Add policy to validatedesign
Adds policy enforcement to validatedesign and adds testing for validatedesign endpoint. Also fixes error when raising ValidationException. Change-Id: Ie48fc49a05f7890866d2dd3480c4d6333ef3a087
parent
47bf886ddd
commit
a3b79eabc0
|
@ -1,7 +1,7 @@
|
||||||
PKI Catalog
|
PKI Catalog
|
||||||
===========
|
===========
|
||||||
|
|
||||||
Configuration for certificate generation in the cluster.
|
Configuration for certificate and keypair generation in the cluster.
|
||||||
|
|
||||||
|
|
||||||
Sample Document
|
Sample Document
|
||||||
|
|
|
@ -19,6 +19,7 @@ import falcon
|
||||||
from promenade.config import Configuration
|
from promenade.config import Configuration
|
||||||
from promenade.control import base
|
from promenade.control import base
|
||||||
from promenade import exceptions
|
from promenade import exceptions
|
||||||
|
from promenade import policy
|
||||||
from promenade import validation
|
from promenade import validation
|
||||||
|
|
||||||
LOG = logging.getLogger(__name__)
|
LOG = logging.getLogger(__name__)
|
||||||
|
@ -46,10 +47,12 @@ class ValidateDesignResource(base.BaseResource):
|
||||||
"code": status_code,
|
"code": status_code,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
@policy.ApiEnforcer('kubernetes_provisioner:post_validatedesign')
|
||||||
def on_post(self, req, resp):
|
def on_post(self, req, resp):
|
||||||
href = req.get_param('href', required=True)
|
href = req.get_param('href', required=True)
|
||||||
try:
|
try:
|
||||||
config = Configuration.from_design_ref(href)
|
config = Configuration.from_design_ref(
|
||||||
|
href, allow_missing_substitutions=False)
|
||||||
validation.check_design(config)
|
validation.check_design(config)
|
||||||
msg = "Promenade validations succeeded"
|
msg = "Promenade validations succeeded"
|
||||||
return self._return_msg(resp, falcon.HTTP_200, message=msg)
|
return self._return_msg(resp, falcon.HTTP_200, message=msg)
|
||||||
|
|
|
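Review bot: `href` in `on_post` is read straight from the request and handed to `Configuration.from_design_ref`, so the server dereferences a caller-chosen reference. The new `role:admin` enforcer narrows who can reach this, but nothing in the hunk constrains the scheme or host of `href`. `from_design_ref` is not visible here; if it does not already restrict targets, an allow-list check before the call is worth adding, along with a comment such as `# href is caller-supplied; only approved design-ref schemes/hosts may be fetched`. The `try` block continues outside the hunk, so the exception path mentioned in the commit message could not be reviewed.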
@ -196,7 +196,7 @@ class PromenadeException(Exception):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _gen_ex_message(title, description):
|
def _gen_ex_message(title, description):
|
||||||
ttl = title or 'Exception'
|
ttl = title or 'Exception'
|
||||||
dsc = description or 'No additional decsription'
|
dsc = description or 'No additional description'
|
||||||
return '{} : {}'.format(ttl, dsc)
|
return '{} : {}'.format(ttl, dsc)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
|
|
|
@ -4,30 +4,10 @@ import keystoneauth1.loading
|
||||||
OPTIONS = []
|
OPTIONS = []
|
||||||
|
|
||||||
|
|
||||||
def setup(disable=None):
|
def setup(disable_keystone=False):
|
||||||
if disable is None:
|
|
||||||
disable = []
|
|
||||||
else:
|
|
||||||
disable = disable.split()
|
|
||||||
|
|
||||||
for name, func in GROUPS.items():
|
|
||||||
if name not in disable:
|
|
||||||
func()
|
|
||||||
|
|
||||||
cfg.CONF([], project='promenade')
|
cfg.CONF([], project='promenade')
|
||||||
|
|
||||||
|
|
||||||
def register_application():
|
|
||||||
cfg.CONF.register_opts(OPTIONS)
|
cfg.CONF.register_opts(OPTIONS)
|
||||||
|
if disable_keystone is False:
|
||||||
|
cfg.CONF.register_opts(
|
||||||
def register_keystone_auth():
|
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
|
||||||
cfg.CONF.register_opts(
|
group='keystone_authtoken')
|
||||||
keystoneauth1.loading.get_auth_plugin_conf_options('password'),
|
|
||||||
group='keystone_authtoken')
|
|
||||||
|
|
||||||
|
|
||||||
GROUPS = {
|
|
||||||
'promenade': register_application,
|
|
||||||
'keystone': register_keystone_auth,
|
|
||||||
}
|
|
||||||
|
|
|
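Review bot: `if disable_keystone is False:` in `setup` is an identity test, so any value other than the literal `False` skips registering the `keystone_authtoken` options. That includes `None`, `0` and `''`, and `''` was the old default that `start_promenade` passed. Because this flag decides whether the auth options are registered at all, `if not disable_keystone:` is the safer spelling. The keyword was also renamed from `disable` to `disable_keystone`, which breaks any caller outside this commit that still passes `disable=`. A docstring such as `"""Register config options; skip the keystone auth options when disable_keystone is true."""` would state the contract.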
@ -35,6 +35,12 @@ POLICIES = [
|
||||||
'path': '/api/v1.0/join-scripts',
|
'path': '/api/v1.0/join-scripts',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
}]),
|
}]),
|
||||||
|
op.DocumentedRuleDefault('kubernetes_provisioner:post_validatedesign',
|
||||||
|
'role:admin', 'Validate documents',
|
||||||
|
[{
|
||||||
|
'path': '/api/v1.0/validatedesign',
|
||||||
|
'method': 'POST'
|
||||||
|
}]),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -17,8 +17,8 @@ from promenade import logging
|
||||||
from promenade import policy
|
from promenade import policy
|
||||||
|
|
||||||
|
|
||||||
def start_promenade(disable=""):
|
def start_promenade(disable=False):
|
||||||
options.setup(disable=disable)
|
options.setup(disable_keystone=disable)
|
||||||
|
|
||||||
# Setup root logger
|
# Setup root logger
|
||||||
logging.setup(verbose=True)
|
logging.setup(verbose=True)
|
||||||
|
|
|
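Review bot: The parameter of `start_promenade` is still named `disable`, although it is now a boolean that only switches off keystone option registration via `options.setup(disable_keystone=disable)`. A caller reading `start_promenade(disable=True)` cannot tell that authentication configuration is what gets skipped. If the name must stay for existing callers, add a docstring such as `"""Start the API; disable=True skips keystone auth option registration (testing only)."""`, with the "testing only" part confirmed against the real call sites. The function body continues outside the hunk.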
@ -73,6 +73,17 @@ render_curl_url() {
|
||||||
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
|
echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
render_validate_url() {
|
||||||
|
BASE_URL="${BASE_PROM_URL}/api/v1.0/validatedesign"
|
||||||
|
if [[ ${USE_DECKHAND} == 1 ]]; then
|
||||||
|
HREF="href=deckhand%2Bhttp://deckhand-int.ucp.svc.cluster.local:9000/api/v1.0/revisions/${DECKHAND_REVISION}/rendered-documents"
|
||||||
|
else
|
||||||
|
HREF="href=${NGINX_URL}/promenade.yaml"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "${BASE_URL}?${HREF}"
|
||||||
|
}
|
||||||
|
|
||||||
mkdir -p "${SCRIPT_DIR}"
|
mkdir -p "${SCRIPT_DIR}"
|
||||||
|
|
||||||
for NAME in "${NODES[@]}"; do
|
for NAME in "${NODES[@]}"; do
|
||||||
|
@ -102,6 +113,9 @@ for NAME in "${NODES[@]}"; do
|
||||||
sleep 10
|
sleep 10
|
||||||
done
|
done
|
||||||
|
|
||||||
|
log "Validating documents"
|
||||||
|
ssh_cmd "${VIA}" curl -v "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"
|
||||||
|
|
||||||
JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")"
|
JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")"
|
||||||
log "Fetching join script via: ${JOIN_CURL_URL}"
|
log "Fetching join script via: ${JOIN_CURL_URL}"
|
||||||
ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \
|
ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \
|
||||||
|
|
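Review bot: The added `ssh_cmd "${VIA}" curl -v "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"` does not check the HTTP status. Unless `CURL_ARGS` (not visible here) already carries `--fail`, curl exits 0 on a 403 from the new policy or on a failed validation, and the script goes on to fetch join scripts. Adding `--fail` would make the step actually gate the run. Dropping `-v` would also help, because it echoes request headers into the log, including any auth token passed through `CURL_ARGS`. The call also appears to sit inside the `for NAME` loop, so the same design is validated once per node; it could run once before the loop.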