path: root/oslo_policy/shell.py
Commit message | Author | Age | Files | Lines
* Ussuri+ is python3 only and update python to python3 | dengzhaosen | 2021-05-06 | 1 | -1/+1

    Change-Id: I8162d5c413de6a73614443fdcd30ee472cb81035
* Switch to collections.abc.MutableMapping | Cyril Roelandt | 2021-01-29 | 1 | -2/+2

    collections.MutableMapping has been deprecated since Python 3.3 and is
    removed in Python 3.10. The functionality should be identical.

    Change-Id: Ic96309fef409ba01dd24a3a70ff132a9f5352f9c
* Modernize policy checker | Colleen Murphy | 2019-10-10 | 1 | -2/+8

    Without this patch, the policy checker issues a 'failed' result when
    checking a system-scoped sample token against a policy string like
    "role:admin and system_scope:all", because the policy checker does not
    understand the 'system_scope' attribute that is now in oslo.context[1]
    and wasn't parsing the "system" scope object from the sample token.
    Similarly, it fails on a string like "user_id:%(user_id)s" because it
    never looked up the user_id from the sample token.

    This change updates the policy checker to understand token contexts and
    policies like these so that more of the policy defaults in keystone, and
    soon other projects, will pass. This also adds a new system-scoped
    sample token to check against.

    [1] https://review.opendev.org/530509

    Change-Id: I02fbbc99d28aa5c787133f530f6e968341107bf7
* Add ability for policy-checker to read configuration | Juan Antonio Osorio Robles | 2019-01-21 | 1 | -8/+27

    Reading configurations will enable us to be able to use the
    oslopolicy-checker to do external checks (which require the
    configuration in the enforcer).

    Change-Id: If2e697f9ac0317046f5a872ad668b42c1b32eb1e
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Fixes is_admin type from StrOpt to BoolOpt. | Moisés Guimarães de Medeiros | 2019-01-03 | 1 | -9/+7

    oslo.config already has a proper type to deal with boolean options.

    Change-Id: I675c1dbfa13ca68506042f7907082b0e3d51672a
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Fixes file access using with statements. | Moisés Guimarães de Medeiros | 2019-01-03 | 1 | -7/+11

    Change-Id: If29fcf542c48a931edfebb7763d80f045c2fa0d7
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* Use oslo.config instead of argparse. | Moisés Guimarães de Medeiros | 2018-12-20 | 1 | -30/+34

    Changing arg consumption from argparse to oslo.config in order to also
    provide behavior control using config files.

    Change-Id: Iec4dab763b973b70c98077cb29708acd9cbbcec4
    Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
* oslopolicy-checker: iterate through rules in sorted order | Juan Antonio Osorio Robles | 2018-11-27 | 1 | -1/+1

    This makes it easier for folks checking their policies to just execute
    their rule checks and compare them with the original output. Instead of
    having to manually pipe the result and sort it.

    Change-Id: I8d45173578d3b309b97caaa7d4e87cb2aec0e8f2
* Add ability to pass in target data for the oslopolicy-checker (tag: 1.41.0) | Juan Antonio Osorio Robles | 2018-11-02 | 1 | -5/+33

    This allows us to test the policy for other services which might have
    different or unusual target data formats (such as Barbican).

    It would be possible to pass it as a nested dictionary, e.g.:

        {
            "target": {
                "secret": {
                    "project_id": "my project id"
                }
            }
        }

    or as a key pair (as oslo.policy would expect):

        {
            "target.secret.project_id": "my project id"
        }

    Both will work (note that this logic was taken from barbican).

    This fixes around the limitation that the target is hardcoded to be
    "project_id", and thus allows to test more scenarios (such as the
    project ID not matching).

    Change-Id: Ia9f7462072a8cb142251c8bb5ef19d9a25a98119
* Pass in policy name as part of the oslopolicy-check check call | Juan Antonio Osorio Robles | 2018-11-01 | 1 | -1/+1

    We were not passing the policy name, which made it quite hard to test
    out external checks given that this is information that is passed in
    there. This passes that parameter.

    Change-Id: I217a6545bdf753470e08b39de2c0df08ffa1f82f
* Remove dead code and use default value of argparse. | Sami Makki | 2017-01-02 | 1 | -12/+4

    In the 'tool' method, the var 'apply_rule' was tested, and the method
    returned if it was true. Then, it was tested again even though it could
    only be 'false' (or not be None).

    Also, an unused parameter of main() had been removed.

    Closes-Bug #1650599
    Change-Id: I4b265ef609d4a5fc8128f40359cf8d04ee8cbe28
    Signed-off-by: Sami Makki <mail@samimakki.fr>
* Deprecate load_json() in favor of load() | Brant Knudson | 2016-02-22 | 1 | -1/+1

    The Rules.load_json function now supports loading YAML and is not
    limited to JSON. As such, the name is changed to load(). The old name
    remains but is deprecated.

    bp policy-yaml

    Change-Id: I8c71d1a566779f1641106a996ebbc9551e2f05e3
* Add oslopolicy-checker command-line tool | Adam Young | 2016-01-12 | 1 | -0/+100

    Allows testing the access_data from a Keystone token against all rules
    in a policy file. Optionally can test a single rule.

    See

        $ tox -e venv -- oslopolicy-checker --help

    For more details

    Co-Authored-By: Ian Cordasco <graffatcolmingov@gmail.com>
    Implements-Blueprint: oslopolicy-cli
    Change-Id: I8b2e8739c85077e856775f37e9868eb0a8babb3c