Ejemplo n.º 1
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     self.skipTest("Not ready yet")
     policy.reset()
     self.addCleanup(policy.reset)
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": '!',
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     common_policy.set_rules(
         common_policy.Rules(
             dict((k, common_policy.parse_rule(v))
                  for k, v in rules.items())))
     self.context = context.Context('fake', 'fake', roles=['member'])
     self.target = {}
Ejemplo n.º 2
0
    def get_rules(self):
        rules = policy.Rules()
        # Check whether policy file exists and attempt to read it.
        for path in self.policy_files[self.service]:
            try:
                with open(path, 'r') as fp:
                    for k, v in policy.Rules.load(fp.read()).items():
                        if k not in rules:
                            rules[k] = v
                        # If the policy name and rule are the same, no
                        # ambiguity, so no reason to warn.
                        elif str(v) != str(rules[k]):
                            msg = ("The same policy name: %s was found in "
                                   "multiple policies files for service %s. "
                                   "This can lead to policy rule ambiguity. "
                                   "Using rule: %s; Rule from file: %s")
                            LOG.warning(msg, k, self.service, rules[k], v)
            except (ValueError, IOError):
                LOG.warning("Failed to read policy file '%s' for service %s.",
                            path, self.service)

        # Check whether policy actions are defined in code. Nova and Keystone,
        # for example, define their default policy actions in code.
        mgr = stevedore.named.NamedExtensionManager(
            'oslo.policy.policies',
            names=[self.service],
            invoke_on_load=True,
            warn_on_missing_entrypoint=False)

        if mgr:
            policy_generator = {plc.name: plc.obj for plc in mgr}
            if self.service in policy_generator:
                for rule in policy_generator[self.service]:
                    if rule.name not in rules:
                        if CONF.patrole.validate_deprecated_rules:
                            # NOTE (sergey.vilgelm):
                            # The `DocumentedRuleDefault` object has no
                            # `deprecated_rule` attribute in Pike
                            if getattr(rule, 'deprecated_rule', False):
                                rule = self._handle_deprecated_rule(rule)
                        rules[rule.name] = rule.check
                    elif str(rule.check) != str(rules[rule.name]):
                        msg = ("The same policy name: %s was found in the "
                               "policies files and in the code for service "
                               "%s. This can lead to policy rule ambiguity. "
                               "Using rule: %s; Rule from code: %s")
                        LOG.warning(msg, rule.name, self.service,
                                    rules[rule.name], rule.check)

        if not rules:
            msg = (
                'Policy files for {0} service were not found among the '
                'registered in-code policies or in any of the possible policy '
                'files: {1}.'.format(self.service, [
                    loc % self.service
                    for loc in CONF.patrole.custom_policy_files
                ]))
            raise rbac_exceptions.RbacParsingException(msg)

        return rules
Ejemplo n.º 3
0
 def test_get_roles_with_rule_check(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     self.assertEqual(['admin'], policy.get_admin_roles())
Ejemplo n.º 4
0
    def test_str_true(self):
        exemplar = """{
    "admin_or_owner": ""
}"""
        rules = policy.Rules(dict(admin_or_owner=_checks.TrueCheck(), ))

        self.assertEqual(exemplar, str(rules))
Ejemplo n.º 5
0
 def test_get_roles_context_is_admin_rule_missing(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     # 'admin' role is expected for bw compatibility
     self.assertEqual(['admin'], policy.get_admin_roles())
Ejemplo n.º 6
0
    def test_str(self):
        exemplar = jsonutils.dumps(
            {"admin_or_owner": "role:admin or project_id:%(project_id)s"},
            indent=4)
        rules = policy.Rules(
            dict(admin_or_owner='role:admin or project_id:%(project_id)s', ))

        self.assertEqual(exemplar, str(rules))
Ejemplo n.º 7
0
    def test_str(self):
        exemplar = """{
    "admin_or_owner": "role:admin or project_id:%(project_id)s"
}"""
        rules = policy.Rules(
            dict(admin_or_owner='role:admin or project_id:%(project_id)s', ))

        self.assertEqual(exemplar, str(rules))
Ejemplo n.º 8
0
    def test_str_true(self):
        exemplar = jsonutils.dumps({
            "admin_or_owner": ""
        }, indent=4)
        rules = policy.Rules(dict(
            admin_or_owner=_checks.TrueCheck(),
        ))

        self.assertEqual(exemplar, str(rules))
Ejemplo n.º 9
0
    def test_no_default(self):
        rules = policy.Rules(dict(a=1, b=2, c=3))

        self.assertRaises(KeyError, lambda: rules['d'])
Ejemplo n.º 10
0
    def test_init(self):
        rules = policy.Rules(dict(a=1, b=2, c=3), 'a')

        self.assertEqual(dict(a=1, b=2, c=3), rules)
        self.assertEqual('a', rules.default_rule)
Ejemplo n.º 11
0
    def test_init_basic(self):
        rules = policy.Rules()

        self.assertEqual({}, rules)
        self.assertIsNone(rules.default_rule)
Ejemplo n.º 12
0
    def test_retrieval(self):
        rules = policy.Rules(dict(a=1, b=2, c=3), 'b')

        self.assertEqual(1, rules['a'])
        self.assertEqual(2, rules['b'])
        self.assertEqual(3, rules['c'])
Ejemplo n.º 13
0
 def _set_rules(self, default_rule):
     rules = common_policy.Rules(
         dict((k, common_policy.parse_rule(v))
              for k, v in self.rules.items()), default_rule)
     common_policy.set_rules(rules)
Ejemplo n.º 14
0
 def fakepolicyinit(self, **kwargs):
     enf = policy._ENFORCER
     enf.set_rules(oslo_policy.Rules(self.rules))
Ejemplo n.º 15
0
 def fakepolicyinit(self, **kwargs):
     policy._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
     policy._ENFORCER.set_rules(oslo_policy.Rules(self.rules))
Ejemplo n.º 16
0
    def test_missing_default(self):
        rules = policy.Rules(dict(a=1, c=3), 'b')

        self.assertRaises(KeyError, lambda: rules['d'])
Ejemplo n.º 17
0
    def test_with_default(self):
        rules = policy.Rules(dict(a=1, b=2, c=3), 'b')

        self.assertEqual(2, rules['d'])
Ejemplo n.º 18
0
 def fakepolicyinit():
     common_policy.set_rules(common_policy.Rules(self.rules))
Ejemplo n.º 19
0
 def set_rules(self, rules, overwrite=True):
     """Create a new Rules object based on the provided dict of rules."""
     rules_obj = policy.Rules(rules, self.default_rule)
     self.enforcer.set_rules(rules_obj, overwrite)
Ejemplo n.º 20
0
    def test_retrieval(self):
        rules = policy.Rules(dict(a=1, b=2, c=3), 'b')

        self.assertEqual(rules['a'], 1)
        self.assertEqual(rules['b'], 2)
        self.assertEqual(rules['c'], 3)