Merge "Add allowlist and denylist for action providers and actions"

2025-04-23 21:59:31 +00:00 · 2025-04-23 21:59:31 +00:00 · ffef2f4a79
commit ffef2f4a79
parent 688c4e5743 11785d1e31
6 changed files with 205 additions and 0 deletions
--- a/mistral/actions/legacy.py
+++ b/mistral/actions/legacy.py
@ -99,7 +99,17 @@ class LegacyActionProvider(ml_actions.ActionProvider):
            invoke_on_load=False
        )
        allowlist = CONF.legacy_action_provider.allowlist
        denylist = CONF.legacy_action_provider.denylist
        for action_name in ext_mgr.names():
            if allowlist:
                if action_name not in allowlist:
                    continue
            elif denylist:
                if action_name in denylist:
                    continue
            action_cls = ext_mgr[action_name].plugin
            if CONF.legacy_action_provider.only_builtin_actions:
--- a/mistral/config.py
+++ b/mistral/config.py
@ -64,6 +64,29 @@ auth_type_opt = cfg.StrOpt(
    help=_('Authentication type (valid options: keystone, keycloak-oidc)')
 )
 action_providers_opts = [
    cfg.ListOpt(
        'allowlist',
        default=[],
        help=_(
            'Allowlist with action providers that is allowed to be '
            'loaded from the entry point "mistral.action.providers", '
            'if empty all action providers will be allowed unless '
            'denylist is set.'
        ),
    ),
    cfg.ListOpt(
        'denylist',
        default=[],
        help=_(
            'Denylist with action providers that is not allowed to '
            'be loaded from the entry point "mistral.action.providers", '
            'allowlist takes precendence, if empty all action providers '
            'will be allowed.'
        ),
    ),
 ]
 legacy_action_provider_opts = [
    cfg.BoolOpt(
        'load_action_plugins',
@ -91,6 +114,25 @@ legacy_action_provider_opts = [
            'This property is needed mostly for testing.'
        )
    ),
    cfg.ListOpt(
        'allowlist',
        default=[],
        help=_(
            'Allowlist with actions that is allowed to be '
            'loaded from the entry point "mistral.actions", '
            'if empty all actions will be allowed.'
        ),
    ),
    cfg.ListOpt(
        'denylist',
        default=[],
        help=_(
            'Denylist with actions that is not allowed to '
            'be loaded from the entry point "mistral.actions", '
            'allowlist takes precedence, if empty all actions '
            'will be allowed.'
        ),
    ),
 ]
 api_opts = [
@ -755,6 +797,7 @@ healthcheck_opts = [
 CONF = cfg.CONF
 ACTION_PROVIDERS_GROUP = 'action_providers'
 LEGACY_ACTION_PROVIDER_GROUP = 'legacy_action_provider'
 API_GROUP = 'api'
 ENGINE_GROUP = 'engine'
@ -785,6 +828,7 @@ CONF.register_opt(oslo_rpc_executor)
 CONF.register_opt(expiration_token_duration)
 CONF.register_opts(service_opts.service_opts)
 CONF.register_opts(action_providers_opts, group=ACTION_PROVIDERS_GROUP)
 CONF.register_opts(
    legacy_action_provider_opts,
    group=LEGACY_ACTION_PROVIDER_GROUP
@ -842,6 +886,7 @@ _DEFAULT_LOG_LEVELS = [
 def list_opts():
    return [
        (ACTION_PROVIDERS_GROUP, action_providers_opts),
        (API_GROUP, api_opts),
        (ENGINE_GROUP, engine_opts),
        (EXECUTOR_GROUP, executor_opts),
--- a/mistral/services/actions.py
+++ b/mistral/services/actions.py
@ -18,6 +18,7 @@ collection of functions for accessing information about actions
 available in the system.
 """
 from oslo_config import cfg
 from oslo_log import log as logging
 from stevedore import extension
@ -39,7 +40,17 @@ def _get_registered_providers():
        invoke_on_load=False
    )
    allowlist = cfg.CONF.action_providers.allowlist
    denylist = cfg.CONF.action_providers.denylist
    for provider_name in mgr.names():
        if allowlist:
            if provider_name not in allowlist:
                continue
        elif denylist:
            if provider_name in denylist:
                continue
        provider_cls = mgr[provider_name].plugin
        try:
--- a/mistral/tests/unit/actions/test_legacy_action_provider.py
+++ b/mistral/tests/unit/actions/test_legacy_action_provider.py
@ -202,3 +202,61 @@ class LegacyActionProviderTest(base.BaseTest):
        )
        self.assertEqual('Goodbye, Lieutenant Dan!', goodbye_action.run(None))
    def test_allowlist(self):
        self.override_config(
            'load_action_generators',
            False,
            'legacy_action_provider'
        )
        self.override_config(
            'allowlist', ['std.noop'],
            'legacy_action_provider'
        )
        provider = legacy.LegacyActionProvider()
        action_descs = provider.find_all()
        self.assertEqual(1, len(action_descs))
        self.assertIsNotNone(provider.find('std.noop'))
    def test_denylist(self):
        self.override_config(
            'load_action_generators',
            False,
            'legacy_action_provider'
        )
        self.override_config(
            'denylist', ['std.noop'],
            'legacy_action_provider'
        )
        provider = legacy.LegacyActionProvider()
        action_descs = provider.find_all()
        self.assertTrue(
            all(
                [
                    a_d.name != 'std.noop'
                    for a_d in action_descs
                ]
            )
        )
    def test_allowlist_and_denylist(self):
        self.override_config(
            'load_action_generators',
            False,
            'legacy_action_provider'
        )
        self.override_config(
            'allowlist', ['std.noop'],
            'legacy_action_provider'
        )
        self.override_config(
            'denylist', ['std.fail'],
            'legacy_action_provider'
        )
        provider = legacy.LegacyActionProvider()
        action_descs = provider.find_all()
        self.assertEqual(1, len(action_descs))
        self.assertIsNotNone(provider.find('std.noop'))
--- a/mistral/tests/unit/services/test_actions.py
+++ b/mistral/tests/unit/services/test_actions.py
@ -0,0 +1,71 @@
 # Copyright 2025 Binero.
 #
 #    Licensed under the Apache License, Version 2.0 (the "License");
 #    you may not use this file except in compliance with the License.
 #    You may obtain a copy of the License at
 #
 #        http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS,
 #    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 #    See the License for the specific language governing permissions and
 #    limitations under the License.
 from unittest import mock
 from mistral import config
 from mistral.services.actions import _get_registered_providers
 from mistral.tests.unit import base
 class FakeExtManager:
    def __init__(self):
        self.plugins = ['adhoc', 'dynamic', 'legacy']
    def names(self):
        return self.plugins
 class ActionsTest(base.DbTestCase):
    def setUp(self):
        super(ActionsTest, self).setUp()
    @mock.patch('stevedore.enabled.ExtensionManager')
    def test_get_registered_providers(self, mock_ext_mgr):
        mock_ext_mgr.return_value = FakeExtManager()
        providers = _get_registered_providers()
        self.assertEqual(3, len(providers))
        self.assertEqual('adhoc', providers[0].name)
        self.assertEqual('dynamic', providers[1].name)
        self.assertEqual('legacy', providers[2].name)
    @mock.patch('stevedore.enabled.ExtensionManager')
    def test_get_registered_providers_allowlist(self, mock_ext_mgr):
        self.override_config(
            'allowlist', ['dynamic'], config.ACTION_PROVIDERS_GROUP)
        mock_ext_mgr.return_value = FakeExtManager()
        providers = _get_registered_providers()
        self.assertEqual(1, len(providers))
        self.assertEqual('dynamic', providers[0].name)
    @mock.patch('stevedore.enabled.ExtensionManager')
    def test_get_registered_providers_denylist(self, mock_ext_mgr):
        self.override_config(
            'denylist', ['legacy'], config.ACTION_PROVIDERS_GROUP)
        mock_ext_mgr.return_value = FakeExtManager()
        providers = _get_registered_providers()
        self.assertEqual(2, len(providers))
        self.assertEqual('adhoc', providers[0].name)
        self.assertEqual('dynamic', providers[1].name)
    @mock.patch('stevedore.enabled.ExtensionManager')
    def test_get_registered_providers_allow_and_deny(self, mock_ext_mgr):
        self.override_config(
            'allowlist', ['adhoc'], group=config.ACTION_PROVIDERS_GROUP)
        self.override_config(
            'denylist', ['dynamic'], group=config.ACTION_PROVIDERS_GROUP)
        mock_ext_mgr.return_value = FakeExtManager()
        providers = _get_registered_providers()
        self.assertEqual(1, len(providers))
        self.assertEqual('adhoc', providers[0].name)
--- a/releasenotes/notes/action-providers-actions-allowlist-denylist-57c033279e27772e.yaml
+++ b/releasenotes/notes/action-providers-actions-allowlist-denylist-57c033279e27772e.yaml
@ -0,0 +1,10 @@
 ---
 features:
  - |
    Added mutually exclusive config options ``[action_providers]/allowlist``
    and ``[action_providers]/denylist`` that can be used to filter what action
    providers is loaded.
  - |
    Added mutually exclusive config options ``[legacy_action_provider]/allowlist``
    and ``[legacy_action_provider]/denylist`` that can be used to filter what
    actions is loaded by the legacy action provider.