def policy_checker(controller, req, **kwargs):
    """Authorize a request against policy before running the handler.

    The rule name is ``<controller.REQUEST_SCOPE>:<handler.__name__>`` and is
    evaluated with ``req.context``. A falsy answer from ``policy.enforce``
    raises ``exc.HTTPForbidden`` and the handler is never called; otherwise
    the handler's return value is passed straight through.

    ``handler`` is not defined in this block; presumably it is bound by an
    enclosing decorator - confirm against the surrounding file.
    """
    # Enable project_id based target check
    # NOTE(review): the target passed below is an empty dict, so a rule that
    # compares credentials against target attributes has nothing to compare
    # with on this path. Presumably only role/credential-only rules are
    # expected here until the target is populated - confirm against the
    # policy file.
    scope = controller.REQUEST_SCOPE
    rule = "%s:%s" % (scope, handler.__name__)
    if policy.enforce(context=req.context, rule=rule, target={}):
        return handler(controller, req, **kwargs)
    raise exc.HTTPForbidden()
def test_enforce(self, enforce):
    """policy.enforce() delegates to the enforcer and returns its answer.

    ``enforce`` is an injected mock that hands back the fake enforcer;
    presumably it comes from a ``mock.patch`` decorator outside this view.
    """
    verdict = mock.Mock()
    fake_enforcer = mock.Mock()
    fake_enforcer.enforce.return_value = verdict
    enforce.return_value = fake_enforcer
    fake_target = mock.Mock()

    result = policy.enforce(self.ctx, 'RULE1', fake_target, do_raise=True)

    # The enforcer's return value must reach the caller unchanged.
    self.assertEqual(result, verdict)
    # The patched factory is expected to be called once, with no arguments.
    enforce.assert_called_once_with()
    # Credentials are the context's dict form, do_raise is forwarded
    # positionally, and a denial is expected to surface as
    # exception.Forbidden.
    # NOTE(review): only the do_raise=True path is pinned by this test.
    fake_enforcer.enforce.assert_called_once_with(
        'RULE1', fake_target, self.ctx.to_dict(), True,
        exc=exception.Forbidden)
def __init__(self, auth_token=None, user=None, project=None, domain=None,
             user_domain=None, project_domain=None, is_admin=None,
             read_only=False, show_deleted=False, request_id=None,
             auth_url=None, trusts=None, user_name=None, project_name=None,
             domain_name=None, user_domain_name=None,
             project_domain_name=None, auth_token_info=None,
             region_name=None, roles=None, password=None, **kwargs):
    """Build a request context and settle its admin flag.

    Identity fields are handed to the base class, the remaining fields are
    stored on the instance, and ``is_admin`` is either taken from the caller
    or derived from the ``context_is_admin`` policy rule.

    Extra keyword arguments are accepted and not used by this method, so an
    unknown or misspelled key is dropped without an error.
    """
    # The base class takes the project under the name 'tenant'.
    base_args = dict(
        auth_token=auth_token, user=user, tenant=project, domain=domain,
        user_domain=user_domain, project_domain=project_domain,
        read_only=read_only, show_deleted=show_deleted,
        request_id=request_id)
    super(RequestContext, self).__init__(**base_args)

    # request_id might be a byte array; normalise it to text.
    self.request_id = encodeutils.safe_decode(self.request_id)

    # The project is also kept under its own attribute for internal use.
    self.project = project
    self.project_name = project_name
    self.project_domain_name = project_domain_name
    self.user_name = user_name
    self.user_domain_name = user_domain_name
    self.domain_name = domain_name
    self.region_name = region_name
    self.auth_url = auth_url
    self.roles = roles or []

    # Session for DB access; starts unset.
    self._session = None

    # Credential material held on the context.
    # NOTE(review): confirm that serialisation and logging of this object
    # do not expose these fields.
    self.trusts = trusts
    self.auth_token_info = auth_token_info
    self.password = password

    # An explicit is_admin is stored as given, without a policy check.
    # NOTE(review): it should therefore only come from trusted code, never
    # from request data - confirm callers.
    if is_admin is not None:
        self.is_admin = is_admin
        return

    # Kept last: policy.enforce receives this object, so every attribute it
    # may read has to be set by now. With do_raise=False the result is stored
    # as the flag.
    self.is_admin = policy.enforce(self, 'context_is_admin',
                                   target={'project': self.project},
                                   do_raise=False)
def __init__(self, auth_token=None, user=None, project=None, domain=None,
             user_domain=None, project_domain=None, is_admin=None,
             read_only=False, show_deleted=False, request_id=None,
             auth_url=None, trusts=None, user_name=None, project_name=None,
             domain_name=None, user_domain_name=None,
             project_domain_name=None, auth_token_info=None,
             region_name=None, roles=None, password=None, **kwargs):
    """Build a request context and settle its admin flag.

    Identity fields and ``roles`` are handed to the base class, the
    remaining fields are stored on the instance, and ``is_admin`` is either
    taken from the caller or derived from the ``context_is_admin`` policy
    rule.

    Extra keyword arguments are accepted and not used by this method, so an
    unknown or misspelled key is dropped without an error.
    """
    # The base class takes the project under the name 'tenant'. Roles are
    # passed to it as well; this method does not set self.roles itself.
    base_args = dict(
        auth_token=auth_token, user=user, tenant=project, domain=domain,
        user_domain=user_domain, project_domain=project_domain,
        read_only=read_only, show_deleted=show_deleted,
        request_id=request_id, roles=roles)
    super(RequestContext, self).__init__(**base_args)

    # request_id might be a byte array; normalise it to text.
    self.request_id = encodeutils.safe_decode(self.request_id)

    # The project is also kept under its own attribute for internal use.
    self.project = project
    self.project_name = project_name
    self.project_domain_name = project_domain_name
    self.user_name = user_name
    self.user_domain_name = user_domain_name
    self.domain_name = domain_name
    self.region_name = region_name
    self.auth_url = auth_url

    # Session for DB access; starts unset.
    self._session = None

    # Credential material held on the context.
    # NOTE(review): confirm that serialisation and logging of this object
    # do not expose these fields.
    self.trusts = trusts
    self.auth_token_info = auth_token_info
    self.password = password

    # An explicit is_admin is stored as given, without a policy check.
    # NOTE(review): it should therefore only come from trusted code, never
    # from request data - confirm callers.
    if is_admin is not None:
        self.is_admin = is_admin
        return

    # Kept last: policy.enforce receives this object, so every attribute it
    # may read has to be set by now. With do_raise=False the result is stored
    # as the flag.
    self.is_admin = policy.enforce(self, 'context_is_admin',
                                   target={'project': self.project},
                                   do_raise=False)
def test_enforce(self, enforce):
    """Check that policy.enforce() forwards to the enforcer unchanged.

    ``enforce`` is an injected mock whose return value acts as the enforcer;
    presumably it is supplied by a ``mock.patch`` decorator outside this
    view.
    """
    expected = mock.Mock()
    enforcer_double = mock.Mock()
    enforcer_double.enforce.return_value = expected
    enforce.return_value = enforcer_double
    target_double = mock.Mock()

    actual = policy.enforce(self.ctx, 'RULE1', target_double, do_raise=True)

    # Whatever the enforcer answers is what the caller gets back.
    self.assertEqual(actual, expected)
    # The patched factory is expected to be called once, with no arguments.
    enforce.assert_called_once_with()
    # The enforcer sees the rule, the target, the context in dict form as
    # credentials and the do_raise flag; a denial is expected to surface as
    # exception.Forbidden.
    # NOTE(review): the do_raise=False path is not exercised by this test.
    enforcer_double.enforce.assert_called_once_with(
        'RULE1', target_double, self.ctx.to_dict(), True,
        exc=exception.Forbidden)
def __init__(self, auth_token=None, user_id=None, project_id=None,
             domain_id=None, user_domain_id=None, project_domain_id=None,
             is_admin=None, read_only=False, show_deleted=False,
             request_id=None, auth_url=None, trusts=None, user_name=None,
             project_name=None, domain_name=None, user_domain_name=None,
             project_domain_name=None, auth_token_info=None,
             region_name=None, roles=None, password=None, api_version=None,
             **kwargs):
    """Build a request context and settle its admin flag.

    Identity fields and ``roles`` are handed to the base class, the
    remaining fields are stored on the instance, and ``is_admin`` is either
    taken from the caller or derived from the ``context_is_admin`` policy
    rule.

    Extra keyword arguments are accepted and not used by this method, so an
    unknown or misspelled key is dropped without an error.
    """
    # Identity fields go to the base class under their *_id names; no
    # 'tenant' keyword is passed in this call.
    base_args = dict(
        auth_token=auth_token, user_id=user_id, project_id=project_id,
        domain_id=domain_id, user_domain_id=user_domain_id,
        project_domain_id=project_domain_id, read_only=read_only,
        show_deleted=show_deleted, request_id=request_id, roles=roles)
    super(RequestContext, self).__init__(**base_args)

    # request_id might be a byte array; normalise it to text.
    self.request_id = encodeutils.safe_decode(self.request_id)

    # Identity and scope, stored on the instance after the base call.
    self.user_id = user_id
    self.user_name = user_name
    self.user_domain_name = user_domain_name
    self.project_id = project_id
    self.project_name = project_name
    self.project_domain_name = project_domain_name
    self.domain_id = domain_id
    self.domain_name = domain_name
    self.region_name = region_name
    self.auth_url = auth_url
    self.api_version = api_version

    # Credential material held on the context.
    # NOTE(review): confirm that serialisation and logging of this object
    # do not expose these fields.
    self.trusts = trusts
    self.auth_token_info = auth_token_info
    self.password = password

    # An explicit is_admin is stored as given, without a policy check.
    # NOTE(review): it should therefore only come from trusted code, never
    # from request data - confirm callers.
    if is_admin is not None:
        self.is_admin = is_admin
        return

    # Kept last: policy.enforce receives this object, so every attribute it
    # may read has to be set by now. With do_raise=False the result is stored
    # as the flag.
    self.is_admin = policy.enforce(self, 'context_is_admin',
                                   target={'project': self.project_id},
                                   do_raise=False)