Syncing policy engine from oslo-incubator

Syncing policy module - commit a53c4dc Includes patch 0da5de6 implementing Blueprint policy-constant-check python update.py --nodeps --base keystone --dest-dir ../keystone/ --modules policy ----- Adds the ability to check any resource's field against a constant (literal, or string) in the policy.json file. For instance, I can ensure that only users with field `enabled` set to False can be deleted with the following rule: "identity:delete_user": "False:%(target.user.enabled)s", Or that only the `Member` role can be granted: "identity:create_grant": "'Member':%(target.role.name)s", ----- Change-Id: I054271306f20aac47ce5e9dac594bc1989fee56d Implements: blueprint policy-constant-check
openstack · Feb 13, 2014 · 74f5385 · 74f5385
1 parent 8557e47
commit 74f5385
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/keystone/openstack/common/policy.py b/keystone/openstack/common/policy.py
@@ -55,6 +55,7 @@
 """
 
 import abc
+import ast
 import re
 
 from oslo.config import cfg
@@ -119,11 +120,16 @@ def __missing__(self, key):
 
         # If the default rule isn't actually defined, do something
         # reasonably intelligent
-        if not self.default_rule or self.default_rule not in self:
+        if not self.default_rule:
             raise KeyError(key)
 
         if isinstance(self.default_rule, BaseCheck):
             return self.default_rule
+
+        # We need to check this or we can get infinite recursion
+        if self.default_rule not in self:
+            raise KeyError(key)
+
         elif isinstance(self.default_rule, six.string_types):
             return self[self.default_rule]
 
@@ -839,6 +845,8 @@ def __call__(self, target, creds, enforcer):
 
             tenant:%(tenant_id)s
             role:compute:admin
+            True:%(user.enabled)s
+            'Member':%(role.name)s
         """
 
         # TODO(termie): do dict inspection via dot syntax
@@ -849,6 +857,12 @@ def __call__(self, target, creds, enforcer):
             # present in Target return false
             return False
 
-        if self.kind in creds:
-            return match == six.text_type(creds[self.kind])
-        return False
+        try:
+            # Try to interpret self.kind as a literal
+            leftval = ast.literal_eval(self.kind)
+        except ValueError:
+            try:
+                leftval = creds[self.kind]
+            except KeyError:
+                return False
+        return match == six.text_type(leftval)