def test_policy_cfn_default(self): enforcer = policy.Enforcer(scope='cloudformation') ctx = context.RequestContext(roles=[]) for action in self.cfn_actions: # Everything should be allowed enforcer.enforce(ctx, action, {})
def test_policy_cfn_allow_non_stack_user(self): enforcer = policy.Enforcer(scope='cloudformation') ctx = utils.dummy_context(roles=['not_a_stack_user']) for action in self.cfn_actions: # Everything should be allowed enforcer.enforce(ctx, action, is_registered_policy=True)
def test_set_rules_overwrite_false(self): self.stub_policyfile('deny_stack_user.json') enforcer = policy.Enforcer() enforcer.load_rules(True) enforcer.set_rules({'test_heat_rule': 1}, False) self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_set_rules_overwrite_true(self): self.stub_policyfile('deny_stack_user.json') enforcer = policy.Enforcer() enforcer.load_rules(True) enforcer.set_rules({'test_heat_rule': 1}, True) self.assertEqual(enforcer.enforcer.rules, {'test_heat_rule': 1})
def test_clear(self): self.stub_policyfile('deny_stack_user.json') enforcer = policy.Enforcer() enforcer.load_rules(force_reload=True) enforcer.clear() self.assertEqual({}, enforcer.enforcer.rules)
def test_load_rules_force_reload_true(self): self.stub_policyfile('deny_stack_user.json') enforcer = policy.Enforcer() enforcer.set_rules({'test_heat_rule': 'test'}) enforcer.load_rules(True) self.assertNotIn({'test_heat_rule': 'test'}, enforcer.enforcer.rules)
def test_load_rules_force_reload_false(self): enforcer = policy.Enforcer() enforcer.load_rules(True) enforcer.load_rules(True) enforcer.set_rules({'test_heat_rule': 'test'}) enforcer.load_rules(False) self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_no_such_action(self): ctx = utils.dummy_context(roles=['not_a_stack_user']) enforcer = policy.Enforcer(scope='cloudformation') action = 'no_such_action' msg = 'cloudformation:no_such_action has not been registered' self.assertRaisesRegex(base_policy.PolicyNotRegistered, msg, enforcer.enforce, ctx, action, None, None, True)
def __init__(self, auth_token=None, username=None, password=None, aws_creds=None, tenant=None, user_id=None, tenant_id=None, auth_url=None, roles=None, is_admin=None, read_only=False, show_deleted=False, overwrite=True, trust_id=None, trustor_user_id=None, request_id=None, auth_token_info=None, region_name=None, auth_plugin=None, trusts_auth_plugin=None, **kwargs): """Initialisation of the request context. :param overwrite: Set to False to ensure that the greenthread local copy of the index is not overwritten. :param kwargs: Extra arguments that might be present, but we ignore because they possibly came in from older rpc messages. """ super(RequestContext, self).__init__(auth_token=auth_token, user=username, tenant=tenant, is_admin=is_admin, read_only=read_only, show_deleted=show_deleted, request_id=request_id) self.username = username self.user_id = user_id self.password = password self.region_name = region_name self.aws_creds = aws_creds self.tenant_id = tenant_id self.auth_token_info = auth_token_info self.auth_url = auth_url self.roles = roles or [] self._session = None self._clients = None self.trust_id = trust_id self.trustor_user_id = trustor_user_id self.policy = policy.Enforcer() self._auth_plugin = auth_plugin self._trusts_auth_plugin = trusts_auth_plugin if is_admin is None: self.is_admin = self.policy.check_is_admin(self) else: self.is_admin = is_admin
def test_load_rules_force_reload_false(self): enforcer = policy.Enforcer( policy_file=self.get_policy_file('deny_stack_user.json')) enforcer.load_rules(True) enforcer.load_rules(True) enforcer.set_rules({'test_heat_rule': 'test'}) enforcer.load_rules(False) self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_default_rule(self): ctx = utils.dummy_context(roles=['not_a_stack_user']) enforcer = policy.Enforcer( scope='cloudformation', policy_file=self.get_policy_file('deny_stack_user.json'), exc=None, default_rule='!') action = 'no_such_action' self.assertFalse(enforcer.enforce(ctx, action))
def test_enforce_creds(self): enforcer = policy.Enforcer() ctx = utils.dummy_context(roles=['admin']) self.m.StubOutWithMock(base_policy.Enforcer, 'enforce') base_policy.Enforcer.enforce('context_is_admin', {}, ctx.to_dict(), False, exc=None).AndReturn(True) self.m.ReplayAll() self.assertTrue(enforcer.check_is_admin(ctx))
def test_default_rule(self): self.stub_policyfile('deny_stack_user.json') ctx = utils.dummy_context(roles=['not_a_stack_user']) default_rule = base_policy.FalseCheck() enforcer = policy.Enforcer(scope='cloudformation', exc=None, default_rule=default_rule) action = 'no_such_action' self.assertFalse(enforcer.enforce(ctx, action))
def test_policy_cfn_allow_non_stack_user(self): self.stub_policyfile('deny_stack_user.json') enforcer = policy.Enforcer(scope='cloudformation') ctx = utils.dummy_context(roles=['not_a_stack_user']) for action in self.cfn_actions: # Everything should be allowed enforcer.enforce(ctx, action)
def test_policy_cfn_default(self): enforcer = policy.Enforcer( scope='cloudformation', policy_file=self.get_policy_file('deny_stack_user.json')) ctx = utils.dummy_context(roles=[]) for action in self.cfn_actions: # Everything should be allowed enforcer.enforce(ctx, action)
def test_policy_cw_allow_non_stack_user(self): enforcer = policy.Enforcer( scope='cloudwatch', policy_file=self.get_policy_file('deny_stack_user.json')) ctx = utils.dummy_context(roles=['not_a_stack_user']) for action in self.cw_actions: # Everything should be allowed enforcer.enforce(ctx, action)
def test_policy_cfn_notallowed(self): self.stub_policyfile('notallowed.json') enforcer = policy.Enforcer(scope='cloudformation') ctx = utils.dummy_context(roles=[]) for action in self.cfn_actions: # Everything should raise the default exception.Forbidden self.assertRaises(exception.Forbidden, enforcer.enforce, ctx, action, {})
def test_set_rules_overwrite_false(self): pf = policy_path + 'deny_stack_user.json' self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path') base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf) self.m.ReplayAll() enforcer = policy.Enforcer() enforcer.load_rules(True) enforcer.set_rules({'test_heat_rule': 1}, False) self.assertIn('test_heat_rule', enforcer.enforcer.rules)
def test_load_rules_force_reload_true(self): pf = policy_path + 'deny_stack_user.json' self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path') base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf) self.m.ReplayAll() enforcer = policy.Enforcer() enforcer.set_rules({'test_heat_rule': 'test'}) enforcer.load_rules(True) self.assertNotIn({'test_heat_rule': 'test'}, enforcer.enforcer.rules)
def test_policy_cfn_notallowed(self): enforcer = policy.Enforcer( scope='cloudformation', policy_file=self.get_policy_file('notallowed.json')) ctx = utils.dummy_context(roles=[]) for action in self.cfn_actions: # Everything should raise the default exception.Forbidden self.assertRaises(exception.Forbidden, enforcer.enforce, ctx, action, {}, is_registered_policy=True)
def test_check_admin(self): enforcer = policy.Enforcer() ctx = utils.dummy_context(roles=[]) self.assertFalse(enforcer.check_is_admin(ctx)) ctx = utils.dummy_context(roles=['not_admin']) self.assertFalse(enforcer.check_is_admin(ctx)) ctx = utils.dummy_context(roles=['admin']) self.assertTrue(enforcer.check_is_admin(ctx))
def test_clear(self): pf = policy_path + 'deny_stack_user.json' self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path') base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf) self.m.ReplayAll() enforcer = policy.Enforcer() enforcer.load_rules(force_reload=True) enforcer.clear() self.assertEqual(enforcer.enforcer.rules, {}) self.m.VerifyAll()
def test_policy_cfn_deny_stack_user(self): enforcer = policy.Enforcer(scope='cloudformation') ctx = utils.dummy_context(roles=['heat_stack_user']) for action in self.cfn_actions: # Everything apart from DescribeStackResource should be Forbidden if action == "DescribeStackResource": enforcer.enforce(ctx, action, is_registered_policy=True) else: self.assertRaises(exception.Forbidden, enforcer.enforce, ctx, action, {}, is_registered_policy=True)
def _test_policy_allowed(self, scope, actions, personas): enforcer = policy.Enforcer(scope=scope) for persona in personas: ctx = self._get_context(persona) for action in actions: # Everything should be allowed enforcer.enforce( ctx, action, target={"project_id": "test_tenant_id"}, is_registered_policy=True )
def test_policy_cfn_default(self): pf = policy_path + 'deny_stack_user.json' self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path') base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf) self.m.ReplayAll() enforcer = policy.Enforcer(scope='cloudformation') ctx = utils.dummy_context(roles=[]) for action in self.cfn_actions: # Everything should be allowed enforcer.enforce(ctx, action, {})
def _test_policy_notallowed(self, scope, actions, personas): enforcer = policy.Enforcer(scope=scope) for persona in personas: ctx = self._get_context(persona) for action in actions: # Everything should raise the default exception.Forbidden self.assertRaises( exception.Forbidden, enforcer.enforce, ctx, action, target={"project_id": "test_tenant_id"}, is_registered_policy=True)
def test_policy_cw_deny_stack_user(self): self.stub_policyfile('deny_stack_user.json') enforcer = policy.Enforcer(scope='cloudwatch') ctx = utils.dummy_context(roles=['heat_stack_user']) for action in self.cw_actions: # Everything apart from PutMetricData should be Forbidden if action == "PutMetricData": enforcer.enforce(ctx, action) else: self.assertRaises(exception.Forbidden, enforcer.enforce, ctx, action, {})
def test_policy_cfn_allow_non_stack_user(self): pf = policy_path + 'deny_stack_user.json' self.m.StubOutWithMock(policy.Enforcer, '_find_policy_file') policy.Enforcer._find_policy_file().MultipleTimes().AndReturn(pf) self.m.ReplayAll() enforcer = policy.Enforcer(scope='cloudformation') ctx = context.RequestContext(roles=['not_a_stack_user']) for action in self.cfn_actions: # Everything should be allowed enforcer.enforce(ctx, action, {}) self.m.VerifyAll()
def test_default_rule(self): pf = policy_path + 'deny_stack_user.json' self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path') base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(pf) self.m.ReplayAll() ctx = utils.dummy_context(roles=['not_a_stack_user']) default_rule = base_policy.FalseCheck() enforcer = policy.Enforcer(scope='cloudformation', exc=None, default_rule=default_rule) action = 'no_such_action' self.assertEqual(enforcer.enforce(ctx, action, {}), False) self.m.VerifyAll()
def test_policy_cfn_notallowed(self): pf = policy_path + 'notallowed.json' self.m.StubOutWithMock(policy.Enforcer, '_find_policy_file') policy.Enforcer._find_policy_file().MultipleTimes().AndReturn(pf) self.m.ReplayAll() enforcer = policy.Enforcer(scope='cloudformation') ctx = context.RequestContext(roles=[]) for action in self.cfn_actions: # Everything should raise the default exception.Forbidden self.assertRaises(exception.Forbidden, enforcer.enforce, ctx, action, {}) self.m.VerifyAll()