Example #1
 def test_config_policies(self):
     """Check who may read the config endpoint under the default policy.

     Empty credentials must be refused for ``managesf.config:get``; a
     credentials dict that carries a username must be accepted.
     """
     # NOTE(review): the username literal reads '******' in this listing,
     # presumably masked by the page -- confirm against the upstream test.
     rule = 'managesf.config:get'
     target = {}
     anonymous = {}
     self.assertFalse(policy.authorize(rule, target, anonymous))
     named_user = {'username': '******'}
     self.assertTrue(policy.authorize(rule, target, named_user))
Example #2
 def test_config_policies(self):
     """Default config endpoint policy: anonymous refused, user accepted."""
     # NOTE(review): '******' looks like a masked username in this
     # listing -- confirm the real value against the upstream test.
     target = {}
     expectations = (
         ({}, self.assertFalse),
         ({'username': '******'}, self.assertTrue),
     )
     for credentials, check in expectations:
         check(policy.authorize('managesf.config:get', target, credentials))
Example #3
 def test_hooks_policies(self):
     """Check who may trigger hooks under the default policy.

     Four credential sets are tried in order against
     ``managesf.hooks:trigger``: the first two (empty, then a named user)
     must be refused, the last two must be accepted.
     """
     # NOTE(review): all three usernames read '******' in this listing,
     # presumably masked; the opposite expectations imply distinct
     # accounts -- confirm against the upstream test.
     rule = 'managesf.hooks:trigger'
     target = {}
     cases = (
         ({}, False),
         ({'username': '******'}, False),
         ({'username': '******'}, True),
         ({'username': '******'}, True),
     )
     for credentials, allowed in cases:
         check = self.assertTrue if allowed else self.assertFalse
         check(policy.authorize(rule, target, credentials))
Example #4
 def test_hooks_policies(self):
     """Default hooks endpoint policy, checked for four credential sets.

     Empty credentials and the first named user are refused
     ``managesf.hooks:trigger``; the next two named users are accepted.
     """
     # NOTE(review): the usernames all read '******' here, presumably
     # masked by the listing -- confirm the real accounts upstream.
     target = {}

     def may_trigger(credentials):
         return policy.authorize('managesf.hooks:trigger', target,
                                 credentials)

     self.assertFalse(may_trigger({}))
     self.assertFalse(may_trigger({'username': '******'}))
     self.assertTrue(may_trigger({'username': '******'}))
     self.assertTrue(may_trigger({'username': '******'}))
Example #5
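def authorize(rule_name, target):
    """Build the caller's credentials and evaluate *rule_name* for them.

    The username is ``request.remote_user``; when that is unset it is
    filled in from the ``X-Remote-User`` request header. Group names are
    looked up through the first registered code review plugin.

    SECURITY: ``X-Remote-User`` is an ordinary request header, so the
    identity is only trustworthy when every request reaches this
    application through a front end that authenticates the user and
    overwrites or strips any client-supplied copy of the header. Nothing
    in this function verifies that.
    NOTE(review): confirm the deployment enforces it and that the
    application is not reachable directly.

    Returns whatever ``policy.authorize`` returns for the rule.
    """
    if not request.remote_user:
        request.remote_user = request.headers.get('X-Remote-User')
    credentials = {'username': request.remote_user, 'groups': []}
    # TODO(mhu) this must be independent from gerrit
    if request.remote_user:
        # next() with a default instead of [...][0]: without a code review
        # plugin the lookup used to raise IndexError; the group list now
        # stays empty, so no group-based rule can match.
        code_review = next(
            (s for s in SF_SERVICES
             if isinstance(s, base.BaseCodeReviewServicePlugin)),
            None)
        if code_review is not None:
            user_groups = code_review.project.get_user_groups(
                request.remote_user)
            credentials['groups'] = [grp['name'] for grp in user_groups]
    return policy.authorize(rule_name, target, credentials)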
Example #6
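def authorize(rule_name, target):
    """Evaluate *rule_name* against *target* for the requesting user.

    Credentials are assembled here: the username is
    ``request.remote_user`` (taken from the ``X-Remote-User`` header when
    unset) and the groups are those the first code review plugin reports
    for that user.

    SECURITY: the header fallback makes the caller's identity depend on a
    value any client can send. It is safe only behind a front end that
    authenticates the user and replaces or removes a client-supplied
    ``X-Remote-User``; this function does not check for one.
    NOTE(review): verify that guarantee for each deployment.

    Returns the result of ``policy.authorize``.
    """
    if not request.remote_user:
        request.remote_user = request.headers.get('X-Remote-User')
    credentials = {'username': request.remote_user, 'groups': []}
    # TODO(mhu) this must be independent from gerrit
    if request.remote_user:
        code_review_plugins = [
            s for s in SF_SERVICES
            if isinstance(s, base.BaseCodeReviewServicePlugin)
        ]
        # Indexing [0] on an empty list raised IndexError when no code
        # review plugin was registered; in that case the groups are now
        # left empty, so only rules that do not need a group can match.
        if code_review_plugins:
            code_review = code_review_plugins[0]
            user_groups = code_review.project.get_user_groups(
                request.remote_user)
            credentials['groups'] = [grp['name'] for grp in user_groups]
    return policy.authorize(rule_name, target, credentials)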
Example #7
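 def test_nodes_policies_extra_conditions(self):
     """Check a file-defined rule that mixes username and target fields.

     The policy file is rewritten so that ``managesf.node:image-update``
     is granted by ``rick-images`` (username rick, image schwifty,
     provider wub) or by ``admin_or_service``; a request for that image
     and provider must then be authorized. Afterwards the file is
     rewritten with the ``admin_or_service``-only rule.
     """
     pol_file = self.config['policy']['policy_file']
     with open(pol_file, 'w') as p:
         yaml.dump(
             {"managesf.node:image-update": ("rule:rick-images or "
                                             "rule:admin_or_service"),
              "rick-images": ("username:rick and image:schwifty "
                              "and provider:wub")},
             p, default_flow_style=False)
     try:
         # NOTE(review): the username reads '******' in this listing,
         # presumably masked; the rule above matches username rick.
         credentials = {'username': '******'}
         target = {'image': 'schwifty',
                   'provider': 'wub'}
         self.assertTrue(policy.authorize("managesf.node:image-update",
                                          target, credentials))
     finally:
         # Restore in a finally block: a failed assertion used to skip
         # this step and leave the widened rule in the policy file.
         with open(pol_file, 'w') as p:
             yaml.dump(
                 {"managesf.node:image-update": "rule:admin_or_service"},
                 p, default_flow_style=False)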
Example #8
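 def test_nodes_policies_extra_conditions(self):
     """Exercise a policy-file rule with extra target conditions.

     ``managesf.node:image-update`` is temporarily granted by
     ``rick-images`` (username rick, image schwifty, provider wub) in
     addition to ``admin_or_service``. A request whose target names that
     image and provider must be authorized. The policy file is put back
     to the ``admin_or_service``-only rule before the test returns.
     """
     pol_file = self.config['policy']['policy_file']
     widened = {
         "managesf.node:image-update": ("rule:rick-images or "
                                        "rule:admin_or_service"),
         "rick-images": ("username:rick and image:schwifty "
                         "and provider:wub")
     }
     restored = {"managesf.node:image-update": "rule:admin_or_service"}
     with open(pol_file, 'w') as p:
         yaml.dump(widened, p, default_flow_style=False)
     try:
         # NOTE(review): '******' looks like a masked username in this
         # listing; the rick-images rule requires username rick.
         credentials = {'username': '******'}
         target = {'image': 'schwifty', 'provider': 'wub'}
         self.assertTrue(
             policy.authorize("managesf.node:image-update", target,
                              credentials))
     finally:
         # Runs even when the assertion fails, so the widened rule never
         # outlives this test in the policy file.
         with open(pol_file, 'w') as p:
             yaml.dump(restored, p, default_flow_style=False)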
Example #9
 def test_htpasswd_policies(self):
     """Check the default policy of the htpasswd endpoints.

     With empty credentials get, create_update and delete must all be
     refused; with a named user all three must be accepted.
     """
     # NOTE(review): the username reads '******' in this listing,
     # presumably masked -- confirm against the upstream test.
     rules = ('managesf.htpasswd:get',
              'managesf.htpasswd:create_update',
              'managesf.htpasswd:delete')
     target = {}
     credentials = {}
     for rule in rules:
         self.assertFalse(policy.authorize(rule, target, credentials))
     credentials = {'username': '******'}
     for rule in rules:
         self.assertTrue(policy.authorize(rule, target, credentials))
Example #10
 def test_backup_policies(self):
     """Check the default policy of the backup endpoints.

     Empty credentials and the first named user are refused both
     ``managesf.backup:create`` and ``managesf.backup:get``; the second
     named user is granted both.
     """
     # NOTE(review): both usernames read '******' in this listing,
     # presumably masked; the opposite expectations imply two distinct
     # accounts -- confirm against the upstream test.
     create = 'managesf.backup:create'
     get = 'managesf.backup:get'
     target = {}
     phases = (
         ({}, (create, get), self.assertFalse),
         ({'username': '******'}, (create, get), self.assertFalse),
         ({'username': '******'}, (get, create), self.assertTrue),
     )
     for credentials, rules, check in phases:
         for rule in rules:
             check(policy.authorize(rule, target, credentials))
Example #11
 def test_backup_policies(self):
     """Default backup endpoint policy for three credential sets.

     Creating and fetching a backup is refused for empty credentials and
     for the first named user, and accepted for the second named user.
     """
     # NOTE(review): the usernames read '******' here, presumably masked
     # by the listing -- confirm the real accounts upstream.
     target = {}

     def decide(rule, credentials):
         return policy.authorize(rule, target, credentials)

     anonymous = {}
     self.assertFalse(decide('managesf.backup:create', anonymous))
     self.assertFalse(decide('managesf.backup:get', anonymous))
     refused_user = {'username': '******'}
     self.assertFalse(decide('managesf.backup:create', refused_user))
     self.assertFalse(decide('managesf.backup:get', refused_user))
     granted_user = {'username': '******'}
     self.assertTrue(decide('managesf.backup:get', granted_user))
     self.assertTrue(decide('managesf.backup:create', granted_user))
Example #12
 def test_htpasswd_policies(self):
     """Default htpasswd endpoint policy: anonymous refused, user accepted.

     Covers ``managesf.htpasswd:get``, ``:create_update`` and ``:delete``.
     """
     # NOTE(review): '******' looks like a masked username in this
     # listing -- confirm the real value against the upstream test.
     target = {}
     actions = ('managesf.htpasswd:get',
                'managesf.htpasswd:create_update',
                'managesf.htpasswd:delete')
     expectations = (
         ({}, self.assertFalse),
         ({'username': '******'}, self.assertTrue),
     )
     for credentials, check in expectations:
         for action in actions:
             check(policy.authorize(action, target, credentials))
Example #13
 def test_localuser_policies(self):
     """Check the default policy of the localuser endpoints.

     Asserted, in order:

     - empty credentials: get, create_update and delete are refused,
       bind is accepted;
     - a named user without groups, empty target: get and bind are
       accepted, create_update and delete are refused;
     - same user, first ``username`` target: create_update and delete
       are accepted;
     - same user, second ``username`` target: get is accepted,
       create_update and delete are refused;
     - after the credentials' username is replaced: create_update and
       delete are accepted for that second target.
     """
     # NOTE(review): every username reads '******' in this listing,
     # presumably masked; the expectations imply different accounts in
     # credentials and targets -- confirm against the upstream test.
     get = 'managesf.localuser:get'
     create_update = 'managesf.localuser:create_update'
     delete = 'managesf.localuser:delete'
     bind = 'managesf.localuser:bind'

     def expect(*verdicts):
         # target and credentials are read at call time, so the
         # rebinding and mutation below are picked up
         for rule, allowed in verdicts:
             check = self.assertTrue if allowed else self.assertFalse
             check(policy.authorize(rule, target, credentials))

     credentials = {}
     target = {}
     expect((get, False), (create_update, False), (delete, False),
            (bind, True))
     credentials = {'username': '******',
                    'groups': []}
     expect((get, True), (create_update, False), (delete, False),
            (bind, True))
     target = {'username': '******'}
     expect((create_update, True), (delete, True))
     target = {'username': '******'}
     expect((get, True), (create_update, False), (delete, False))
     credentials['username'] = '******'
     expect((create_update, True), (delete, True))
Example #14
 def test_jobs_policies(self):
     """Check the default policy of the jobs endpoints.

     ``managesf.job:get`` is accepted for every credential set, including
     empty credentials. ``managesf.job:run`` and ``managesf.job:stop`` are
     refused for empty credentials and the first named user, and accepted
     for the last two named users.
     """
     # NOTE(review): the usernames all read '******' in this listing,
     # presumably masked -- confirm the real accounts upstream.
     rules = ('managesf.job:get', 'managesf.job:run', 'managesf.job:stop')
     cases = (
         ({}, (True, False, False)),
         ({'username': '******'}, (True, False, False)),
         ({'username': '******'}, (True, True, True)),
         ({'username': '******'}, (True, True, True)),
     )
     for credentials, verdicts in cases:
         for rule, allowed in zip(rules, verdicts):
             check = self.assertTrue if allowed else self.assertFalse
             # a fresh empty target per call, as the rules take none
             check(policy.authorize(rule, {}, credentials))
Example #15
 def test_nodes_policies(self):
     """Check the default policy of the nodes endpoints.

     For empty credentials and for the first named user only the two
     read rules (``managesf.node:get`` and ``managesf.node:image-get``)
     are accepted; hold, delete, add_authorized_key, image-start-update
     and image-update-status are refused. For the last two named users
     all seven rules are accepted.
     """
     # NOTE(review): the usernames all read '******' in this listing,
     # presumably masked; the differing expectations imply distinct
     # accounts -- confirm against the upstream test.
     rules = (
         'managesf.node:get',
         'managesf.node:hold',
         'managesf.node:delete',
         'managesf.node:add_authorized_key',
         'managesf.node:image-get',
         'managesf.node:image-start-update',
         'managesf.node:image-update-status',
     )
     read_only = (True, False, False, False, True, False, False)
     everything = (True,) * len(rules)
     cases = (
         ({}, read_only),
         ({'username': '******'}, read_only),
         ({'username': '******'}, everything),
         ({'username': '******'}, everything),
     )
     for credentials, verdicts in cases:
         for rule, allowed in zip(rules, verdicts):
             check = self.assertTrue if allowed else self.assertFalse
             check(policy.authorize(rule, {}, credentials))
Example #16
 def test_default_policies(self):
     """Check the base rules shipped with a default deployment.

     Walks through empty credentials, a named user, the admin account
     (``self.config.admin['name']``, falling back to 'admin'), the service
     user, and a user checked against ``username`` and ``project``
     targets with the groups p0-dev, p0-core and p0-ptl in turn.
     """
     # NOTE(review): the literal usernames read '******' in this listing,
     # presumably masked; owner_api is refused for one target and granted
     # for the next, so they cannot all be the same value upstream.

     def expect(*verdicts):
         # target and credentials are looked up at call time, so the
         # rebinding and mutation below take effect
         for rule, allowed in verdicts:
             check = self.assertTrue if allowed else self.assertFalse
             check(policy.authorize(rule, target, credentials))

     credentials = {}
     target = {}
     try:
         admin_account = self.config.admin['name']
     except AttributeError:
         admin_account = 'admin'
     expect(('any', True), ('none', False), ('authenticated_api', False))

     credentials = {'username': '******'}
     expect(('any', True), ('none', False), ('authenticated_api', True),
            ('admin_api', False))

     credentials = {'username': admin_account}
     expect(('authenticated_api', True), ('any', True), ('none', False),
            ('admin_api', True), ('admin_or_service', True),
            ('owner_api', False), ('admin_or_owner', True),
            ('contributor_api', False))

     credentials = {'username': base.SERVICE_USER}
     expect(('authenticated_api', True), ('any', True), ('none', False),
            ('admin_api', False), ('admin_or_service', True),
            ('owner_api', False))

     credentials = {'username': '******'}
     target = {'username': '******'}
     expect(('authenticated_api', True), ('any', True), ('none', False),
            ('admin_api', False), ('owner_api', False))
     target = {'username': '******'}
     expect(('owner_api', True))

     credentials['groups'] = [
         'p0-dev',
     ]
     target = {'project': 'p1'}
     expect(('any', True), ('dev_api', False), ('core_api', False),
            ('ptl_api', False), ('contributor_api', False))
     target = {'project': 'p0'}
     expect(('dev_api', True), ('core_api', False), ('ptl_api', False),
            ('contributor_api', True))

     credentials['groups'] = [
         'p0-core',
     ]
     expect(('dev_api', False), ('core_api', True), ('ptl_api', False),
            ('contributor_api', True))

     credentials['groups'] = [
         'p0-ptl',
     ]
     expect(('dev_api', False), ('core_api', False), ('ptl_api', True),
            ('contributor_api', True))
Example #17
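 def test_change_in_file_policies(self):
     """Check that a rewritten policy file is taken into account.

     The policy file is replaced with rules that open
     ``managesf.node:get``, close ``managesf.node:create`` and add
     ``rick_api`` (username Rick). Four rules are then evaluated for
     empty credentials, two named users and the admin account;
     ``managesf.node:image-start-update`` is absent from the file, so
     the default rule is expected to apply to it. The original file
     content is written back at the end.
     """
     pol_file = self.config['policy']['policy_file']
     with open(pol_file, 'w') as p:
         yaml.dump(
             {"managesf.node:get": "rule:any",
              "managesf.node:create": "rule:none",
              "is_rick": "username:Rick",
              "rick_api": "rule:is_rick"},
             p, default_flow_style=False)
     rules = ('admin_api',
              'managesf.node:create',
              'managesf.node:image-start-update',
              'rick_api')

     def expect(*verdicts):
         # one verdict per entry of rules, evaluated in that order
         for rule, allowed in zip(rules, verdicts):
             check = self.assertTrue if allowed else self.assertFalse
             check(policy.authorize(rule, target, credentials))

     try:
         credentials = {}
         target = {}
         try:
             admin_account = self.config.admin['name']
         except AttributeError:
             admin_account = 'admin'
         # make sure default rules are there
         expect(False, False, False, False)
         # NOTE(review): both usernames below read '******' in this
         # listing, presumably masked; rick_api is granted for the first
         # and refused for the second.
         credentials['username'] = '******'
         expect(False, False, False, True)
         credentials['username'] = '******'
         expect(False, False, False, False)
         credentials['username'] = admin_account
         # the default rule should be used for image-start-update here
         expect(True, False, True, False)
     finally:
         # set back to normal, also when an assertion above fails: the
         # restore used to be skipped on failure, leaving the rewritten
         # rules in the policy file
         with open(pol_file, 'w') as p:
             yaml.dump(
                 {"managesf.node:get": "rule:any",
                  "managesf.node:create": "rule:any",
                  "is_morty": "username:morty",
                  "morty_api": "rule:is_morty"},
                 p, default_flow_style=False)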
Example #18
 def test_file_policies(self):
     """Check that rules from the policy file are applied.

     ``admin_api`` must stay limited to the admin account, while
     ``managesf.node:create`` and ``managesf.node:get`` are accepted for
     every credential set tried, including empty credentials.
     ``morty_api`` is accepted only for the last username.
     """
     # NOTE(review): the two usernames read '******' in this listing,
     # presumably masked; morty_api is refused for the first and granted
     # for the second -- confirm the real values upstream.
     credentials = {}
     target = {}
     try:
         admin_account = self.config.admin['name']
     except AttributeError:
         admin_account = 'admin'

     def expect(*verdicts):
         # credentials is mutated between calls and read at call time
         for rule, allowed in verdicts:
             check = self.assertTrue if allowed else self.assertFalse
             check(policy.authorize(rule, target, credentials))

     # make sure default rules are there
     expect(('admin_api', False))
     self.assertTrue(
         policy.authorize('admin_api', target, {'username': admin_account}))
     expect(('managesf.node:create', True), ('managesf.node:get', True),
            ('morty_api', False))
     credentials['username'] = '******'
     expect(('admin_api', False), ('managesf.node:create', True),
            ('managesf.node:get', True), ('morty_api', False))
     credentials['username'] = '******'
     expect(('admin_api', False), ('managesf.node:get', True),
            ('managesf.node:create', True), ('morty_api', True))
Example #19
 def test_file_policies(self):
     """Verify the rules read from the policy file.

     Only the admin account passes ``admin_api``. The node create and
     get rules pass for empty credentials and for both named users.
     ``morty_api`` passes for the second named user only.
     """
     # NOTE(review): '******' appears for both usernames in this
     # listing, presumably masked -- confirm against the upstream test.
     credentials = {}
     target = {}
     try:
         admin_account = self.config.admin['name']
     except AttributeError:
         admin_account = 'admin'

     def granted(*rules):
         for rule in rules:
             self.assertTrue(policy.authorize(rule, target, credentials))

     def refused(*rules):
         for rule in rules:
             self.assertFalse(policy.authorize(rule, target, credentials))

     # make sure default rules are there
     refused('admin_api')
     self.assertTrue(policy.authorize('admin_api',
                                      target,
                                      {'username': admin_account}))
     granted('managesf.node:create', 'managesf.node:get')
     refused('morty_api')
     credentials['username'] = '******'
     refused('admin_api')
     granted('managesf.node:create', 'managesf.node:get')
     refused('morty_api')
     credentials['username'] = '******'
     refused('admin_api')
     granted('managesf.node:get', 'managesf.node:create', 'morty_api')
Example #20
 def test_default_policies(self):
     """Verify the base rules of a default deployment.

     Covers, in order: empty credentials, a named user, the admin
     account (``self.config.admin['name']`` or 'admin'), the service
     user, ownership checks against ``username`` targets, and the
     project rules for the groups p0-dev, p0-core and p0-ptl.
     """
     # NOTE(review): the literal usernames read '******' in this listing,
     # presumably masked; owner_api flips from refused to granted between
     # two targets, so the real values must differ upstream.

     def granted(*rules):
         for rule in rules:
             self.assertTrue(policy.authorize(rule, target, credentials))

     def refused(*rules):
         for rule in rules:
             self.assertFalse(policy.authorize(rule, target, credentials))

     credentials = {}
     target = {}
     try:
         admin_account = self.config.admin['name']
     except AttributeError:
         admin_account = 'admin'
     granted('any')
     refused('none', 'authenticated_api')

     credentials = {'username': '******'}
     granted('any')
     refused('none')
     granted('authenticated_api')
     refused('admin_api')

     credentials = {'username': admin_account}
     granted('authenticated_api', 'any')
     refused('none')
     granted('admin_api', 'admin_or_service')
     refused('owner_api')
     granted('admin_or_owner')
     refused('contributor_api')

     credentials = {'username': base.SERVICE_USER}
     granted('authenticated_api', 'any')
     refused('none', 'admin_api')
     granted('admin_or_service')
     refused('owner_api')

     credentials = {'username': '******'}
     target = {'username': '******'}
     granted('authenticated_api', 'any')
     refused('none', 'admin_api', 'owner_api')
     target = {'username': '******'}
     granted('owner_api')

     credentials['groups'] = ['p0-dev', ]
     target = {'project': 'p1'}
     granted('any')
     refused('dev_api', 'core_api', 'ptl_api', 'contributor_api')
     target = {'project': 'p0'}
     granted('dev_api')
     refused('core_api', 'ptl_api')
     granted('contributor_api')

     credentials['groups'] = ['p0-core', ]
     refused('dev_api')
     granted('core_api')
     refused('ptl_api')
     granted('contributor_api')

     credentials['groups'] = ['p0-ptl', ]
     refused('dev_api', 'core_api')
     granted('ptl_api', 'contributor_api')
Example #21
 def test_nodes_policies(self):
     """Exercise the default policies for the managesf.node:* actions.

     Four credential sets are evaluated in order, each against a fresh
     empty target. The first two may only use the read actions; the last
     two are granted every action.
     """
     # Actions every credential set below is expected to be granted.
     read_actions = ('managesf.node:get', 'managesf.node:image-get')
     every_action = (
         'managesf.node:get',
         'managesf.node:hold',
         'managesf.node:delete',
         'managesf.node:add_authorized_key',
         'managesf.node:image-get',
         'managesf.node:image-start-update',
         'managesf.node:image-update-status',
     )
     # (credentials, whether state-changing actions must be granted).
     # Empty credentials presumably model an unauthenticated caller, so
     # the first row pins which node actions are reachable without login.
     # NOTE(review): the three username literals are identical, which
     # looks like masking applied to this listing; the expectations only
     # make sense for distinct accounts -- confirm against the original.
     cases = (
         ({}, False),
         ({'username': '******'}, False),
         ({'username': '******'}, True),
         ({'username': '******'}, True),
     )
     for credentials, privileged in cases:
         for action in every_action:
             verdict = policy.authorize(action, {}, credentials)
             if privileged or action in read_actions:
                 self.assertTrue(verdict)
             else:
                 self.assertFalse(verdict)
Example #22
 def test_jobs_policies(self):
     """Exercise the default policies for the managesf.job:* actions.

     'get' is expected to be granted to every credential set, including
     the empty one; 'run' and 'stop' only to the last two.
     """
     # NOTE(review): the username literals are identical here, apparently
     # masked in this listing; the differing expectations imply distinct
     # accounts -- confirm against the original test file.
     for credentials, may_control in (
             ({}, False),
             ({'username': '******'}, False),
             ({'username': '******'}, True),
             ({'username': '******'}, True)):
         self.assertTrue(
             policy.authorize('managesf.job:get', {}, credentials))
         # Starting and stopping jobs changes state, so the defaults must
         # deny it to the first two credential sets.
         expect = self.assertTrue if may_control else self.assertFalse
         for action in ('managesf.job:run', 'managesf.job:stop'):
             expect(policy.authorize(action, {}, credentials))
Example #23
 def test_resources_policies(self):
     """Exercise the default policies for the managesf.resources:* actions.

     The first two credential sets may only 'get'; the last two may also
     'validate' and 'apply'.
     """
     def granted(action, credentials):
         # Every check uses its own empty target, as the policies under
         # test are evaluated here without any target attributes.
         return policy.authorize(action, {}, credentials)

     # Empty credentials presumably model an unauthenticated caller.
     # NOTE(review): the username literals look masked in this listing;
     # confirm the real account names against the original test file.
     for credentials in ({}, {'username': '******'}):
         self.assertTrue(granted('managesf.resources:get', credentials))
         self.assertFalse(granted('managesf.resources:validate', credentials))
         self.assertFalse(granted('managesf.resources:apply', credentials))
     for credentials in ({'username': '******'}, {'username': '******'}):
         self.assertTrue(granted('managesf.resources:get', credentials))
         self.assertTrue(granted('managesf.resources:validate', credentials))
         self.assertTrue(granted('managesf.resources:apply', credentials))
Example #24
 def test_resources_policies(self):
     """Exercise the default policies for the managesf.resources:* actions.

     Each scenario pairs a credential set with the verdict expected for
     'get', 'validate' and 'apply', checked in that order.
     """
     # Ordered (action, expected verdict) pairs; tuples keep the original
     # evaluation order.
     get_only = (
         ('managesf.resources:get', True),
         ('managesf.resources:validate', False),
         ('managesf.resources:apply', False),
     )
     everything = (
         ('managesf.resources:get', True),
         ('managesf.resources:validate', True),
         ('managesf.resources:apply', True),
     )
     # NOTE(review): the username literals are identical, apparently
     # masked in this listing; the expectations imply distinct accounts
     # -- confirm against the original test file.
     scenarios = (
         ({}, get_only),
         ({'username': '******'}, get_only),
         ({'username': '******'}, everything),
         ({'username': '******'}, everything),
     )
     for credentials, expectations in scenarios:
         for action, allowed in expectations:
             verdict = policy.authorize(action, {}, credentials)
             if allowed:
                 self.assertTrue(verdict)
             else:
                 self.assertFalse(verdict)
Example #25
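 def test_change_in_file_policies(self):
     """Check that rules written to the policy file override the defaults.

     The policy file is rewritten with a deny-all rule for
     'managesf.node:create' and a custom 'rick_api' rule, then several
     credential sets are checked. Actions missing from the file
     ('admin_api', 'managesf.node:image-start-update') must still follow
     the built-in default rules.

     The file is restored in a ``finally`` block so that a failing
     assertion cannot leave the override in place for later tests.
     """
     pol_file = self.config['policy']['policy_file']
     try:
         with open(pol_file, 'w') as p:
             yaml.dump(
                 {
                     "managesf.node:get": "rule:any",
                     "managesf.node:create": "rule:none",
                     "is_rick": "username:Rick",
                     "rick_api": "rule:is_rick"
                 },
                 p,
                 default_flow_style=False)
         credentials = {}
         target = {}
         try:
             admin_account = self.config.admin['name']
         except AttributeError:
             # Fall back when the test configuration has no admin entry.
             admin_account = 'admin'
         # make sure default rules are there
         # Empty credentials: nothing beyond the open rules is granted.
         self.assertFalse(policy.authorize('admin_api', target, credentials))
         self.assertFalse(
             policy.authorize('managesf.node:create', target, credentials))
         self.assertFalse(
             policy.authorize('managesf.node:image-start-update', target,
                              credentials))
         self.assertFalse(policy.authorize('rick_api', target, credentials))
         # NOTE(review): this literal appears masked in the listing; the
         # file rule is "username:Rick" and rick_api is expected to pass,
         # so this was presumably 'Rick' -- confirm against the original.
         credentials['username'] = '******'
         self.assertFalse(policy.authorize('admin_api', target, credentials))
         self.assertFalse(
             policy.authorize('managesf.node:create', target, credentials))
         self.assertFalse(
             policy.authorize('managesf.node:image-start-update', target,
                              credentials))
         self.assertTrue(policy.authorize('rick_api', target, credentials))
         # NOTE(review): also masked; rick_api is denied below, so this
         # is presumably some other non-admin user -- confirm.
         credentials['username'] = '******'
         self.assertFalse(policy.authorize('admin_api', target, credentials))
         self.assertFalse(
             policy.authorize('managesf.node:create', target, credentials))
         self.assertFalse(
             policy.authorize('managesf.node:image-start-update', target,
                              credentials))
         self.assertFalse(policy.authorize('rick_api', target, credentials))
         credentials['username'] = admin_account
         self.assertTrue(policy.authorize('admin_api', target, credentials))
         # "rule:none" from the file denies the action even to the admin.
         self.assertFalse(
             policy.authorize('managesf.node:create', target, credentials))
         # the default rule should be used here
         self.assertTrue(
             policy.authorize('managesf.node:image-start-update', target,
                              credentials))
         self.assertFalse(policy.authorize('rick_api', target, credentials))
     finally:
         # set back to normal
         # Runs on failure as well, so the deny-all override never leaks
         # into other tests. The content below is presumably what the
         # fixture setup writes -- verify against setUp.
         with open(pol_file, 'w') as p:
             yaml.dump(
                 {
                     "managesf.node:get": "rule:any",
                     "managesf.node:create": "rule:any",
                     "is_morty": "username:morty",
                     "morty_api": "rule:is_morty"
                 },
                 p,
                 default_flow_style=False)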
Example #26
 def test_localuser_policies(self):
     """Test the default localuser endpoint policies

     The checks below walk through several credentials/target
     combinations; 'credentials' and 'target' are rebound or mutated
     between groups, so the order of the statements matters.
     """
     # Empty credentials: only 'bind' is granted.
     # NOTE(review): presumably 'bind' is the credential check itself and
     # so has to be reachable before authentication -- confirm.
     credentials = {}
     target = {}
     self.assertFalse(
         policy.authorize('managesf.localuser:get', target, credentials))
     self.assertFalse(
         policy.authorize('managesf.localuser:create_update', target,
                          credentials))
     self.assertFalse(
         policy.authorize('managesf.localuser:delete', target, credentials))
     self.assertTrue(
         policy.authorize('managesf.localuser:bind', target, credentials))
     # A named user with no groups and an empty target: read and bind
     # are granted, modification is not.
     # NOTE(review): the username literals in this test appear masked in
     # the listing; confirm the real values against the original file.
     credentials = {'username': '******', 'groups': []}
     self.assertTrue(
         policy.authorize('managesf.localuser:get', target, credentials))
     self.assertFalse(
         policy.authorize('managesf.localuser:create_update', target,
                          credentials))
     self.assertFalse(
         policy.authorize('managesf.localuser:delete', target, credentials))
     self.assertTrue(
         policy.authorize('managesf.localuser:bind', target, credentials))
     # Target now names a user and modification is granted -- presumably
     # the same user as in the credentials (self-service); verify.
     target = {'username': '******'}
     self.assertTrue(
         policy.authorize('managesf.localuser:create_update', target,
                          credentials))
     self.assertTrue(
         policy.authorize('managesf.localuser:delete', target, credentials))
     # Target rebound and modification is denied again -- presumably a
     # different user than the caller; reading is still granted.
     target = {'username': '******'}
     self.assertTrue(
         policy.authorize('managesf.localuser:get', target, credentials))
     self.assertFalse(
         policy.authorize('managesf.localuser:create_update', target,
                          credentials))
     self.assertFalse(
         policy.authorize('managesf.localuser:delete', target, credentials))
     # Caller switched in place (groups stay empty) and modification of
     # the same target is granted -- presumably a privileged account.
     credentials['username'] = '******'
     self.assertTrue(
         policy.authorize('managesf.localuser:create_update', target,
                          credentials))
     self.assertTrue(
         policy.authorize('managesf.localuser:delete', target, credentials))