Ejemplo n.º 1
    def setUp(self):
        """Install a config fixture and register the example policy rules.

        The rules cover the check forms exercised by the tests: "@" (always
        allow), "!" (always deny), an HTTP check, role checks, a templated
        project_id comparison and short and/or combinations.
        """
        super(PolicyTestCase, self).setUp()

        config_fixture = oslo_fixture.Config()
        self.conf = self.useFixture(config_fixture)
        # diltram: this one must be removed after fixing issue in oslo.config
        # https://bugs.launchpad.net/oslo.config/+bug/1645868
        self.conf.conf.__call__(args=[])
        # Reset the policy module before the context is built, because
        # constructing a Context consults the enforcer.
        policy.reset()
        self.context = context.Context('fake', 'fake', roles=['member'])

        # (rule name, check string) pairs, in registration order.
        rule_specs = (
            ("true", "@"),
            ("example:allowed", "@"),
            ("example:denied", "!"),
            ("example:get_http", "http://www.example.com"),
            ("example:my_file",
             "role:compute_admin or project_id:%(project_id)s"),
            ("example:early_and_fail", "! and @"),
            ("example:early_or_success", "@ or !"),
            ("example:lowercase_admin", "role:admin or role:sysadmin"),
            ("example:uppercase_admin", "role:ADMIN or role:sysadmin"),
        )
        self.rules = [
            oslo_policy.RuleDefault(rule_name, check_str)
            for rule_name, check_str in rule_specs
        ]
        policy.get_enforcer().register_defaults(self.rules)
        # Empty target: only the templated rule reads target attributes.
        self.target = {}
Ejemplo n.º 2
    def test_call_false(self):
        """An IsAdminCheck built with 'False' passes only for non-admins."""
        non_admin_check = policy.IsAdminCheck('is_admin', 'False')

        admin_creds = {'is_admin': True}
        plain_creds = {'is_admin': False}

        # The check must reject admin credentials and accept non-admin ones.
        self.assertFalse(
            non_admin_check('target', admin_creds, policy.get_enforcer()))
        self.assertTrue(
            non_admin_check('target', plain_creds, policy.get_enforcer()))
Ejemplo n.º 3
    def test_templatized_authorization(self):
        """A templated project_id rule allows own targets and denies others.

        Assumes self.context was built with project_id 'fake' -- confirm
        against the class setUp.
        """
        action = "example:my_file"
        own_target = {'project_id': 'fake'}
        foreign_target = {'project_id': 'another'}

        # Allowed case: passes as long as authorize() does not raise.
        policy.get_enforcer().authorize(action, own_target, self.context)

        # Cross-project case: the same caller must be refused.
        authorize = policy.get_enforcer().authorize
        with self.assertRaises(exceptions.PolicyForbidden):
            authorize(action, foreign_target, self.context)
Ejemplo n.º 4
    def test_ignore_case_role_check(self):
        """Role checks match regardless of case in the rule or the role.

        Consequence for operators: role names that differ only in case are
        treated as the same role by these rules.
        """
        # NOTE(dprince) we mix case in the Admin role here to ensure
        # case is ignored
        self.context = context.Context('admin', 'fake', roles=['AdMiN'])

        # No return value is asserted: the test passes when neither call
        # raises.
        for action in ("example:lowercase_admin", "example:uppercase_admin"):
            policy.get_enforcer().authorize(action, self.target,
                                            self.context)
Ejemplo n.º 5
    def test_check_is_admin_new_defaults(self):
        """check_is_admin() accepts a system-scoped admin under new defaults."""
        # NOTE(review): this fixture is built directly and never passed to
        # self.useFixture(), so no cleanup is registered by this test; the
        # enforce_new_defaults override is only undone if something else
        # resets config.cfg.CONF -- confirm against the class setUp, since a
        # leaked override would change authorization results in later tests.
        override_fixture = oslo_fixture.Config(config.cfg.CONF)
        override_fixture.config(group="oslo_policy",
                                enforce_new_defaults=True)

        admin_ctx = context.Context('admin', 'fake', roles=['AdMiN'],
                                    system_scope='all')
        self.context = admin_ctx

        self.assertTrue(policy.get_enforcer().check_is_admin(self.context))
Ejemplo n.º 6
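    def test_authorize_admin_actions_with_nonadmin_context_throws(self):
        """Every action in self.actions must reject the non-admin context.

        Each action is authorized with self.target and self.context and is
        expected to raise PolicyForbidden.
        """
        # Snapshot the action names so the loop iterates a stable list even
        # if self.actions is a live view of the enforcer's rules.
        actions = list(self.actions)
        # Without this guard an empty rule set makes the loop a no-op and
        # the test passes without having verified any denial.
        self.assertTrue(
            actions, "no policy actions to check; nothing was verified")
        for action in actions:
            self.assertRaises(
                exceptions.PolicyForbidden, policy.get_enforcer().authorize,
                action, self.target, self.context)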
Ejemplo n.º 7
    def __init__(self, user_id=None, project_id=None, **kwargs):
        """Build the context and derive ``is_admin`` from policy and config.

        A truthy ``project_id`` is forwarded to the parent constructor as
        ``tenant``. ``user_id`` is accepted but not used in this body.
        """
        if project_id:
            kwargs.update(tenant=project_id)

        super().__init__(**kwargs)

        admin_by_policy = policy.get_enforcer().check_is_admin(self)
        # SECURITY: when auth_strategy is NOAUTH every context is flagged
        # admin regardless of the policy result, so NOAUTH deployments have
        # no admin/non-admin separation at this layer.
        self.is_admin = (
            admin_by_policy or
            CONF.api_settings.auth_strategy == constants.NOAUTH)
Ejemplo n.º 8
    def __init__(self, user_id=None, project_id=None, **kwargs):
        """Initialise the request context and compute its admin flag.

        ``project_id`` is passed upward under the ``tenant`` keyword when it
        is truthy; ``user_id`` is not referenced by this constructor.
        """
        if project_id:
            kwargs['tenant'] = project_id
        super(Context, self).__init__(**kwargs)

        # Evaluated in the original order: policy first, config second.
        policy_says_admin = policy.get_enforcer().check_is_admin(self)
        # SECURITY: NOAUTH turns every caller into an admin here, whatever
        # the policy check returned.
        self.is_admin = (
            policy_says_admin or
            CONF.api_settings.auth_strategy == constants.NOAUTH)
Ejemplo n.º 9
    def setUp(self):
        """Prepare a non-admin context and the list of actions to probe.

        self.actions holds the keys of whatever rules the enforcer reports
        at this point; no rules are registered by this method itself.
        """
        super(AdminRolePolicyTestCase, self).setUp()

        config_fixture = oslo_fixture.Config()
        self.conf = self.useFixture(config_fixture)
        # diltram: this one must be removed after fixing issue in oslo.config
        # https://bugs.launchpad.net/oslo.config/+bug/1645868
        self.conf.conf.__call__(args=[])

        # A caller with only the 'member' role, used as the negative case.
        member_ctx = context.Context('fake', 'fake', roles=['member'])
        self.context = member_ctx
        self.actions = policy.get_enforcer().get_rules().keys()
        self.target = {}
Ejemplo n.º 10
    def _auth_get_all(self, context, project_id):
        """Authorize a list request and return the project filter to apply.

        A caller that passes the global "get all" rule keeps ``project_id``
        as requested (``None`` meaning no project filter). Any other caller
        falls back to ``context.project_id`` when none was requested and
        must pass the per-project "get all" rule.

        :param context: request context handed to the policy enforcer.
        :param project_id: project requested by the caller, or ``None``.
        :returns: ``{}`` when ``project_id`` ends up ``None``, otherwise
            ``{'project_id': project_id}``.
        """
        global_action = '{rbac_obj}{action}'.format(
            rbac_obj=self.RBAC_TYPE, action=constants.RBAC_GET_ALL_GLOBAL)
        # do_raise=False: a denial here is not an error, it only selects the
        # project-scoped path below.
        sees_all_projects = policy.get_enforcer().authorize(
            global_action, {'project_id': project_id}, context,
            do_raise=False)

        if not sees_all_projects:
            # Not a global observer or admin
            if project_id is None:
                project_id = context.project_id

            # NOTE(review): if context.project_id is also None, the check
            # below runs against a None project and, should it pass, the
            # empty (unfiltered) query is returned to a caller without
            # global rights. Confirm a project-less context cannot reach
            # this point, or reject it explicitly before this call.
            self._auth_validate_action(context, project_id,
                                       constants.RBAC_GET_ALL)

        return {} if project_id is None else {'project_id': project_id}
Ejemplo n.º 11
    def _auth_get_all(self, context, project_id):
        """Return the query filter a caller is allowed to list with.

        The global "get all" rule is tried first without raising. If it
        passes, the requested ``project_id`` is used unchanged. Otherwise
        the caller's own project is substituted when none was requested and
        the per-project "get all" rule is enforced.

        :param context: request context used for the policy checks.
        :param project_id: requested project, or ``None`` for "any".
        :returns: ``{}`` if the effective project is ``None``, else a dict
            with the single key ``project_id``.
        """
        action = '{rbac_obj}{action}'.format(
            rbac_obj=self.RBAC_TYPE, action=constants.RBAC_GET_ALL_GLOBAL)
        target = {'project_id': project_id}

        if policy.get_enforcer().authorize(
                action, target, context, do_raise=False):
            # Global observer or admin: honour the request as given.
            scoped_to = project_id
        else:
            # Not a global observer or admin
            scoped_to = (context.project_id if project_id is None
                         else project_id)
            # NOTE(review): scoped_to can still be None when the context
            # carries no project. If the project-level check passes in that
            # state, the unfiltered query below is returned to a caller
            # without global rights -- confirm this is unreachable or
            # reject it explicitly before this call.
            self._auth_validate_action(context, scoped_to,
                                       constants.RBAC_GET_ALL)

        if scoped_to is None:
            return {}
        return {'project_id': scoped_to}
Ejemplo n.º 12
    def test_modified_policy_reloads(self):
        """A rule rewritten in the policy file applies after a forced reload.

        The rule starts with an empty check string (authorize succeeds) and
        is then rewritten to "!", after which authorize must be refused.
        """
        action = "example:test"
        with tempfile.NamedTemporaryFile(mode='w',
                                         delete=True) as policy_file:
            self.conf.load_raw_values(
                group='oslo_policy', policy_file=policy_file.name)

            # First revision of the file: permissive rule.
            policy_file.write('{"example:test": ""}')
            policy_file.flush()

            self.context = context.Context('fake', 'fake')

            policy.get_enforcer().register_defaults(
                [oslo_policy.RuleDefault('example:test', "")])

            policy.get_enforcer().authorize(action, self.target,
                                            self.context)

            # Second revision, written over the first from offset 0. There
            # is no truncate(); this works because the new document is
            # longer than the old one, so no stale bytes remain.
            policy_file.seek(0)
            policy_file.write('{"example:test": "!"}')
            policy_file.flush()
            # True forces the enforcer to re-read the file.
            policy.get_enforcer().load_rules(True)

            authorize = policy.get_enforcer().authorize
            with self.assertRaises(exceptions.PolicyForbidden):
                authorize(action, self.target, self.context)
Ejemplo n.º 13
 def _auth_validate_action(self, context, project_id, action):
     """Authorize *action* on this controller's RBAC type for one project.

     The rule name is ``self.RBAC_TYPE`` followed by *action*, and the
     target carries only ``project_id``.

     NOTE(review): the result of authorize() is discarded, so this guards
     callers only if a denial raises -- assumes do_raise defaults to
     True; confirm against the enforcer.
     """
     qualified_action = '{rbac_obj}{action}'.format(
         rbac_obj=self.RBAC_TYPE, action=action)
     policy.get_enforcer().authorize(
         qualified_action, {'project_id': project_id}, context)
Ejemplo n.º 14
 def test_authorize_bad_action_throws(self):
     """authorize() raises PolicyForbidden for the "example:denied" rule.

     Assumes the fixture registers "example:denied" as an always-deny
     rule -- confirm against the class setUp.
     """
     authorize = policy.get_enforcer().authorize
     with self.assertRaises(exceptions.PolicyForbidden):
         authorize("example:denied", self.target, self.context)
Ejemplo n.º 15
 def test_authorize_nonexistent_action_throws(self):
     """An action with no registered rule is an error, not an allow.

     The enforcer is expected to raise PolicyNotRegistered for the
     unknown name rather than let the request through.
     """
     unknown_action = "example:noexist"
     authorize = policy.get_enforcer().authorize
     with self.assertRaises(oslo_policy.PolicyNotRegistered):
         authorize(unknown_action, self.target, self.context)
Ejemplo n.º 16
 def test_authorize_bad_action_noraise(self):
     """With raising disabled, a denied action yields a falsy result.

     The fourth positional argument (False) is presumably do_raise --
     confirm against the enforcer's authorize() signature.
     """
     enforcer = policy.get_enforcer()
     denied = enforcer.authorize(
         "example:denied", self.target, self.context, False)
     # Callers using this mode must test the result; nothing is raised.
     self.assertFalse(denied)
Ejemplo n.º 17
 def test_authorize_http(self, req_mock):
     """An HTTP-backed rule denies when the remote endpoint answers 'False'.

     The endpoint is never contacted for real: req_mock serves the POST
     to the example URL.
     """
     req_mock.post('http://www.example.com/', text='False')

     authorize = policy.get_enforcer().authorize
     with self.assertRaises(exceptions.PolicyForbidden):
         authorize("example:get_http", self.target, self.context)
Ejemplo n.º 18
 def test_authorize_good_action(self):
     """authorize() returns a truthy result for the "example:allowed" rule."""
     enforcer = policy.get_enforcer()
     allowed = enforcer.authorize(
         "example:allowed", self.target, self.context)
     self.assertTrue(allowed)
Ejemplo n.º 19
 def test_early_AND_authorization(self):
     """The "example:early_and_fail" rule must be refused.

     Assumes the fixture registers it as "! and @", i.e. a deny operand
     first -- confirm against the class setUp.
     """
     authorize = policy.get_enforcer().authorize
     with self.assertRaises(exceptions.PolicyForbidden):
         authorize("example:early_and_fail", self.target, self.context)
Ejemplo n.º 20
    def test_check_is_admin(self):
        """check_is_admin() accepts a context whose role is 'AdMiN'.

        The mixed-case role also exercises case-insensitive role matching.
        """
        admin_ctx = context.Context('admin', 'fake', roles=['AdMiN'])
        self.context = admin_ctx

        is_admin = policy.get_enforcer().check_is_admin(self.context)
        self.assertTrue(is_admin)
Ejemplo n.º 21
 def test_check_is_admin_fail(self):
     """check_is_admin() is falsy for the fixture's default context.

     Assumes self.context is a non-admin context built in setUp --
     confirm against the class.
     """
     is_admin = policy.get_enforcer().check_is_admin(self.context)
     self.assertFalse(is_admin)
Ejemplo n.º 22
 def _auth_validate_action(self, context, project_id, action):
     """Check that the caller may perform *action* within *project_id*.

     Builds the rule name from ``self.RBAC_TYPE`` plus *action* and asks
     the enforcer to authorize it against a target holding only the
     project id.

     NOTE(review): nothing is returned and the authorize() result is not
     inspected; a denial is only effective if authorize() raises by
     default -- confirm against the enforcer.
     """
     rule_name = '{rbac_obj}{action}'.format(
         rbac_obj=self.RBAC_TYPE, action=action)
     project_target = {'project_id': project_id}
     enforcer = policy.get_enforcer()
     enforcer.authorize(rule_name, project_target, context)
Ejemplo n.º 23
 def test_early_OR_authorization(self):
     """The "example:early_or_success" rule must be allowed.

     Nothing is asserted on the return value: the test passes when
     authorize() does not raise.
     """
     enforcer = policy.get_enforcer()
     enforcer.authorize(
         "example:early_or_success", self.target, self.context)