Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-oslo.policy for openSUSE:Factory checked in at 2022-06-04 23:27:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-oslo.policy (Old)
 and /work/SRC/openSUSE:Factory/.python-oslo.policy.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-oslo.policy" Sat Jun 4 23:27:27 2022 rev:18 rq:980779 version:3.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/python-oslo.policy/python-oslo.policy.changes 2021-12-12 00:57:40.310586944 +0100 +++ /work/SRC/openSUSE:Factory/.python-oslo.policy.new.1548/python-oslo.policy.changes 2022-06-04 23:27:33.748787751 +0200 @@ -1,0 +2,23 @@ +Sat Jun 4 15:23:47 UTC 2022 - [email protected] + +- update to version 3.12.1 + - Update python testing classifier + - Fix formatting of release list + - make deprecated rule examples explicit + - Update master for stable/yoga + - Refactor scope enforcement in the Enforcer class + - Map system_scope in creds dictionary + - Update master for stable/xena + - Enforce scope check always when rule has scope_types set + - Rules in policy directory files can be deleted. + - Add Python3 zed unit tests + - Increase timeout of the cross-neutron-tox-py38 job + - Add Python3 yoga unit tests + - Don't reset rules without overwriting + - Don't raise InvalidScope exception when do_raise=False + - Add scope_types attribute to the BaseCheck class + - Expand set_defaults() to set other config default value + - Clarify enforce_new_defaults help text + - Only pass exclude-deprecated when True + +------------------------------------------------------------------- Old: ---- oslo.policy-3.8.2.tar.gz New: ---- oslo.policy-3.12.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-oslo.policy.spec ++++++ --- /var/tmp/diff_new_pack.2H9E4R/_old 2022-06-04 23:27:34.228788237 +0200 +++ /var/tmp/diff_new_pack.2H9E4R/_new 2022-06-04 23:27:34.232788241 +0200 @@ -1,7 +1,7 @@ # # spec file for package python-oslo.policy # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,13 +17,13 @@ Name: python-oslo.policy -Version: 3.8.2 +Version: 3.12.1 Release: 0 Summary: OpenStack Oslo Policy library License: Apache-2.0 Group: Development/Languages/Python URL: https://docs.openstack.org/oslo.policy -Source0: https://files.pythonhosted.org/packages/source/o/oslo.policy/oslo.policy-3.8.2.tar.gz +Source0: https://files.pythonhosted.org/packages/source/o/oslo.policy/oslo.policy-3.12.1.tar.gz BuildRequires: openstack-macros BuildRequires: python3-PyYAML >= 5.1 BuildRequires: python3-oslo.config >= 6.0.0 @@ -73,7 +73,7 @@ Documentation for the Oslo Policy library. %prep -%autosetup -p1 -n oslo.policy-3.8.2 +%autosetup -p1 -n oslo.policy-3.12.1 %py_req_cleanup %build ++++++ oslo.policy-3.8.2.tar.gz -> oslo.policy-3.12.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/.zuul.yaml new/oslo.policy-3.12.1/.zuul.yaml --- old/oslo.policy-3.8.2/.zuul.yaml 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/.zuul.yaml 2022-04-29 11:20:01.000000000 +0200 @@ -27,6 +27,7 @@ parent: openstack-tox description: | Run cross-project unit tests on neutron. + timeout: 3600 vars: zuul_work_dir: src/opendev.org/openstack/neutron tox_envlist: py38 @@ -38,7 +39,7 @@ templates: - check-requirements - lib-forward-testing-python3 - - openstack-python3-xena-jobs + - openstack-python3-zed-jobs - periodic-stable-jobs - publish-openstack-docs-pti - release-notes-jobs-python3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/AUTHORS new/oslo.policy-3.12.1/AUTHORS --- old/oslo.policy-3.8.2/AUTHORS 2021-08-19 14:38:57.000000000 +0200 +++ new/oslo.policy-3.12.1/AUTHORS 2022-04-29 11:20:37.000000000 +0200 
@@ -57,6 +57,7 @@ John Dennis <[email protected]> Joshua Harlow <[email protected]> Juan Antonio Osorio Robles <[email protected]> +Julia Kreger <[email protected]> Julien Danjou <[email protected]> Kamil Rykowski <[email protected]> Kenneth Giusti <[email protected]> @@ -70,11 +71,14 @@ Maruti <[email protected]> Mateusz Kowalski <[email protected]> Michael Beaver <[email protected]> +Michael Johnson <[email protected]> Michael McCune <[email protected]> +Mitya_Eremeev <[email protected]> Mois??s Guimar??es de Medeiros <[email protected]> Monty Taylor <[email protected]> Nathan Kinder <[email protected]> OpenStack Release Bot <[email protected]> +Pierre Riteau <[email protected]> Qi Zhang <[email protected]> Raildo Mascena <[email protected]> Rodrigo Duarte Sousa <[email protected]> @@ -123,12 +127,14 @@ likui <[email protected]> loooosy <[email protected]> melissaml <[email protected]> +mitya-eremeev-2 <[email protected]> pengyuesheng <[email protected]> ricolin <[email protected]> sonu.kumar <[email protected]> vponomaryov <[email protected]> wangqi <[email protected]> wangxiyuan <[email protected]> +whoami-rajat <[email protected]> xuanyandong <[email protected]> yangyawei <[email protected]> yatinkarel <[email protected]> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/ChangeLog new/oslo.policy-3.12.1/ChangeLog --- old/oslo.policy-3.8.2/ChangeLog 2021-08-19 14:38:57.000000000 +0200 +++ new/oslo.policy-3.12.1/ChangeLog 2022-04-29 11:20:37.000000000 +0200 
@@ -1,6 +1,48 @@ CHANGES ======= +3.12.1 +------ + +* Only pass exclude-deprecated when True + +3.12.0 +------ + +* Don't raise InvalidScope exception when do\_raise=False +* Add Python3 zed unit tests +* Update master for stable/yoga +* make deprecated rule examples explicit + +3.11.0 +------ + +* Expand set\_defaults() to set other config default value +* Fix formatting of release list +* Update python testing classifier + +3.10.1 +------ + +* Enforce scope check always when rule has scope\_types set +* Increase timeout of the cross-neutron-tox-py38 job + +3.10.0 +------ + +* Don't reset rules without overwriting +* Rules in policy directory files can be deleted +* Refactor scope enforcement in the Enforcer class +* Add scope\_types attribute to the BaseCheck class + +3.9.0 +----- + +* Add Python3 yoga unit tests +* Update master for stable/xena +* Clarify enforce\_new\_defaults help text +* Map system\_scope in creds dictionary + 3.8.2 ----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/PKG-INFO new/oslo.policy-3.12.1/PKG-INFO --- old/oslo.policy-3.8.2/PKG-INFO 2021-08-19 14:38:57.778637200 +0200 +++ new/oslo.policy-3.12.1/PKG-INFO 2022-04-29 11:20:37.853400200 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.2 Name: oslo.policy -Version: 3.8.2 +Version: 3.12.1 Summary: Oslo Policy library Home-page: https://docs.openstack.org/oslo.policy/latest/ Author: OpenStack 
@@ -45,6 +45,7 @@ Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 +Classifier: Programming Language :: Python :: 3.9 Classifier: Programming Language :: Python :: 3 :: Only Classifier: Programming Language :: Python :: Implementation :: CPython Requires-Python: >=3.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/doc/source/cli/common/generator-opts.rst new/oslo.policy-3.12.1/doc/source/cli/common/generator-opts.rst --- old/oslo.policy-3.8.2/doc/source/cli/common/generator-opts.rst 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/doc/source/cli/common/generator-opts.rst 2022-04-29 11:20:01.000000000 +0200 @@ -1,3 +1,8 @@ .. option:: --output-file OUTPUT_FILE Path of the file to write to. Defaults to stdout. + +.. option:: --exclude-deprecated True + + Option allowing the rendered output to be generated *without* deprecated + policy information. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/doc/source/user/sphinxpolicygen.rst new/oslo.policy-3.12.1/doc/source/user/sphinxpolicygen.rst --- old/oslo.policy-3.8.2/doc/source/user/sphinxpolicygen.rst 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/doc/source/user/sphinxpolicygen.rst 2022-04-29 11:20:01.000000000 +0200 
@@ -40,6 +40,11 @@ ``_static/nova.policy.yaml.sample``. If this option is not specified, the file will be output to ``sample.policy.yaml``. +``exclude_deprecated`` + Boolean value, default False, controls if the output should include deprecated + policy information or values, as these can be confusing and misleading + in some cases. + Once configured, you can include this configuration file in your source: .. code:: reST diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo.policy.egg-info/PKG-INFO new/oslo.policy-3.12.1/oslo.policy.egg-info/PKG-INFO --- old/oslo.policy-3.8.2/oslo.policy.egg-info/PKG-INFO 2021-08-19 14:38:57.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo.policy.egg-info/PKG-INFO 2022-04-29 11:20:37.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 1.2 Name: oslo.policy -Version: 3.8.2 +Version: 3.12.1 Summary: Oslo Policy library Home-page: https://docs.openstack.org/oslo.policy/latest/ Author: OpenStack @@ -45,6 +45,7 @@ Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 +Classifier: Programming Language :: Python :: 3.9 Classifier: Programming Language :: Python :: 3 :: Only Classifier: Programming Language :: Python :: Implementation :: CPython Requires-Python: >=3.6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo.policy.egg-info/SOURCES.txt new/oslo.policy-3.12.1/oslo.policy.egg-info/SOURCES.txt --- old/oslo.policy-3.8.2/oslo.policy.egg-info/SOURCES.txt 2021-08-19 14:38:57.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo.policy.egg-info/SOURCES.txt 2022-04-29 11:20:37.000000000 +0200 
@@ -78,6 +78,7 @@ oslo_policy/tests/test_sphinxext.py oslo_policy/tests/test_sphinxpolicygen.py oslo_policy/tests/token_fixture.py +releasenotes/notes/Fix-map-system-scope-for-creds-dict-e4cbec2f7495f22e.yaml releasenotes/notes/Pass-target-dict-to-oslopolicy-checker-87185d40aec413ee.yaml releasenotes/notes/add-deprecated-metadata-to-DeprecatedRule-79d2e8a3f5d11743.yaml releasenotes/notes/add-policy-convert-json-to-yaml-tool-3c93604aee79f58a.yaml @@ -89,12 +90,16 @@ releasenotes/notes/bug-1779172-c1323c0f647bc44c.yaml releasenotes/notes/bug-1880959-8f1370a59759d40d.yaml releasenotes/notes/bug-1913718-f1b46bbff3231d98.yaml +releasenotes/notes/bug-1943584-fc74f9205039883c.yaml releasenotes/notes/deprecate-policy-file-json-format-e1921f15b5d00287.yaml releasenotes/notes/drop-python27-support-9aa06224812cc352.yaml +releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml releasenotes/notes/enforce_new_defaults-6ae17d8b8d166a2c.yaml releasenotes/notes/enforce_scope_types-1e92f6a34e4173ef.yaml releasenotes/notes/expand-cli-docs-02c2f13adbe251c0.yaml releasenotes/notes/fix-bug-1914095-fa71d81c9639ba94.yaml +releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml +releasenotes/notes/fix-passing-exclude-deprecated-param-317745d23022e544.yaml releasenotes/notes/fix-rendering-for-deprecated-rules-d465292e4155f483.yaml releasenotes/notes/list-redundant-deprecation-warnings-f84a06133efdaedd.yaml releasenotes/notes/oslo-policy-descriptive-support-3ee688c5fa48d751.yaml 
@@ -113,6 +118,8 @@ releasenotes/source/ussuri.rst releasenotes/source/victoria.rst releasenotes/source/wallaby.rst +releasenotes/source/xena.rst +releasenotes/source/yoga.rst releasenotes/source/_static/.placeholder releasenotes/source/_templates/.placeholder releasenotes/source/locale/en_GB/LC_MESSAGES/releasenotes.po diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo.policy.egg-info/pbr.json new/oslo.policy-3.12.1/oslo.policy.egg-info/pbr.json --- old/oslo.policy-3.8.2/oslo.policy.egg-info/pbr.json 2021-08-19 14:38:57.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo.policy.egg-info/pbr.json 2022-04-29 11:20:37.000000000 +0200 @@ -1 +1 @@ -{"git_version": "c7fd9f4", "is_release": true} \ No newline at end of file +{"git_version": "9673a74", "is_release": true} \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/_checks.py new/oslo.policy-3.12.1/oslo_policy/_checks.py --- old/oslo.policy-3.8.2/oslo_policy/_checks.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/_checks.py 2022-04-29 11:20:01.000000000 +0200 @@ -83,6 +83,8 @@ class BaseCheck(metaclass=abc.ABCMeta): """Abstract base class for Check classes.""" + scope_types = None + @abc.abstractmethod def __str__(self): """String representation of the Check tree rooted at this node.""" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/generator.py new/oslo.policy-3.12.1/oslo_policy/generator.py --- old/oslo.policy-3.8.2/oslo_policy/generator.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/generator.py 2022-04-29 11:20:01.000000000 +0200 
@@ -27,6 +27,10 @@ GENERATOR_OPTS = [ cfg.StrOpt('output-file', help='Path of the file to write to. Defaults to stdout.'), + cfg.BoolOpt('exclude-deprecated', + default=False, + help='If True, exclude deprecated entries from the generated ' + 'output.'), ] RULE_OPTS = [ @@ -232,7 +236,16 @@ } if default.name != default.deprecated_rule.name: - text += ('"%(old_name)s": "rule:%(name)s"\n' % + text += ('# WARNING: A rule name change has been identified.\n' + '# This may be an artifact of new rules being\n' + '# included which require legacy fallback\n' + '# rules to ensure proper policy behavior.\n' + '# Alternatively, this may just be an alias.\n' + '# Please evaluate on a case by case basis\n' + '# keeping in mind the format for aliased\n' + '# rules is:\n' + '# "old_rule_name": "new_rule_name".\n') + text += ('# "%(old_name)s": "rule:%(name)s"\n' % {'old_name': default.deprecated_rule.name, 'name': default.name}) text += '\n' @@ -252,7 +265,7 @@ def _sort_and_format_by_section(policies, output_format='yaml', - include_help=True): + include_help=True, exclude_deprecated=False): """Generate a list of policy section texts The text for a section will be created and returned one at a time. The 
@@ -264,20 +277,24 @@ :param policies: A dict of {section1: [rule_default_1, rule_default_2], section2: [rule_default_3]} :param output_format: The format of the file to output to. + :param exclude_deprecated: If to exclude deprecated policy rule entries, + defaults to False. """ for section in sorted(policies.keys()): rule_defaults = policies[section] for rule_default in rule_defaults: if output_format == 'yaml': - yield _format_rule_default_yaml(rule_default, - include_help=include_help) + yield _format_rule_default_yaml( + rule_default, + include_help=include_help, + add_deprecated_rules=not exclude_deprecated) elif output_format == 'json': LOG.warning(policy.WARN_JSON) yield _format_rule_default_json(rule_default) def _generate_sample(namespaces, output_file=None, output_format='yaml', - include_help=True): + include_help=True, exclude_deprecated=False): """Generate a sample policy file. List all of the policies available via the namespace specified in the @@ -291,6 +308,8 @@ :param include_help: True, generates a sample-policy file with help text along with rules in which everything is commented out. False, generates a sample-policy file with only rules. + :param exclude_deprecated: If to exclude deprecated policy rule entries, + defaults to False. """ policies = get_policies_dict(namespaces) @@ -298,8 +317,10 @@ else sys.stdout) sections_text = [] - for section in _sort_and_format_by_section(policies, output_format, - include_help=include_help): + for section in _sort_and_format_by_section( + policies, output_format, + include_help=include_help, + exclude_deprecated=exclude_deprecated): sections_text.append(section) if output_format == 'yaml': @@ -315,7 +336,7 @@ output_file.close() -def _generate_policy(namespace, output_file=None): +def _generate_policy(namespace, output_file=None, exclude_deprecated=False): """Generate a policy file showing what will be used. This takes all registered policies and merges them with what's defined in 
@@ -323,6 +344,8 @@ that will be honored by policy checks. :param output_file: The path of a file to output to. stdout used if None. + :param exclude_deprecated: If to exclude deprecated policy rule entries, + defaults to False. """ enforcer = _get_enforcer(namespace) # Ensure that files have been parsed @@ -338,7 +361,9 @@ output_file = (open(output_file, 'w') if output_file else sys.stdout) - for section in _sort_and_format_by_section(policies, include_help=False): + for section in _sort_and_format_by_section( + policies, include_help=False, + exclude_deprecated=exclude_deprecated): output_file.write(section) if output_file != sys.stdout: @@ -520,7 +545,8 @@ conf.register_opts(GENERATOR_OPTS + RULE_OPTS) conf(args) _check_for_namespace_opt(conf) - _generate_sample(conf.namespace, conf.output_file, conf.format) + _generate_sample(conf.namespace, conf.output_file, conf.format, + conf.exclude_deprecated) def generate_policy(args=None): @@ -530,7 +556,8 @@ conf.register_opts(GENERATOR_OPTS + ENFORCER_OPTS) conf(args) _check_for_namespace_opt(conf) - _generate_policy(conf.namespace, conf.output_file) + _generate_policy(conf.namespace, conf.output_file, + conf.exclude_deprecated) def _upgrade_policies(policies, default_policies): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/opts.py new/oslo.policy-3.12.1/oslo_policy/opts.py --- old/oslo.policy-3.8.2/oslo_policy/opts.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/opts.py 2022-04-29 11:20:01.000000000 +0200 
@@ -44,7 +44,11 @@ 'defaults, it will be disallowed. It is encouraged to ' 'enable this flag along with the ``enforce_scope`` ' 'flag so that you can get the benefits of new defaults ' - 'and ``scope_type`` together')), + 'and ``scope_type`` together. If ``False``, the ' + 'deprecated policy check string is logically OR\'d ' + 'with the new policy check string, allowing for a ' + 'graceful upgrade experience between releases with ' + 'new policies, which is the default behavior.')), cfg.StrOpt('policy_file', default='policy.json', help=_('The relative or absolute path of a file that maps ' @@ -118,7 +122,7 @@ conf.register_opts(_options, group=_option_group) -def set_defaults(conf, policy_file=None): +def set_defaults(conf, policy_file=None, **kwargs): """Set defaults for configuration variables. Overrides default options values. @@ -129,8 +133,13 @@ :param policy_file: The base filename for the file that defines policies. :type policy_file: unicode + :param kwargs: Any other configuration variable and their new + default value. """ _register(conf) if policy_file is not None: cfg.set_defaults(_options, policy_file=policy_file) + + if kwargs: + cfg.set_defaults(_options, **kwargs) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/policy.py new/oslo.policy-3.12.1/oslo_policy/policy.py --- old/oslo.policy-3.8.2/oslo_policy/policy.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/policy.py 2022-04-29 11:20:01.000000000 +0200 @@ -545,7 +545,6 @@ self.use_conf = use_conf self._need_check_rule = True self.overwrite = overwrite - self._loaded_files = [] self._policy_dir_mtimes = {} self._file_cache = {} self._informed_no_policy_file = False @@ -586,7 +585,6 @@ self.set_rules({}) self.default_rule = None self.policy_path = None - self._loaded_files = [] self._policy_dir_mtimes = {} self._file_cache.clear() self.registered_rules = {} 
@@ -627,22 +625,48 @@ overwrite=self.overwrite ) - force_reload_policy_dir = force_reload + force_reload_policy_dirs = force_reload if policy_file_rules_changed: - force_reload_policy_dir = True + force_reload_policy_dirs = True + existing_policy_dirs = [] for path in self.conf.oslo_policy.policy_dirs: try: - path = self._get_policy_path(path) + absolute_path = self._get_policy_path(path) + existing_policy_dirs.append(absolute_path) except cfg.ConfigFilesNotFoundError: continue - if (self._is_directory_updated(self._policy_dir_mtimes, path) - or force_reload_policy_dir): + # If change was made in any policy directory or main policy + # file then all policy directories and main file are + # re-calculated from scratch. We don't have separate rule sets + # for every policy folder, we only have the only rule set in + # RAM for all rule configs (self.rules). So it's the only way + # to be consistent. + if self._is_directory_updated(self._policy_dir_mtimes, + absolute_path): + force_reload_policy_dirs = True + if force_reload_policy_dirs and existing_policy_dirs: + # Here we realize that some policy folders or main policy file + # were changed and we need to recalculate all rules from + # scratch. + # If policy_file_rules_changed is True then we know: + # 1. all rules were already reset. + # 2. rules from main policy file were already applied. + # Otherwise main policy file was not changed and rules were not + # reset and. So we reset rules and force to re-calculate + # rules in main policy file. And after that we apply rules + # from every policy directory. 
+ if self.policy_path: + if not policy_file_rules_changed and self.overwrite: + self._load_policy_file(path=self.policy_path, + force_reload=True, + overwrite=self.overwrite + ) + elif self.overwrite: + self.rules = Rules(default_rule=self.default_rule) + for path in existing_policy_dirs: self._walk_through_policy_directory( - path, - self._load_policy_file, - force_reload_policy_dir, False - ) + path, self._load_policy_file, True, False) for default in self.registered_rules.values(): if default.deprecated_for_removal: @@ -917,7 +941,6 @@ self.set_rules(rules, overwrite=overwrite, use_conf=True) rules_changed = True self._record_file_rules(data, overwrite) - self._loaded_files.append(path) LOG.debug('Reloaded policy file: %(path)s', {'path': path}) return rules_changed @@ -982,6 +1005,17 @@ ) raise InvalidContextObject(msg) + # NOTE(lbragstad): We unfortunately have to special case this + # attribute. Originally when the system scope when into oslo.policy, we + # checked for a key called 'system' in creds. The oslo.context library + # uses `system_scope` instead, and the compatibility between + # oslo.policy and oslo.context was an afterthought. We'll have to + # support services who've been setting creds['system'], but we can do + # that by making sure we populate it with what's in the context object + # if it has a system_scope attribute. + if creds.get('system_scope'): + creds['system'] = creds.get('system_scope') + if LOG.isEnabledFor(logging.DEBUG): try: creds_dict = strutils.mask_dict_password(creds) @@ -1007,6 +1041,11 @@ if isinstance(rule, _checks.BaseCheck): # If the thing we're given is a Check, we don't know the # name of the rule, so pass None for current_rule. + if rule.scope_types: + scope_valid = self._enforce_scope(creds, rule, + do_raise=do_raise) + if not scope_valid: + return False result = _checks._check( rule=rule, target=target, 
@@ -1029,40 +1068,12 @@ # as token_scope is not actually a hardcoded # token. - # Check the scope of the operation against the possible scope - # attributes provided in `creds`. - if creds.get('system'): - token_scope = 'system' # nosec - elif creds.get('domain_id'): - token_scope = 'domain' # nosec - else: - # If the token isn't system-scoped or domain-scoped then - # we're dealing with a project-scoped token. - token_scope = 'project' # nosec - registered_rule = self.registered_rules.get(rule) if registered_rule and registered_rule.scope_types: - if token_scope not in registered_rule.scope_types: - if self.conf.oslo_policy.enforce_scope: - raise InvalidScope( - rule, registered_rule.scope_types, token_scope - ) - # If we don't raise an exception we should at least - # inform operators about policies that are being used - # with improper scopes. - msg = ( - 'Policy %(rule)s failed scope check. The token ' - 'used to make the request was %(token_scope)s ' - 'scoped but the policy requires %(policy_scope)s ' - 'scope. This behavior may change in the future ' - 'where using the intended scope is required' % { - 'rule': rule, - 'token_scope': token_scope, - 'policy_scope': registered_rule.scope_types - } - ) - warnings.warn(msg) - + scope_valid = self._enforce_scope(creds, registered_rule, + do_raise=do_raise) + if not scope_valid: + return False result = _checks._check( rule=to_check, target=target, 
@@ -1080,6 +1091,44 @@ return result + def _enforce_scope(self, creds, rule, do_raise=True): + # Check the scope of the operation against the possible scope + # attributes provided in `creds`. + if creds.get('system'): + token_scope = 'system' # nosec + elif creds.get('domain_id'): + token_scope = 'domain' # nosec + else: + # If the token isn't system-scoped or domain-scoped then + # we're dealing with a project-scoped token. + token_scope = 'project' # nosec + + result = True + if token_scope not in rule.scope_types: + if self.conf.oslo_policy.enforce_scope: + if do_raise: + raise InvalidScope( + rule, rule.scope_types, token_scope + ) + else: + result = False + # If we don't raise an exception we should at least + # inform operators about policies that are being used + # with improper scopes. + msg = ( + 'Policy %(rule)s failed scope check. The token ' + 'used to make the request was %(token_scope)s ' + 'scoped but the policy requires %(policy_scope)s ' + 'scope. This behavior may change in the future ' + 'where using the intended scope is required' % { + 'rule': rule, + 'token_scope': token_scope, + 'policy_scope': rule.scope_types + } + ) + warnings.warn(msg) + return result + def _map_context_attributes_into_creds(self, context): creds = {} # port public context attributes into the creds dictionary so long as 
@@ -1088,17 +1137,6 @@ for k, v in context_values.items(): creds[k] = v - # NOTE(lbragstad): We unfortunately have to special case this - # attribute. Originally when the system scope when into oslo.policy, we - # checked for a key called 'system' in creds. The oslo.context library - # uses `system_scope` instead, and the compatibility between - # oslo.policy and oslo.context was an afterthought. We'll have to - # support services who've been setting creds['system'], but we can do - # that by making sure we populate it with what's in the context object - # if it has a system_scope attribute. - if context.system_scope: - creds['system'] = context.system_scope - return creds def register_default(self, default): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/sphinxpolicygen.py new/oslo.policy-3.12.1/oslo_policy/sphinxpolicygen.py --- old/oslo.policy-3.8.2/oslo_policy/sphinxpolicygen.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/sphinxpolicygen.py 2022-04-29 11:20:01.000000000 +0200 @@ -37,18 +37,20 @@ for config_file, base_name in app.config.policy_generator_config_file: if base_name is None: base_name = _get_default_basename(config_file) - _generate_sample(app, config_file, base_name) + _generate_sample(app, config_file, base_name, + app.config.exclude_deprecated) else: _generate_sample(app, app.config.policy_generator_config_file, - app.config.sample_policy_basename) + app.config.sample_policy_basename, + app.config.exclude_deprecated) def _get_default_basename(config_file): return os.path.splitext(os.path.basename(config_file))[0] -def _generate_sample(app, policy_file, base_name): +def _generate_sample(app, policy_file, base_name, exclude_deprecated): def info(msg): LOG.info('[%s] %s' % (__name__, msg)) 
@@ -83,14 +85,19 @@ # in their documented modules. It's not allowed to register a cli arg after # the args have been parsed once. conf = cfg.ConfigOpts() - generator.generate_sample(args=['--config-file', config_path, - '--output-file', out_file], - conf=conf) + arguments = ['--config-file', config_path, + '--output-file', out_file] + if exclude_deprecated: + arguments += ['--exclude-deprecated'] + generator.generate_sample( + args=arguments, + conf=conf) def setup(app): app.add_config_value('policy_generator_config_file', None, 'env') app.add_config_value('sample_policy_basename', None, 'env') + app.add_config_value('exclude_deprecated', False, 'env') app.connect('builder-inited', generate_sample) return { 'parallel_read_safe': True, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/tests/test_generator.py new/oslo.policy-3.12.1/oslo_policy/tests/test_generator.py --- old/oslo.policy-3.8.2/oslo_policy/tests/test_generator.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/tests/test_generator.py 2022-04-29 11:20:01.000000000 +0200 
@@ -223,7 +223,16 @@ # "foo:post_bar":"role:fizz" has been deprecated since N in favor of # "foo:create_bar":"role:fizz". # foo:post_bar is being removed in favor of foo:create_bar -"foo:post_bar": "rule:foo:create_bar" +# WARNING: A rule name change has been identified. +# This may be an artifact of new rules being +# included which require legacy fallback +# rules to ensure proper policy behavior. +# Alternatively, this may just be an alias. +# Please evaluate on a case by case basis +# keeping in mind the format for aliased +# rules is: +# "old_rule_name": "new_rule_name". +# "foo:post_bar": "rule:foo:create_bar" ''' stdout = self._capture_stdout() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/tests/test_opts.py new/oslo.policy-3.12.1/oslo_policy/tests/test_opts.py --- old/oslo.policy-3.8.2/oslo_policy/tests/test_opts.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/tests/test_opts.py 2022-04-29 11:20:01.000000000 +0200 
@@ -37,3 +37,24 @@ opts.set_defaults(self.conf, policy_file='new-value.json') self.assertEqual('new-value.json', self.conf.oslo_policy.policy_file) + + def test_set_defaults_enforce_scope(self): + opts._register(self.conf) + self.assertEqual(False, + self.conf.oslo_policy.enforce_scope) + opts.set_defaults(self.conf, enforce_scope=True) + self.assertEqual(True, + self.conf.oslo_policy.enforce_scope) + + def test_set_defaults_two_opts(self): + opts._register(self.conf) + self.assertEqual(False, + self.conf.oslo_policy.enforce_scope) + self.assertEqual(False, + self.conf.oslo_policy.enforce_new_defaults) + opts.set_defaults(self.conf, enforce_scope=True, + enforce_new_defaults=True) + self.assertEqual(True, + self.conf.oslo_policy.enforce_scope) + self.assertEqual(True, + self.conf.oslo_policy.enforce_new_defaults) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/tests/test_policy.py new/oslo.policy-3.12.1/oslo_policy/tests/test_policy.py --- old/oslo.policy-3.8.2/oslo_policy/tests/test_policy.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/tests/test_policy.py 2022-04-29 11:20:01.000000000 +0200 @@ -238,13 +238,6 @@ super(EnforcerTest, self).setUp() self.create_config_file('policy.json', POLICY_JSON_CONTENTS) - def check_loaded_files(self, filenames): - self.assertEqual( - [self.get_config_file_fullname(n) - for n in filenames], - self.enforcer._loaded_files - ) - def _test_scenario_with_opts_registered(self, scenario, *args, **kwargs): # This test registers some rules, calls the scenario and then checks # the registered rules. The scenario should be a method which loads 
@@ -291,11 +284,6 @@ loaded_rules = jsonutils.loads(str(self.enforcer.rules)) self.assertEqual('role:fakeB', loaded_rules['default']) self.assertEqual('is_admin:True', loaded_rules['admin']) - self.check_loaded_files([ - 'policy.json', - os.path.join('policy.d', 'a.conf'), - os.path.join('policy.d', 'b.conf'), - ]) def test_load_directory_after_file_update(self): self.create_config_file( @@ -305,10 +293,6 @@ loaded_rules = jsonutils.loads(str(self.enforcer.rules)) self.assertEqual('role:fakeA', loaded_rules['default']) self.assertEqual('is_admin:True', loaded_rules['admin']) - self.check_loaded_files([ - 'policy.json', - os.path.join('policy.d', 'a.conf'), - ]) new_policy_json_contents = jsonutils.dumps({ "default": "rule:admin", "admin": "is_admin:True", 
@@ -332,12 +316,41 @@ self.assertEqual('role:fakeA', loaded_rules['default']) self.assertEqual('is_admin:True', loaded_rules['admin']) self.assertEqual('rule:bar', loaded_rules['foo']) - self.check_loaded_files([ - 'policy.json', - os.path.join('policy.d', 'a.conf'), - 'policy.json', - os.path.join('policy.d', 'a.conf'), - ]) + + def test_load_directory_after_file_is_emptied(self): + def dict_rules(enforcer_rules): + """Converts enforcer rules to dictionary. + + :param enforcer_rules: enforcer rules represented as a class Rules + :return: enforcer rules represented as a dictionary + """ + return jsonutils.loads(str(enforcer_rules)) + + self.assertEqual(self.enforcer.rules, {}) + + self.enforcer.load_rules() + main_policy_file_rules = jsonutils.loads(POLICY_JSON_CONTENTS) + self.assertEqual(main_policy_file_rules, + dict_rules(self.enforcer.rules)) + + folder_policy_file = os.path.join('policy.d', 'a.conf') + self.create_config_file(folder_policy_file, POLICY_A_CONTENTS) + self.enforcer.load_rules() + expected_rules = main_policy_file_rules.copy() + expected_rules.update(jsonutils.loads(POLICY_A_CONTENTS)) + self.assertEqual(expected_rules, dict_rules(self.enforcer.rules)) + + self.create_config_file(folder_policy_file, '{}') + # Force the mtime change since the unit test may write to this file + # too fast for mtime to actually change. + absolute_folder_policy_file_path = self.get_config_file_fullname( + folder_policy_file) + stinfo = os.stat(absolute_folder_policy_file_path) + os.utime(absolute_folder_policy_file_path, + (stinfo.st_atime + 42, stinfo.st_mtime + 42)) + self.enforcer.load_rules() + self.assertEqual(main_policy_file_rules, + dict_rules(self.enforcer.rules)) def test_load_directory_opts_registered(self): self._test_scenario_with_opts_registered(self.test_load_directory) 
@@ -364,11 +377,6 @@ loaded_rules = jsonutils.loads(str(self.enforcer.rules)) self.assertEqual('is_admin:True', loaded_rules['admin']) - self.check_loaded_files([ - 'policy.json', - os.path.join('policy.d', 'a.conf'), - os.path.join('policy.d', 'a.conf'), - ]) def test_load_directory_caching_with_files_updated_opts_registered(self): self._test_scenario_with_opts_registered( @@ -392,10 +400,6 @@ loaded_rules = jsonutils.loads(str(self.enforcer.rules)) self.assertEqual('is_admin:True', loaded_rules['admin']) - self.check_loaded_files([ - 'policy.json', - os.path.join('policy.d', 'a.conf'), - ]) def test_load_directory_caching_with_files_same_but_overwrite_false(self): self.test_load_directory_caching_with_files_same(overwrite=False) @@ -453,12 +457,6 @@ loaded_rules = jsonutils.loads(str(self.enforcer.rules)) self.assertEqual('role:fakeC', loaded_rules['default']) self.assertEqual('is_admin:True', loaded_rules['admin']) - self.check_loaded_files([ - 'policy.json', - os.path.join('policy.d', 'a.conf'), - os.path.join('policy.d', 'b.conf'), - os.path.join('policy.2.d', 'fake.conf'), - ]) def test_load_multiple_directories_opts_registered(self): self._test_scenario_with_opts_registered( @@ -474,8 +472,6 @@ self.assertIsNotNone(self.enforcer.rules) self.assertIn('default', self.enforcer.rules) self.assertIn('admin', self.enforcer.rules) - self.check_loaded_files( - ['policy.json', os.path.join('policy.d', 'a.conf')]) def test_load_non_existed_directory_opts_registered(self): self._test_scenario_with_opts_registered( 
@@ -881,23 +877,6 @@ for k, v in expected_creds.items(): self.assertEqual(expected_creds[k], creds[k]) - @mock.patch('warnings.warn', new=mock.Mock()) - def test_map_context_attributes_populated_system(self): - request_context = context.RequestContext(system_scope='all') - expected_creds = request_context.to_policy_values() - expected_creds['system'] = 'all' - - creds = self.enforcer._map_context_attributes_into_creds( - request_context - ) - - # We don't use self.assertDictEqual here because to_policy_values - # actaully returns a non-dict object that just behaves like a - # dictionary, but does some special handling when people access - # deprecated policy values. - for k, v in expected_creds.items(): - self.assertEqual(expected_creds[k], creds[k]) - def test_enforcer_accepts_policy_values_from_context(self): rule = policy.RuleDefault(name='fake_rule', check_str='role:test') self.enforcer.register_default(rule) @@ -918,6 +897,20 @@ target_dict = {} self.enforcer.enforce('fake_rule', target_dict, ctx) + def test_enforcer_understands_system_scope_creds_dict(self): + self.conf.set_override('enforce_scope', True, group='oslo_policy') + rule = policy.RuleDefault( + name='fake_rule', check_str='role:test', scope_types=['system'] + ) + self.enforcer.register_default(rule) + + ctx = context.RequestContext() + creds = ctx.to_dict() + creds['system_scope'] = 'all' + + target_dict = {} + self.enforcer.enforce('fake_rule', target_dict, creds) + def test_enforcer_raises_invalid_scope_with_system_scope_type(self): self.conf.set_override('enforce_scope', True, group='oslo_policy') rule = policy.RuleDefault( 
@@ -930,15 +923,23 @@ target_dict = {} self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, do_raise=True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) # model a project-scoped token, which should fail enforcement ctx = context.RequestContext(project_id='fake') self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) def test_enforcer_understands_domain_scope(self): self.conf.set_override('enforce_scope', True, group='oslo_policy') @@ -963,15 +964,23 @@ target_dict = {} self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) # model a project-scoped token, which should fail enforcement ctx = context.RequestContext(project_id='fake') self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) def test_enforcer_understands_project_scope(self): self.conf.set_override('enforce_scope', True, group='oslo_policy') 
@@ -996,28 +1005,48 @@ target_dict = {} self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) # model a domain-scoped token, which should fail enforcement ctx = context.RequestContext(domain_id='fake') self.assertRaises( policy.InvalidScope, self.enforcer.enforce, 'fake_rule', - target_dict, ctx + target_dict, ctx, True ) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce( + 'fake_rule', target_dict, ctx, do_raise=False)) + + def test_enforce_scope_with_subclassed_checks_when_scope_not_set(self): + self.conf.set_override('enforce_scope', True, group='oslo_policy') + rule = _checks.TrueCheck() + rule.scope_types = None + ctx = context.RequestContext(system_scope='all', roles=['admin']) + self.enforcer.enforce(rule, {}, ctx) + + def test_enforcer_raises_invalid_scope_with_subclassed_checks(self): + self.conf.set_override('enforce_scope', True, group='oslo_policy') + rule = _checks.TrueCheck() + rule.scope_types = ['domain'] + ctx = context.RequestContext(system_scope='all', roles=['admin']) + self.assertRaises( + policy.InvalidScope, + self.enforcer.enforce, rule, {}, ctx, do_raise=True) + # and the same should return False if do_raise=False + self.assertFalse( + self.enforcer.enforce(rule, {}, ctx, do_raise=False)) class EnforcerNoPolicyFileTest(base.PolicyBaseTestCase): def setUp(self): super(EnforcerNoPolicyFileTest, self).setUp() - def check_loaded_files(self, filenames): - self.assertEqual( - [self.get_config_file_fullname(n) - for n in filenames], - self.enforcer._loaded_files - ) - def test_load_rules(self): # Check that loading rules with no policy file does not error self.enforcer.load_rules(True) 
@@ -1043,10 +1072,6 @@ loaded_rules = jsonutils.loads(str(self.enforcer.rules)) self.assertEqual('role:fakeB', loaded_rules['default']) self.assertEqual('is_admin:True', loaded_rules['admin']) - self.check_loaded_files([ - 'policy.d/a.conf', - 'policy.d/b.conf', - ]) class CheckFunctionTestCase(base.PolicyBaseTestCase): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/oslo_policy/tests/test_sphinxpolicygen.py new/oslo.policy-3.12.1/oslo_policy/tests/test_sphinxpolicygen.py --- old/oslo.policy-3.8.2/oslo_policy/tests/test_sphinxpolicygen.py 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/oslo_policy/tests/test_sphinxpolicygen.py 2022-04-29 11:20:01.000000000 +0200 @@ -27,7 +27,8 @@ isdir.return_value = True config = mock.Mock(policy_generator_config_file='nova.conf', - sample_policy_basename='nova') + sample_policy_basename='nova', + exclude_deprecated=False) app = mock.Mock(srcdir='/opt/nova', config=config) sphinxpolicygen.generate_sample(app) @@ -45,13 +46,15 @@ isdir.return_value = True config = mock.Mock(policy_generator_config_file='nova.conf', - sample_policy_basename=None) + sample_policy_basename=None, + exclude_deprecated=True) app = mock.Mock(srcdir='/opt/nova', config=config) sphinxpolicygen.generate_sample(app) sample.assert_called_once_with(args=[ '--config-file', '/opt/nova/nova.conf', - '--output-file', '/opt/nova/sample.policy.yaml'], + '--output-file', '/opt/nova/sample.policy.yaml', + '--exclude-deprecated'], conf=mock.ANY) @mock.patch('os.path.isdir') 
@@ -66,7 +69,8 @@ config = mock.Mock(policy_generator_config_file=[ ('nova.conf', 'nova'), - ('placement.conf', 'placement')]) + ('placement.conf', 'placement')], + exclude_deprecated=False) app = mock.Mock(srcdir='/opt/nova', config=config) sphinxpolicygen.generate_sample(app) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/notes/Fix-map-system-scope-for-creds-dict-e4cbec2f7495f22e.yaml new/oslo.policy-3.12.1/releasenotes/notes/Fix-map-system-scope-for-creds-dict-e4cbec2f7495f22e.yaml --- old/oslo.policy-3.8.2/releasenotes/notes/Fix-map-system-scope-for-creds-dict-e4cbec2f7495f22e.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/notes/Fix-map-system-scope-for-creds-dict-e4cbec2f7495f22e.yaml 2022-04-29 11:20:01.000000000 +0200 @@ -0,0 +1,5 @@ +--- +fixes: + - | + Fixes the mapping of 'system_scope' to 'system' when enforce is called + with a 'creds' dictionary instead of a RequestContext. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/notes/bug-1943584-fc74f9205039883c.yaml new/oslo.policy-3.12.1/releasenotes/notes/bug-1943584-fc74f9205039883c.yaml --- old/oslo.policy-3.8.2/releasenotes/notes/bug-1943584-fc74f9205039883c.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/notes/bug-1943584-fc74f9205039883c.yaml 2022-04-29 11:20:01.000000000 +0200 
@@ -0,0 +1,7 @@ +--- +fixes: + - | + [`bug 1943584 <https://bugs.launchpad.net/oslo.policy/+bug/1943584>`_] + If file in policy directory was emptied, rules were not re-calculated. The + only workaround was to restart an application. Now rules are re-calculated + "on the fly", without app restart. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml new/oslo.policy-3.12.1/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml --- old/oslo.policy-3.8.2/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/notes/enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml 2022-04-29 11:20:01.000000000 +0200 @@ -0,0 +1,6 @@ +--- +other: + - | + Scope check is enforced for all rules, registered ones as well as the ones + which are subclasses of the ``BaseCheck`` class if rule has ``scope_types`` + set. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml new/oslo.policy-3.12.1/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml --- old/oslo.policy-3.8.2/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/notes/fix-deprecated-rule-handling-c6fe321fce6293a9.yaml 2022-04-29 11:20:01.000000000 +0200 
@@ -0,0 +1,19 @@ +--- +fixes: + - | + Fixes handling of deprecated rules when generating sample policy files + such that legacy rules are no longer automatically aliased in the + resulting output. Previously, the behavior led to operator confusion when + attempting to evaluate the output to determine if customized rules were + required, as the aliases were always added as active rules. A warning + is now also added to the generated output. + For more information, please see `launchpad bug #1945336 <https://bugs.launchpad.net/oslo.policy/+bug/1945336>`_. +features: + - Adds the ability to exclude deprecated policies from generated samples by + utilizing the ``--exclude-deprecated`` setting when generating YAML + example files. The Spinx generator can also be controlled using the + ``exclude_deprecated`` environment variable. By default, these rules + will be included, but operators and projects may not desire these + deprecated rules to exist in latest documentation, espescially when + considering the number of policy rules projects have made in the + Secure RBAC effort. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/notes/fix-passing-exclude-deprecated-param-317745d23022e544.yaml new/oslo.policy-3.12.1/releasenotes/notes/fix-passing-exclude-deprecated-param-317745d23022e544.yaml --- old/oslo.policy-3.8.2/releasenotes/notes/fix-passing-exclude-deprecated-param-317745d23022e544.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/notes/fix-passing-exclude-deprecated-param-317745d23022e544.yaml 2022-04-29 11:20:01.000000000 +0200 
@@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixed passing ``--exclude-deprecated`` boolean value to + sphinx-build command. Now ``--exclude-deprecated`` is only + passed when it is True without bool True/False value. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/source/index.rst new/oslo.policy-3.12.1/releasenotes/source/index.rst --- old/oslo.policy-3.8.2/releasenotes/source/index.rst 2021-08-19 14:38:22.000000000 +0200 +++ new/oslo.policy-3.12.1/releasenotes/source/index.rst 2022-04-29 11:20:01.000000000 +0200 @@ -2,17 +2,19 @@ oslo.policy Release Notes =========================== - .. toctree:: - :maxdepth: 1 +.. toctree:: + :maxdepth: 1 - unreleased - wallaby - victoria - ussuri - train - stein - rocky - queens - pike - ocata - newton + unreleased + yoga + xena + wallaby + victoria + ussuri + train + stein + rocky + queens + pike + ocata + newton diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/source/xena.rst new/oslo.policy-3.12.1/releasenotes/source/xena.rst --- old/oslo.policy-3.8.2/releasenotes/source/xena.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/source/xena.rst 2022-04-29 11:20:01.000000000 +0200 @@ -0,0 +1,6 @@ +========================= +Xena Series Release Notes +========================= + +.. release-notes:: + :branch: stable/xena diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/releasenotes/source/yoga.rst new/oslo.policy-3.12.1/releasenotes/source/yoga.rst --- old/oslo.policy-3.8.2/releasenotes/source/yoga.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/oslo.policy-3.12.1/releasenotes/source/yoga.rst 2022-04-29 11:20:01.000000000 +0200 
@@ -0,0 +1,6 @@ +========================= +Yoga Series Release Notes +========================= + +.. release-notes:: + :branch: stable/yoga diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/oslo.policy-3.8.2/setup.cfg new/oslo.policy-3.12.1/setup.cfg --- old/oslo.policy-3.8.2/setup.cfg 2021-08-19 14:38:57.778637200 +0200 +++ new/oslo.policy-3.12.1/setup.cfg 2022-04-29 11:20:37.853400200 +0200 @@ -18,6 +18,7 @@ Programming Language :: Python :: 3.6 Programming Language :: Python :: 3.7 Programming Language :: Python :: 3.8 + Programming Language :: Python :: 3.9 Programming Language :: Python :: 3 :: Only Programming Language :: Python :: Implementation :: CPython
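Review bot: In the expected sample output of the hunk at @@ -223,7 +223,16, the warning gives the alias format as "old_rule_name": "new_rule_name", while the commented-out line directly beneath it is "foo:post_bar": "rule:foo:create_bar", with the rule: prefix. An operator who copies the format from the warning text would drop that prefix. Suggest the generated warning read "old_rule_name": "rule:new_rule_name" so that the warning and the example it introduces agree.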
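Review bot: In test_set_defaults_enforce_scope and test_set_defaults_two_opts (test_opts.py, @@ -37,3 +37,24), assertEqual(True, ...) and assertEqual(False, ...) also pass for 1 and 0, so they do not pin the option to a real boolean. assertIs(True, self.conf.oslo_policy.enforce_scope) and the matching assertIs(False, ...) would be stricter, and since enforce_scope is the switch that turns scope checking on, the stricter form is worth the extra characters.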
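Review bot: Removing check_loaded_files() and all of its call sites in test_policy.py (hunks from @@ -238,13 through @@ -1043,10) leaves the directory-caching tests asserting only the resulting rule values. The removed expectations were what told a reload from a cache hit: at @@ -364,11 the list named policy.d/a.conf twice, at @@ -392,10 only once. If the _loaded_files attribute is gone from the Enforcer, please replace these checks with something equivalent, for example by mocking the file-read path and asserting how many times each file was read, so that a regression in reload behaviour still fails a test.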
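Review bot: test_load_directory_after_file_is_emptied (test_policy.py, @@ -332,12 +316,41) only exercises a policy.d file rewritten to '{}'. The changelog entry for this fix reads "Rules in policy directory files can be deleted", so a file truncated to zero bytes and a file removed from policy.d altogether deserve their own cases; either one leaving stale rules in force is the same failure as bug 1943584. Two smaller points: the "+ 42" passed to os.utime is a magic number that a named constant or a one-line comment would explain, and assertEqual(self.enforcer.rules, {}) has its arguments in the opposite order to the (expected, actual) convention used by the other assertions in this test.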
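Review bot: test_enforcer_understands_system_scope_creds_dict (test_policy.py, @@ -918,6 +897,20) cannot fail on the behaviour it is named for. It calls self.enforcer.enforce('fake_rule', target_dict, creds) without do_raise and discards the return value, and this same patch establishes that a scope mismatch with do_raise=False returns False instead of raising. In addition, the creds come from a bare context.RequestContext(), so they carry no 'test' role for check_str='role:test' to match. Suggest giving the creds dict the role and wrapping the call in assertTrue(...), or passing do_raise=True, so that a broken system_scope to system mapping is actually reported. The removed test_map_context_attributes_populated_system did assert on the mapped value; the replacement should be at least as strict.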
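Review bot: In the InvalidScope tests at @@ -930,15 +923,23 and @@ -963,15 +964,23, do_raise is passed to assertRaises as do_raise=True in the first call and as a bare positional True in the others ("target_dict, ctx, True"). Inside an assertRaises argument list a lone True is easy to misread as belonging to assertRaises itself. Please use the keyword form throughout, which also matches the do_raise=False calls added right below each one.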
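Review bot: In the hunk at @@ -996,28 +1005,48, test_enforce_scope_with_subclassed_checks_when_scope_not_set ends with self.enforcer.enforce(rule, {}, ctx) and never checks the result. With do_raise left at its default, a scope rejection would come back as False and the test would still pass. Wrap the call in self.assertTrue(...) so the test proves that a TrueCheck with scope_types = None is allowed when enforce_scope is on, which is the counterpart to the InvalidScope assertion in the test that follows it.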
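Review bot: The release note enforce-scope-checks-always-when-rule-has-scope_types-8f983cdf70766e4f.yaml files this change under other:, but it alters enforcement results: per test_enforcer_raises_invalid_scope_with_subclassed_checks, a BaseCheck subclass with scope_types set now raises InvalidScope (or returns False) where it was previously not scope-checked. Deployments that pass check objects directly to enforce() will see requests start to be denied after upgrading, so this belongs under upgrade: (and arguably security:), with a sentence telling operators what to look for.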
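Review bot: The features entry in fix-deprecated-rule-handling-c6fe321fce6293a9.yaml describes exclude_deprecated as an "environment variable", but the updated test_sphinxpolicygen.py sets it as an attribute on the Sphinx config object (config = mock.Mock(..., exclude_deprecated=True)). Please reword it as a Sphinx configuration option so operators do not try to export it in the shell. The same entry also has two typos to fix before merge: "Spinx" and "espescially".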
