Add policy to validatedesign
Adds policy enforcement to validatedesign and adds testing for validatedesign endpoint. Also fixes error when raising ValidationException. Change-Id: Ie48fc49a05f7890866d2dd3480c4d6333ef3a087
parent
47bf886ddd
commit
a3b79eabc0
|
@ -1,7 +1,7 @@
|
|||
PKI Catalog
|
||||
===========
|
||||
|
||||
Configuration for certificate generation in the cluster.
|
||||
Configuration for certificate and keypair generation in the cluster.
|
||||
|
||||
|
||||
Sample Document
|
||||
|
|
|
@ -19,6 +19,7 @@ import falcon
|
|||
from promenade.config import Configuration
|
||||
from promenade.control import base
|
||||
from promenade import exceptions
|
||||
from promenade import policy
|
||||
from promenade import validation
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
@ -46,10 +47,12 @@ class ValidateDesignResource(base.BaseResource):
|
|||
"code": status_code,
|
||||
})
|
||||
|
||||
@policy.ApiEnforcer('kubernetes_provisioner:post_validatedesign')
|
||||
def on_post(self, req, resp):
|
||||
href = req.get_param('href', required=True)
|
||||
try:
|
||||
config = Configuration.from_design_ref(href)
|
||||
config = Configuration.from_design_ref(
|
||||
href, allow_missing_substitutions=False)
|
||||
validation.check_design(config)
|
||||
msg = "Promenade validations succeeded"
|
||||
return self._return_msg(resp, falcon.HTTP_200, message=msg)
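Review bot: `href` in `on_post` comes straight from the request and is passed to `Configuration.from_design_ref`, which appears to make the service fetch a caller-chosen URL, judging by the `deckhand+http://` and nginx references the test script sends. The new `kubernetes_provisioner:post_validatedesign` policy limits who can trigger the fetch, but it does not bound where the service connects. Consider checking the scheme and host of `href` against a configured allowlist before the `from_design_ref` call, and returning a 400 otherwise. `from_design_ref` is not visible here, so confirm whether it already restricts the reference. The `try` block continues outside the hunk.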
|
||||
|
|
|
@ -196,7 +196,7 @@ class PromenadeException(Exception):
|
|||
@staticmethod
|
||||
def _gen_ex_message(title, description):
|
||||
ttl = title or 'Exception'
|
||||
dsc = description or 'No additional decsription'
|
||||
dsc = description or 'No additional description'
|
||||
return '{} : {}'.format(ttl, dsc)
|
||||
|
||||
@staticmethod
|
||||
|
|
|
@ -4,30 +4,10 @@ import keystoneauth1.loading
|
|||
OPTIONS = []
|
||||
|
||||
|
||||
def setup(disable=None):
|
||||
if disable is None:
|
||||
disable = []
|
||||
else:
|
||||
disable = disable.split()
|
||||
|
||||
for name, func in GROUPS.items():
|
||||
if name not in disable:
|
||||
func()
|
||||
|
||||
def setup(disable_keystone=False):
|
||||
cfg.CONF([], project='promenade')
|
||||
|
||||
|
||||
def register_application():
|
||||
cfg.CONF.register_opts(OPTIONS)
|
||||
|
||||
|
||||
def register_keystone_auth():
|
||||
cfg.CONF.register_opts(
|
||||
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
|
||||
group='keystone_authtoken')
|
||||
|
||||
|
||||
GROUPS = {
|
||||
'promenade': register_application,
|
||||
'keystone': register_keystone_auth,
|
||||
}
|
||||
if disable_keystone is False:
|
||||
cfg.CONF.register_opts(
|
||||
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
|
||||
group='keystone_authtoken')
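Review bot: `if disable_keystone is False:` in `setup` is an identity test, so any other falsy value skips registration of the `keystone_authtoken` options without an error. That includes `None`, `0`, and the `""` that `start_promenade` used as its default before this commit. Because the skipped branch is the auth configuration, prefer `if not disable_keystone:` and log a warning when keystone registration is skipped. The flag is forwarded unchanged from `start_promenade(disable=False)` in the later hunk, so a caller still passing the old string form would hit this path.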
|
||||
|
|
|
@ -35,6 +35,12 @@ POLICIES = [
|
|||
'path': '/api/v1.0/join-scripts',
|
||||
'method': 'GET'
|
||||
}]),
|
||||
op.DocumentedRuleDefault('kubernetes_provisioner:post_validatedesign',
|
||||
'role:admin', 'Validate documents',
|
||||
[{
|
||||
'path': '/api/v1.0/validatedesign',
|
||||
'method': 'POST'
|
||||
}]),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -17,8 +17,8 @@ from promenade import logging
|
|||
from promenade import policy
|
||||
|
||||
|
||||
def start_promenade(disable=""):
|
||||
options.setup(disable=disable)
|
||||
def start_promenade(disable=False):
|
||||
options.setup(disable_keystone=disable)
|
||||
|
||||
# Setup root logger
|
||||
logging.setup(verbose=True)
|
||||
|
|
|
@ -73,6 +73,17 @@ render_curl_url() {
|
|||
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
|
||||
}
|
||||
|
||||
render_validate_url() {
|
||||
BASE_URL="${BASE_PROM_URL}/api/v1.0/validatedesign"
|
||||
if [[ ${USE_DECKHAND} == 1 ]]; then
|
||||
HREF="href=deckhand%2Bhttp://deckhand-int.ucp.svc.cluster.local:9000/api/v1.0/revisions/${DECKHAND_REVISION}/rendered-documents"
|
||||
else
|
||||
HREF="href=${NGINX_URL}/promenade.yaml"
|
||||
fi
|
||||
|
||||
echo "${BASE_URL}?${HREF}"
|
||||
}
|
||||
|
||||
mkdir -p "${SCRIPT_DIR}"
|
||||
|
||||
for NAME in "${NODES[@]}"; do
|
||||
|
@ -102,6 +113,9 @@ for NAME in "${NODES[@]}"; do
|
|||
sleep 10
|
||||
done
|
||||
|
||||
log "Validating documents"
|
||||
ssh_cmd "${VIA}" curl -v "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"
|
||||
|
||||
JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")"
|
||||
log "Fetching join script via: ${JOIN_CURL_URL}"
|
||||
ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \
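Review bot: The new `curl -v ... -X POST "$(render_validate_url)"` step cannot fail the test, because curl exits 0 on an HTTP 4xx/5xx response. A 403 from the new policy or a failed validation would therefore pass unnoticed. Adding `--fail` would surface it, e.g. `ssh_cmd "${VIA}" curl --fail "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"`, assuming `ssh_cmd` propagates the remote exit status. Also, `-v` prints request headers, so if `CURL_ARGS` carries an auth token header (not visible here), it ends up in the test log; drop `-v` or redact the header. The loop body continues outside the hunk.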
|
||||
|
|