Beispiel #1
0
    def test_modified_policy_reloads(self):
        """Creates a temporary placement-policy.yaml file and tests
        authorizations against a fake rule between updates to the physical
        policy file.
        """
        with utils.tempdir() as tmpdir:
            tmpfilename = os.path.join(tmpdir, 'placement-policy.yaml')

            self.conf.set_default(
                'policy_file', tmpfilename, group='placement')

            action = 'placement:test'
            # Expect PolicyNotRegistered since defaults are not yet loaded.
            self.assertRaises(oslo_policy.PolicyNotRegistered,
                              policy.authorize, self.ctxt, action, self.target)

            # Load the default action and rule (defaults to "any").
            enforcer = policy.get_enforcer()
            rule = oslo_policy.RuleDefault(action, '')
            enforcer.register_default(rule)

            # Now auth should work because the action is registered and anyone
            # can perform the action.
            policy.authorize(self.ctxt, action, self.target)

            # Now update the policy file and reload it to disable the action
            # from all users.
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('"%s": "!"' % action)
            enforcer.load_rules(force_reload=True)
            self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
                              self.ctxt, action, self.target)
Beispiel #2
0
    def test_modified_policy_reloads(self):
        """Creates a temporary placement-policy.yaml file and tests
        authorizations against a fake rule between updates to the physical
        policy file.
        """
        tempdir = self.useFixture(fixtures.TempDir())
        tmpfilename = os.path.join(tempdir.path, 'placement-policy.yaml')

        self.conf_fixture.config(group='placement', policy_file=tmpfilename)

        action = 'placement:test'

        # Load the default action and rule (defaults to "any").
        enforcer = policy._get_enforcer(self.conf_fixture.conf)
        rule = oslo_policy.RuleDefault(action, '')
        enforcer.register_default(rule)

        # Now auth should work because the action is registered and anyone
        # can perform the action.
        policy.authorize(self.ctxt, action, self.target)

        # Now update the policy file and reload it to disable the action
        # from all users.
        with open(tmpfilename, "w") as policyfile:
            policyfile.write('"%s": "!"' % action)
        enforcer.load_rules(force_reload=True)
        self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
                          self.ctxt, action, self.target)
Beispiel #3
0
    def can(self, action, target=None, fatal=True):
        """Verifies that the given action is valid on the target in this
        context.

        :param action: string representing the action to be checked.
        :param target: As much information about the object being operated on
            as possible. The target argument should be a dict instance or an
            instance of a class that fully supports the Mapping abstract base
            class and deep copying. For object creation this should be a
            dictionary representing the location of the object e.g.
            ``{'project_id': context.project_id}``. If None, then this default
            target will be considered::

                {'project_id': self.project_id, 'user_id': self.user_id}
        :param fatal: if False, will return False when an
            exception.PolicyNotAuthorized occurs.
        :raises placement.exception.PolicyNotAuthorized:
            if verification fails and fatal is True.
        :return: returns a non-False value (not necessarily "True") if
            authorized and False if not authorized and fatal is False.
        """
        if target is None:
            target = {'project_id': self.project_id, 'user_id': self.user_id}
        try:
            return policy.authorize(self, action, target)
        except exception.PolicyNotAuthorized:
            if fatal:
                raise
            return False
Beispiel #4
0
 def test_authorize_do_raise_false(self):
     """Tests that authorize does not raise an exception when the check
     fails.
     """
     fixture = self.useFixture(policy_fixture.PlacementPolicyFixture())
     fixture.set_rules({'placement': '!'})
     self.assertFalse(
         policy.authorize(
             self.ctxt, 'placement', self.target, do_raise=False))
Beispiel #5
0
 def test_authorize_do_raise_false(self):
     """Tests that authorize does not raise an exception when the check
     fails.
     """
     fixture = self.useFixture(
         policy_fixture.PolicyFixture(self.conf_fixture))
     # It doesn't matter which policy we use here so long as it's
     # registered.
     policy_name = 'placement:resource_providers:list'
     fixture.set_rules({policy_name: '!'})
     self.assertFalse(
         policy.authorize(self.ctxt,
                          policy_name,
                          self.target,
                          do_raise=False))