def setUp(self): super(ApmecPolicyTestCase, self).setUp() self.skipTest("Not ready yet") policy.reset() policy.init() self.addCleanup(policy.reset) self.admin_only_legacy = "role:admin" self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s" # Add a Fake 'something' resource to RESOURCE_ATTRIBUTE_MAP attributes.RESOURCE_ATTRIBUTE_MAP.update(FAKE_RESOURCE) self.rules = dict((k, common_policy.parse_rule(v)) for k, v in { "context_is_admin": "role:admin", "admin_or_network_owner": "rule:context_is_admin or " "tenant_id:%(network:tenant_id)s", "admin_or_owner": ("rule:context_is_admin or " "tenant_id:%(tenant_id)s"), "admin_only": "rule:context_is_admin", "regular_user": "******", "shared": "field:networks:shared=True", "external": "field:networks:router:external=True", "default": '@', "create_network": "rule:admin_or_owner", "create_network:shared": "rule:admin_only", "update_network": '@', "update_network:shared": "rule:admin_only", "get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external", "create_port:mac": "rule:admin_or_network_owner", "create_something": "rule:admin_or_owner", "create_something:attr": "rule:admin_or_owner", "create_something:attr:sub_attr_1": "rule:admin_or_owner", "create_something:attr:sub_attr_2": "rule:admin_only", "get_firewall_policy": "rule:admin_or_owner or " "rule:shared", "get_firewall_rule": "rule:admin_or_owner or " "rule:shared" }.items()) def fakepolicyinit(): common_policy.set_rules(common_policy.Rules(self.rules)) def remove_fake_resource(): del attributes.RESOURCE_ATTRIBUTE_MAP["%ss" % FAKE_RESOURCE_NAME] self.patcher = mock.patch.object(apmec.policy, 'init', new=fakepolicyinit) self.patcher.start() self.addCleanup(remove_fake_resource) self.context = context.Context('fake', 'fake', roles=['user']) plugin_klass = importutils.import_class( "apmec.db.db_base_plugin_v2.ApmecDbPluginV2") self.manager_patcher = mock.patch('apmec.manager.ApmecManager') fake_manager = self.manager_patcher.start() fake_manager_instance = fake_manager.return_value fake_manager_instance.plugin = plugin_klass()
def test_apmec_context_overwrite(self): ctx1 = context.Context('user_id', 'tenant_id') self.assertEqual(oslo_context.get_current().request_id, ctx1.request_id) # If overwrite is not specified, request_id should be updated. ctx2 = context.Context('user_id', 'tenant_id') self.assertNotEqual(ctx2.request_id, ctx1.request_id) self.assertEqual(oslo_context.get_current().request_id, ctx2.request_id) # If overwrite is specified, request_id should be kept. ctx3 = context.Context('user_id', 'tenant_id', overwrite=False) self.assertNotEqual(ctx3.request_id, ctx2.request_id) self.assertEqual(oslo_context.get_current().request_id, ctx2.request_id)
def test_apmec_context_get_admin_context_not_update_local_store(self): ctx = context.Context('user_id', 'tenant_id') req_id_before = oslo_context.get_current().request_id self.assertEqual(req_id_before, ctx.request_id) ctx_admin = context.get_admin_context() self.assertEqual(req_id_before, oslo_context.get_current().request_id) self.assertNotEqual(req_id_before, ctx_admin.request_id)
def test_ignore_case_role_check(self): lowercase_action = "example:lowercase_admin" uppercase_action = "example:uppercase_admin" # NOTE(dprince) we mix case in the Admin role here to ensure # case is ignored admin_context = context.Context('admin', 'fake', roles=['AdMiN']) policy.enforce(admin_context, lowercase_action, self.target) policy.enforce(admin_context, uppercase_action, self.target)
def test_apmec_context_elevated_retains_request_id(self): ctx = context.Context('user_id', 'tenant_id') self.assertFalse(ctx.is_admin) req_id_before = ctx.request_id elevated_ctx = ctx.elevated() self.assertTrue(elevated_ctx.is_admin) self.assertEqual(req_id_before, elevated_ctx.request_id)
def setUp(self): super(PolicyFileTestCase, self).setUp() self.skipTest("Not ready yet") policy.reset() self.addCleanup(policy.reset) self.context = context.Context('fake', 'fake', is_admin=False) self.target = {} self.tempdir = self.useFixture(fixtures.TempDir())
def test_apmec_context_to_dict_with_name(self): ctx = context.Context('user_id', 'tenant_id', tenant_name='tenant_name', user_name='user_name') ctx_dict = ctx.to_dict() self.assertEqual('user_name', ctx_dict['user_name']) self.assertEqual('tenant_name', ctx_dict['tenant_name']) self.assertEqual('tenant_name', ctx_dict['project_name'])
def test_apmec_context_create(self): ctx = context.Context('user_id', 'tenant_id') self.assertEqual('user_id', ctx.user_id) self.assertEqual('tenant_id', ctx.project_id) self.assertEqual('tenant_id', ctx.tenant_id) self.assertThat(ctx.request_id, matchers.StartsWith('req-')) self.assertEqual('user_id', ctx.user) self.assertEqual('tenant_id', ctx.tenant) self.assertIsNone(ctx.user_name) self.assertIsNone(ctx.tenant_name)
def test_apmec_context_to_dict(self): ctx = context.Context('user_id', 'tenant_id') ctx_dict = ctx.to_dict() self.assertEqual('user_id', ctx_dict['user_id']) self.assertEqual('tenant_id', ctx_dict['project_id']) self.assertEqual(ctx.request_id, ctx_dict['request_id']) self.assertEqual('user_id', ctx_dict['user']) self.assertEqual('tenant_id', ctx_dict['tenant']) self.assertIsNone(ctx_dict['user_name']) self.assertIsNone(ctx_dict['tenant_name']) self.assertIsNone(ctx_dict['project_name'])
def test_apmec_context_create_with_name(self): ctx = context.Context('user_id', 'tenant_id', tenant_name='tenant_name', user_name='user_name') # Check name is set self.assertEqual('user_name', ctx.user_name) self.assertEqual('tenant_name', ctx.tenant_name) # Check user/tenant contains its ID even if user/tenant_name is passed self.assertEqual('user_id', ctx.user) self.assertEqual('tenant_id', ctx.tenant)
def setUp(self): super(DefaultPolicyTestCase, self).setUp() self.skipTest("Not ready yet") policy.reset() policy.init() self.addCleanup(policy.reset) self.rules = { "default": '', "example:exist": '!', } self._set_rules('default') self.context = context.Context('fake', 'fake')
def __call__(self, req): # Determine the user ID user_id = req.headers.get('X_USER_ID') if not user_id: LOG.debug("X_USER_ID is not found in request") return webob.exc.HTTPUnauthorized() # Determine the tenant tenant_id = req.headers.get('X_PROJECT_ID') # Suck out the roles roles = [r.strip() for r in req.headers.get('X_ROLES', '').split(',')] # Human-friendly names tenant_name = req.headers.get('X_PROJECT_NAME') user_name = req.headers.get('X_USER_NAME') # Use request_id if already set req_id = req.environ.get(request_id.ENV_REQUEST_ID) # Get the auth token auth_token = req.headers.get('X_AUTH_TOKEN', req.headers.get('X_STORAGE_TOKEN')) # Create a context with the authentication data ctx = context.Context(user_id, tenant_id, roles=roles, user_name=user_name, tenant_name=tenant_name, request_id=req_id, auth_token=auth_token) # Inject the context... req.environ['apmec.context'] = ctx return self.application
def setUp(self): super(PolicyTestCase, self).setUp() self.skipTest("Not ready yet") policy.reset() self.addCleanup(policy.reset) # NOTE(vish): preload rules to circumvent reloading from file policy.init() rules = { "true": '@', "example:allowed": '@', "example:denied": '!', "example:get_http": "http:http://www.example.com", "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } # NOTE(vish): then overload underlying rules common_policy.set_rules(common_policy.Rules( dict((k, common_policy.parse_rule(v)) for k, v in rules.items()))) self.context = context.Context('fake', 'fake', roles=['member']) self.target = {}
def test_context_with_apmec_context(self): self.skip("Not ready yet") ctxt = context.Context('fake_user', 'fake_tenant') self.req.environ['apmec.context'] = ctxt self.assertEqual(ctxt, self.req.context)
def _test_nonadmin_action_on_attr(self, action, attr, value, exception=None): user_context = context.Context('', "user", roles=['user']) self._test_action_on_attr(user_context, action, attr, value, exception)
def test_apmec_context_create_with_request_id(self): ctx = context.Context('user_id', 'tenant_id', request_id='req_id_xxx') self.assertEqual('req_id_xxx', ctx.request_id)
def test_apmec_context_create_logs_unknown_kwarg(self): with mock.patch.object(context.LOG, 'debug') as mock_log: context.Context('user_id', 'tenant_id', foo=None) self.assertEqual(1, mock_log.call_count)