def test_policy_cfn_default(self):
enforcer = policy.Enforcer(scope='cloudformation')
ctx = context.RequestContext(roles=[])
for action in self.cfn_actions:
# Everything should be allowed
enforcer.enforce(ctx, action, {})
def test_policy_cfn_allow_non_stack_user(self):
enforcer = policy.Enforcer(scope='cloudformation')
ctx = utils.dummy_context(roles=['not_a_stack_user'])
for action in self.cfn_actions:
# Everything should be allowed
enforcer.enforce(ctx, action, is_registered_policy=True)
def test_set_rules_overwrite_false(self):
self.stub_policyfile('deny_stack_user.json')
enforcer = policy.Enforcer()
enforcer.load_rules(True)
enforcer.set_rules({'test_heat_rule': 1}, False)
self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_set_rules_overwrite_true(self):
self.stub_policyfile('deny_stack_user.json')
enforcer = policy.Enforcer()
enforcer.load_rules(True)
enforcer.set_rules({'test_heat_rule': 1}, True)
self.assertEqual(enforcer.enforcer.rules, {'test_heat_rule': 1})
def test_clear(self):
self.stub_policyfile('deny_stack_user.json')
enforcer = policy.Enforcer()
enforcer.load_rules(force_reload=True)
enforcer.clear()
self.assertEqual({}, enforcer.enforcer.rules)
def test_load_rules_force_reload_true(self):
self.stub_policyfile('deny_stack_user.json')
enforcer = policy.Enforcer()
enforcer.set_rules({'test_heat_rule': 'test'})
enforcer.load_rules(True)
self.assertNotIn({'test_heat_rule': 'test'}, enforcer.enforcer.rules)
def test_load_rules_force_reload_false(self):
enforcer = policy.Enforcer()
enforcer.load_rules(True)
enforcer.load_rules(True)
enforcer.set_rules({'test_heat_rule': 'test'})
enforcer.load_rules(False)
self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_no_such_action(self):
ctx = utils.dummy_context(roles=['not_a_stack_user'])
enforcer = policy.Enforcer(scope='cloudformation')
action = 'no_such_action'
msg = 'cloudformation:no_such_action has not been registered'
self.assertRaisesRegex(base_policy.PolicyNotRegistered, msg,
enforcer.enforce, ctx, action, None, None, True)
def __init__(self,
auth_token=None,
username=None,
password=None,
aws_creds=None,
tenant=None,
user_id=None,
tenant_id=None,
auth_url=None,
roles=None,
is_admin=None,
read_only=False,
show_deleted=False,
overwrite=True,
trust_id=None,
trustor_user_id=None,
request_id=None,
auth_token_info=None,
region_name=None,
auth_plugin=None,
trusts_auth_plugin=None,
**kwargs):
"""Initialisation of the request context.
:param overwrite: Set to False to ensure that the greenthread local
copy of the index is not overwritten.
:param kwargs: Extra arguments that might be present, but we ignore
because they possibly came in from older rpc messages.
"""
super(RequestContext, self).__init__(auth_token=auth_token,
user=username,
tenant=tenant,
is_admin=is_admin,
read_only=read_only,
show_deleted=show_deleted,
request_id=request_id)
self.username = username
self.user_id = user_id
self.password = password
self.region_name = region_name
self.aws_creds = aws_creds
self.tenant_id = tenant_id
self.auth_token_info = auth_token_info
self.auth_url = auth_url
self.roles = roles or []
self._session = None
self._clients = None
self.trust_id = trust_id
self.trustor_user_id = trustor_user_id
self.policy = policy.Enforcer()
self._auth_plugin = auth_plugin
self._trusts_auth_plugin = trusts_auth_plugin
if is_admin is None:
self.is_admin = self.policy.check_is_admin(self)
else:
self.is_admin = is_admin
def test_load_rules_force_reload_false(self):
enforcer = policy.Enforcer(
policy_file=self.get_policy_file('deny_stack_user.json'))
enforcer.load_rules(True)
enforcer.load_rules(True)
enforcer.set_rules({'test_heat_rule': 'test'})
enforcer.load_rules(False)
self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_default_rule(self):
ctx = utils.dummy_context(roles=['not_a_stack_user'])
enforcer = policy.Enforcer(
scope='cloudformation',
policy_file=self.get_policy_file('deny_stack_user.json'),
exc=None, default_rule='!')
action = 'no_such_action'
self.assertFalse(enforcer.enforce(ctx, action))
def test_enforce_creds(self):
enforcer = policy.Enforcer()
ctx = utils.dummy_context(roles=['admin'])
self.m.StubOutWithMock(base_policy.Enforcer, 'enforce')
base_policy.Enforcer.enforce('context_is_admin', {}, ctx.to_dict(),
False, exc=None).AndReturn(True)
self.m.ReplayAll()
self.assertTrue(enforcer.check_is_admin(ctx))
def test_default_rule(self):
self.stub_policyfile('deny_stack_user.json')
ctx = utils.dummy_context(roles=['not_a_stack_user'])
default_rule = base_policy.FalseCheck()
enforcer = policy.Enforcer(scope='cloudformation',
exc=None, default_rule=default_rule)
action = 'no_such_action'
self.assertFalse(enforcer.enforce(ctx, action))
def test_policy_cfn_allow_non_stack_user(self):
self.stub_policyfile('deny_stack_user.json')
enforcer = policy.Enforcer(scope='cloudformation')
ctx = utils.dummy_context(roles=['not_a_stack_user'])
for action in self.cfn_actions:
# Everything should be allowed
enforcer.enforce(ctx, action)
def test_policy_cfn_default(self):
enforcer = policy.Enforcer(
scope='cloudformation',
policy_file=self.get_policy_file('deny_stack_user.json'))
ctx = utils.dummy_context(roles=[])
for action in self.cfn_actions:
# Everything should be allowed
enforcer.enforce(ctx, action)
def test_policy_cw_allow_non_stack_user(self):
enforcer = policy.Enforcer(
scope='cloudwatch',
policy_file=self.get_policy_file('deny_stack_user.json'))
ctx = utils.dummy_context(roles=['not_a_stack_user'])
for action in self.cw_actions:
# Everything should be allowed
enforcer.enforce(ctx, action)
def test_policy_cfn_notallowed(self):
self.stub_policyfile('notallowed.json')
enforcer = policy.Enforcer(scope='cloudformation')
ctx = utils.dummy_context(roles=[])
for action in self.cfn_actions:
# Everything should raise the default exception.Forbidden
self.assertRaises(exception.Forbidden, enforcer.enforce, ctx,
action, {})
def test_set_rules_overwrite_false(self):
pf = policy_path + 'deny_stack_user.json'
self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
enforcer = policy.Enforcer()
enforcer.load_rules(True)
enforcer.set_rules({'test_heat_rule': 1}, False)
self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_load_rules_force_reload_true(self):
pf = policy_path + 'deny_stack_user.json'
self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
enforcer = policy.Enforcer()
enforcer.set_rules({'test_heat_rule': 'test'})
enforcer.load_rules(True)
self.assertNotIn({'test_heat_rule': 'test'}, enforcer.enforcer.rules)
def test_policy_cfn_notallowed(self):
enforcer = policy.Enforcer(
scope='cloudformation',
policy_file=self.get_policy_file('notallowed.json'))
ctx = utils.dummy_context(roles=[])
for action in self.cfn_actions:
# Everything should raise the default exception.Forbidden
self.assertRaises(exception.Forbidden, enforcer.enforce, ctx,
action, {}, is_registered_policy=True)
def test_check_admin(self):
enforcer = policy.Enforcer()
ctx = utils.dummy_context(roles=[])
self.assertFalse(enforcer.check_is_admin(ctx))
ctx = utils.dummy_context(roles=['not_admin'])
self.assertFalse(enforcer.check_is_admin(ctx))
ctx = utils.dummy_context(roles=['admin'])
self.assertTrue(enforcer.check_is_admin(ctx))
def test_clear(self):
pf = policy_path + 'deny_stack_user.json'
self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
enforcer = policy.Enforcer()
enforcer.load_rules(force_reload=True)
enforcer.clear()
self.assertEqual(enforcer.enforcer.rules, {})
self.m.VerifyAll()
def test_policy_cfn_deny_stack_user(self):
enforcer = policy.Enforcer(scope='cloudformation')
ctx = utils.dummy_context(roles=['heat_stack_user'])
for action in self.cfn_actions:
# Everything apart from DescribeStackResource should be Forbidden
if action == "DescribeStackResource":
enforcer.enforce(ctx, action, is_registered_policy=True)
else:
self.assertRaises(exception.Forbidden, enforcer.enforce, ctx,
action, {}, is_registered_policy=True)
def _test_policy_allowed(self, scope, actions, personas):
enforcer = policy.Enforcer(scope=scope)
for persona in personas:
ctx = self._get_context(persona)
for action in actions:
# Everything should be allowed
enforcer.enforce(
ctx,
action,
target={"project_id": "test_tenant_id"},
is_registered_policy=True
)
def test_policy_cfn_default(self):
pf = policy_path + 'deny_stack_user.json'
self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
enforcer = policy.Enforcer(scope='cloudformation')
ctx = utils.dummy_context(roles=[])
for action in self.cfn_actions:
# Everything should be allowed
enforcer.enforce(ctx, action, {})
def _test_policy_notallowed(self, scope, actions, personas):
enforcer = policy.Enforcer(scope=scope)
for persona in personas:
ctx = self._get_context(persona)
for action in actions:
# Everything should raise the default exception.Forbidden
self.assertRaises(
exception.Forbidden,
enforcer.enforce, ctx,
action,
target={"project_id": "test_tenant_id"},
is_registered_policy=True)
def test_policy_cw_deny_stack_user(self):
self.stub_policyfile('deny_stack_user.json')
enforcer = policy.Enforcer(scope='cloudwatch')
ctx = utils.dummy_context(roles=['heat_stack_user'])
for action in self.cw_actions:
# Everything apart from PutMetricData should be Forbidden
if action == "PutMetricData":
enforcer.enforce(ctx, action)
else:
self.assertRaises(exception.Forbidden, enforcer.enforce, ctx,
action, {})
def test_policy_cfn_allow_non_stack_user(self):
pf = policy_path + 'deny_stack_user.json'
self.m.StubOutWithMock(policy.Enforcer, '_find_policy_file')
policy.Enforcer._find_policy_file().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
enforcer = policy.Enforcer(scope='cloudformation')
ctx = context.RequestContext(roles=['not_a_stack_user'])
for action in self.cfn_actions:
# Everything should be allowed
enforcer.enforce(ctx, action, {})
self.m.VerifyAll()
def test_default_rule(self):
pf = policy_path + 'deny_stack_user.json'
self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
ctx = utils.dummy_context(roles=['not_a_stack_user'])
default_rule = base_policy.FalseCheck()
enforcer = policy.Enforcer(scope='cloudformation',
exc=None,
default_rule=default_rule)
action = 'no_such_action'
self.assertEqual(enforcer.enforce(ctx, action, {}), False)
self.m.VerifyAll()
def test_policy_cfn_notallowed(self):
pf = policy_path + 'notallowed.json'
self.m.StubOutWithMock(policy.Enforcer, '_find_policy_file')
policy.Enforcer._find_policy_file().MultipleTimes().AndReturn(pf)
self.m.ReplayAll()
enforcer = policy.Enforcer(scope='cloudformation')
ctx = context.RequestContext(roles=[])
for action in self.cfn_actions:
# Everything should raise the default exception.Forbidden
self.assertRaises(exception.Forbidden, enforcer.enforce, ctx,
action, {})
self.m.VerifyAll()
