Merge lp:~hazmat/pyjuju/security-policy-with-topology into lp:pyjuju

Proposed by Kapil Thangavelu
Status: Approved
Approved by: Gustavo Niemeyer
Approved revision: 324
Proposed branch: lp:~hazmat/pyjuju/security-policy-with-topology
Merge into: lp:pyjuju
Prerequisite: lp:~hazmat/pyjuju/states-with-principals
Diff against target: 138 lines (+71/-4)
2 files modified
juju/state/security.py (+17/-2)
juju/state/tests/test_security.py (+54/-2)
To merge this branch: bzr merge lp:~hazmat/pyjuju/security-policy-with-topology
Reviewer Review Type Date Requested Status
Benjamin Saller (community) Approve
Gustavo Niemeyer Approve
Review via email: mp+70488@code.launchpad.net

Description of the change

Security policies now have a topology accessor for use by rules, and can be created or applied with a modified topology.

318. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

319. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

320. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

321. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

322. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

323. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

324. By Kapil Thangavelu

resurrect policy.get_token earlier into branch pipeline, yank policy.client access.

325. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

Gustavo Niemeyer (niemeyer) wrote :

This looks good. +1, assuming the pre-req is sorted.

review: Approve
Benjamin Saller (bcsaller) wrote :

This looks good to me. As we talked about, I think it's good policy that we allow the topology to be passed as an argument here.

Also, I like the way this test works

+ def test_policy_with_given_topology(self):

+1

review: Approve
326. By Kapil Thangavelu

merge trunk and resolve conflict

327. By Kapil Thangavelu

merge trunk

328. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

329. By Kapil Thangavelu

merge states-with-principals

Unmerged revisions

329. By Kapil Thangavelu

merge states-with-principals

328. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

327. By Kapil Thangavelu

merge trunk

326. By Kapil Thangavelu

merge trunk and resolve conflict

325. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

324. By Kapil Thangavelu

resurrect policy.get_token earlier into branch pipeline, yank policy.client access.

323. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

322. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

321. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

320. By Kapil Thangavelu

Merged states-with-principals into security-policy-with-topology.

Preview Diff

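--- a/juju/state/security.py
+++ b/juju/state/security.py
@@ -13,6 +13,7 @@
 from juju.state.auth import make_identity, make_ace
 from juju.state.errors import (
 StateChanged, StateNotFound, PrincipalNotFound)
+from juju.state.topology import InternalTopology
 from juju.state.utils import YAMLState
 from juju.state import securityrules
 
@@ -29,8 +30,9 @@
 """Apply security policy ACL to the given path."""
 token_db = TokenDatabase(client)
 policy = SecurityPolicy(
- client, token_db, securityrules.get_default_rules())
- acl = yield policy(path, topology)
+ client, token_db, securityrules.get_default_rules(),
+ topology)
+ acl = yield policy(path)
 yield client.set_acl(path, acl)
 
 apply_security_rules = apply_rules
@@ -377,6 +379,7 @@
 self._rules = list(rules)
 self._token_db = token_db
 self._owner = None
+ self._topology = topology
 
 def set_owner(self, principal):
 """If an owner is set all nodes ACLs will grant access to the owner.
@@ -384,6 +387,18 @@
 assert not self._owner, "Owner already assigned"
 self._owner = principal
 
+ def get_token(self, principal_name):
+ return self._token_db.get(principal_name)
+
+ @inlineCallbacks
+ def get_topology(self):
+ if not self._topology:
+ content, stat = yield self._client.get("/topology")
+ self._topology = InternalTopology()
+ if content:
+ self._topology.parse(content)
+ returnValue(self._topology)
+
 def add_rule(self, rule):
 """Add a security rule to the policy.
 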
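Review bot: `get_topology()` stores the first `/topology` read on the policy and never refreshes it, so every ACL later computed through the same `SecurityPolicy` instance is derived from that snapshot; if a policy outlives a topology change (its lifetime is not visible in this diff), rules would grant or withhold ACEs based on stale membership. The guard `if not self._topology:` also relies on truthiness, so a caller-supplied topology that evaluates false would be silently replaced by the stored one; `if self._topology is None:` states the intent exactly. Both new accessors lack docstrings, and the one on `get_topology` should say that a topology passed to the constructor takes precedence over the `/topology` node and is trusted as-is for ACL decisions. The class and the `__init__` signature start outside these hunks.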
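--- a/juju/state/tests/test_security.py
+++ b/juju/state/tests/test_security.py
@@ -2,7 +2,7 @@
 import yaml
 import zookeeper
 
-from twisted.internet.defer import inlineCallbacks, succeed
+from twisted.internet.defer import inlineCallbacks, succeed, returnValue
 
 from juju.state.auth import make_identity, make_ace
 from juju.state.errors import (
@@ -12,6 +12,7 @@
 ACL, Principal, GroupPrincipal, OTPPrincipal, TokenDatabase,
 SecurityPolicy, SecurityPolicyConnection, apply_security_rules)
 
+from juju.state.topology import InternalTopology
 from juju.lib.testing import TestCase
 from juju.state.tests.common import StateTestBase, security_test
 from juju.tests.common import get_test_zookeeper_address
@@ -363,6 +364,57 @@
 self.client.close()
 
 @inlineCallbacks
+ def test_policy_with_topology(self):
+ """A security policy has a topology accessible from it.
+ """
+ topology = InternalTopology()
+ topology.add_machine("m-1")
+ data = topology.dump()
+ yield self.client.create("/topology", data)
+ topology = yield self.policy.get_topology()
+ self.assertEqual(topology.dump(), data)
+
+ @inlineCallbacks
+ def test_policy_with_empty_topology(self):
+ """A topology can be utilized even with empty node contents.
+ """
+ yield self.client.create("/topology")
+ topology = yield self.policy.get_topology()
+ self.assertEqual(topology.get_machines(), [])
+
+ @inlineCallbacks
+ def test_policy_with_given_topology(self):
+ """A modified topology can be passed and used by rules.
+ """
+ yield self.client.create("/topology")
+
+ topology = InternalTopology()
+ topology.add_machine("m-1")
+ topology.add_machine("m-2")
+
+ @inlineCallbacks
+ def rule(policy, path):
+ topology = yield policy.get_topology()
+ self.assertEqual(
+ topology.get_machines(),
+ ["m-1", "m-2"])
+
+ returnValue(
+ [make_ace("m-1:", read=True)])
+
+ policy = SecurityPolicy(
+ self.client, self.tokens, [rule], topology=topology)
+
+ acl = yield policy("/zoo")
+ self.assertACE(acl, name="m-1")
+
+ @inlineCallbacks
+ def test_get_token(self):
+ self.assertEqual(
+ (yield self.policy.get_token("admin")),
+ Principal("admin", "admin").get_token())
+
+ @inlineCallbacks
 def test_default_no_owner_no_rules_gives_admin_access(self):
 """By default the policy setups a global access for the cli admins.
 """
@@ -371,7 +423,7 @@
 make_ace(Principal("admin", "admin").get_token(), all=True), acl)
 
 @inlineCallbacks
- def test_default_no_rules_gives_global_access(self):
+ def test_default_no_rules_gives_global_access(self):
 """If no rules match, the default acl gives authenticated users access.
 
 XXX/TODO: This is intended as a temporary crutch for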
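Review bot: The rename to `test_default_no_rules_gives_global_access` drops "authenticated" while the docstring directly below still says the default ACL "gives authenticated users access", so the name now reads as world access and disagrees with the documented fallback. Since this test documents the policy's default-open behaviour, either keep the old name or update the name and docstring together to match what the body asserts; the body lies outside the hunk. Separately, `test_get_token` is the only added test without a docstring, and something like `"""The policy exposes token lookup by principal name."""` would match the others.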
