def setUp(self):
super(PolicyTestCase, self).setUp()
rules = [
oslo_policy.RuleDefault("true", '@'),
oslo_policy.RuleDefault("example:allowed", '@'),
oslo_policy.RuleDefault("example:denied", "!"),
oslo_policy.RuleDefault("old_action_not_default", "@"),
oslo_policy.RuleDefault("new_action", "@"),
oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
oslo_policy.RuleDefault("example:get_http",
"http://www.example.com"),
oslo_policy.RuleDefault("example:my_file",
"role:compute_admin or "
"project_id:%(project_id)s"),
oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
oslo_policy.RuleDefault("example:lowercase_admin",
"role:admin or role:sysadmin"),
oslo_policy.RuleDefault("example:uppercase_admin",
"role:ADMIN or role:sysadmin"),
]
policy.reset()
policy.init()
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyFileTestCase, self).setUp()
policy.reset()
_, self.tmpfilename = tempfile.mkstemp()
self.flags(policy_file=self.tmpfilename)
self.context = context.RequestContext('fake', 'fake')
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = [
oslo_policy.RuleDefault("true", '@'),
oslo_policy.RuleDefault("example:allowed", '@'),
oslo_policy.RuleDefault("example:denied", "!"),
oslo_policy.RuleDefault("old_action_not_default", "@"),
oslo_policy.RuleDefault("new_action", "@"),
oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
oslo_policy.RuleDefault("example:get_http",
"http://www.example.com"),
oslo_policy.RuleDefault(
"example:my_file", "role:compute_admin or "
"project_id:%(project_id)s"),
oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
oslo_policy.RuleDefault("example:lowercase_admin",
"role:admin or role:sysadmin"),
oslo_policy.RuleDefault("example:uppercase_admin",
"role:ADMIN or role:sysadmin"),
]
policy.reset()
policy.init()
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(NetworkPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.context = context.get_admin_context()
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename, group='oslo_policy')
# NOTE(uni): context construction invokes policy check to determine
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
# NOTE(gmann): We do not need to log policy warnings for unit
# tests.
policy.init(suppress_deprecation_warnings=True)
rule = oslo_policy.RuleDefault('example:test', "")
policy._ENFORCER.register_defaults([rule])
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.authorize(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.context, action, self.target)
def setUp(self):
super(PolicyFileTestCase, self).setUp()
policy.reset()
_, self.tmpfilename = tempfile.mkstemp()
self.flags(policy_file=self.tmpfilename)
self.context = context.RequestContext('fake', 'fake')
self.target = {}
def setUp(self):
super(NetworkPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.context = context.get_admin_context()
def test_skip_policy(self):
policy.reset()
rules = {"network:get_all": common_policy.parse_rule("!")}
policy.set_rules(common_policy.Rules(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized, api.get_all, self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': '!'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized,
api.get_all, self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': '!'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized, api.get_all,
self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': common_policy.parse_rule('!')}
policy.set_rules(common_policy.Rules(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized,
api.get_all, self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {"default": [], "example:exist": [["false:false"]]}
self._set_brain('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": [],
"example:exist": [["false:false"]]
}
self._set_brain('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": '',
"example:exist": "!",
}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": '',
"example:exist": "!",
}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def test_verify_show_cannot_view_other_tenant(self):
req = fakes.HTTPRequest.blank('?start={0!s}&end={1!s}'.format(START.isoformat(), STOP.isoformat()))
req.environ['nova.context'] = self.alt_user_context
rules = {
self.policy_rule_prefix + ":show": [
["role:admin"], ["project_id:%(project_id)s"]]
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
try:
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'faketenant_0')
finally:
policy.reset()
def test_verify_show_cannot_view_other_tenant(self):
req = fakes.HTTPRequest.blank('?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.environ['nova.context'] = self.alt_user_context
rules = {
self.policy_rule_prefix + ":show": [["role:admin"],
["project_id:%(project_id)s"]]
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
try:
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'faketenant_0')
finally:
policy.reset()
def test_verify_show_cant_view_other_tenant(self):
req = webob.Request.blank(
"/v2/faketenant_1/os-simple-tenant-usage/"
"faketenant_0?start=%s&end=%s" % (START.isoformat(), STOP.isoformat())
)
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {"compute_extension:simple_tenant_usage:show": [["role:admin"], ["project_id:%(project_id)s"]]}
common_policy.set_brain(common_policy.HttpBrain(rules))
try:
res = req.get_response(fakes.wsgi_app(fake_auth_context=self.alt_user_context))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": "@",
"example:allowed": "@",
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or " "project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.context = context.RequestContext("fake", "fake", roles=["member"])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_verify_show_cant_view_other_tenant(self):
req = webob.Request.blank('/v2/faketenant_1/os-simple-tenant-usage/'
'faketenant_0?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {
"compute_extension:simple_tenant_usage:show":
[["role:admin"], ["project_id:%(project_id)s"]]
}
common_policy.set_brain(common_policy.HttpBrain(rules))
try:
res = req.get_response(
fakes.wsgi_app(fake_auth_context=self.alt_user_context))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, "policy")
self.flags(policy_file=tmpfilename, group="oslo_policy")
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce, self.context, action, self.target)
def test_verify_show_cant_view_other_tenant(self):
req = webob.Request.blank(self.alt_url +
'/faketenant_0?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {
self.policy_rule_prefix + ":show":
common_policy.parse_rule([["role:admin"],
["project_id:%(project_id)s"]])
}
policy.set_rules(rules)
try:
res = req.get_response(self._get_wsgi_app(self.alt_user_context))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename)
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(dict((k, common_policy.parse_rule(v))
for k, v in rules.items()))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_verify_show_cannot_view_other_tenant(self):
req = webob.Request.blank(
self.alt_url + '/faketenant_0?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {
self.policy_rule_prefix + ":show":
common_policy.parse_rule([
["role:admin"], ["project_id:%(project_id)s"]
])
}
policy.set_rules(rules)
try:
res = req.get_response(self._get_wsgi_app(self.alt_user_context))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename)
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ""}""")
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": "!"}""")
# NOTE(vish): reset stored policy cache so we don't have to
# sleep(1)
policy._POLICY_CACHE = {}
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename)
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ""}""")
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": "!"}""")
# NOTE(vish): reset stored policy cache so we don't have to
# sleep(1)
policy._POLICY_CACHE = {}
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
# NOTE(vish): then overload underlying brain
common_policy.set_brain(common_policy.HttpBrain(rules))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
# NOTE(vish): then overload underlying brain
common_policy.set_brain(common_policy.HttpBrain(rules))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying brain
common_policy.set_rules(
common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_verify_show_cant_view_other_tenant(self):
req = webob.Request.blank(
'/v3/os-simple-tenant-usage/'
'faketenant_0?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {
"compute_extension:simple_tenant_usage:show":
common_policy.parse_rule([
["role:admin"], ["project_id:%(project_id)s"]
])
}
common_policy.set_rules(common_policy.Rules(rules))
try:
res = req.get_response(fakes.wsgi_app_v3(
fake_auth_context=self.alt_user_context,
init_only=('os-simple-tenant-usage',
'servers')))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def tearDown(self):
super(NetworkPolicyTestCase, self).tearDown()
policy.reset()
def tearDown(self):
policy.reset()
super(PolicyTestCase, self).tearDown()
def tearDown(self):
super(DefaultPolicyTestCase, self).tearDown()
policy.reset()
def tearDown(self):
super(PolicyFileTestCase, self).tearDown()
policy.reset()
def test_policy_checks_with_fresh_init_and_no_policy_override(self):
self.policy = self.useFixture(
policy_fixture.OverridePolicyFixture(rules_in_file={}))
policy.reset()
self.assertEqual(upgradecheck.Code.SUCCESS,
self.cmd._check_policy().code)
def tearDown(self):
super(DefaultPolicyTestCase, self).tearDown()
policy.reset()
def setUp(self):
super(PolicyFileTestCase, self).setUp()
policy.reset()
self.context = context.RequestContext('fake', 'fake')
self.target = {}
def tearDown(self):
super(NetworkPolicyTestCase, self).tearDown()
policy.reset()
def setUp(self):
super(PolicyFileTestCase, self).setUp()
policy.reset()
self.context = context.RequestContext('fake', 'fake')
self.target = {}
def tearDown(self):
super(PolicyFileTestCase, self).tearDown()
policy.reset()
def _set_rules(self, default_rule):
policy.reset()
rules = oslo_policy.Rules.from_dict(self.rules)
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _set_rules(self, default_rule):
policy.reset()
rules = dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items())
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def tearDown(self):
policy.reset()
super(PolicyTestCase, self).tearDown()
def _set_rules(self, default_rule):
policy.reset()
rules = {k: common_policy.parse_rule(v) for k, v in self.rules.items()}
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _set_rules(self, default_rule):
policy.reset()
rules = oslo_policy.Rules.from_dict(self.rules)
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _check_policy(self):
"""Checks to see if policy file is overwritten with the new
defaults.
"""
msg = _("Your policy file contains rules which examine token scope, "
"which may be due to generation with the new defaults. "
"If that is done intentionally to migrate to the new rule "
"format, then you are required to enable the flag "
"'oslo_policy.enforce_scope=True' and educate end users on "
"how to request scoped tokens from Keystone. Another easy "
"and recommended way for you to achieve the same is via two "
"flags, 'oslo_policy.enforce_scope=True' and "
"'oslo_policy.enforce_new_defaults=True' and avoid "
"overwriting the file. Please refer to this document to "
"know the complete migration steps: "
"https://docs.openstack.org/nova/latest/configuration"
"/policy-concepts.html. If you did not intend to migrate "
"to new defaults in this upgrade, then with your current "
"policy file the scope checking rule will fail. A possible "
"reason for such a policy file is that you generated it with "
"'oslopolicy-sample-generator' in json format. "
"Three ways to fix this until you are ready to migrate to "
"scoped policies: 1. Generate the policy file with "
"'oslopolicy-sample-generator' in yaml format, keep "
"the generated content commented out, and update "
"the generated policy.yaml location in "
"``oslo_policy.policy_file``. "
"2. Use a pre-existing sample config file from the Train "
"release. 3. Use an empty or non-existent file to take all "
"the defaults.")
rule = "system_admin_api"
rule_new_default = "role:admin and system_scope:all"
status = upgradecheck.Result(upgradecheck.Code.SUCCESS)
# NOTE(gmann): Initialise the policy if it not initialized.
# We need policy enforcer with all the rules loaded to check
# their value with defaults.
try:
if policy._ENFORCER is None:
policy.init(suppress_deprecation_warnings=True)
# For safer side, recheck that the enforcer is available before
# upgrade checks. If something is wrong on oslo side and enforcer
# is still not available the return warning to avoid any false
# result.
if policy._ENFORCER is not None:
current_rule = str(policy._ENFORCER.rules[rule]).strip("()")
if (current_rule == rule_new_default and
not CONF.oslo_policy.enforce_scope):
status = upgradecheck.Result(upgradecheck.Code.WARNING,
msg)
else:
status = upgradecheck.Result(
upgradecheck.Code.WARNING,
_('Policy is not initialized to check the policy rules'))
except Exception as ex:
status = upgradecheck.Result(
upgradecheck.Code.WARNING,
_('Unable to perform policy checks due to error: %s') %
str(ex))
# reset the policy state so that it can be initialized from fresh if
# operator changes policy file after running this upgrade checks.
policy.reset()
return status
