def test_read_policy_from_file_default_only(self):
"""
Test that reading a policy file with only a preset section works
correctly.
"""
policy_file = tempfile.NamedTemporaryFile(
dir=self.temp_dir,
delete=False
)
with open(policy_file.name, 'w') as f:
f.write(
'{"test": '
'{"preset": {"SPLIT_KEY": {"GET": "ALLOW_ALL"}}}}'
)
policies = policy.read_policy_from_file(policy_file.name)
self.assertEqual(1, len(policies))
self.assertIn('test', policies.keys())
expected = {
'preset': {
enums.ObjectType.SPLIT_KEY: {
enums.Operation.GET: enums.Policy.ALLOW_ALL
}
}
}
self.assertEqual(expected, policies.get('test'))
def test_read_policy_from_file_legacy(self):
"""
Test that reading a legacy policy file works correctly.
Note: legacy policy file support may be removed in the future.
"""
policy_file = tempfile.NamedTemporaryFile(
dir=self.temp_dir,
delete=False
)
with open(policy_file.name, 'w') as f:
f.write(
'{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
)
policies = policy.read_policy_from_file(policy_file.name)
self.assertEqual(1, len(policies))
self.assertIn('test', policies.keys())
expected = {
'preset': {
enums.ObjectType.CERTIFICATE: {
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
}
}
}
self.assertEqual(expected, policies.get('test'))
def test_read_policy_from_file_empty_policy(self):
"""
Test that reading a file with an empty policy is handled correctly.
"""
policy_file = tempfile.NamedTemporaryFile(dir=self.temp_dir,
delete=False)
with open(policy_file.name, 'w') as f:
f.write('{"test": {}}')
policies = policy.read_policy_from_file(policy_file.name)
self.assertEqual(0, len(policies))
def scan_policies(self):
"""
Scan the policy directory for policy data.
"""
policy_files = get_json_files(self.policy_directory)
for f in set(policy_files) - set(self.policy_files):
self.file_timestamps[f] = 0
for f in set(self.policy_files) - set(policy_files):
self.logger.info("Removing policies for file: {}".format(f))
self.file_timestamps.pop(f, None)
for p in self.policy_cache.keys():
self.disassociate_policy_and_file(p, f)
for p in [k for k, v in self.policy_map.items() if v == f]:
self.restore_or_delete_policy(p)
self.policy_files = policy_files
for f in sorted(self.file_timestamps.keys()):
t = os.path.getmtime(f)
if t > self.file_timestamps[f]:
self.logger.info("Loading policies for file: {}".format(f))
self.file_timestamps[f] = t
old_p = [k for k, v in self.policy_map.items() if v == f]
try:
new_p = operation_policy.read_policy_from_file(f)
except ValueError:
self.logger.error("Failure loading file: {}".format(f))
self.logger.debug("", exc_info=True)
continue
for p in new_p.keys():
self.logger.info("Loading policy: {}".format(p))
if p in self.reserved_policies:
self.logger.warning(
"Policy '{}' overwrites a reserved policy and "
"will be thrown out.".format(p))
continue
if p in sorted(self.policy_store.keys()):
self.logger.debug("Policy '{}' overwrites an existing "
"policy.".format(p))
if f != self.policy_map.get(p):
self.policy_cache.get(p).append(
(time.time(), self.policy_map.get(p),
self.policy_store.get(p)))
else:
self.policy_cache[p] = []
self.policy_store[p] = new_p.get(p)
self.policy_map[p] = f
for p in set(old_p) - set(new_p.keys()):
self.disassociate_policy_and_file(p, f)
self.restore_or_delete_policy(p)
def test_read_policy_from_file(self):
policy_file = tempfile.NamedTemporaryFile(dir=self.temp_dir,
delete=False)
with open(policy_file.name, 'w') as f:
f.write('{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}')
policies = policy.read_policy_from_file(policy_file.name)
self.assertEqual(1, len(policies))
self.assertIn('test', policies.keys())
test_policy = {
enums.ObjectType.CERTIFICATE: {
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
}
}
self.assertEqual(test_policy, policies.get('test'))
def _load_operation_policies(self, policy_path):
if (policy_path is None) or (not os.path.isdir(policy_path)):
self._logger.warning(
"The specified operation policy directory{0} is not "
"valid. No user-defined policies will be loaded.".format(
" (" + policy_path + ")" if policy_path else ''))
return dict()
else:
self._logger.info(
"Loading user-defined operation policy files from: {0}".format(
policy_path))
for filename in os.listdir(policy_path):
file_path = os.path.join(policy_path, filename)
if os.path.isfile(file_path):
self._logger.info("Loading user-defined operation policies "
"from file: {0}".format(file_path))
try:
policies = operation_policy.read_policy_from_file(
file_path)
except ValueError as e:
self._logger.error(
"A failure occurred while loading policies.")
self._logger.exception(e)
continue
reserved_policies = ['default', 'public']
for policy_name in six.iterkeys(policies):
if policy_name in reserved_policies:
self._logger.warning(
"Loaded policy '{0}' overwrites a reserved "
"policy and will be thrown out.".format(
policy_name))
elif policy_name in six.iterkeys(self._operation_policies):
self._logger.warning(
"Loaded policy '{0}' overwrites a "
"preexisting policy and will be thrown "
"out.".format(policy_name))
else:
self._operation_policies.update([
(policy_name, policies.get(policy_name))
])
def test_read_policy_from_file(self):
policy_file = tempfile.NamedTemporaryFile(
dir=self.temp_dir,
delete=False
)
with open(policy_file.name, 'w') as f:
f.write(
'{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
)
policies = policy.read_policy_from_file(policy_file.name)
self.assertEqual(1, len(policies))
self.assertIn('test', policies.keys())
test_policy = {
enums.ObjectType.CERTIFICATE: {
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
}
}
self.assertEqual(test_policy, policies.get('test'))
