add the policy code

openstack · Nov 17, 2011 · 860aa86 · 860aa86
1 parent 63943c9
commit 860aa86
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 2 deletions.
diff --git a/keystonelight/backends/policy.py b/keystonelight/backends/policy.py
@@ -0,0 +1,23 @@
+
+
+class TrivialTrue(object):
+  def __init__(self, options):
+    self.options = options
+
+  def can_haz(self, target, credentials):
+    return True
+
+
+class SimpleMatch(object):
+  def __init__(self, options):
+    self.options = options
+
+  def can_haz(self, target, credentials):
+    """Check whether key-values in target are present in credentials."""
+    # TODO(termie): handle ANDs, probably by providing a tuple instead of a
+    #               string
+    for requirement in target:
+      key, match = requirement.split(':', 1)
+      check = credentials.get(key)
+      if check == match:
+        return True
diff --git a/keystonelight/keystone_compat.py b/keystonelight/keystone_compat.py
@@ -44,7 +44,6 @@ def __init__(self, options):
         self.identity_api = identity.Manager(options)
         self.token_api = token.Manager(options)
         self.policy_api = policy.Manager(options)
-        pass
 
     def noop(self, context):
         return {}
@@ -155,7 +154,15 @@ def validate_token(self, context, token_id, belongs_to=None):
         Optionally, also ensure that it is owned by a specific tenant.
 
         """
-        assert context['is_admin']
+        # TODO(termie): this stuff should probably be moved to middleware
+        if not context['is_admin']:
+            user_token_ref = self.token_api.get_token(context['token_id'])
+            creds = user_token_ref['extras'].copy()
+            creds['user_id'] = user_token_ref['user'].get('id')
+            creds['tenant_id'] = user_token_ref['tenant'].get('id')
+            # Accept either is_admin or the admin role
+            assert self.policy_api.can_haz(('is_admin:1', 'roles:admin'),
+                                           creds)
 
         token_ref = self.token_api.get_token(context=context,
                                              token_id=token_id)

diff --git a/keystonelight/policy.py b/keystonelight/policy.py
@@ -0,0 +1,18 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# the catalog interfaces
+
+import uuid
+
+from keystonelight import utils
+
+
+class Manager(object):
+    def __init__(self, options):
+        self.options = options
+        self.driver = utils.import_object(options['policy_driver'],
+                                          options=options)
+
+    def can_haz(self, context, target, credentials):
+        """Check whether the given creds can perform action on target."""
+        return self.driver.can_haz(target, credentials)