Merge "Use openstack-common's policy module"

ttx · Jun 5, 2012 · 1334ce8 · 1334ce8
2 parents 68d5835 + 18ed0b0
commit 1334ce8
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 19 deletions.
diff --git a/nova/common/policy.py → nova/openstack/common/policy.py b/nova/common/policy.py → nova/openstack/common/policy.py
@@ -18,12 +18,12 @@
 """Common Policy Engine Implementation"""
 
 import json
+import logging
 import urllib
 import urllib2
 
 
-class NotAuthorized(Exception):
-    pass
+LOG = logging.getLogger(__name__)
 
 
 _BRAIN = None
@@ -45,7 +45,8 @@ def reset():
     _BRAIN = None
 
 
-def enforce(match_list, target_dict, credentials_dict):
+def enforce(match_list, target_dict, credentials_dict, exc=None,
+            *args, **kwargs):
     """Enforces authorization of some rules against credentials.
 
     :param match_list: nested tuples of data to match against
@@ -106,14 +107,24 @@ def enforce(match_list, target_dict, credentials_dict):
       Credentials dicts contain as much information as we can about the user
       performing the action.
 
-    :raises NotAuthorized: if the check fails
+    :param exc: exception to raise
 
+      Class of the exception to raise if the check fails.  Any remaining
+      arguments passed to enforce() (both positional and keyword arguments)
+      will be passed to the exception class.  If exc is not provided, returns
+      False.
+
+    :return: True if the policy allows the action
+    :return: False if the policy does not allow the action and exc is not set
     """
     global _BRAIN
     if not _BRAIN:
         _BRAIN = Brain()
     if not _BRAIN.check(match_list, target_dict, credentials_dict):
-        raise NotAuthorized()
+        if exc:
+            raise exc(*args, **kwargs)
+        return False
+    return True
 
 
 class Brain(object):
@@ -132,7 +143,12 @@ def add_rule(self, key, match):
         self.rules[key] = match
 
     def _check(self, match, target_dict, cred_dict):
-        match_kind, match_value = match.split(':', 1)
+        try:
+            match_kind, match_value = match.split(':', 1)
+        except Exception:
+            LOG.exception(_("Failed to understand rule %(match)r") % locals())
+            # If the rule is invalid, fail closed
+            return False
         try:
             f = getattr(self, '_check_%s' % match_kind)
         except AttributeError:

diff --git a/nova/policy.py b/nova/policy.py
@@ -19,10 +19,10 @@
 
 import os.path
 
-from nova.common import policy
 from nova import exception
 from nova import flags
 from nova.openstack.common import cfg
+from nova.openstack.common import policy
 from nova import utils
 
 
@@ -90,7 +90,5 @@ def enforce(context, action, target):
     match_list = ('rule:%s' % action,)
     credentials = context.to_dict()
 
-    try:
-        policy.enforce(match_list, target, credentials)
-    except policy.NotAuthorized:
-        raise exception.PolicyNotAuthorized(action=action)
+    policy.enforce(match_list, target, credentials,
+                   exception.PolicyNotAuthorized, action=action)
diff --git a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
@@ -22,10 +22,10 @@
 import webob
 
 from nova.api.openstack.compute.contrib import simple_tenant_usage
-from nova.common import policy as common_policy
 from nova.compute import api
 from nova import context
 from nova import flags
+from nova.openstack.common import policy as common_policy
 from nova import policy
 from nova import test
 from nova.tests.api.openstack import fakes

diff --git a/nova/tests/compute/test_compute.py b/nova/tests/compute/test_compute.py
@@ -26,7 +26,6 @@
 import mox
 
 import nova
-import nova.common.policy
 from nova import compute
 from nova.compute import aggregate_states
 from nova.compute import api as compute_api
@@ -44,6 +43,7 @@
 from nova import log as logging
 from nova.notifier import test_notifier
 from nova.openstack.common import importutils
+from nova.openstack.common import policy as common_policy
 import nova.policy
 from nova import quota
 from nova import rpc
@@ -3961,7 +3961,7 @@ def tearDown(self):
         nova.policy.reset()
 
     def _set_rules(self, rules):
-        nova.common.policy.set_brain(nova.common.policy.HttpBrain(rules))
+        common_policy.set_brain(common_policy.HttpBrain(rules))
 
     def test_actions_are_prefixed(self):
         self.mox.StubOutWithMock(nova.policy, 'enforce')

diff --git a/nova/tests/test_policy.py b/nova/tests/test_policy.py
@@ -21,11 +21,10 @@
 import StringIO
 import urllib2
 
-from nova.common import policy as common_policy
-import nova.common.policy
 from nova import context
 from nova import exception
 from nova import flags
+from nova.openstack.common import policy as common_policy
 from nova import policy
 from nova import test
 from nova import utils
@@ -169,8 +168,8 @@ def setUp(self):
         self.context = context.RequestContext('fake', 'fake')
 
     def _set_brain(self, default_rule):
-        brain = nova.common.policy.HttpBrain(self.rules, default_rule)
-        nova.common.policy.set_brain(brain)
+        brain = common_policy.HttpBrain(self.rules, default_rule)
+        common_policy.set_brain(brain)
 
     def tearDown(self):
         super(DefaultPolicyTestCase, self).tearDown()

diff --git a/openstack-common.conf b/openstack-common.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 
 # The list of modules to copy from openstack-common
-modules=cfg,excutils,local,importutils,iniparser,jsonutils,setup
+modules=cfg,excutils,local,importutils,iniparser,jsonutils,setup,policy
 
 # The base module to hold the copy of openstack.common
 base=nova