ó
±EYc@s†
dZd
dl
Z
d
dlZd
dlZd
dlmZ
d
dlmZ
d
dl	m
Z

d
dlmZ
d
dl
Z
d
dlmZ
d
dlmZmZ
d
d	lmZ
ejZejeƒ
Zdad
g
Zgaejdƒ
Zd„Zddded
„Z d„Z!d„Z"ee#d„Z$edd„Z%d„Z&e
j'dƒ
de
j(f
d„ƒYƒ
Z)d„Z*d„Z+d„Z,dS(sPolicy Engine For Nova.iÿÿÿÿN(
tcfg(
tlog(
tpolicy(
texcutils(
t	exception(t_LEt_LW(
tpoliciessos-keypairss%\((\w+)\)sc
Cstrtj
ƒ
dandS(
N(t	_ENFORCERtcleartNone(((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pytreset.s


c
Cs…tsDt
jtd
|d|
d|d|ƒ
attƒ

tjƒ
ntj}t|ƒ
}t|krt	|ƒ

t
j|ƒ
andS(së
Init an Enforcer class.

       :param policy_file: Custom policy file to use, if none is specified,
                           `CONF.policy_file` will be used.
       :param rules: Default dictionary / Rules to use. It will be
                     considered just in the first instantiation.
       :param default_rule: Default rule to use, CONF.default_rule will
                            be used if none is specified.
       :param use_conf: Whether to load rules from config file.
    tpolicy_filetrulestdefault_ruletuse_confN(RRtEnforcertCONFtregister_rulest
load_rulest
file_rulest_serialize_rulestsaved_file_rulest(_warning_for_deprecated_user_based_rulestcopytdeepcopy(RR
RRtcurrent_file_rules((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pytinit5s




	



	



c
CsGgtj
|ƒ
D]\}
}|
t|ƒ
f^q}t|d
d„ƒ

S(sYSerialize all the Rule object as string which is used to compare the
    rules list.
    tkeyc

Ss|d
S(Ni((
trule((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyt<lambda>]s(tsixt	iteritemststrtsorted(R
t	rule_nameRtresult((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyRWs
1
c
Cszxs|D]k}
gtD]}||
d
kr|^qr<qndt
j|
dƒ
krtjtdƒ
|
d
ƒ
qqWdS(s`Warning user based policy enforcement used in the rule but the rule
    doesn't support it.
    ituser_idi
sThe user_id attribute isn't supported in the rule '%s'. All the user_id based policy enforcement will be removed in the future.N(tUSER_BASED_RESOURCEStKEY_EXPRtfindalltLOGtwarningR(R
Rtresource((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyR`s





cCs$td
t
ƒ

tj||
|ƒ
dS(s7
Set rules based on the provided dict of rules.

       :param rules: New rules to use. It should be an instance of dict.
       :param overwrite: Whether to overwrite current rules or update them
                         with the new rules.
       :param use_conf: Whether to reload rules from config file.
    RN(RtFalseRt	set_rules(R
t	overwriteR((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyR-qs	

c
Csâtƒ
|j
ƒ}|s%tj}ny+tj|
||d
|d|d|
ƒ}Wn‹tjk
rŒ


tj	ƒ
t
jtdƒ
ƒ

WdQXnRtk
rÝ


|j
ddƒ
tj	ƒ#
t
jdi|
d6|d6ƒ
WdQXn
X|S(	saVerifies that the action is valid on the target in this context.

       :param context: nova context
       :param action: string representing the action to be checked
           this should be colon separated for clarity.
           i.e. ``compute:create_instance``,
           ``compute:attach_volume``,
           ``volume:attach_volume``
       :param target: dictionary representing the object of the action
           for object creation this should be a dictionary representing the
           location of the object e.g. ``{'project_id': context.project_id}``
       :param do_raise: if True (the default), raises PolicyNotAuthorized;
           if False, returns False
       :param exc: Class of the exception to raise if the check fails.
                   Any remaining arguments passed to :meth:`authorize` (both
                   positional and keyword arguments) will be passed to
                   the exception class. If not specified,
                   :class:`PolicyNotAuthorized` will be used.

       :raises nova.exception.PolicyNotAuthorized: if verification fails
           and do_raise is True. Or if 'exc' is specified it will raise an
           exception of that type.

       :return: returns a non-False value (not necessarily "True") if
           authorized, and the exact value False if not authorized and
           do_raise is False.
    tdo_raisetexctactionsPolicy not registeredNt
auth_tokensCPolicy check for %(action)s failed with credentials %(credentials)stcredentials(Rtto_dictRtPolicyNotAuthorizedRt	authorizeRtPolicyNotRegisteredRtsave_and_reraise_exceptionR)Rt	ExceptiontpopR
tdebug(tcontextR1ttargetR/R0R3R$((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyR6~s 















	
c
Cs,tƒ
|j
ƒ}
|
}tjd
||
ƒS(sMWhether or not roles contains 'admin' role according to policy setting.

    tcontext_is_admin(RR4RR6(R<R3R=((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pytcheck_is_admin­s

tis_admintIsAdminCheckc
Bs eZ
dZd
„Zd„ZRS(sAn explicit check for is_admin.cCs;|jƒd
k|_
tt|ƒj|
t|j
ƒ
ƒ
dS(sInitialize the check.ttrueN(tlowertexpectedtsuperRAt__init__R!(tselftkindtmatch((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyRF½scCs|d
|jkS(s7Determine whether is_admin matches the requested value.R@(
RD(RGR=tcredstenforcer((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyt__call__Äs(t__name__t
__module__t__doc__RFRL(((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyRA¹s	c
Cstr
tj
SdS(
N(RR
(((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyt	get_rulesÊs

c

Cs|jt
jƒƒ

dS(
N(tregister_defaultsRt
list_rules(
RK((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyRÏs
cCsg}d
}
xc|
tt
jƒ
krqt
j|
jdƒ
dkrP|
d7}
qn|jt
j|
ƒ

|
d
7}
qWtj|ddƒ


tƒ
tS(	Ni
t
-t	namespacesoutput-fileitprojecttnova(s	namespacesoutput-file(	tlentsystargvtstriptappendRRRR(t	conf_argst
i((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pytget_enforcerÓs








(-RORtreRXtoslo_configRtoslo_logR
tloggingtoslo_policyRt
oslo_utilsRRRVRt	nova.i18nRRRRt	getLoggerRMR)R
RR&RtcompileR'RtTrueRRRR,R-R6R?tregistertCheckRARPRR^(((s@/home/tvault/.virtenv/lib/python2.7/site-packages/nova/policy.pyt<module>s:








	

	
	"			
/