Add initial permission checks

8ea3fe0c · Szabolcs Gelencser · d484ad4b · 8ea3fe0c · 8ea3fe0c · 8ea3fe0c
Commit 8ea3fe0c authored Feb 26, 2018 by Szabolcs Gelencser
13 changed files
--- a/.idea/inspectionProfiles/Project_Default.xml
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -14,8 +14,11 @@
    <inspection_tool class="PyPackageRequirementsInspection" enabled="true" level="WARNING" enabled_by_default="true">
      <option name="ignoredPackages">
        <value>
-          <list size="1">
+          <list size="4">
            <item index="0" class="java.lang.String" itemvalue="salt" />
+            <item index="1" class="java.lang.String" itemvalue="six" />
+            <item index="2" class="java.lang.String" itemvalue="netaddr" />
+            <item index="3" class="java.lang.String" itemvalue="requests" />
          </list>
        </value>
      </option>

--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
--- a/circle/circle/os_policies/cinder_policy.json
+++ b/circle/circle/os_policies/cinder_policy.json
+{
+    "admin_or_owner":  "is_admin:True or (role:admin and is_admin_project:True) or  project_id:%(project_id)s",
+    "default": "rule:admin_or_owner",
+
+    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
+
+    "volume:create": "",
+    "volume:create_from_image": "",
+    "volume:delete": "rule:admin_or_owner",
+    "volume:force_delete": "rule:admin_api",
+    "volume:get": "rule:admin_or_owner",
+    "volume:get_all": "rule:admin_or_owner",
+    "volume:get_volume_metadata": "rule:admin_or_owner",
+    "volume:create_volume_metadata": "rule:admin_or_owner",
+    "volume:delete_volume_metadata": "rule:admin_or_owner",
+    "volume:update_volume_metadata": "rule:admin_or_owner",
+    "volume:get_volume_admin_metadata": "rule:admin_api",
+    "volume:update_volume_admin_metadata": "rule:admin_api",
+    "volume:get_snapshot": "rule:admin_or_owner",
+    "volume:get_all_snapshots": "rule:admin_or_owner",
+    "volume:create_snapshot": "rule:admin_or_owner",
+    "volume:delete_snapshot": "rule:admin_or_owner",
+    "volume:update_snapshot": "rule:admin_or_owner",
+    "volume:get_snapshot_metadata": "rule:admin_or_owner",
+    "volume:delete_snapshot_metadata": "rule:admin_or_owner",
+    "volume:update_snapshot_metadata": "rule:admin_or_owner",
+    "volume:extend": "rule:admin_or_owner",
+    "volume:extend_attached_volume": "rule:admin_or_owner",
+    "volume:update_readonly_flag": "rule:admin_or_owner",
+    "volume:retype": "rule:admin_or_owner",
+    "volume:update": "rule:admin_or_owner",
+    "volume:revert_to_snapshot": "rule:admin_or_owner",
+
+    "volume_extension:types_manage": "rule:admin_api",
+    "volume_extension:types_extra_specs:create": "rule:admin_api",
+    "volume_extension:types_extra_specs:delete": "rule:admin_api",
+    "volume_extension:types_extra_specs:index": "rule:admin_api",
+    "volume_extension:types_extra_specs:show": "rule:admin_api",
+    "volume_extension:types_extra_specs:update": "rule:admin_api",
+    "volume_extension:access_types_qos_specs_id": "rule:admin_api",
+    "volume_extension:access_types_extra_specs": "rule:admin_api",
+    "volume_extension:volume_type_access": "rule:admin_or_owner",
+    "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
+    "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
+    "volume_extension:volume_type_encryption": "rule:admin_api",
+    "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
+    "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
+    "volume_extension:volume_image_metadata": "rule:admin_or_owner",
+
+    "volume_extension:qos_specs_manage:create": "rule:admin_api",
+    "volume_extension:qos_specs_manage:get": "rule:admin_api",
+    "volume_extension:qos_specs_manage:get_all": "rule:admin_api",
+    "volume_extension:qos_specs_manage:update": "rule:admin_api",
+    "volume_extension:qos_specs_manage:delete": "rule:admin_api",
+
+    "volume_extension:quotas:show": "",
+    "volume_extension:quotas:update": "rule:admin_api",
+    "volume_extension:quotas:delete": "rule:admin_api",
+    "volume_extension:quota_classes": "rule:admin_api",
+    "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
+
+    "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
+    "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
+    "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
+    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
+    "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
+    "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
+    "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
+    "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
+    "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
+
+    "volume_extension:volume_actions:upload_public": "rule:admin_api",
+    "volume_extension:volume_actions:upload_image": "rule:admin_or_owner",
+
+    "volume_extension:volume_host_attribute": "rule:admin_api",
+    "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
+    "volume_extension:volume_mig_status_attribute": "rule:admin_api",
+    "volume_extension:hosts": "rule:admin_api",
+    "volume_extension:services:index": "rule:admin_api",
+    "volume_extension:services:update" : "rule:admin_api",
+
+    "volume_extension:volume_manage": "rule:admin_api",
+    "volume_extension:volume_unmanage": "rule:admin_api",
+    "volume_extension:list_manageable": "rule:admin_api",
+
+    "volume_extension:capabilities": "rule:admin_api",
+
+    "volume:create_transfer": "rule:admin_or_owner",
+    "volume:accept_transfer": "",
+    "volume:delete_transfer": "rule:admin_or_owner",
+    "volume:get_transfer": "rule:admin_or_owner",
+    "volume:get_all_transfers": "rule:admin_or_owner",
+
+    "volume:failover_host": "rule:admin_api",
+    "volume:freeze_host": "rule:admin_api",
+    "volume:thaw_host": "rule:admin_api",
+
+    "backup:create" : "",
+    "backup:delete": "rule:admin_or_owner",
+    "backup:get": "rule:admin_or_owner",
+    "backup:get_all": "rule:admin_or_owner",
+    "backup:restore": "rule:admin_or_owner",
+    "backup:backup-import": "rule:admin_api",
+    "backup:backup-export": "rule:admin_api",
+    "backup:update": "rule:admin_or_owner",
+    "backup:backup_project_attribute": "rule:admin_api",
+
+    "volume:attachment_create": "",
+    "volume:attachment_update": "rule:admin_or_owner",
+    "volume:attachment_delete": "rule:admin_or_owner",
+    "volume:attachment_complete": "rule:admin_or_owner",
+
+    "snapshot_extension:snapshot_actions:update_snapshot_status": "",
+    "snapshot_extension:snapshot_manage": "rule:admin_api",
+    "snapshot_extension:snapshot_unmanage": "rule:admin_api",
+    "snapshot_extension:list_manageable": "rule:admin_api",
+
+    "consistencygroup:create" : "group:nobody",
+    "consistencygroup:delete": "group:nobody",
+    "consistencygroup:update": "group:nobody",
+    "consistencygroup:get": "group:nobody",
+    "consistencygroup:get_all": "group:nobody",
+
+    "consistencygroup:create_cgsnapshot" : "group:nobody",
+    "consistencygroup:delete_cgsnapshot": "group:nobody",
+    "consistencygroup:get_cgsnapshot": "group:nobody",
+    "consistencygroup:get_all_cgsnapshots": "group:nobody",
+
+    "group:group_types_manage": "rule:admin_api",
+    "group:group_types_specs": "rule:admin_api",
+    "group:access_group_types_specs": "rule:admin_api",
+    "group:group_type_access": "rule:admin_or_owner",
+
+    "group:create" : "",
+    "group:delete": "rule:admin_or_owner",
+    "group:update": "rule:admin_or_owner",
+    "group:get": "rule:admin_or_owner",
+    "group:get_all": "rule:admin_or_owner",
+
+    "group:create_group_snapshot": "",
+    "group:delete_group_snapshot": "rule:admin_or_owner",
+    "group:update_group_snapshot": "rule:admin_or_owner",
+    "group:get_group_snapshot": "rule:admin_or_owner",
+    "group:get_all_group_snapshots": "rule:admin_or_owner",
+    "group:reset_group_snapshot_status":"rule:admin_api",
+    "group:reset_status":"rule:admin_api",
+
+    "group:enable_replication": "rule:admin_or_owner",
+    "group:disable_replication": "rule:admin_or_owner",
+    "group:failover_replication": "rule:admin_or_owner",
+    "group:list_replication_targets": "rule:admin_or_owner",
+
+    "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api",
+    "message:delete": "rule:admin_or_owner",
+    "message:get": "rule:admin_or_owner",
+    "message:get_all": "rule:admin_or_owner",
+
+    "clusters:get": "rule:admin_api",
+    "clusters:get_all": "rule:admin_api",
+    "clusters:update": "rule:admin_api",
+
+    "workers:cleanup": "rule:admin_api"
+}
\ No newline at end of file
--- a/circle/circle/os_policies/glance_policy.json
+++ b/circle/circle/os_policies/glance_policy.json
+{
+    "context_is_admin":  "role:admin",
+    "default": "role:admin",
+
+    "add_image": "",
+    "delete_image": "",
+    "get_image": "",
+    "get_images": "",
+    "modify_image": "",
+    "publicize_image": "role:admin",
+    "communitize_image": "",
+    "copy_from": "",
+
+    "download_image": "",
+    "upload_image": "",
+
+    "delete_image_location": "",
+    "get_image_location": "",
+    "set_image_location": "",
+
+    "add_member": "",
+    "delete_member": "",
+    "get_member": "",
+    "get_members": "",
+    "modify_member": "",
+
+    "manage_image_cache": "role:admin",
+
+    "get_task": "",
+    "get_tasks": "",
+    "add_task": "",
+    "modify_task": "",
+    "tasks_api_access": "role:admin",
+
+    "deactivate": "",
+    "reactivate": "",
+
+    "get_metadef_namespace": "",
+    "get_metadef_namespaces":"",
+    "modify_metadef_namespace":"",
+    "add_metadef_namespace":"",
+
+    "get_metadef_object":"",
+    "get_metadef_objects":"",
+    "modify_metadef_object":"",
+    "add_metadef_object":"",
+
+    "list_metadef_resource_types":"",
+    "get_metadef_resource_type":"",
+    "add_metadef_resource_type_association":"",
+
+    "get_metadef_property":"",
+    "get_metadef_properties":"",
+    "modify_metadef_property":"",
+    "add_metadef_property":"",
+
+    "get_metadef_tag":"",
+    "get_metadef_tags":"",
+    "modify_metadef_tag":"",
+    "add_metadef_tag":"",
+    "add_metadef_tags":""
+
+}
\ No newline at end of file
--- a/circle/circle/os_policies/keystone_policy.json
+++ b/circle/circle/os_policies/keystone_policy.json
--- a/circle/circle/os_policies/neutron_policy.json
+++ b/circle/circle/os_policies/neutron_policy.json
--- a/circle/circle/os_policies/nova_policy.json
+++ b/circle/circle/os_policies/nova_policy.json
--- a/circle/circle/settings/base.py
+++ b/circle/circle/settings/base.py
@@ -29,7 +29,6 @@ from django.core.exceptions import ImproperlyConfigured
 from django.utils.translation import ugettext_lazy as _
 from json import loads

-
 # from socket import SOCK_STREAM


@@ -535,3 +534,19 @@ BLACKLIST_HOOK_URL = get_env_variable("BLACKLIST_HOOK_URL", "")
 REQUEST_HOOK_URL = get_env_variable("REQUEST_HOOK_URL", "")

 TWO_FACTOR_ISSUER = get_env_variable("TWO_FACTOR_ISSUER", "CIRCLE")
+
+POLICY_FILES_PATH = os.path.join(BASE_DIR, "os_policies")
+# Map of local copy of service policy files
+POLICY_FILES = {
+    'identity': 'keystone_policy.json',
+    'compute': 'nova_policy.json',
+    'volume': 'cinder_policy.json',
+    'image': 'glance_policy.json',
+    'network': 'neutron_policy.json',
+}
+# Services for which horizon has extra policies are defined
+# in POLICY_DIRS by default.
+POLICY_DIRS = {
+    'compute': ['nova_policy.d'],
+    'volume': ['cinder_policy.d'],
+}
\ No newline at end of file
--- a/circle/common/operations.py
+++ b/circle/common/operations.py
@@ -72,7 +72,7 @@ class Operation(object):
                                "%s" % ", ".join(unexpected_kwargs))

        if not skip_auth_check:
-            self.check_auth(user)
+            self.check_auth(user, request)
        self.check_precond()

        return allargs, auxargs

--- a/circle/dashboard/views/util.py
+++ b/circle/dashboard/views/util.py
@@ -262,16 +262,17 @@ class OperationView(RedirectToLoginMixin, DetailView):
        ctx['template'] = super(OperationView, self).get_template_names()[0]
        return ctx

-    def check_auth(self):
+    def check_auth(self, request):
        logger.debug("OperationView.check_auth(%s)", unicode(self))
-        self.get_op().check_auth(self.request.user)
+        self.get_op().check_auth(self.request.user, request)

    @classmethod
    def check_perms(cls, user):
        cls.get_operation_class().check_perms(user)

    def get(self, request, *args, **kwargs):
-        self.check_auth()
+        self.get_op().instance.get_from_os(request)
+        self.check_auth(request)
        return super(OperationView, self).get(request, *args, **kwargs)

    def get_response_data(self, result, done, extra=None, **kwargs):
@@ -287,7 +288,8 @@ class OperationView(RedirectToLoginMixin, DetailView):
        return extra

    def post(self, request, extra=None, *args, **kwargs):
-        self.check_auth()
+        self.get_op().instance.get_from_os(request)
+        self.check_auth(request)
        self.object = self.get_object()
        if extra is None:
            extra = {}

--- a/circle/dashboard/views/vm.py
+++ b/circle/dashboard/views/vm.py
@@ -111,7 +111,7 @@ class VmDetailView(LoginRequiredMixin, GraphMixin, DetailView):
        context = super(VmDetailView, self).get_context_data(**kwargs)
        instance = context['instance']
        user = self.request.user
-        ops = get_operations(instance, user)
+        ops = get_operations(instance, user, self.request)
        hide_tutorial = self.request.COOKIES.get(
            "hide_tutorial_for_%s" % instance.pk) == "True"
        context.update({
@@ -293,13 +293,13 @@ class VmOperationView(AjaxOperationMixin, OperationView):
        self.object.get_from_os(self.request)
        return ctx

-#
-def get_operations(instance, user):
+
+def get_operations(instance, user, request):
    ops = []
    for k, v in vm_ops.iteritems():
        try:
            op = v.get_op_by_object(instance)
-            # op.check_auth(user)
+            op.check_auth(user, request)
            op.check_precond()
        except PermissionDenied as e:
            logger.debug('Not showing operation %s for %s: %s',
@@ -1268,7 +1268,7 @@ def vm_activity(request, pk):
        'instance': instance,
        'activities': (),
        'show_show_all': False,
-        'ops': get_operations(instance, request.user),
+        'ops': get_operations(instance, request.user, request),
    }

    response['activities'] = render_to_string(

--- a/circle/vm/operations.py
+++ b/circle/vm/operations.py
--- a/requirements/circlestack.txt
+++ b/requirements/circlestack.txt
@@ -68,7 +68,7 @@ msgpack==0.5.4
 msgpack-python==0.5.4
 munch==2.2.0
 MySQL-python==1.2.5
-netaddr==0.7.14
+netaddr==0.7.19
 netifaces==0.10.6
 nltk==3.2.5
 numpy==1.14.0
@@ -78,6 +78,7 @@ os-service-types==1.2.0
 osc-lib==1.9.0
 oslo.config==5.2.0
 oslo.i18n==3.19.0
+oslo.policy==1.33.1
 oslo.serialization==2.24.0
 oslo.utils==3.35.0
 packaging==16.8
@@ -117,7 +118,7 @@ python-novaclient==10.1.0
 pytz==2015.4
 PyYAML==3.12
 repoze.who==2.3
-requests==2.7.0
+requests==2.18.4
 requestsexceptions==1.4.0
 rfc3986==1.1.0
 rosetta==0.3
@@ -128,7 +129,7 @@ semantic-version==2.6.0
 shutilwhich==1.1.0
 simplegeneric==0.8.1
 simplejson==3.7.2
-six==1.9.0
+six==1.11.0
 slimit==0.8.1
 sqlparse==0.1.15
 stevedore==1.28.0