eea81cef1e
Bump pydantic version which fixes skyline-apiserver when running under python3.11. Closes-Bug: #2047145 Change-Id: Idb1897f64ffaf0cd0fbee4f7f198935386a5f599
194 lines
7.2 KiB
Python
194 lines
7.2 KiB
Python
# Copyright 2021 99cloud
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import Dict, List
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, status
|
|
from keystoneauth1.exceptions.http import (
|
|
InternalServerError as KeystoneInternalServerError,
|
|
Unauthorized as KeystoneUnauthorized,
|
|
)
|
|
|
|
from skyline_apiserver import schemas
|
|
from skyline_apiserver.api import deps
|
|
from skyline_apiserver.client.utils import generate_session, get_access, get_system_scope_access
|
|
from skyline_apiserver.config import CONF
|
|
from skyline_apiserver.log import LOG
|
|
from skyline_apiserver.policy import ENFORCER, UserContext
|
|
from skyline_apiserver.types import constants
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
def _generate_target(profile: schemas.Profile) -> Dict[str, str]:
|
|
return {
|
|
"user_id": profile.user.id,
|
|
"project_id": profile.project.id,
|
|
# oslo policy
|
|
"enforce_new_defaults": CONF.openstack.enforce_new_defaults,
|
|
# trove
|
|
"tenant": profile.project.id,
|
|
# keystone
|
|
"trust.trustor_user_id": profile.user.id,
|
|
"target.user.id": profile.user.id,
|
|
"target.user.domain_id": profile.user.domain.id,
|
|
"target.project.domain_id": profile.project.domain.id,
|
|
"target.project.id": profile.project.id,
|
|
"target.trust.trustor_user_id": profile.user.id,
|
|
"target.trust.trustee_user_id": profile.user.id,
|
|
"target.token.user_id": profile.user.id,
|
|
"target.domain.id": profile.project.domain.id,
|
|
"target.domain_id": profile.project.domain.id,
|
|
"target.credential.user_id": profile.user.id,
|
|
"target.role.domain_id": profile.project.domain.id,
|
|
"target.group.domain_id": profile.project.domain.id,
|
|
"target.limit.domain.id": profile.project.domain.id,
|
|
"target.limit.project_id": profile.project.domain.id,
|
|
"target.limit.project.domain_id": profile.project.domain.id,
|
|
# barbican
|
|
"target.container.project_id": profile.project.id,
|
|
"target.secret.project_id": profile.project.id,
|
|
"target.order.project_id": profile.project.id,
|
|
"target.secret.creator_id": profile.user.id,
|
|
# ironic
|
|
"allocation.owner": profile.project.id,
|
|
"node.lessee": profile.project.id,
|
|
"node.owner": profile.project.id,
|
|
# glance
|
|
"member_id": profile.project.id,
|
|
"owner": profile.project.id,
|
|
# cinder
|
|
"domain_id": profile.project.domain.id,
|
|
}
|
|
|
|
|
|
@router.get(
|
|
"/policies",
|
|
description="List policies and permissions",
|
|
responses={
|
|
200: {"model": schemas.Policies},
|
|
401: {"model": schemas.UnauthorizedMessage},
|
|
500: {"model": schemas.InternalServerErrorMessage},
|
|
},
|
|
response_model=schemas.Policies,
|
|
status_code=status.HTTP_200_OK,
|
|
response_description="OK",
|
|
)
|
|
async def list_policies(
|
|
profile: schemas.Profile = Depends(deps.get_profile_update_jwt),
|
|
) -> schemas.Policies:
|
|
session = await generate_session(profile)
|
|
access = await get_access(session)
|
|
user_context = UserContext(access)
|
|
try:
|
|
system_scope_access = await get_system_scope_access(
|
|
profile.keystone_token, profile.region
|
|
)
|
|
user_context["system_scope"] = (
|
|
"all"
|
|
if getattr(system_scope_access, "system")
|
|
and getattr(system_scope_access, "system", {}).get("all", False)
|
|
else user_context["system_scope"]
|
|
)
|
|
except KeystoneUnauthorized:
|
|
# User is not authorized to access the system scope. So just ignore the
|
|
# exception and use the user_context as is.
|
|
LOG.debug("Keystone token is invalid. No privilege to access system scope.")
|
|
except KeystoneInternalServerError:
|
|
# Keystone is not reachable. So just ignore the exception and use the
|
|
# user_context as is.
|
|
LOG.debug("Keystone is not reachable. No privilege to access system scope.")
|
|
target = _generate_target(profile)
|
|
|
|
results: List = []
|
|
services = constants.SUPPORTED_SERVICE_EPS.keys()
|
|
for service in services:
|
|
try:
|
|
enforcer = ENFORCER[service]
|
|
result = [
|
|
{
|
|
"rule": f"{service}:{rule}",
|
|
"allowed": enforcer.authorize(rule, target, user_context),
|
|
}
|
|
for rule in enforcer.rules
|
|
]
|
|
results.extend(result)
|
|
except Exception:
|
|
msg = "An error occurred when calling %(service)s enforcer." % {
|
|
"service": str(service)
|
|
}
|
|
LOG.warning(msg)
|
|
|
|
return schemas.Policies(**{"policies": results})
|
|
|
|
|
|
@router.post(
|
|
"/policies/check",
|
|
description="Check policies permissions",
|
|
responses={
|
|
200: {"model": schemas.Policies},
|
|
401: {"model": schemas.UnauthorizedMessage},
|
|
403: {"model": schemas.ForbiddenMessage},
|
|
500: {"model": schemas.InternalServerErrorMessage},
|
|
},
|
|
response_model=schemas.Policies,
|
|
status_code=status.HTTP_200_OK,
|
|
response_description="OK",
|
|
)
|
|
async def check_policies(
|
|
policy_rules: schemas.PoliciesRules,
|
|
profile: schemas.Profile = Depends(deps.get_profile_update_jwt),
|
|
) -> schemas.Policies:
|
|
session = await generate_session(profile)
|
|
access = await get_access(session)
|
|
user_context = UserContext(access)
|
|
try:
|
|
system_scope_access = await get_system_scope_access(
|
|
profile.keystone_token, profile.region
|
|
)
|
|
user_context["system_scope"] = (
|
|
"all"
|
|
if getattr(system_scope_access, "system")
|
|
and getattr(system_scope_access, "system", {}).get("all", False)
|
|
else user_context["system_scope"]
|
|
)
|
|
except KeystoneUnauthorized:
|
|
# User is not authorized to access the system scope. So just ignore the
|
|
# exception and use the user_context as is.
|
|
LOG.debug("Keystone token is invalid. No privilege to access system scope.")
|
|
except KeystoneInternalServerError:
|
|
# Keystone is not reachable. So just ignore the exception and use the
|
|
# user_context as is.
|
|
LOG.debug("Keystone is not reachable. No privilege to access system scope.")
|
|
target = _generate_target(profile)
|
|
target.update(policy_rules.target if policy_rules.target else {})
|
|
try:
|
|
result: List = []
|
|
for policy_rule in policy_rules.rules:
|
|
service = policy_rule.split(":", 1)[0]
|
|
rule = policy_rule.split(":", 1)[1]
|
|
enforcer = ENFORCER[service]
|
|
result.append(
|
|
{"rule": policy_rule, "allowed": enforcer.authorize(rule, target, user_context)}
|
|
)
|
|
except Exception as e:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=str(e),
|
|
)
|
|
|
|
return schemas.Policies(**{"policies": result})
|