def test_templatized_authorization(self): target_mine = {'project_id': 'fake'} target_not_mine = {'project_id': 'another'} action = "example:my_file" policy.authorize(self.context, action, target_mine) self.assertRaises(exception.PolicyNotAuthorized, policy.authorize, self.context, action, target_not_mine)
def test_ignore_case_role_check(self): lowercase_action = "example:lowercase_admin" uppercase_action = "example:uppercase_admin" # NOTE(dprince) we mix case in the Admin role here to ensure # case is ignored admin_context = context.RequestContext('admin', 'fake', roles=['AdMiN']) policy.authorize(admin_context, lowercase_action, self.target) policy.authorize(admin_context, uppercase_action, self.target)
def can(self, action, target=None, fatal=True): """Verifies that the given action is valid on the target in this context. :param action: string representing the action to be checked. :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. ``{'project_id': context.project_id}``. If None, then this default target will be considered: {'project_id': self.project_id, 'user_id': self.user_id} :param fatal: if False, will return False when an exception.Forbidden occurs. :raises nova.exception.Forbidden: if verification fails and fatal is True. :return: returns a non-False value (not necessarily "True") if authorized and False if not authorized and fatal is False. """ if target is None: target = {'project_id': self.project_id, 'user_id': self.user_id} try: return policy.authorize(self, action, target) except exception.Forbidden: if fatal: raise return False
def test_authorize_http_true(self, req_mock): req_mock.post('http://www.example.com/', text='True') action = "example:get_http" target = {} result = policy.authorize(self.context, action, target) self.assertTrue(result)
def test_modified_policy_reloads(self): with utils.tempdir() as tmpdir: tmpfilename = os.path.join(tmpdir, 'policy') self.flags(policy_file=tmpfilename, group='oslo_policy') # NOTE(uni): context construction invokes policy check to determine # is_admin or not. As a side-effect, policy reset is needed here # to flush existing policy cache. policy.reset() policy.init() rule = oslo_policy.RuleDefault('example:test', "") policy._ENFORCER.register_defaults([rule]) action = "example:test" with open(tmpfilename, "w") as policyfile: policyfile.write('{"example:test": ""}') policy.authorize(self.context, action, self.target) with open(tmpfilename, "w") as policyfile: policyfile.write('{"example:test": "!"}') policy._ENFORCER.load_rules(True) self.assertRaises(exception.PolicyNotAuthorized, policy.authorize, self.context, action, self.target)
def test_early_OR_authorization(self): action = "example:early_or_success" policy.authorize(self.context, action, self.target)
def test_authorize_good_action(self): action = "example:allowed" result = policy.authorize(self.context, action, self.target) self.assertTrue(result)
def can(self, rule, target=None): if target is None: target = {'project_id': self.project_id, 'user_id': self.user_id} return policy.authorize(self, rule, target)
def test_admin_or_owner_rules(self): for rule in self.admin_or_owner_rules: self.assertRaises(exception.PolicyNotAuthorized, policy.authorize, self.non_admin_context, rule, self.target) policy.authorize(self.non_admin_context, rule, {'project_id': 'fake', 'user_id': 'fake'})
def test_non_admin_only_rules(self): for rule in self.non_admin_only_rules: self.assertRaises(exception.PolicyNotAuthorized, policy.authorize, self.admin_context, rule, self.target) policy.authorize(self.non_admin_context, rule, self.target)
def test_authorize_bad_action_noraise(self): action = "example:denied" result = policy.authorize(self.context, action, self.target, False) self.assertFalse(result)
def test_allow_all_rules(self): for rule in self.allow_all_rules: policy.authorize(self.non_admin_context, rule, self.target)