def test_templatized_enforcement(self):
    """Check that 'example:my_file' only authorizes the caller's own project.

    The credentials carry project_id 'fake' and no roles. Enforcing against
    a target in the same project has to return without raising; enforcing
    against a target in another project has to raise ForbiddenAction.

    NOTE(review): the rule definition is not visible here; presumably it
    compares the target's project_id with the one in the credentials.
    Confirm against the policy fixture.
    """
    rule_name = "example:my_file"
    caller = {'project_id': 'fake', 'roles': []}
    own_target = {'project_id': 'fake'}
    foreign_target = {'project_id': 'another'}

    # Positive case: the test passes this line only if nothing is raised.
    policy.enforce(caller, rule_name, own_target)

    # Negative case: the cross-project request must be refused.
    self.assertRaises(exception.ForbiddenAction, policy.enforce,
                      caller, rule_name, foreign_target)
 def test_ignore_case_role_check(self):
     """Check that role matching does not depend on letter case.

     A single credential set holding the role 'AdMiN' is enforced against
     two rules; both calls have to return without raising.

     NOTE(review): if matching is case-insensitive, two roles whose names
     differ only by case cannot be told apart by these rules. Worth
     keeping in mind when role names are assigned.
     """
     # NOTE(dprince): We mix case in the Admin role here to ensure
     # case is ignored
     mixed_case_admin = {'roles': ['AdMiN']}
     for rule_name in ("example:lowercase_admin", "example:uppercase_admin"):
         policy.enforce(mixed_case_admin, rule_name, self.target)
Exemple #3
 def test_warning_message_is_logged_if_enforce_scope_is_false(self):
     """Check that a scope mismatch only warns when enforce_scope is off.

     With ``[oslo_policy] enforce_scope`` set to False the call to
     ``policy.enforce`` has to return without raising, and ``warnings.warn``
     has to have been called with the scope-check message built below.
     ``self.credentials``, ``self.action`` and ``self.target`` are prepared
     outside this method.

     NOTE(review): what this pins is the permissive mode, in which a
     project-scoped token is let through a policy that asks for system
     scope. A deployment that depends on scope separation needs
     ``enforce_scope`` enabled, where the same request is expected to be
     rejected instead of warned about.
     """
     self.config_fixture.config(group='oslo_policy', enforce_scope=False)
     scope_warning = (
         'Policy foo failed scope check. The token used to make the '
         'request was project scoped but the policy requires [\'system\'] '
         'scope. This behavior may change in the future where using the '
         'intended scope is required')
     # Replace warnings.warn with a mock so the emitted text can be inspected.
     with mock.patch('warnings.warn') as warn_spy:
         policy.enforce(self.credentials, self.action, self.target)
     # assert_called_with compares against the most recent call only.
     warn_spy.assert_called_with(scope_warning)
 def test_modified_policy_reloads(self):
     """Check that a tightened policy file is honoured on the next check.

     The policy file at ``self.tmpfilename`` first gets an empty rule list
     for 'example:test', and enforcement with empty credentials has to
     return without raising. The file is then rewritten with the rule
     'false:false', the enforcer's private cache is cleared, and the same
     call has to raise ForbiddenAction.

     NOTE(review): the cache is dropped by hand through the private
     ``policy._ENFORCER._enforcer`` attribute, so this shows that the new
     file is read after a clear, not that a modification is noticed
     without one. Confirm what ``clear()`` discards.
     """
     rule_name = "example:test"
     no_credentials = {}

     def write_policy(body):
         # Overwrite the whole policy file; "w" truncates before writing.
         with open(self.tmpfilename, "w") as policyfile:
             policyfile.write(body)

     # Permissive version: an empty rule list is expected to allow the call.
     write_policy("""{"example:test": []}""")
     policy.enforce(no_credentials, rule_name, self.target)

     # Restrictive version, followed by the manual cache reset.
     write_policy("""{"example:test": ["false:false"]}""")
     policy._ENFORCER._enforcer.clear()
     self.assertRaises(exception.ForbiddenAction, policy.enforce,
                       no_credentials, rule_name, self.target)
Exemple #5
 def test_warning_message_is_logged_if_enforce_scope_is_false(self):
     """Check that enforce() warns, and does not raise, on a scope mismatch.

     ``[oslo_policy] enforce_scope`` is turned off first. The enforce call
     then has to complete, and the patched ``warnings.warn`` has to have
     received exactly the message assembled below. The credentials, action
     and target come from attributes set outside this method.

     NOTE(review): this is the permissive setting. The request made with a
     project-scoped token is accepted although the policy names system
     scope; only a warning records it. Deployments that rely on scope
     boundaries should run with ``enforce_scope`` enabled.
     """
     self.config_fixture.config(group='oslo_policy', enforce_scope=False)
     wanted_warning = (
         'Policy foo failed scope check. The token used to make the '
         'request was project scoped but the policy requires [\'system\'] '
         'scope. This behavior may change in the future where using the '
         'intended scope is required'
     )
     with mock.patch('warnings.warn') as patched_warn:
         policy.enforce(self.credentials, self.action, self.target)
     # Only the last recorded call is compared by assert_called_with.
     patched_warn.assert_called_with(wanted_warning)
 def test_early_OR_enforcement(self):
     """Check that 'example:early_or_success' authorizes the request.

     The test passes only if ``policy.enforce`` returns without raising.

     NOTE(review): going by the name, the rule is an OR whose first
     alternative already succeeds; the definition is not visible here.
     """
     policy.enforce(self.credentials, "example:early_or_success", self.target)
 def test_enforce_good_action(self):
     """Check that the 'example:allowed' action is authorized.

     There is no explicit assertion: the test passes only if
     ``policy.enforce`` returns without raising.
     """
     policy.enforce(self.credentials, "example:allowed", self.target)
Exemple #8
 def enforce(self, credentials, action, target):
     """Log the authorization request, then delegate to ``policy.enforce``.

     Nothing is returned and the result of ``policy.enforce`` is not
     inspected, so a denial reaches the caller only as an exception raised
     by that call.
     """
     # NOTE(review): the complete credentials mapping is written to the
     # debug log. Confirm it never carries a token or other secret, or
     # mask those fields before logging.
     LOG.debug('enforce %(action)s: %(credentials)s',
               {'action': action, 'credentials': credentials})
     policy.enforce(credentials, action, target)
Exemple #9
 def enforce(self, credentials, action, target):
     """Record the check in the debug log and hand it to ``policy.enforce``.

     The method has no return value of its own. It does not look at what
     ``policy.enforce`` returns, so the caller learns of a refusal only if
     that call raises.
     """
     # NOTE(review): ``credentials`` is logged as-is at debug level. Verify
     # that it holds no token or secret material, or redact it first;
     # debug logs are often retained and shared more widely than intended.
     log_fields = {'action': action, 'credentials': credentials}
     LOG.debug('enforce %(action)s: %(credentials)s', log_fields)
     policy.enforce(credentials, action, target)