( + ["system", "domain", "project"], + length=FAKER.numbers.integer_number(1, 3), + unique=True, + ), + ) diff --git a/libs/skyline-policy-manager/tests/models.py b/libs/skyline-policy-manager/tests/models.py new file mode 100644 index 0000000..c7cb00a --- /dev/null +++ b/libs/skyline-policy-manager/tests/models.py @@ -0,0 +1,36 @@ +# Copyright 2021 99cloud +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from dataclasses import dataclass +from typing import Any, Collection, Sequence, Tuple, Union + + +@dataclass +class ArgumentData: + id: str + values: Sequence[object] + # TODO: Fix type annotation of `marks` after the pytest > 7.0.0 + # marks: Collection[Union[pytest.MarkDecorator, pytest.Mark]] + marks: Collection[Any] = () + + +@dataclass +class TestData: + arguments: Tuple[str, ...] + argument_data_set: Sequence[ArgumentData] + indirect: Union[bool, Tuple[str]] = False + + __test__ = False diff --git a/libs/skyline-policy-manager/tests/unit/__init__.py b/libs/skyline-policy-manager/tests/unit/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/libs/skyline-policy-manager/tests/unit/cmd/__init__.py b/libs/skyline-policy-manager/tests/unit/cmd/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/libs/skyline-policy-manager/tests/unit/cmd/test_manage.py b/libs/skyline-policy-manager/tests/unit/cmd/test_manage.py new file mode 100644 index 0000000..f78c3bf --- /dev/null +++ b/libs/skyline-policy-manager/tests/unit/cmd/test_manage.py @@ -0,0 +1,158 @@ +# Copyright 2021 99cloud +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from dataclasses import asdict +from importlib import metadata +from importlib.metadata import EntryPoint +from pathlib import Path +from typing import Dict, List, Tuple, Union + +import pytest +from click.testing import CliRunner +from oslo_policy.policy import DocumentedRuleDefault, RuleDefault +from skyline_policy_manager import constants, policies +from skyline_policy_manager.cmd.manage import ( + generate_conf, + generate_rule, + generate_sample, + policy_manager, + validate, +) +from tests import fake +from tests.fake import FAKE_NS, FAKE_SERVICE_EPS, FAKER, FakeDocumentedRuleData, FakeRuleData +from tests.models import ArgumentData, TestData + + +class TestPolicyManager: + @pytest.fixture(autouse=True) + def setup_entry_points(self, monkeypatch) -> None: + eps = [] + for ep_names in FAKE_SERVICE_EPS.values(): + for ep_name in ep_names: + fake_rules: List[Union[DocumentedRuleDefault, RuleDefault]] + fake_rules = [ + DocumentedRuleDefault(**asdict(FakeDocumentedRuleData())) + for _ in range(FAKER.numbers.integer_number(1, 10)) + ] + fake_rules.extend( + [ + RuleDefault(**asdict(FakeRuleData())) + for _ in range(FAKER.numbers.integer_number(1, 3)) + ], + ) + monkeypatch.setattr(fake, f"{ep_name}_list_rules", lambda: fake_rules) + eps.append( + EntryPoint( + name=ep_name, + value=f"tests.fake:{ep_name}_list_rules", + group=FAKE_NS, + ), + ) + + def entry_points() -> Dict[str, Tuple[EntryPoint, ...]]: + return {FAKE_NS: tuple(eps)} + + monkeypatch.setattr(metadata, "entry_points", entry_points) + monkeypatch.setattr(constants, "POLICY_NS", FAKE_NS) + monkeypatch.setattr(constants, "SUPPORTED_SERVICE_EPS", FAKE_SERVICE_EPS) + + @pytest.fixture + def runner(self) -> CliRunner: + runner = CliRunner() + return runner + + @pytest.mark.ddt( + TestData( + arguments=("dir_path",), + argument_data_set=[ + ArgumentData( + id="str_dir_path", + values=(FAKER.text.word(),), + ), + ], + ), + ) + def test_generate_sample(self, runner: CliRunner, tmp_path: Path, dir_path: str) -> None: + sample_dir = tmp_path.joinpath(dir_path) + sample_dir.mkdir(parents=True, exist_ok=True) + policy_manager.add_command(generate_sample) + result = runner.invoke( + policy_manager, + ["generate-sample", "--dir", sample_dir.as_posix()], + ) + assert result.exit_code == 0 + for service in FAKE_SERVICE_EPS: + assert sample_dir.joinpath(service).exists() + assert sample_dir.joinpath(service).joinpath("policy.yaml.sample").exists() + + @pytest.mark.ddt( + TestData( + arguments=("dir_path",), + argument_data_set=[ + ArgumentData( + id="str_dir_path", + values=(FAKER.text.word(),), + ), + ], + ), + TestData( + arguments=("description",), + argument_data_set=[ + ArgumentData( + id="str_description", + values=(FAKER.text.text(),), + ), + ], + ), + ) + def test_generate_conf( + self, + runner: CliRunner, + tmp_path: Path, + dir_path: str, + description: str, + ) -> None: + conf_dir = tmp_path.joinpath(dir_path) + conf_dir.mkdir(parents=True, exist_ok=True) + policy_manager.add_command(generate_conf) + result = runner.invoke( + policy_manager, + ["generate-conf", "--dir", conf_dir.as_posix(), "--desc", description], + ) + service_rules = policies.get_service_rules() + assert result.exit_code == 0 + for service in service_rules: + assert conf_dir.joinpath(service).exists() + assert conf_dir.joinpath(service).joinpath("policy.yaml").exists() + assert description in conf_dir.joinpath(service).joinpath("policy.yaml").read_text() + + def test_generate_rule(self, runner: CliRunner) -> None: + policy_manager.add_command(generate_rule) + for ep_names in FAKE_SERVICE_EPS.values(): + for ep_name in ep_names: + result = runner.invoke(policy_manager, ["generate-rule", ep_name]) + assert result.exit_code == 0 + + def test_validate(self, runner: CliRunner) -> None: + policy_manager.add_command(validate) + result = runner.invoke( + policy_manager, + [ + "validate", + "--diff", + ], + ) + assert result.exit_code == 0 diff --git a/libs/skyline-policy-manager/tests/test_skyline_policy_manager.py b/libs/skyline-policy-manager/tests/unit/test_skyline_policy_manager.py similarity index 95% rename from libs/skyline-policy-manager/tests/test_skyline_policy_manager.py rename to libs/skyline-policy-manager/tests/unit/test_skyline_policy_manager.py index 7a70a4f..9166fd6 100644 --- a/libs/skyline-policy-manager/tests/test_skyline_policy_manager.py +++ b/libs/skyline-policy-manager/tests/unit/test_skyline_policy_manager.py @@ -15,5 +15,5 @@ from skyline_policy_manager import __version__ -def test_version(): +def test_version() -> None: assert __version__ == "0.1.0"