Ejemplo n.º 1
0
 def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
     project_id = "123456"
     user_id = "A1234"
     tenant_id = "abcd"
     self.fake_context.project_id = project_id
     self.fake_context.user_id = user_id
     obj = {
         "limits": {
             "rate": [],
             "absolute": {},
         },
     }
     target = {
         "project_id": tenant_id,
         "user_id": user_id
     }
     fake_req = FakeRequest(self.fake_context)
     fake_req.GET = {'tenant_id': tenant_id}
     self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
     self.authorize_for_admin(self.fake_context, target=target). \
         AndRaise(exception.PolicyNotAuthorized(
         action="compute_extension:used_limits_for_admin"))
     self.mox.ReplayAll()
     res = wsgi.ResponseObject(obj)
     self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
                       fake_req, res)
Ejemplo n.º 2
0
 def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
     project_id = "123456"
     user_id = "A1234"
     tenant_id = "abcd"
     self.fake_context.project_id = project_id
     self.fake_context.user_id = user_id
     obj = {
         "limits": {
             "rate": [],
             "absolute": {},
         },
     }
     target = {"project_id": tenant_id, "user_id": user_id}
     fake_req = FakeRequest(self.fake_context)
     fake_req.GET = {'tenant_id': tenant_id}
     if self.ext_mgr is not None:
         self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
     self.mock_can.side_effect = exception.PolicyNotAuthorized(
         action=self.used_limit_extension)
     self.mox.ReplayAll()
     res = wsgi.ResponseObject(obj)
     self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
                       fake_req, res)
     self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
                                           target)
Ejemplo n.º 3
0
def enforce(context, action, target):
    """Verifies that the action is valid on the target in this context.

       :param context: nova context
       :param action: string representing the action to be checked
           this should be colon separated for clarity.
           i.e. compute:create_instance
                compute:attach_volume
                volume:attach_volume

       :param object: dictionary representing the object of the action
           for object creation this should be a dictionary representing the
           location of the object e.g. {'project_id': context.project_id}

       :raises: `nova.exception.PolicyNotAllowed` if verification fails.

    """
    init()

    match_list = ('rule:%s' % action, )
    credentials = context.to_dict()

    try:
        policy.enforce(match_list, target, credentials)
    except policy.NotAuthorized:
        raise exception.PolicyNotAuthorized(action=action)
Ejemplo n.º 4
0
    def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
        project_id = "123456"
        user_id = "A1234"
        tenant_id = "abcd"
        self.fake_context.project_id = project_id
        self.fake_context.user_id = user_id
        obj = {
            "limits": {
                "rate": [],
                "absolute": {},
            },
        }
        target = {"project_id": tenant_id, "user_id": user_id}
        fake_req = FakeRequest(self.fake_context)
        fake_req.GET = webob.request.MultiDict({'tenant_id': tenant_id})

        self.mock_can.side_effect = exception.PolicyNotAuthorized(
            action=self.used_limit_extension)

        res = wsgi.ResponseObject(obj)
        self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
                          fake_req, res)

        self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
                                              target)
Ejemplo n.º 5
0
 def _test_core_authorizer_throws_exception_if_policy_fails(
         self, rule, authorize):
     target = {'project_id': '1234', 'user_id': '5678'}
     self.mox.StubOutWithMock(nova.policy, 'enforce')
     nova.policy.enforce(self.fake_context, rule, target).AndRaise(
         exception.PolicyNotAuthorized(action=rule))
     self.mox.ReplayAll()
     self.assertRaises(exception.PolicyNotAuthorized,
                       authorize,
                       self.fake_context,
                       target=target)
Ejemplo n.º 6
0
    def test_unlock_not_authorized(self):
        self.mox.StubOutWithMock(self.compute_api, 'unlock')

        instance = self._stub_instance_get()

        self.compute_api.unlock(self.context, instance).AndRaise(
            exception.PolicyNotAuthorized(action='unlock'))

        self.mox.ReplayAll()
        body = {}
        self.assertRaises(self.authorization_error, self.controller._unlock,
                          self.req, instance.uuid, body)
Ejemplo n.º 7
0
    def test_unlock_not_authorized(self):
        self.mox.StubOutWithMock(self.compute_api, 'unlock')

        instance = self._stub_instance_get(objects=False)

        self.compute_api.unlock(self.context, instance).AndRaise(
            exception.PolicyNotAuthorized(action='unlock'))

        self.mox.ReplayAll()

        res = self._make_request('/servers/%s/action' % instance['uuid'],
                                 {'unlock': None})
        self.assertEqual(403, res.status_int)
Ejemplo n.º 8
0
 def test_core_authorizer_throws_exception_if_policy_fails(self):
     target = {'project_id': '1234', 'user_id': '5678'}
     self.mox.StubOutWithMock(nova.policy, 'enforce')
     nova.policy.enforce(self.fake_context, "compute:used_limits_for_admin",
                         target).AndRaise(
                             exception.PolicyNotAuthorized(
                                 action="compute:used_limits_for_admin"))
     self.mox.ReplayAll()
     authorize = base_extensions.core_authorizer('compute',
                                                 'used_limits_for_admin')
     self.assertRaises(exception.PolicyNotAuthorized,
                       authorize,
                       self.fake_context,
                       target=target)
Ejemplo n.º 9
0
    def test_unlock_not_authorized(self):
        instance = self._stub_instance_get()

        body = {}
        with mock.patch.object(
                self.compute_api, 'unlock',
                side_effect=exception.PolicyNotAuthorized(
                    action='unlock')) as mock_unlock:
            self.assertRaises(self.authorization_error,
                              self.controller._unlock,
                              self.req, instance.uuid, body)
            mock_unlock.assert_called_once_with(self.context, instance)
        self.mock_get.assert_called_once_with(self.context, instance.uuid,
                                              expected_attrs=None)
Ejemplo n.º 10
0
    def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
        project_id = "123456"
        user_id = "A1234"
        tenant_id = "abcd"
        target = {"project_id": tenant_id, "user_id": user_id}
        req = fakes.HTTPRequest.blank('/?tenant_id=%s' % tenant_id)
        context = nova.context.RequestContext(user_id, project_id)
        req.environ["nova.context"] = context

        self.mock_can.side_effect = exception.PolicyNotAuthorized(
            action="os_compute_api:os-used-limits")
        self.assertRaises(exception.PolicyNotAuthorized,
                          self.view_builder.build, req, self.absolute_limits)

        self.mock_can.assert_called_with(ul_policies.BASE_POLICY_NAME, target)
Ejemplo n.º 11
0
 def test_network_create_exception_policy_failed(self):
     ex = exception.PolicyNotAuthorized(action='dummy')
     expex = webob.exc.HTTPForbidden
     self._test_network_create_exception(ex, expex)
Ejemplo n.º 12
0
 def fake_authorize(context, target=None, action=None):
     raise exception.PolicyNotAuthorized(action='index')
Ejemplo n.º 13
0
 def fake_func():
     raise exception.PolicyNotAuthorized(action="foo")
Ejemplo n.º 14
0
 def fake_unlock(*args, **kwargs):
     raise exception.PolicyNotAuthorized(action='unlock')