baha/skyline-apiserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8cb60f0833
skyline-apiserver/skyline_apiserver/policy/base.py
zhu.boxiang 8cb60f0833 chore: Move skyline_apiserver out of libs 
1. move skyline_apiserver out of libs
2. remove libs folder
3. remove old skyline folder
4. adjust zull, devstack and dockerfile

Change-Id: I27a4babd3df077d1dfc7555f67a6ea618d4b2966
2022-05-18 17:21:00 +08:00

118 lines
4.0 KiB
Python
Raw Blame History

# Copyright 2021 99cloud
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import annotations
from collections.abc import MutableMapping
from typing import Any, Dict, Iterable, Iterator
import attr
from immutables import Map
from keystoneauth1.access.access import AccessInfoV3
from oslo_policy._checks import _check
from skyline_apiserver.config import CONF
from .manager.base import APIRule
class UserContext(MutableMapping):
def __init__(
self,
access: AccessInfoV3,
):
self._data = {}
self.access = access
self._data.setdefault("auth_token", getattr(access, "auth_token", None))
self._data.setdefault("user_id", getattr(access, "user_id", None))
self._data.setdefault("project_id", getattr(access, "project_id", None))
self._data.setdefault("domain_id", getattr(access, "domain_id", None))
self._data.setdefault("user_domain_id", getattr(access, "user_domain_id", None))
self._data.setdefault("project_domain_id", getattr(access, "project_domain_id", None))
self._data.setdefault("username", getattr(access, "username", None))
self._data.setdefault("project_name", getattr(access, "project_name", None))
self._data.setdefault("domain_name", getattr(access, "domain_name", None))
self._data.setdefault("user_domain_name", getattr(access, "user_domain_name", None))
self._data.setdefault("project_domain_name", getattr(access, "project_domain_name", None))
self._data.setdefault("system_scope", getattr(access, "system_scope", None))
self._data.setdefault("role_ids", getattr(access, "role_ids", []))
self._data.setdefault("roles", getattr(access, "role_names", []))
is_admin = False
for role in CONF.openstack.system_admin_roles:
if role in self._data["roles"]:
is_admin = True
break
self._data.setdefault("is_admin", is_admin)
is_reader_admin = False
for role in CONF.openstack.system_reader_roles:
if role in self._data["roles"]:
is_reader_admin = True
break
self._data.setdefault("is_reader_admin", is_reader_admin)
def __getitem__(self, k: Any) -> Any:
return self._data[k]
def __setitem__(self, k: Any, v: Any) -> None:
self._data[k] = v
def __delitem__(self, k: Any) -> None:
del self._data[k]
def __iter__(self) -> Iterator[Any]:
return iter(self._data)
def __len__(self) -> int:
return len(self._data)
def __str__(self) -> str:
return self._data.__str__()
def __repr__(self) -> str:
return self._data.__repr__()
@attr.s(kw_only=True, repr=True, frozen=False, slots=True, auto_attribs=True)
class Enforcer:
rules: Map = attr.ib(factory=Map, repr=True, init=False)
def register_rules(self, rules: Iterable[APIRule]) -> None:
rule_map = {}
for rule in rules:
if rule.name in rule_map:
raise ValueError(f"Duplicate policy rule {rule.name}.")
rule_map[rule.name] = rule.basic_check
self.rules = Map(rule_map)
def authorize(self, rule: str, target: Dict[str, Any], context: UserContext) -> bool:
result = False
do_check = self.rules.get(rule)
if do_check is None:
raise ValueError(f"Policy {rule} not registered.")
result = _check(
rule=do_check,
target=target,
creds=context,
enforcer=self,
current_rule=rule,
)
return result
Reference in New Issue View Git Blame Copy Permalink