98
def _build_match_list(action, target):
99
"""Create the list of rules to match for a given action.
98
def _build_match_rule(action, target):
99
"""Create the rule to match for a given action.
101
The list of policy rules to be matched is built in the following way:
101
The policy rule to be matched is built in the following way:
102
102
1) add entries for matching permission on objects
103
103
2) add an entry for the specific action (e.g.: create_network)
104
104
3) add an entry for attributes of a resource for which the action
119
119
attribute = res_map[resource][attribute_name]
120
120
if 'enforce_policy' in attribute and is_write:
121
match_list += ('rule:%s:%s' % (action,
121
attr_rule = policy.RuleCheck('rule', '%s:%s' %
122
(action, attribute_name))
123
match_rule = policy.AndCheck([match_rule, attr_rule])
126
128
@policy.register('field')
127
def check_field(brain, match_kind, match, target_dict, cred_dict):
128
# If this method is invoked for the wrong kind of match
129
# which should never happen, just skip the check and don't
130
# fail the policy evaluation
131
if match_kind != 'field':
132
LOG.warning("Field check function invoked with wrong match_kind:%s",
135
resource, field_value = match.split(':', 1)
136
field, value = field_value.split('=', 1)
137
target_value = target_dict.get(field)
138
# target_value might be a boolean, explicitly compare with None
139
if target_value is None:
140
LOG.debug("Unable to find requested field: %s in target: %s",
143
# Value migth need conversion - we need help from the attribute map
144
conv_func = attributes.RESOURCE_ATTRIBUTE_MAP[resource][field].get(
145
'convert_to', lambda x: x)
146
if target_value != conv_func(value):
147
LOG.debug("%s does not match the value in the target object:%s",
148
conv_func(value), target_value)
150
# If we manage to get here, the policy check is successful
129
class FieldCheck(policy.Check):
130
def __init__(self, kind, match):
132
resource, field_value = match.split(':', 1)
133
field, value = field_value.split('=', 1)
135
super(FieldCheck, self).__init__(kind, '%s:%s:%s' %
136
(resource, field, value))
138
# Value might need conversion - we need help from the attribute map
140
attr = attributes.RESOURCE_ATTRIBUTE_MAP[resource][field]
141
conv_func = attr['convert_to']
143
conv_func = lambda x: x
146
self.value = conv_func(value)
148
def __call__(self, target_dict, cred_dict):
149
target_value = target_dict.get(self.field)
150
# target_value might be a boolean, explicitly compare with None
151
if target_value is None:
152
LOG.debug("Unable to find requested field: %s in target: %s",
153
self.field, target_dict)
156
return target_value == self.value
154
159
def check(context, action, target, plugin=None):
169
174
real_target = _build_target(action, target, plugin, context)
170
match_list = _build_match_list(action, real_target)
175
match_rule = _build_match_rule(action, real_target)
171
176
credentials = context.to_dict()
172
return policy.enforce(match_list, real_target, credentials)
177
return policy.check(match_rule, real_target, credentials)
175
180
def enforce(context, action, target, plugin=None):
191
196
real_target = _build_target(action, target, plugin, context)
192
match_list = _build_match_list(action, real_target)
197
match_rule = _build_match_rule(action, real_target)
193
198
credentials = context.to_dict()
194
policy.enforce(match_list, real_target, credentials,
195
exceptions.PolicyNotAuthorized, action=action)
199
return policy.check(match_rule, real_target, credentials,
200
exceptions.PolicyNotAuthorized, action=action)