def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create':
common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.create(self.req, body=body)
self.assertIn('keypair', res)
def test_keypair_list_fail_policy(self):
rules = {self.policy_path + ':index':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.index,
self.req)
def test_keypair_show_fail_policy(self):
rules = {
self.policy_path + ':show': common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.KeyPairController.show,
self.req, 'FAKE')
def test_keypair_list_fail_policy(self):
rules = {
self.policy_path + ':index': common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.KeyPairController.index,
self.req)
def test_keypair_delete_fail_policy(self):
rules = {self.policy_path + ':delete':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.delete,
self.req, 'FAKE')
def _set_policy_rules(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'compute_extension:instance_actions':
common_policy.parse_rule('project_id:%(project_id)s')
}
policy.set_rules(rules)
def test_keypair_create_fail_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
self.req, body=body)
def _set_policy_rules(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions':
common_policy.parse_rule('project_id:%(project_id)s')
}
policy.set_rules(rules)
def test_shelve_allowed(self):
rules = {
"compute:get": common_policy.parse_rule(""),
"compute_extension:%sshelve" % self.prefix: common_policy.parse_rule(""),
}
policy.set_rules(rules)
self.stubs.Set(db, "instance_get_by_uuid", fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve, self.req, str(uuid.uuid4()), {})
def test_certificates_create_policy_failed(self):
rules = {
self.certificate_create_extension: common_policy.parse_rule("!")
}
policy.set_rules(rules)
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, self.req)
self.assertIn(self.certificate_create_extension, exc.format_message())
def test_shelve_offload_restricted_by_role(self):
rules = {
'compute_extension:%s%s' % (self.prefix, self.offload):
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
self.req, str(uuid.uuid4()), {})
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': common_policy.parse_rule('!')}
policy.set_rules(common_policy.Rules(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized,
api.get_all, self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def test_certificates_create_policy_failed(self):
rules = {
self.certificate_create_extension:
common_policy.parse_rule("!")
}
policy.set_rules(rules)
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, self.req)
self.assertIn(self.certificate_create_extension,
exc.format_message())
def _set_policy_rules(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'compute_extension:instance_actions':
common_policy.parse_rule(''),
'compute_extension:instance_actions:events':
common_policy.parse_rule('is_admin:True')
}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions:events':
common_policy.parse_rule('is_admin:True')
}
policy.set_rules(rules)
def test_shelve_allowed(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'compute_extension:%sshelve' % self.prefix:
common_policy.parse_rule('')
}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve,
self.req, str(uuid.uuid4()), {})
def test_keypair_create_fail_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {
self.policy_path + ':create':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
self.req,
body=body)
def test_start_policy_failed(self):
rules = {
self.start_policy:
common_policy.parse_rule("project_id:non_fake")
}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server,
self.req, 'test_inst', body)
self.assertIn(self.start_policy, exc.format_message())
def _test_fail_policy(self, rule, action, data=None):
rules = {
rule: common_policy.parse_rule("!"),
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.url + '/20')
if data is not None:
self.assertRaises(exception.PolicyNotAuthorized, action,
req, self.uuid, data)
else:
self.assertRaises(exception.PolicyNotAuthorized, action,
req, self.uuid)
def test_verify_show_cannot_view_other_tenant(self):
req = fakes.HTTPRequest.blank('?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.environ['patron.context'] = self.alt_user_context
rules = {
self.policy_rule_prefix + ":show":
common_policy.parse_rule([["role:admin"],
["project_id:%(project_id)s"]])
}
policy.set_rules(rules)
try:
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'faketenant_0')
finally:
policy.reset()
def test_verify_show_cannot_view_other_tenant(self):
req = fakes.HTTPRequest.blank('?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.environ['patron.context'] = self.alt_user_context
rules = {
self.policy_rule_prefix + ":show":
common_policy.parse_rule([
["role:admin"], ["project_id:%(project_id)s"]
])
}
policy.set_rules(rules)
try:
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'faketenant_0')
finally:
policy.reset()
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules({k: common_policy.parse_rule(v)
for k, v in rules.items()})
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(
{k: common_policy.parse_rule(v)
for k, v in rules.items()})
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_keypair_list_pass_policy(self):
rules = {self.policy_path + ':index':
common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.index(self.req)
self.assertIn('keypairs', res)
def test_keypair_show_pass_policy(self):
rules = {self.policy_path + ':show':
common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.show(self.req, 'FAKE')
self.assertIn('keypair', res)
def test_keypair_delete_pass_policy(self):
rules = {self.policy_path + ':delete':
common_policy.parse_rule('')}
policy.set_rules(rules)
self.KeyPairController.delete(self.req, 'FAKE')
def test_keypair_delete_pass_policy(self):
rules = {self.policy_path + ':delete': common_policy.parse_rule('')}
policy.set_rules(rules)
self.KeyPairController.delete(self.req, 'FAKE')
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create': common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.create(self.req, body=body)
self.assertIn('keypair', res)
def set_rules(self, rules):
policy = patron.policy._ENFORCER
policy.set_rules({k: common_policy.parse_rule(v)
for k, v in rules.items()})
def test_keypair_show_pass_policy(self):
rules = {self.policy_path + ':show': common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.show(self.req, 'FAKE')
self.assertIn('keypair', res)
def set_rules(self, rules):
policy = patron.policy._ENFORCER
policy.set_rules(
{k: common_policy.parse_rule(v)
for k, v in rules.items()})
def test_keypair_list_pass_policy(self):
rules = {self.policy_path + ':index': common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.index(self.req)
self.assertIn('keypairs', res)
def test_shelve_offload_restricted_by_role(self):
rules = {"compute_extension:%s%s" % (self.prefix, self.offload): common_policy.parse_rule("role:admin")}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.controller._shelve_offload, self.req, str(uuid.uuid4()), {})
