def _parse_check(rule): """Parse a single base check rule into an appropriate Check object.""" # Handle the special checks if rule == '!': return _checks.FalseCheck() elif rule == '@': return _checks.TrueCheck() try: kind, match = rule.split(':', 1) except Exception: LOG.exception('Failed to understand rule %s', rule) # If the rule is invalid, we'll fail closed return _checks.FalseCheck() # Find what implements the check extension_checks = _checks.get_extensions() if kind in extension_checks: return extension_checks[kind](kind, match) elif kind in _checks.registered_checks: return _checks.registered_checks[kind](kind, match) elif None in _checks.registered_checks: return _checks.registered_checks[None](kind, match) else: LOG.error('No handler for matches of kind %s', kind) return _checks.FalseCheck()
def test_check_raise_default(self): # When do_raise=True and exc is not used then PolicyNotAuthorized is # raised. self.enforcer.set_rules(dict(default=_checks.FalseCheck())) self.assertRaises(policy.PolicyNotAuthorized, self.enforcer.enforce, 'rule', 'target', 'creds', True)
def test_check_raise_custom_exception(self): self.enforcer.set_rules(dict(default=_checks.FalseCheck())) exc = self.assertRaises( MyException, self.enforcer.enforce, 'rule', 'target', 'creds', True, MyException, 'arg1', 'arg2', kw1='kwarg1', kw2='kwarg2') self.assertEqual(('arg1', 'arg2'), exc.args) self.assertEqual(dict(kw1='kwarg1', kw2='kwarg2'), exc.kwargs)
def test_check_raise_default(self): # When do_raise=True and exc is not used then PolicyNotAuthorized is # raised. self.enforcer.set_rules(dict(default=_checks.FalseCheck())) creds = {} self.assertRaisesRegex(policy.PolicyNotAuthorized, " is disallowed by policy", self.enforcer.enforce, 'rule', 'target', creds, True)
def test_check_raises(self): self.enforcer.set_rules(dict(default=_checks.FalseCheck())) try: self.enforcer.enforce('rule', 'target', 'creds', True, MyException, 'arg1', 'arg2', kw1='kwarg1', kw2='kwarg2') except MyException as exc: self.assertEqual(('arg1', 'arg2'), exc.args) self.assertEqual(dict(kw1='kwarg1', kw2='kwarg2'), exc.kwargs) else: self.fail('enforcer.enforce() failed to raise requested exception')
def _parse_list_rule(rule): """Translates the old list-of-lists syntax into a tree of Check objects. Provided for backwards compatibility. """ # Empty rule defaults to True if not rule: return _checks.TrueCheck() # Outer list is joined by "or"; inner list by "and" or_list = [] for inner_rule in rule: # Skip empty inner lists if not inner_rule: continue # Handle bare strings if isinstance(inner_rule, six.string_types): inner_rule = [inner_rule] # Parse the inner rules into Check objects and_list = [_parse_check(r) for r in inner_rule] # Append the appropriate check to the or_list if len(and_list) == 1: or_list.append(and_list[0]) else: or_list.append(_checks.AndCheck(and_list)) # If we have only one check, omit the "or" if not or_list: return _checks.FalseCheck() elif len(or_list) == 1: return or_list[0] return _checks.OrCheck(or_list)
def _parse_text_rule(rule): """Parses policy to the tree. Translates a policy written in the policy language into a tree of Check objects. """ # Empty rule means always accept if not rule: return _checks.TrueCheck() # Parse the token stream state = ParseState() for tok, value in _parse_tokenize(rule): state.shift(tok, value) try: return state.result except ValueError: # Couldn't parse the rule LOG.exception(_LE('Failed to understand rule %s'), rule) # Fail closed return _checks.FalseCheck()
def test_call_false(self): rule = _checks.FalseCheck() check = _checks.NotCheck(rule) self.assertTrue(check('target', 'cred', None))
def test_call(self): check = _checks.FalseCheck() self.assertFalse(check('target', 'creds', None))
def test_str(self): check = _checks.FalseCheck() self.assertEqual('!', str(check))