From 860aa86e0305c8cdc4cc509e971c39003ef0a5ea Mon Sep 17 00:00:00 2001
From: termie
Date: Thu, 17 Nov 2011 11:58:43 -0800
Subject: add the policy code

---
 keystonelight/backends/policy.py | 23 +++++++++++++++++++++++
 keystonelight/keystone_compat.py | 11 +++++++++--
 keystonelight/policy.py          | 18 ++++++++++++++++++
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 keystonelight/backends/policy.py
 create mode 100644 keystonelight/policy.py

diff --git a/keystonelight/backends/policy.py b/keystonelight/backends/policy.py
new file mode 100644
index 00000000..780cf0aa
--- /dev/null
+++ b/keystonelight/backends/policy.py
@@ -0,0 +1,23 @@
+
+
+class TrivialTrue(object):
+    def __init__(self, options):
+        self.options = options
+
+    def can_haz(self, target, credentials):
+        return True
+
+
+class SimpleMatch(object):
+    def __init__(self, options):
+        self.options = options
+
+    def can_haz(self, target, credentials):
+        """Check whether key-values in target are present in credentials."""
+        # TODO(termie): handle ANDs, probably by providing a tuple instead of a
+        # string
+        for requirement in target:
+            key, match = requirement.split(':', 1)
+            check = credentials.get(key)
+            if check == match:
+                return True
diff --git a/keystonelight/keystone_compat.py b/keystonelight/keystone_compat.py
index 83fb5700..807a10bc 100644
--- a/keystonelight/keystone_compat.py
+++ b/keystonelight/keystone_compat.py
@@ -44,7 +44,6 @@ class KeystoneController(service.BaseApplication):
         self.identity_api = identity.Manager(options)
         self.token_api = token.Manager(options)
         self.policy_api = policy.Manager(options)
-        pass
 
     def noop(self, context):
         return {}
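Review bot: SimpleMatch.can_haz falls off the end of its loop without a return when no requirement matches, so a denial is signalled by an implicit None rather than False, and a requirement string without a ':' makes the split() call raise ValueError out of the policy check instead of denying; add `return False` after the loop. The match is a plain string equality against `credentials.get(key)`, so the call site's `'roles:admin'` only succeeds if the roles credential is the string 'admin', which looks unlikely if roles is a list — worth confirming what the token's extras actually hold. TrivialTrue.can_haz ignores both arguments, which is fine for a development driver, but it deserves a docstring such as `"""Grant every request; development-only driver."""` so nobody configures it by accident.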
@@ -155,7 +154,15 @@ class KeystoneController(service.BaseApplication):
         Optionally, also ensure that it is owned by a specific tenant.
 
         """
-        assert context['is_admin']
+        # TODO(termie): this stuff should probably be moved to middleware
+        if not context['is_admin']:
+            user_token_ref = self.token_api.get_token(context['token_id'])
+            creds = user_token_ref['extras'].copy()
+            creds['user_id'] = user_token_ref['user'].get('id')
+            creds['tenant_id'] = user_token_ref['tenant'].get('id')
+            # Accept either is_admin or the admin role
+            assert self.policy_api.can_haz(('is_admin:1', 'roles:admin'),
+                                           creds)
 
         token_ref = self.token_api.get_token(context=context,
                                              token_id=token_id)
diff --git a/keystonelight/policy.py b/keystonelight/policy.py
new file mode 100644
index 00000000..147c6501
--- /dev/null
+++ b/keystonelight/policy.py
@@ -0,0 +1,18 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# the catalog interfaces
+
+import uuid
+
+from keystonelight import utils
+
+
+class Manager(object):
+    def __init__(self, options):
+        self.options = options
+        self.driver = utils.import_object(options['policy_driver'],
+                                          options=options)
+
+    def can_haz(self, context, target, credentials):
+        """Check whether the given creds can perform action on target."""
+        return self.driver.can_haz(target, credentials)
-- 
cgit
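Review bot: The authorization decision on the added `assert self.policy_api.can_haz(...)` line is enforced with assert, which Python strips under -O, so the admin check disappears entirely in an optimized run; replace it with `if not self.policy_api.can_haz(('is_admin:1', 'roles:admin'), creds):` followed by raising whatever forbidden/unauthorized error this file already uses for denied requests. `context['token_id']` and `user_token_ref['user'].get('id')` also raise KeyError or AttributeError when the request carries no token or the token record has no user or tenant, which surfaces as a server error rather than a denial — I cannot tell from the hunk whether callers guarantee those keys. The enclosing method starts outside the hunk.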
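Review bot: In the new policy.py, `import uuid` is unused and the header comment `# the catalog interfaces` reads as a copy from the catalog module; change it to `# the policy interfaces`. Manager.can_haz takes a `context` argument that it never forwards to `self.driver.can_haz(target, credentials)`, so the manager and driver signatures disagree; either drop the parameter or document that it is currently unused. A class docstring on Manager noting that the driver is loaded via `utils.import_object(options['policy_driver'], ...)` would help readers locate the backends.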