Add policies for API access control to watcher project.

Change-Id: Ibdbe494c636dfaeca9cf2ef8724d0dade1f19c7f
blueprint: watcher-policies

watcher/api/controllers/v1/action.py

@@ -70,6 +70,7 @@ from watcher.api.controllers.v1 import collection
 from watcher.api.controllers.v1 import types
 from watcher.api.controllers.v1 import utils as api_utils
 from watcher.common import exception
+from watcher.common import policy
 from watcher import objects
 
 
@@ -303,6 +304,10 @@ class ActionsController(rest.RestController):
         :param audit_uuid: Optional UUID of an audit,
            to get only actions for that audit.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'action:get_all',
+                       action='action:get_all')
+
         if action_plan_uuid and audit_uuid:
             raise exception.ActionFilterCombinationProhibited
 
@@ -327,6 +332,10 @@ class ActionsController(rest.RestController):
         :param audit_uuid: Optional UUID of an audit,
            to get only actions for that audit.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'action:detail',
+                       action='action:detail')
+
         # NOTE(lucasagomes): /detail should only work agaist collections
         parent = pecan.request.path.split('/')[:-1][-1]
         if parent != "actions":
@@ -350,8 +359,10 @@ class ActionsController(rest.RestController):
         if self.from_actions:
             raise exception.OperationNotPermitted
 
-        action = objects.Action.get_by_uuid(pecan.request.context,
-                                            action_uuid)
+        context = pecan.request.context
+        action = api_utils.get_resource('Action', action_uuid)
+        policy.enforce(context, 'action:get', action, action='action:get')
+
         return Action.convert_with_links(action)
 
     @wsme_pecan.wsexpose(Action, body=Action, status_code=201)

watcher/api/controllers/v1/action_plan.py

@@ -72,6 +72,7 @@ from watcher.api.controllers.v1 import types
 from watcher.api.controllers.v1 import utils as api_utils
 from watcher.applier import rpcapi
 from watcher.common import exception
+from watcher.common import policy
 from watcher import objects
 from watcher.objects import action_plan as ap_objects
 
@@ -358,6 +359,10 @@ class ActionPlansController(rest.RestController):
         :param audit_uuid: Optional UUID of an audit, to get only actions
             for that audit.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'action_plan:get_all',
+                       action='action_plan:get_all')
+
         return self._get_action_plans_collection(
             marker, limit, sort_key, sort_dir, audit_uuid=audit_uuid)
 
@@ -374,6 +379,10 @@ class ActionPlansController(rest.RestController):
         :param audit_uuid: Optional UUID of an audit, to get only actions
             for that audit.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'action_plan:detail',
+                       action='action_plan:detail')
+
         # NOTE(lucasagomes): /detail should only work agaist collections
         parent = pecan.request.path.split('/')[:-1][-1]
         if parent != "action_plans":
@@ -395,8 +404,11 @@ class ActionPlansController(rest.RestController):
         if self.from_actionsPlans:
             raise exception.OperationNotPermitted
 
-        action_plan = objects.ActionPlan.get_by_uuid(
-            pecan.request.context, action_plan_uuid)
+        context = pecan.request.context
+        action_plan = api_utils.get_resource('ActionPlan', action_plan_uuid)
+        policy.enforce(
+            context, 'action_plan:get', action_plan, action='action_plan:get')
+
         return ActionPlan.convert_with_links(action_plan)
 
     @wsme_pecan.wsexpose(None, types.uuid, status_code=204)
@@ -405,11 +417,12 @@ class ActionPlansController(rest.RestController):
 
         :param action_plan_uuid: UUID of a action.
         """
+        context = pecan.request.context
+        action_plan = api_utils.get_resource('ActionPlan', action_plan_uuid)
+        policy.enforce(context, 'action_plan:delete', action_plan,
+                       action='action_plan:delete')
 
-        action_plan_to_delete = objects.ActionPlan.get_by_uuid(
-            pecan.request.context,
-            action_plan_uuid)
-        action_plan_to_delete.soft_delete()
+        action_plan.soft_delete()
 
     @wsme.validate(types.uuid, [ActionPlanPatchType])
     @wsme_pecan.wsexpose(ActionPlan, types.uuid,
@@ -424,9 +437,12 @@ class ActionPlansController(rest.RestController):
         if self.from_actionsPlans:
             raise exception.OperationNotPermitted
 
-        action_plan_to_update = objects.ActionPlan.get_by_uuid(
-            pecan.request.context,
-            action_plan_uuid)
+        context = pecan.request.context
+        action_plan_to_update = api_utils.get_resource('ActionPlan',
+                                                       action_plan_uuid)
+        policy.enforce(context, 'action_plan:update', action_plan_to_update,
+                       action='action_plan:update')
+
         try:
             action_plan_dict = action_plan_to_update.as_dict()
             action_plan = ActionPlan(**api_utils.apply_jsonpatch(

watcher/api/controllers/v1/audit.py

@@ -44,6 +44,7 @@ from watcher.api.controllers.v1 import collection
 from watcher.api.controllers.v1 import types
 from watcher.api.controllers.v1 import utils as api_utils
 from watcher.common import exception
+from watcher.common import policy
 from watcher.common import utils
 from watcher.decision_engine import rpcapi
 from watcher import objects
@@ -308,6 +309,9 @@ class AuditsController(rest.RestController):
         :param audit_template: Optional UUID or name of an audit
          template, to get only audits for that audit template.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'audit:get_all',
+                       action='audit:get_all')
         return self._get_audits_collection(marker, limit, sort_key,
                                            sort_dir,
                                            audit_template=audit_template)
@@ -323,6 +327,9 @@ class AuditsController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'audit:detail',
+                       action='audit:detail')
         # NOTE(lucasagomes): /detail should only work agaist collections
         parent = pecan.request.path.split('/')[:-1][-1]
         if parent != "audits":
@@ -343,8 +350,10 @@ class AuditsController(rest.RestController):
         if self.from_audits:
             raise exception.OperationNotPermitted
 
-        rpc_audit = objects.Audit.get_by_uuid(pecan.request.context,
-                                              audit_uuid)
+        context = pecan.request.context
+        rpc_audit = api_utils.get_resource('Audit', audit_uuid)
+        policy.enforce(context, 'audit:get', rpc_audit, action='audit:get')
+
         return Audit.convert_with_links(rpc_audit)
 
     @wsme_pecan.wsexpose(Audit, body=AuditPostType, status_code=201)
@@ -353,6 +362,10 @@ class AuditsController(rest.RestController):
 
         :param audit_p: a audit within the request body.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'audit:create',
+                       action='audit:create')
+
         audit = audit_p.as_audit()
         if self.from_audits:
             raise exception.OperationNotPermitted
@@ -388,6 +401,12 @@ class AuditsController(rest.RestController):
         if self.from_audits:
             raise exception.OperationNotPermitted
 
+        context = pecan.request.context
+        audit_to_update = api_utils.get_resource('Audit',
+                                                 audit_uuid)
+        policy.enforce(context, 'audit:update', audit_to_update,
+                       action='audit:update')
+
         audit_to_update = objects.Audit.get_by_uuid(pecan.request.context,
                                                     audit_uuid)
         try:
@@ -417,8 +436,9 @@ class AuditsController(rest.RestController):
 
         :param audit_uuid: UUID of a audit.
         """
+        context = pecan.request.context
+        audit_to_delete = api_utils.get_resource('Audit', audit_uuid)
+        policy.enforce(context, 'audit:update', audit_to_delete,
+                       action='audit:update')
 
-        audit_to_delete = objects.Audit.get_by_uuid(
-            pecan.request.context,
-            audit_uuid)
         audit_to_delete.soft_delete()

watcher/api/controllers/v1/audit_template.py

@@ -64,6 +64,7 @@ from watcher.api.controllers.v1 import types
 from watcher.api.controllers.v1 import utils as api_utils
 from watcher.common import context as context_utils
 from watcher.common import exception
+from watcher.common import policy
 from watcher.common import utils as common_utils
 from watcher import objects
 
@@ -493,6 +494,9 @@ class AuditTemplatesController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'audit_template:get_all',
+                       action='audit_template:get_all')
         filters = {}
         if goal:
             if common_utils.is_uuid_like(goal):
@@ -522,6 +526,10 @@ class AuditTemplatesController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'audit_template:detail',
+                       action='audit_template:detail')
+
         # NOTE(lucasagomes): /detail should only work agaist collections
         parent = pecan.request.path.split('/')[:-1][-1]
         if parent != "audit_templates":
@@ -555,14 +563,11 @@ class AuditTemplatesController(rest.RestController):
         if self.from_audit_templates:
             raise exception.OperationNotPermitted
 
-        if common_utils.is_uuid_like(audit_template):
-            rpc_audit_template = objects.AuditTemplate.get_by_uuid(
-                pecan.request.context,
-                audit_template)
-        else:
-            rpc_audit_template = objects.AuditTemplate.get_by_name(
-                pecan.request.context,
-                audit_template)
+        context = pecan.request.context
+        rpc_audit_template = api_utils.get_resource('AuditTemplate',
+                                                    audit_template)
+        policy.enforce(context, 'audit_template:get', rpc_audit_template,
+                       action='audit_template:get')
 
         return AuditTemplate.convert_with_links(rpc_audit_template)
 
@@ -578,6 +583,10 @@ class AuditTemplatesController(rest.RestController):
         if self.from_audit_templates:
             raise exception.OperationNotPermitted
 
+        context = pecan.request.context
+        policy.enforce(context, 'audit_template:create',
+                       action='audit_template:create')
+
         context = pecan.request.context
         audit_template = audit_template_postdata.as_audit_template()
         audit_template_dict = audit_template.as_dict()
@@ -602,6 +611,13 @@ class AuditTemplatesController(rest.RestController):
         if self.from_audit_templates:
             raise exception.OperationNotPermitted
 
+        context = pecan.request.context
+        audit_template_to_update = api_utils.get_resource('AuditTemplate',
+                                                          audit_template)
+        policy.enforce(context, 'audit_template:update',
+                       audit_template_to_update,
+                       action='audit_template:update')
+
         if common_utils.is_uuid_like(audit_template):
             audit_template_to_update = objects.AuditTemplate.get_by_uuid(
                 pecan.request.context,
@@ -639,14 +655,11 @@ class AuditTemplatesController(rest.RestController):
 
         :param audit template_uuid: UUID or name of an audit template.
         """
-
-        if common_utils.is_uuid_like(audit_template):
-            audit_template_to_delete = objects.AuditTemplate.get_by_uuid(
-                pecan.request.context,
-                audit_template)
-        else:
-            audit_template_to_delete = objects.AuditTemplate.get_by_name(
-                pecan.request.context,
-                audit_template)
+        context = pecan.request.context
+        audit_template_to_delete = api_utils.get_resource('AuditTemplate',
+                                                          audit_template)
+        policy.enforce(context, 'audit_template:update',
+                       audit_template_to_delete,
+                       action='audit_template:update')
 
         audit_template_to_delete.soft_delete()

watcher/api/controllers/v1/goal.py

@@ -46,7 +46,7 @@ from watcher.api.controllers.v1 import collection
 from watcher.api.controllers.v1 import types
 from watcher.api.controllers.v1 import utils as api_utils
 from watcher.common import exception
-from watcher.common import utils as common_utils
+from watcher.common import policy
 from watcher import objects
 
 CONF = cfg.CONF
@@ -201,6 +201,9 @@ class GoalsController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'goal:get_all',
+                       action='goal:get_all')
         return self._get_goals_collection(marker, limit, sort_key, sort_dir)
 
     @wsme_pecan.wsexpose(GoalCollection, wtypes.text, int,
@@ -213,6 +216,9 @@ class GoalsController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'goal:detail',
+                       action='goal:detail')
         # NOTE(lucasagomes): /detail should only work agaist collections
         parent = pecan.request.path.split('/')[:-1][-1]
         if parent != "goals":
@@ -231,11 +237,8 @@ class GoalsController(rest.RestController):
         if self.from_goals:
             raise exception.OperationNotPermitted
 
-        if common_utils.is_uuid_like(goal):
-            get_goal_func = objects.Goal.get_by_uuid
-        else:
-            get_goal_func = objects.Goal.get_by_name
-
-        rpc_goal = get_goal_func(pecan.request.context, goal)
+        context = pecan.request.context
+        rpc_goal = api_utils.get_resource('Goal', goal)
+        policy.enforce(context, 'goal:get', rpc_goal, action='goal:get')
 
         return Goal.convert_with_links(rpc_goal)

watcher/api/controllers/v1/strategy.py

@@ -41,6 +41,7 @@ from watcher.api.controllers.v1 import collection
 from watcher.api.controllers.v1 import types
 from watcher.api.controllers.v1 import utils as api_utils
 from watcher.common import exception
+from watcher.common import policy
 from watcher.common import utils as common_utils
 from watcher import objects
 
@@ -223,6 +224,9 @@ class StrategiesController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'strategy:get_all',
+                       action='strategy:get_all')
         filters = {}
         if goal:
             if common_utils.is_uuid_like(goal):
@@ -245,6 +249,9 @@ class StrategiesController(rest.RestController):
         :param sort_key: column to sort results by. Default: id.
         :param sort_dir: direction to sort. "asc" or "desc". Default: asc.
         """
+        context = pecan.request.context
+        policy.enforce(context, 'strategy:detail',
+                       action='strategy:detail')
         # NOTE(lucasagomes): /detail should only work agaist collections
         parent = pecan.request.path.split('/')[:-1][-1]
         if parent != "strategies":
@@ -271,11 +278,9 @@ class StrategiesController(rest.RestController):
         if self.from_strategies:
             raise exception.OperationNotPermitted
 
-        if common_utils.is_uuid_like(strategy):
-            get_strategy_func = objects.Strategy.get_by_uuid
-        else:
-            get_strategy_func = objects.Strategy.get_by_name
-
-        rpc_strategy = get_strategy_func(pecan.request.context, strategy)
+        context = pecan.request.context
+        rpc_strategy = api_utils.get_resource('Strategy', strategy)
+        policy.enforce(context, 'strategy:get', rpc_strategy,
+                       action='strategy:get')
 
         return Strategy.convert_with_links(rpc_strategy)

watcher/api/controllers/v1/utils.py

@@ -15,9 +15,12 @@
 
 import jsonpatch
 from oslo_config import cfg
+from oslo_utils import uuidutils
+import pecan
 import wsme
 
 from watcher._i18n import _
+from watcher import objects
 
 CONF = cfg.CONF
 
@@ -75,3 +78,19 @@ def as_filters_dict(**filters):
             filters_dict[filter_name] = filter_value
 
     return filters_dict
+
+
+def get_resource(resource, resource_ident):
+    """Get the resource from the uuid or logical name.
+
+    :param resource: the resource type.
+    :param resource_ident: the UUID or logical name of the resource.
+
+    :returns: The resource.
+    """
+    resource = getattr(objects, resource)
+
+    if uuidutils.is_uuid_like(resource_ident):
+        return resource.get_by_uuid(pecan.request.context, resource_ident)
+
+    return resource.get_by_name(pecan.request.context, resource_ident)