| Commit message | Author | Age | Files | Lines |
Change-Id: I8162d5c413de6a73614443fdcd30ee472cb81035
collections.MutableMapping has been deprecated since Python 3.3 and
is removed in Python 3.10. The functionality should be identical.
Change-Id: Ic96309fef409ba01dd24a3a70ff132a9f5352f9c
Without this patch, the policy checker issues a 'failed' result when
checking a system-scoped sample token against a policy string like
"role:admin and system_scope:all", because the policy checker does not
understand the 'system_scope' attribute that is now in oslo.context[1]
and wasn't parsing the "system" scope object from the sample token.
Similarly, it fails on a string like "user_id:%(user_id)s" because it
never looked up the user_id from the sample token. This change updates
the policy checker to understand token contexts and policies like these
so that more of the policy defaults in keystone, and soon other
projects, will pass. This also adds a new system-scoped sample token to
check against.
[1] https://review.opendev.org/530509
Change-Id: I02fbbc99d28aa5c787133f530f6e968341107bf7
Reading configurations will enable us to be able to use the
oslopolicy-checker to do external checks (which require the
configuration in the enforcer).
Change-Id: If2e697f9ac0317046f5a872ad668b42c1b32eb1e
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
oslo.config already has a proper type to deal with boolean options.
Change-Id: I675c1dbfa13ca68506042f7907082b0e3d51672a
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Change-Id: If29fcf542c48a931edfebb7763d80f045c2fa0d7
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Changing arg consumption from argparse to oslo.config in
order to also provide behavior control using config files.
Change-Id: Iec4dab763b973b70c98077cb29708acd9cbbcec4
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
This makes it easier for folks checking their policies to just
execute their rule checks and compare them with the original output,
instead of having to manually pipe the result and sort it.
Change-Id: I8d45173578d3b309b97caaa7d4e87cb2aec0e8f2
This allows us to test the policy for other services which might have
different or unusual target data formats (such as Barbican). It would be
possible to pass it as a nested dictionary, e.g.:
    {
        "target": {
            "secret": {
                "project_id": "my project id"
            }
        }
    }
or as a key pair (as oslo.policy would expect):
    {
        "target.secret.project_id": "my project id"
    }
Both will work (note that this logic was taken from barbican).
This works around the limitation that the target is hardcoded to be
"project_id", and thus allows testing more scenarios (such as the
project ID not matching).
Change-Id: Ia9f7462072a8cb142251c8bb5ef19d9a25a98119
We were not passing the policy name, which made it quite hard to test
out external checks given that this is information that is passed in
there. This passes that parameter.
Change-Id: I217a6545bdf753470e08b39de2c0df08ffa1f82f
In the 'tool' method, the var 'apply_rule' was tested, and the
method returned if it was true. Then, it was tested again even
though it could only be 'false' (or not be None).
Also, an unused parameter of main() had been removed.
Closes-Bug #1650599
Change-Id: I4b265ef609d4a5fc8128f40359cf8d04ee8cbe28
Signed-off-by: Sami Makki <mail@samimakki.fr>
The Rules.load_json function now supports loading YAML and is not
limited to JSON. As such, the name is changed to load(). The old
name remains but is deprecated.
bp policy-yaml
Change-Id: I8c71d1a566779f1641106a996ebbc9551e2f05e3
Allows testing the access_data from a Keystone token against
all rules in a policy file.
Optionally can test a single rule. See
$ tox -e venv -- oslopolicy-checker --help
For more details
Co-Authored-By: Ian Cordasco <graffatcolmingov@gmail.com>
Implements-Blueprint: oslopolicy-cli
Change-Id: I8b2e8739c85077e856775f37e9868eb0a8babb3c