patrole_tempest_plugin/requirements_authority.py

# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
import copy
import yaml

from oslo_log import log as logging

from tempest import config
from tempest.lib import exceptions as lib_exc

from patrole_tempest_plugin.rbac_authority import RbacAuthority
from patrole_tempest_plugin import rbac_exceptions

CONF = config.CONF
LOG = logging.getLogger(__name__)


class RequirementsParser(object):
    """A class that parses a custom requirements file."""
    _inner = None

    class Inner(object):
        _rbac_map = None

        def __init__(self, filepath):
            with open(filepath) as f:
                RequirementsParser.Inner._rbac_map = \
                    list(yaml.safe_load_all(f))

    def __init__(self, filepath):
        if RequirementsParser._inner is None:
            RequirementsParser._inner = RequirementsParser.Inner(filepath)

    @staticmethod
    def parse(component):
        """Parses a requirements file with the following format:

        .. code-block:: yaml

            <service_foo>:
              <api_action_a>:
                - <allowed_role_1>
                - <allowed_role_2>,<allowed_role_3>
                - <allowed_role_3>
              <api_action_b>:
                - <allowed_role_2>
                - <allowed_role_4>
            <service_bar>:
              <api_action_c>:
                - <allowed_role_3>

        :param str component: Name of the OpenStack service to be validated.
        :returns: The dictionary that maps each policy action to the list
            of allowed roles, for the given ``component``.
        :rtype: dict
        """
        try:
            for section in RequirementsParser.Inner._rbac_map:
                if component in section:
                    rules = copy.copy(section[component])

                    for rule in rules:
                        rules[rule] = [
                            roles.split(',') for roles in rules[rule]]

                        for i, role_pack in enumerate(rules[rule]):
                            rules[rule][i] = [r.strip() for r in role_pack]

                    return rules
        except yaml.parser.ParserError:
            LOG.error("Error while parsing the requirements YAML file. Did "
                      "you pass a valid component name from the test case?")
        return {}


class RequirementsAuthority(RbacAuthority):
    """A class that uses a custom requirements file to validate RBAC."""

    def __init__(self, filepath=None, component=None):
        """This class can be used to achieve a requirements-driven approach to
        validating an OpenStack cloud's RBAC implementation. Using this
        approach, Patrole computes expected test results by performing lookups
        against a custom requirements file which precisely defines the cloud's
        RBAC requirements.

        :param str filepath: Path where the custom requirements file lives.
            Defaults to ``[patrole].custom_requirements_file``.
        :param str component: Name of the OpenStack service to be validated.
        """
        self.filepath = filepath or CONF.patrole.custom_requirements_file
        if component is not None:
            self.roles_dict = RequirementsParser(self.filepath).parse(
                component)
        else:
            self.roles_dict = None

    def allowed(self, rule_name, roles):
        """Checks if a given rule in a policy is allowed with given role.

        :param string rule_name: Rule to be checked using provided requirements
            file specified by ``[patrole].custom_requirements_file``. Must be
            a key present in this file, under the appropriate component.
        :param List[string] roles: Roles to validate against custom
            requirements file.
        :returns: True if ``role`` is allowed to perform ``rule_name``, else
            False.
        :rtype: bool
        :raises RbacParsingException: If ``rule_name`` does not exist among the
            keyed policy names in the custom requirements file.
        """
        if not self.roles_dict:
            raise lib_exc.InvalidConfiguration(
                "Roles dictionary parsed from requirements YAML file is "
                "empty. Ensure the requirements YAML file is correctly "
                "formatted.")
        try:
            requirement_roles = self.roles_dict[rule_name]
        except KeyError:
            raise rbac_exceptions.RbacParsingException(
                "'%s' rule name is not defined in the requirements YAML file: "
                "%s" % (rule_name, self.filepath))

        for role_reqs in requirement_roles:
            required_roles = [
                role for role in role_reqs if not role.startswith("!")]
            forbidden_roles = [
                role[1:] for role in role_reqs if role.startswith("!")]

            # User must have all required roles
            required_passed = all([r in roles for r in required_roles])
            # User must not have any forbidden roles
            forbidden_passed = all([r not in forbidden_roles
                                    for r in roles])

            if required_passed and forbidden_passed:
                return True

        return False