def _set_policy_rules(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:instance_actions':
common_policy.parse_rule(''),
'compute_extension:instance_actions:events':
common_policy.parse_rule('is_admin:True')}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {
"compute:get": common_policy.parse_rule(""),
"os_compute_api:os-instance-actions": common_policy.parse_rule(""),
"os_compute_api:os-instance-actions:events": common_policy.parse_rule("is_admin:True"),
}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {'compute:get': common_policy.parse_rule(''),
'os_compute_api:os-instance-actions':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions:events':
common_policy.parse_rule('is_admin:True')}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {
"compute:get": common_policy.parse_rule(""),
"compute_extension:instance_actions": common_policy.parse_rule(""),
"compute_extension:instance_actions:events": common_policy.parse_rule("is_admin:True"),
}
policy.set_rules(rules)
def test_shelve_allowed(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:%sshelve' % self.prefix:
common_policy.parse_rule('')}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve,
self.req, str(uuid.uuid4()), {})
def test_unshelve_allowed(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:unshelve': common_policy.parse_rule('')}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_shelve_offload_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:shelve_offload':
policy.parse_rule('')})
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
self.assertRaises(exception.Forbidden,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_shelve_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:shelve':
policy.parse_rule('')})
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
req, str(uuid.uuid4()), {})
def test_create_vol_backed_img_snapshotting_policy_blocks_role(self):
"""Don't permit a snapshot of a volume backed instance if configured
not to based on role
"""
body = {"createImage": {"name": "Snapshot 1"}}
rule_name = "compute:snapshot_volume_backed"
rules = {rule_name: common_policy.parse_rule("role:no_role"), "compute:get": common_policy.parse_rule("")}
policy.set_rules(rules)
with mock.patch.object(compute_api.API, "is_volume_backed_instance", return_value=True):
exc = self.assertRaises(
exception.PolicyNotAuthorized, self.controller._action_create_image, self.req, FAKE_UUID, body=body
)
self.assertEqual("Policy doesn't allow %s to be performed." % rule_name, exc.format_message())
def test_list_actions_restricted_by_project(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:instance_actions':
policy.parse_rule('project_id:%(project_id)s')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id):
return {'name': 'fake', 'project_id': '%s_unequal' %
context.project_id}
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-instance-actions')
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
str(uuid.uuid4()))
def test_get_action_restricted_by_project(self):
rules = policy.Rules(
{
"compute:get": policy.parse_rule(""),
"compute_extension:instance_actions": policy.parse_rule("project_id:%(project_id)s"),
}
)
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id, columns_to_join=None):
return fake_instance.fake_db_instance(**{"name": "fake", "project_id": "%s_unequal" % context.project_id})
self.stubs.Set(db, "instance_get_by_uuid", fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank("/v2/123/servers/12/os-instance-actions/1")
self.assertRaises(exception.NotAuthorized, self.controller.show, req, str(uuid.uuid4()), "1")
def test_keypair_list_pass_policy(self):
rules = {'compute_extension:v3:keypairs:index':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs')
res = self.KeyPairController.index(req)
self.assertIn('keypairs', res)
def test_unshelve_restricted_by_role(self):
rules = {'compute_extension:%sunshelve' % self.prefix:
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.controller._unshelve,
self.req, str(uuid.uuid4()), {})
def test_keypair_delete_fail_policy(self):
rules = {self.policy_path + ':delete':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.delete,
self.req, 'FAKE')
def test_keypair_delete_pass_policy(self):
rules = policy.Rules({"compute_extension:v3:keypairs:delete": policy.parse_rule("")})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v3/keypairs/FAKE")
req.method = "DELETE"
res = self.KeyPairController.delete(req, "FAKE")
self.assertEqual(res.status_int, 202)
def test_keypair_show_pass_policy(self):
rules = {'compute_extension:v3:keypairs:show':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertIn('keypair', res)
def test_keypair_delete_pass_policy(self):
rules = {'compute_extension:v3:keypairs:delete':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
req.method = 'DELETE'
self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
def test_keypair_list_fail_policy(self):
rules = {self.policy_path + ':index':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.index,
self.req)
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create':
common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.create(self.req, body=body)
self.assertIn('keypair', res)
def test_shelve_offload_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:shelve_offload':
policy.parse_rule('')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v3/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_keypair_create_fail_policy(self):
body = {"keypair": {"name": "create_test"}}
rules = {"compute_extension:keypairs:create": common_policy.parse_rule("role:admin")}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v2/fake/os-keypairs")
req.method = "POST"
self.assertRaises(exception.Forbidden, self.KeyPairController.create, req, body)
def test_keypair_list_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:index':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs')
res = self.KeyPairController.index(req)
self.assertTrue('keypairs' in res)
def test_list_actions_restricted_by_project(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:os-server-actions':
policy.parse_rule('project_id:%(project_id)s')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None, use_slave=False):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequestV3.blank('/servers/12/os-server-actions')
self.assertRaises(exception.Forbidden, self.controller.index, req,
str(uuid.uuid4()))
def test_keypair_show_pass_policy(self):
rules = {self.policy_path + ':show':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertIn('keypair', res)
def test_keypair_list_pass_policy(self):
rules = {self.policy_path + ':index':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs')
res = self.KeyPairController.index(req)
self.assertIn('keypairs', res)
def test_keypair_show_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:show':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertTrue('keypair' in res)
def test_keypair_show_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:show':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs/FAKE')
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.show,
req, 'FAKE')
def test_keypair_delete_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:delete':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs/FAKE')
req.method = 'DELETE'
res = self.KeyPairController.delete(req, 'FAKE')
self.assertEqual(res.status_int, 202)
def test_keypair_list_fail_policy(self):
rules = policy.Rules({'compute_extension:keypairs:index':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.index,
req)
def test_shelve_offload_restricted_by_role(self):
rules = policy.Rules({'compute_extension:v3:os-shelve:shelve_offload':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_keypair_list_pass_policy(self):
rules = {self.policy_path + ':index': common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.index(self.req)
self.assertIn('keypairs', res)
def test_keypair_list_pass_policy(self):
rules = {self.policy_path + ':index': common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs')
res = self.KeyPairController.index(req)
self.assertIn('keypairs', res)
def _set_policy_rules(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:v3:os-instance-actions':
common_policy.parse_rule('project_id:%(project_id)s')}
policy.set_rules(rules)
def set_rules(self, rules):
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
def test_keypair_delete_pass_policy(self):
rules = {self.policy_path + ':delete': common_policy.parse_rule('')}
policy.set_rules(rules)
self.KeyPairController.delete(self.req, 'FAKE')
def set_rules(self, rules):
policy = nova.policy._ENFORCER
policy.set_rules(
dict((k, common_policy.parse_rule(v)) for k, v in rules.items()))
def _set_rules(self, default_rule):
rules = common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items()), default_rule)
common_policy.set_rules(rules)
def _set_rules(self, default_rule):
policy.reset()
rules = {k: common_policy.parse_rule(v) for k, v in self.rules.items()}
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def test_keypair_show_pass_policy(self):
rules = {self.policy_path + ':show': common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.show(self.req, 'FAKE')
self.assertIn('keypair', res)
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create': common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.create(self.req, body=body)
self.assertIn('keypair', res)
def set_rules(self, rules):
policy = nova.policy._ENFORCER
policy.set_rules(
{k: common_policy.parse_rule(v)
for k, v in rules.items()})
def test_keypair_show_pass_policy(self):
rules = {self.policy_path + ':show': common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertIn('keypair', res)
