Add In Some Actions

unikorn-cloud · Aug 5, 2024 · ed800dd · ed800dd
1 parent caafede
commit ed800dd
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 39 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -0,0 +1,23 @@
+name: Unikorn Push
+on:
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+jobs:
+  Static:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Install pylint
+      run: pip3 install pylint
+    - name: Build
+      run: python3 -m build
+    - name: Install
+      # TODO: make this dynamic somehow by reading out from the toml.
+      run: pip3 install --upgrade dist/python_unikorn_openstack_policy-0.1.0-py3-none-any.whl
+    - name: Pylint
+      run: pylint unikorn_openstack_policy
diff --git a/README.md b/README.md
@@ -15,11 +15,19 @@ Oslo policy generation and testing framework.
 
 ```bash
 python3 -m build
-pip3 install --upgrade dist/python_unikorn_openstack_policy-0.1.0-py3-none-any.whl
+pip3 install dist/python_unikorn_openstack_policy-0.1.0-py3-none-any.whl
 ```
 
 ## Generating Policy Files
 
 ```bash
 oslopolicy-sample-generator --namespace unikorn_openstack_policy
 ```
+
+## Coding Standards
+
+You require 10/10 when running:
+
+```bash
+pylint unikorn_openstack_policy
+```
diff --git a/unikorn_openstack_policy/policy.py b/unikorn_openstack_policy/policy.py
@@ -18,42 +18,10 @@
 
 # pylint: disable=line-too-long
 
-from neutron.conf.policies import base
+from neutron.conf.policies import base, network
 from oslo_policy import policy
 
 rules = [
-    # Base rule definitions must be exact copies of the base poilicy.
-    policy.RuleDefault(
-        name='base_create_network',
-        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        description='Create a network',
-    ),
-    policy.RuleDefault(
-        name='base_create_network:segments',
-        check_str=base.ADMIN,
-        description='Specify ``segments`` attribute when creating a network',
-    ),
-    policy.RuleDefault(
-        name='base_create_network:provider:network_type',
-        check_str=base.ADMIN,
-        description='Specify ``provider:network_type`` when creating a network',
-    ),
-    policy.RuleDefault(
-        name='base_create_network:provider:physical_network',
-        check_str=base.ADMIN,
-        description='Specify ``provider:physical_network`` when creating a network',
-    ),
-    policy.RuleDefault(
-        name='base_create_network:provider:segmentation_id',
-        check_str=base.ADMIN,
-        description='Specify ``provider:segmentation_id`` when creating a network',
-    ),
-    policy.RuleDefault(
-        name='base_delete_network',
-        check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        description='Delete a network',
-    ),
-
     # The domain manager has the role 'manager', as defined by
     # https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/
     policy.RuleDefault(
@@ -63,6 +31,9 @@
     ),
 
     # The domain manager can create and delete networks in its domain.
+    # If the domain manager is able to create a network, it can also create provider networks.
+    # Don't be naive enough here to assume the ability to provision a network is enough to
+    # allow provider networks, if the prior rule changes, then we can open up a security hole.
     policy.RuleDefault(
         name='create_network',
         check_str='(rule:is_domain_manager and domain_id:%(domain_id)s) or rule:base_create_network',
@@ -73,10 +44,6 @@
         check_str='(rule:is_domain_manager and domain_id:%(domain_id)s) or rule:base_delete_network',
         description='Delete a network',
     ),
-
-    # If the domain manager is able to create a network, it can also create provider networks.
-    # Don't be naive enough here to assume the ability to provision a network is enough to
-    # allow provider networks, if the prior rule changes, then we can open up a security hole.
     policy.RuleDefault(
         name='create_network:segments',
         check_str='(rule:is_domain_manager and domain_id:%(domain_id)s) or rule:base_create_network:segments',
@@ -99,8 +66,30 @@
     ),
 ]
 
+
+def basify(rule):
+    """Do a copy of the existing rule with a base_ name prefix"""
+
+    return policy.RuleDefault(
+            name='base_' + rule.name, check_str=rule.check_str, description=rule.description)
+
+
+def inherited(rule):
+    """Is the rule inherited by one that we have defined?"""
+
+    return any(rule.name == my_rule.name for my_rule in rules)
+
+
 def list_rules():
     """Implements the "oslo.policy.policies" entry point"""
-    return base.list_rules() + rules
+
+    # Okay now for the "hard" bit.  We reference built in rules directly from neutron so
+    # we can augment the exact rules for a specific version, thus we pick up any changes.
+    # We prefix the existing rules with "base_" as already seen above but only if they
+    # are redefined (and by implication referenced) from one of ours.
+    network_rules = [basify(rule) for rule in network.list_rules() if inherited(rule)]
+
+    # Those rules will also rely on base rules, so include them too in the final output.
+    return base.list_rules() + network_rules + rules
 
 # vi: ts=4 et: