refactor genertor: integrate domain isolation, utilize personas.yaml for test generation

.env.example

@@ -0,0 +1,5 @@
+KEYSTONE_IMAGE=quay.io/airshipit/keystone:latest
+NOVA_IMAGE=quay.io/airshipit/nova:latest
+CINDER_IMAGE=quay.io/airshipit/cinder:latest
+NEUTRON_IMAGE=quay.io/airshipit/neutron:latest
+GLANCE_IMAGE=quay.io/airshipit/glance:latest

.gitignore

@@ -1,3 +1,4 @@
+.env
 *.pyc
 *.sw?
 *.egg*/

Dockerfile

@@ -1,19 +1,22 @@
-FROM python:3.11-slim
+ARG BASE_IMAGE
 
-ARG OS_RELEASE=2025.2
-ENV CONSTRAINTS_URL=https://releases.openstack.org/constraints/upper/${OS_RELEASE}
+FROM ${BASE_IMAGE}
+
+USER root
+
+# The pf9-* images use a virtualenv at /var/lib/openstack
+ENV PIP=/var/lib/openstack/bin/pip3
+ENV PYTHON=/var/lib/openstack/bin/python3
 
-# Add build tools (gcc, etc.)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     build-essential \
     git \
-    libssl-dev \
   && rm -rf /var/lib/apt/lists/*
 
-RUN python -m pip install --upgrade pip
-RUN python -m pip install -c ${CONSTRAINTS_URL} \
-    keystone neutron cinder nova glance
+RUN ${PIP} install --upgrade pip
 
 WORKDIR /work
 COPY . /work
-RUN python -m pip install -e /work
+RUN ${PIP} install -e /work
+
+ENTRYPOINT ["/var/lib/openstack/bin/oslopolicy-opa-policy-generator"]

Makefile

@@ -0,0 +1,28 @@
+-include .env
+
+OUTPUT_DIR ?= $(CURDIR)/opa_out
+POLICY_DIR ?= $(CURDIR)/oslo_policies
+
+.PHONY: generate fmt clean
+
+generate:
+	@test -n "$(KEYSTONE_IMAGE)" || { echo "error: set service images in .env (see .env.example)"; exit 1; }
+	KEYSTONE_IMAGE=$(KEYSTONE_IMAGE) \
+	NOVA_IMAGE=$(NOVA_IMAGE) \
+	CINDER_IMAGE=$(CINDER_IMAGE) \
+	NEUTRON_IMAGE=$(NEUTRON_IMAGE) \
+	GLANCE_IMAGE=$(GLANCE_IMAGE) \
+	./tools/generate_mixed_release_opa_out.sh $(OUTPUT_DIR) $(POLICY_DIR)
+	@if command -v opa >/dev/null 2>&1; then \
+		echo "formatting with opa fmt"; \
+		find $(OUTPUT_DIR) -name '*.rego' -exec opa fmt -w {} +; \
+	else \
+		echo "warning: opa not found, skipping format pass"; \
+	fi
+
+fmt:
+	@command -v opa >/dev/null 2>&1 || { echo "error: opa not found"; exit 1; }
+	find $(OUTPUT_DIR) -name '*.rego' -exec opa fmt -w {} +
+
+clean:
+	rm -rf $(OUTPUT_DIR)

opa_out/cinder/backup/backup-import.rego

@@ -1,13 +1,12 @@
 package backup.backup_import
 
-import data.lib
+import data.cinder_lib
 
 # Import backup.
 # POST  /backups/{backup_id}/import_record
-#"backup:backup-import": "rule:admin_api"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:backup-import": "rule:admin_api"
 
 allow if {
-  lib.admin_api
+	cinder_lib.admin_api
 }
-

opa_out/cinder/backup/backup-import_test.rego

@@ -2,5 +2,4 @@ package backup_backup_import_test
 
 import data.backup.backup_import
 
-test_backup_import_0 if backup_import.allow with input as {"credentials": {"is_admin": true}}
-test_backup_import_1 if backup_import.allow with input as {"credentials": {"roles": ["admin"], "is_admin_project": true}}
+test_system_admin_0 if backup_import.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/backup_project_attribute.rego

@@ -1,14 +1,13 @@
 package backup.backup_project_attribute
 
-import data.lib
+import data.cinder_lib
 
 # List backups or show backup with project attributes.
 # GET  /backups/{backup_id}
 # GET  /backups/detail
-#"backup:backup_project_attribute": "rule:admin_api"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:backup_project_attribute": "rule:admin_api"
 
 allow if {
-  lib.admin_api
+	cinder_lib.admin_api
 }
-

opa_out/cinder/backup/backup_project_attribute_test.rego

@@ -2,5 +2,4 @@ package backup_backup_project_attribute_test
 
 import data.backup.backup_project_attribute
 
-test_backup_project_attribute_0 if backup_project_attribute.allow with input as {"credentials": {"is_admin": true}}
-test_backup_project_attribute_1 if backup_project_attribute.allow with input as {"credentials": {"roles": ["admin"], "is_admin_project": true}}
+test_system_admin_0 if backup_project_attribute.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/create.rego

@@ -1,13 +1,12 @@
 package backup.create
 
-import data.lib
+import data.cinder_lib
 
 # Create backup.
 # POST  /backups
-#"backup:create": "rule:xena_system_admin_or_project_member"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:create": "rule:xena_system_admin_or_project_member"
 
 allow if {
-  lib.xena_system_admin_or_project_member
+	cinder_lib.xena_system_admin_or_project_member
 }
-

opa_out/cinder/backup/create_test.rego

@@ -2,5 +2,5 @@ package backup_create_test
 
 import data.backup.create
 
-test_create_0 if create.allow with input as {"credentials": {"roles": ["admin"]}}
-test_create_1 if create.allow with input as {"credentials": {"roles": ["member"], "project_id": "foo"}, "target": {"project_id": "foo"}}
+test_system_admin_0 if create.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}
+test_project_member_1 if create.allow with input as {"credentials": {"project_id": "project-a", "user_id": "member-user-1", "user_domain_id": "domain-a", "project_domain_id": "domain-a", "is_admin": false, "is_admin_project": false, "roles": ["member"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/delete.rego

@@ -1,13 +1,12 @@
 package backup.delete
 
-import data.lib
+import data.cinder_lib
 
 # Delete backup.
 # DELETE  /backups/{backup_id}
-#"backup:delete": "rule:xena_system_admin_or_project_member"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:delete": "rule:xena_system_admin_or_project_member"
 
 allow if {
-  lib.xena_system_admin_or_project_member
+	cinder_lib.xena_system_admin_or_project_member
 }
-

opa_out/cinder/backup/delete_test.rego

@@ -2,5 +2,5 @@ package backup_delete_test
 
 import data.backup.delete
 
-test_delete_0 if delete.allow with input as {"credentials": {"roles": ["admin"]}}
-test_delete_1 if delete.allow with input as {"credentials": {"roles": ["member"], "project_id": "foo"}, "target": {"project_id": "foo"}}
+test_system_admin_0 if delete.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}
+test_project_member_1 if delete.allow with input as {"credentials": {"project_id": "project-a", "user_id": "member-user-1", "user_domain_id": "domain-a", "project_domain_id": "domain-a", "is_admin": false, "is_admin_project": false, "roles": ["member"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/export-import.rego

@@ -1,13 +1,12 @@
 package backup.export_import
 
-import data.lib
+import data.cinder_lib
 
 # Export backup.
 # POST  /backups/{backup_id}/export_record
-#"backup:export-import": "rule:admin_api"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:export-import": "rule:admin_api"
 
 allow if {
-  lib.admin_api
+	cinder_lib.admin_api
 }
-

opa_out/cinder/backup/export-import_test.rego

@@ -2,5 +2,4 @@ package backup_export_import_test
 
 import data.backup.export_import
 
-test_export_import_0 if export_import.allow with input as {"credentials": {"is_admin": true}}
-test_export_import_1 if export_import.allow with input as {"credentials": {"roles": ["admin"], "is_admin_project": true}}
+test_system_admin_0 if export_import.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/get.rego

@@ -1,13 +1,12 @@
 package backup.get
 
-import data.lib
+import data.cinder_lib
 
 # Show backup.
 # GET  /backups/{backup_id}
-#"backup:get": "rule:xena_system_admin_or_project_reader"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:get": "rule:xena_system_admin_or_project_reader"
 
 allow if {
-  lib.xena_system_admin_or_project_reader
+	cinder_lib.xena_system_admin_or_project_reader
 }
-

opa_out/cinder/backup/get_all.rego

@@ -1,14 +1,13 @@
 package backup.get_all
 
-import data.lib
+import data.cinder_lib
 
 # List backups.
 # GET  /backups
 # GET  /backups/detail
-#"backup:get_all": "rule:xena_system_admin_or_project_reader"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:get_all": "rule:xena_system_admin_or_project_reader"
 
 allow if {
-  lib.xena_system_admin_or_project_reader
+	cinder_lib.xena_system_admin_or_project_reader
 }
-

opa_out/cinder/backup/get_all_test.rego

@@ -2,5 +2,5 @@ package backup_get_all_test
 
 import data.backup.get_all
 
-test_get_all_0 if get_all.allow with input as {"credentials": {"roles": ["admin"]}}
-test_get_all_1 if get_all.allow with input as {"credentials": {"roles": ["reader"], "project_id": "foo"}, "target": {"project_id": "foo"}}
+test_system_admin_0 if get_all.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}
+test_project_reader_1 if get_all.allow with input as {"credentials": {"project_id": "project-a", "user_id": "reader-user-1", "user_domain_id": "domain-a", "project_domain_id": "domain-a", "is_admin": false, "is_admin_project": false, "roles": ["reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/get_test.rego

@@ -2,5 +2,5 @@ package backup_get_test
 
 import data.backup.get
 
-test_get_0 if get.allow with input as {"credentials": {"roles": ["admin"]}}
-test_get_1 if get.allow with input as {"credentials": {"roles": ["reader"], "project_id": "foo"}, "target": {"project_id": "foo"}}
+test_system_admin_0 if get.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}
+test_project_reader_1 if get.allow with input as {"credentials": {"project_id": "project-a", "user_id": "reader-user-1", "user_domain_id": "domain-a", "project_domain_id": "domain-a", "is_admin": false, "is_admin_project": false, "roles": ["reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/restore.rego

@@ -1,13 +1,12 @@
 package backup.restore
 
-import data.lib
+import data.cinder_lib
 
 # Restore backup.
 # POST  /backups/{backup_id}/restore
-#"backup:restore": "rule:xena_system_admin_or_project_member"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:restore": "rule:xena_system_admin_or_project_member"
 
 allow if {
-  lib.xena_system_admin_or_project_member
+	cinder_lib.xena_system_admin_or_project_member
 }
-

opa_out/cinder/backup/restore_test.rego

@@ -2,5 +2,5 @@ package backup_restore_test
 
 import data.backup.restore
 
-test_restore_0 if restore.allow with input as {"credentials": {"roles": ["admin"]}}
-test_restore_1 if restore.allow with input as {"credentials": {"roles": ["member"], "project_id": "foo"}, "target": {"project_id": "foo"}}
+test_system_admin_0 if restore.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}
+test_project_member_1 if restore.allow with input as {"credentials": {"project_id": "project-a", "user_id": "member-user-1", "user_domain_id": "domain-a", "project_domain_id": "domain-a", "is_admin": false, "is_admin_project": false, "roles": ["member"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}

opa_out/cinder/backup/update.rego

@@ -1,13 +1,12 @@
 package backup.update
 
-import data.lib
+import data.cinder_lib
 
 # Update backup.
 # PUT  /backups/{backup_id}
-#"backup:update": "rule:xena_system_admin_or_project_member"
-
+# Target attrs: availability_zone, container, created_at, data_timestamp, deleted, deleted_at, display_description, display_name, domain_id, encryption_key_id, fail_reason, host, id, num_dependent_backups, object_count, parent_id, project_id, restore_volume_id, service, service_metadata, size, snapshot_id, status, temp_snapshot_id, temp_volume_id, updated_at, user_id, volume_id
+# "backup:update": "rule:xena_system_admin_or_project_member"
 
 allow if {
-  lib.xena_system_admin_or_project_member
+	cinder_lib.xena_system_admin_or_project_member
 }
-

opa_out/cinder/backup/update_test.rego

@@ -2,5 +2,5 @@ package backup_update_test
 
 import data.backup.update
 
-test_update_0 if update.allow with input as {"credentials": {"roles": ["admin"]}}
-test_update_1 if update.allow with input as {"credentials": {"roles": ["member"], "project_id": "foo"}, "target": {"project_id": "foo"}}
+test_system_admin_0 if update.allow with input as {"credentials": {"project_id": "sys-project-1", "user_id": "sys-admin-user", "user_domain_id": "default", "project_domain_id": "default", "domain_id": "default", "system_scope": "all", "is_admin": true, "is_admin_project": true, "roles": ["admin", "member", "reader"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}
+test_project_member_1 if update.allow with input as {"credentials": {"project_id": "project-a", "user_id": "member-user-1", "user_domain_id": "domain-a", "project_domain_id": "domain-a", "is_admin": false, "is_admin_project": false, "roles": ["member"], "service_roles": []}, "target": {"project_id": "project-a", "domain_id": "domain-a"}}