def test_config_policies(self):
    """Default policy for the config endpoint.

    An anonymous caller (no username) is refused; a caller carrying a
    username is admitted.
    """
    # NOTE(review): the username is masked as '******' in this copy of the
    # test; confirm which identity the original fixture used here.
    target = {}

    def granted(credentials):
        return policy.authorize('managesf.config:get', target, credentials)

    self.assertFalse(granted({}))
    self.assertTrue(granted({'username': '******'}))
def test_config_policies(self):
    """Default policy for the config endpoint.

    An anonymous caller (no username) is refused; a caller carrying a
    username is admitted.
    """
    # NOTE(review): the username is masked as '******' in this copy of the
    # test; confirm which identity the original fixture used here.
    target = {}

    def granted(credentials):
        return policy.authorize('managesf.config:get', target, credentials)

    self.assertFalse(granted({}))
    self.assertTrue(granted({'username': '******'}))
def test_hooks_policies(self):
    """Default policy for triggering hooks.

    Refused for an anonymous caller and for an ordinary user; granted to the
    two privileged identities tested last.
    """
    # NOTE(review): usernames are masked as '******' in this copy. The four
    # credential sets below can only yield False/False/True/True if they are
    # distinct identities (anonymous, ordinary user, two privileged
    # accounts); restore the real fixture values before running.
    rule = 'managesf.hooks:trigger'
    target = {}
    expectations = (
        ({}, False),
        ({'username': '******'}, False),
        ({'username': '******'}, True),
        ({'username': '******'}, True),
    )
    for credentials, expected in expectations:
        decision = policy.authorize(rule, target, credentials)
        if expected:
            self.assertTrue(decision)
        else:
            self.assertFalse(decision)
def test_hooks_policies(self):
    """Default policy for triggering hooks.

    Refused for an anonymous caller and for an ordinary user; granted to the
    two privileged identities tested last.
    """
    # NOTE(review): usernames are masked as '******' in this copy. The four
    # credential sets below can only yield False/False/True/True if they are
    # distinct identities (anonymous, ordinary user, two privileged
    # accounts); restore the real fixture values before running.
    rule = 'managesf.hooks:trigger'
    target = {}
    expectations = (
        ({}, False),
        ({'username': '******'}, False),
        ({'username': '******'}, True),
        ({'username': '******'}, True),
    )
    for credentials, expected in expectations:
        decision = policy.authorize(rule, target, credentials)
        if expected:
            self.assertTrue(decision)
        else:
            self.assertFalse(decision)
def authorize(rule_name, target):
    """Evaluate policy rule ``rule_name`` against ``target`` for the caller.

    The caller identity is ``request.remote_user``; when that is unset, the
    ``X-Remote-User`` request header is used instead and written back to the
    request. If a username is known, the caller's group names are fetched
    from the code-review service plugin and passed to the policy engine
    together with the username.

    SECURITY(review): the header fallback trusts a client-controlled value.
    It is only safe when a trusted front-end (reverse proxy / auth module)
    always sets or strips ``X-Remote-User`` before the request reaches this
    service; if the service is reachable directly, any client can claim any
    identity, including the admin and service accounts. Verify this in the
    deployment configuration.

    Raises IndexError if no ``BaseCodeReviewServicePlugin`` is registered in
    ``SF_SERVICES`` (the ``[0]`` lookup below).
    """
    if not request.remote_user:
        request.remote_user = request.headers.get('X-Remote-User')
    username = request.remote_user
    groups = []
    # TODO(mhu) this must be independent from gerrit
    if username:
        review_plugins = [
            plugin for plugin in SF_SERVICES
            if isinstance(plugin, base.BaseCodeReviewServicePlugin)
        ]
        code_review = review_plugins[0]
        memberships = code_review.project.get_user_groups(username)
        groups = [membership['name'] for membership in memberships]
    credentials = {'username': username, 'groups': groups}
    return policy.authorize(rule_name, target, credentials)
def authorize(rule_name, target):
    """Evaluate policy rule ``rule_name`` against ``target`` for the caller.

    The caller identity is ``request.remote_user``; when that is unset, the
    ``X-Remote-User`` request header is used instead and written back to the
    request. If a username is known, the caller's group names are fetched
    from the code-review service plugin and passed to the policy engine
    together with the username.

    SECURITY(review): the header fallback trusts a client-controlled value.
    It is only safe when a trusted front-end (reverse proxy / auth module)
    always sets or strips ``X-Remote-User`` before the request reaches this
    service; if the service is reachable directly, any client can claim any
    identity, including the admin and service accounts. Verify this in the
    deployment configuration.

    Raises IndexError if no ``BaseCodeReviewServicePlugin`` is registered in
    ``SF_SERVICES`` (the ``[0]`` lookup below).
    """
    if not request.remote_user:
        request.remote_user = request.headers.get('X-Remote-User')
    username = request.remote_user
    groups = []
    # TODO(mhu) this must be independent from gerrit
    if username:
        review_plugins = [
            plugin for plugin in SF_SERVICES
            if isinstance(plugin, base.BaseCodeReviewServicePlugin)
        ]
        code_review = review_plugins[0]
        memberships = code_review.project.get_user_groups(username)
        groups = [membership['name'] for membership in memberships]
    credentials = {'username': username, 'groups': groups}
    return policy.authorize(rule_name, target, credentials)
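def test_nodes_policies_extra_conditions(self):
    """A custom rule may combine a username match with target attributes.

    Writes a policy file in which ``managesf.node:image-update`` is granted
    either by ``admin_or_service`` or by a user-specific rule that also
    requires ``image`` and ``provider`` to match the target, then checks that
    a matching request is authorized.

    The policy file is shared with the other tests, so it is restored in a
    ``finally`` block: the original only restored it on success, leaving the
    permissive 'rick-images' rule in force for later tests whenever the
    assertion failed.
    """
    pol_file = self.config['policy']['policy_file']
    custom_rules = {
        "managesf.node:image-update": ("rule:rick-images or "
                                       "rule:admin_or_service"),
        "rick-images": ("username:rick and image:schwifty "
                        "and provider:wub"),
    }
    with open(pol_file, 'w') as p:
        yaml.dump(custom_rules, p, default_flow_style=False)
    try:
        # NOTE(review): the username is masked as '******' in this copy; the
        # rule above only matches 'rick', so the real fixture value has to be
        # restored for this assertion to pass.
        credentials = {'username': '******'}
        target = {'image': 'schwifty', 'provider': 'wub'}
        self.assertTrue(
            policy.authorize("managesf.node:image-update", target, credentials))
    finally:
        # Put back the rule set the rest of the suite expects (presumably the
        # content written by setUp — verify against the fixture).
        with open(pol_file, 'w') as p:
            yaml.dump({"managesf.node:image-update": "rule:admin_or_service"},
                      p, default_flow_style=False)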
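def test_nodes_policies_extra_conditions(self):
    """A custom rule may combine a username match with target attributes.

    Writes a policy file in which ``managesf.node:image-update`` is granted
    either by ``admin_or_service`` or by a user-specific rule that also
    requires ``image`` and ``provider`` to match the target, then checks that
    a matching request is authorized.

    The policy file is shared with the other tests, so it is restored in a
    ``finally`` block: the original only restored it on success, leaving the
    permissive 'rick-images' rule in force for later tests whenever the
    assertion failed.
    """
    pol_file = self.config['policy']['policy_file']
    custom_rules = {
        "managesf.node:image-update": ("rule:rick-images or "
                                       "rule:admin_or_service"),
        "rick-images": ("username:rick and image:schwifty "
                        "and provider:wub"),
    }
    with open(pol_file, 'w') as p:
        yaml.dump(custom_rules, p, default_flow_style=False)
    try:
        # NOTE(review): the username is masked as '******' in this copy; the
        # rule above only matches 'rick', so the real fixture value has to be
        # restored for this assertion to pass.
        credentials = {'username': '******'}
        target = {'image': 'schwifty', 'provider': 'wub'}
        self.assertTrue(
            policy.authorize("managesf.node:image-update", target, credentials))
    finally:
        # Put back the rule set the rest of the suite expects (presumably the
        # content written by setUp — verify against the fixture).
        with open(pol_file, 'w') as p:
            yaml.dump({"managesf.node:image-update": "rule:admin_or_service"},
                      p, default_flow_style=False)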
def test_htpasswd_policies(self):
    """Default htpasswd endpoint policies.

    Every operation is refused to an anonymous caller and granted to the
    identity tested second.
    """
    # NOTE(review): the username is masked as '******' in this copy; the
    # original granted all three operations to it, so it is presumably a
    # privileged account — confirm against the fixture.
    target = {}
    rules = (
        'managesf.htpasswd:get',
        'managesf.htpasswd:create_update',
        'managesf.htpasswd:delete',
    )
    for rule in rules:
        self.assertFalse(policy.authorize(rule, target, {}))
    credentials = {'username': '******'}
    for rule in rules:
        self.assertTrue(policy.authorize(rule, target, credentials))
def test_backup_policies(self):
    """Default backup endpoint policies.

    Neither creating nor fetching a backup is allowed to an anonymous or an
    ordinary caller; only the identity tested last may do both.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # and third credential sets must be distinct identities (an ordinary
    # user, then a privileged account) for these assertions to hold.
    target = {}
    create, get = 'managesf.backup:create', 'managesf.backup:get'
    for credentials in ({}, {'username': '******'}):
        self.assertFalse(policy.authorize(create, target, credentials))
        self.assertFalse(policy.authorize(get, target, credentials))
    privileged = {'username': '******'}
    self.assertTrue(policy.authorize(get, target, privileged))
    self.assertTrue(policy.authorize(create, target, privileged))
def test_backup_policies(self):
    """Default backup endpoint policies.

    Neither creating nor fetching a backup is allowed to an anonymous or an
    ordinary caller; only the identity tested last may do both.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # and third credential sets must be distinct identities (an ordinary
    # user, then a privileged account) for these assertions to hold.
    target = {}
    create, get = 'managesf.backup:create', 'managesf.backup:get'
    for credentials in ({}, {'username': '******'}):
        self.assertFalse(policy.authorize(create, target, credentials))
        self.assertFalse(policy.authorize(get, target, credentials))
    privileged = {'username': '******'}
    self.assertTrue(policy.authorize(get, target, privileged))
    self.assertTrue(policy.authorize(create, target, privileged))
def test_htpasswd_policies(self):
    """Default htpasswd endpoint policies.

    Every operation is refused to an anonymous caller and granted to the
    identity tested second.
    """
    # NOTE(review): the username is masked as '******' in this copy; the
    # original granted all three operations to it, so it is presumably a
    # privileged account — confirm against the fixture.
    target = {}
    rules = (
        'managesf.htpasswd:get',
        'managesf.htpasswd:create_update',
        'managesf.htpasswd:delete',
    )
    for rule in rules:
        self.assertFalse(policy.authorize(rule, target, {}))
    credentials = {'username': '******'}
    for rule in rules:
        self.assertTrue(policy.authorize(rule, target, credentials))
def test_localuser_policies(self):
    """Default localuser endpoint policies.

    ``bind`` is open even to anonymous callers (presumably because it is the
    authentication step itself — confirm). Reading entries needs an
    authenticated caller. Creating, updating or deleting an entry is allowed
    when the target username is the caller's own, and for the privileged
    caller tested at the end.
    """
    # NOTE(review): usernames are masked as '******' in this copy. The
    # assertions only hold if the first target names the caller itself, the
    # second target a different user, and the final credentials a privileged
    # account — restore the original fixture values.
    get_rule = 'managesf.localuser:get'
    write_rule = 'managesf.localuser:create_update'
    delete_rule = 'managesf.localuser:delete'
    bind_rule = 'managesf.localuser:bind'

    def allowed(rule, target, credentials):
        return policy.authorize(rule, target, credentials)

    anonymous, target = {}, {}
    self.assertFalse(allowed(get_rule, target, anonymous))
    self.assertFalse(allowed(write_rule, target, anonymous))
    self.assertFalse(allowed(delete_rule, target, anonymous))
    self.assertTrue(allowed(bind_rule, target, anonymous))

    credentials = {'username': '******', 'groups': []}
    self.assertTrue(allowed(get_rule, target, credentials))
    self.assertFalse(allowed(write_rule, target, credentials))
    self.assertFalse(allowed(delete_rule, target, credentials))
    self.assertTrue(allowed(bind_rule, target, credentials))

    target = {'username': '******'}  # the caller's own entry
    self.assertTrue(allowed(write_rule, target, credentials))
    self.assertTrue(allowed(delete_rule, target, credentials))

    target = {'username': '******'}  # somebody else's entry
    self.assertTrue(allowed(get_rule, target, credentials))
    self.assertFalse(allowed(write_rule, target, credentials))
    self.assertFalse(allowed(delete_rule, target, credentials))

    credentials['username'] = '******'  # privileged caller
    self.assertTrue(allowed(write_rule, target, credentials))
    self.assertTrue(allowed(delete_rule, target, credentials))
def test_jobs_policies(self):
    """Default jobs endpoint policies.

    Anyone may list jobs; running and stopping them is reserved to the two
    privileged identities tested last.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # credential set must be an ordinary user and the last two privileged
    # accounts for these assertions to hold.
    get, run, stop = 'managesf.job:get', 'managesf.job:run', 'managesf.job:stop'
    for credentials in ({}, {'username': '******'}):
        self.assertTrue(policy.authorize(get, {}, credentials))
        self.assertFalse(policy.authorize(run, {}, credentials))
        self.assertFalse(policy.authorize(stop, {}, credentials))
    for credentials in ({'username': '******'}, {'username': '******'}):
        for rule in (get, run, stop):
            self.assertTrue(policy.authorize(rule, {}, credentials))
def test_nodes_policies(self):
    """Default nodes endpoint policies.

    Listing nodes and images is public. Holding or deleting a node, adding an
    authorized key and driving image updates are refused to anonymous and
    ordinary callers and granted to the two privileged identities.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # credential set must be an ordinary user and the last two privileged
    # accounts for these assertions to hold.
    rules = (
        ('managesf.node:get', True),
        ('managesf.node:hold', False),
        ('managesf.node:delete', False),
        ('managesf.node:add_authorized_key', False),
        ('managesf.node:image-get', True),
        ('managesf.node:image-start-update', False),
        ('managesf.node:image-update-status', False),
    )
    for credentials in ({}, {'username': '******'}):
        for rule, public in rules:
            decision = policy.authorize(rule, {}, credentials)
            if public:
                self.assertTrue(decision)
            else:
                self.assertFalse(decision)
    for credentials in ({'username': '******'}, {'username': '******'}):
        for rule, _ in rules:
            self.assertTrue(policy.authorize(rule, {}, credentials))
def test_default_policies(self):
    """Exercise the generic rules shipped with a default deployment.

    Covers the anonymous / authenticated / admin / service distinctions,
    owner matching between the caller and ``target['username']``, and the
    project-role rules (``dev_api``, ``core_api``, ``ptl_api``,
    ``contributor_api``), which the assertions below drive through group
    names of the form ``<project>-<role>``.
    """
    try:
        admin_account = self.config.admin['name']
    except AttributeError:
        admin_account = 'admin'

    def check(rule, target, credentials, expected):
        outcome = policy.authorize(rule, target, credentials)
        if expected:
            self.assertTrue(outcome)
        else:
            self.assertFalse(outcome)

    target = {}
    anonymous = {}
    check('any', target, anonymous, True)
    check('none', target, anonymous, False)
    check('authenticated_api', target, anonymous, False)

    # NOTE(review): usernames are masked as '******' in this copy; here the
    # original used a plain account that is neither admin nor service user.
    plain_user = {'username': '******'}
    check('any', target, plain_user, True)
    check('none', target, plain_user, False)
    check('authenticated_api', target, plain_user, True)
    check('admin_api', target, plain_user, False)

    admin = {'username': admin_account}
    check('authenticated_api', target, admin, True)
    check('any', target, admin, True)
    check('none', target, admin, False)
    check('admin_api', target, admin, True)
    check('admin_or_service', target, admin, True)
    check('owner_api', target, admin, False)
    check('admin_or_owner', target, admin, True)
    check('contributor_api', target, admin, False)

    service = {'username': base.SERVICE_USER}
    check('authenticated_api', target, service, True)
    check('any', target, service, True)
    check('none', target, service, False)
    check('admin_api', target, service, False)
    check('admin_or_service', target, service, True)
    check('owner_api', target, service, False)

    # Owner matching. NOTE(review): both values read '******' here; in the
    # original the first target named a different user than the caller and
    # the second named the caller itself.
    credentials = {'username': '******'}
    target = {'username': '******'}
    check('authenticated_api', target, credentials, True)
    check('any', target, credentials, True)
    check('none', target, credentials, False)
    check('admin_api', target, credentials, False)
    check('owner_api', target, credentials, False)
    target = {'username': '******'}
    check('owner_api', target, credentials, True)

    # Project roles: membership in 'p0-<role>' grants <role>_api on p0 only.
    role_rules = ('dev_api', 'core_api', 'ptl_api', 'contributor_api')
    credentials['groups'] = ['p0-dev']
    target = {'project': 'p1'}
    check('any', target, credentials, True)
    for rule in role_rules:
        check(rule, target, credentials, False)
    target = {'project': 'p0'}
    role_expectations = (
        ('p0-dev', (True, False, False, True)),
        ('p0-core', (False, True, False, True)),
        ('p0-ptl', (False, False, True, True)),
    )
    for group, outcomes in role_expectations:
        credentials['groups'] = [group]
        for rule, expected in zip(role_rules, outcomes):
            check(rule, target, credentials, expected)
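def test_change_in_file_policies(self):
    """Rewriting the policy file changes the rules it defines, while rules it
    omits fall back to the built-in defaults.

    The file is replaced with a set that closes ``managesf.node:create`` and
    adds a user-specific ``rick_api`` rule; ``managesf.node:image-start-
    update`` is deliberately left out so that the default (admin-only) rule
    is the one exercised for it. ``admin_api`` must keep working throughout.

    The policy file is shared with the other tests, so it is restored in a
    ``finally`` block: the original only restored it on success, which left
    the 'rick' rule set in force for every later test whenever an assertion
    here failed.
    """
    pol_file = self.config['policy']['policy_file']
    try:
        admin_account = self.config.admin['name']
    except AttributeError:
        admin_account = 'admin'
    rick_rules = {
        "managesf.node:get": "rule:any",
        "managesf.node:create": "rule:none",
        "is_rick": "username:Rick",
        "rick_api": "rule:is_rick",
    }
    # The content the rest of the suite expects (presumably what setUp
    # writes — verify against the fixture).
    restored_rules = {
        "managesf.node:get": "rule:any",
        "managesf.node:create": "rule:any",
        "is_morty": "username:morty",
        "morty_api": "rule:is_morty",
    }
    rules = ('admin_api', 'managesf.node:create',
             'managesf.node:image-start-update', 'rick_api')
    # One row per caller: username (None = anonymous) followed by the
    # expected decision for each entry of ``rules``, in order.
    # NOTE(review): usernames are masked as '******' in this copy; the first
    # must be the user named by is_rick (spelled 'Rick' — whether matching is
    # case-sensitive depends on the policy engine, confirm), the second any
    # other ordinary user.
    expectations = (
        (None, (False, False, False, False)),
        ('******', (False, False, False, True)),
        ('******', (False, False, False, False)),
        (admin_account, (True, False, True, False)),
    )
    with open(pol_file, 'w') as p:
        yaml.dump(rick_rules, p, default_flow_style=False)
    try:
        target = {}
        credentials = {}
        for username, outcomes in expectations:
            if username is not None:
                credentials['username'] = username
            for rule, expected in zip(rules, outcomes):
                decision = policy.authorize(rule, target, credentials)
                if expected:
                    self.assertTrue(decision)
                else:
                    self.assertFalse(decision)
    finally:
        with open(pol_file, 'w') as p:
            yaml.dump(restored_rules, p, default_flow_style=False)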
def test_file_policies(self):
    """Policies loaded from the configured file are honoured.

    Expects a policy file that opens ``managesf.node:create`` and
    ``managesf.node:get`` to everyone and defines a ``morty_api`` rule that
    matches a single username, while the built-in ``admin_api`` rule keeps
    working alongside it.
    """
    # NOTE(review): this test does not write the policy file itself; it
    # relies on the content presumably installed by setUp (and restored by
    # test_change_in_file_policies) — verify the fixture.
    # NOTE(review): usernames are masked as '******' in this copy; the last
    # one must be the user named by the file's is_morty rule.
    try:
        admin_account = self.config.admin['name']
    except AttributeError:
        admin_account = 'admin'
    target = {}
    create, get = 'managesf.node:create', 'managesf.node:get'

    def allowed(rule, credentials):
        return policy.authorize(rule, target, credentials)

    # make sure default rules are there
    self.assertFalse(allowed('admin_api', {}))
    self.assertTrue(allowed('admin_api', {'username': admin_account}))
    self.assertTrue(allowed(create, {}))
    self.assertTrue(allowed(get, {}))
    self.assertFalse(allowed('morty_api', {}))

    credentials = {'username': '******'}
    self.assertFalse(allowed('admin_api', credentials))
    self.assertTrue(allowed(create, credentials))
    self.assertTrue(allowed(get, credentials))
    self.assertFalse(allowed('morty_api', credentials))

    credentials = {'username': '******'}
    self.assertFalse(allowed('admin_api', credentials))
    self.assertTrue(allowed(get, credentials))
    self.assertTrue(allowed(create, credentials))
    self.assertTrue(allowed('morty_api', credentials))
def test_file_policies(self):
    """Policies loaded from the configured file are honoured.

    Expects a policy file that opens ``managesf.node:create`` and
    ``managesf.node:get`` to everyone and defines a ``morty_api`` rule that
    matches a single username, while the built-in ``admin_api`` rule keeps
    working alongside it.
    """
    # NOTE(review): this test does not write the policy file itself; it
    # relies on the content presumably installed by setUp (and restored by
    # test_change_in_file_policies) — verify the fixture.
    # NOTE(review): usernames are masked as '******' in this copy; the last
    # one must be the user named by the file's is_morty rule.
    try:
        admin_account = self.config.admin['name']
    except AttributeError:
        admin_account = 'admin'
    target = {}
    create, get = 'managesf.node:create', 'managesf.node:get'

    def allowed(rule, credentials):
        return policy.authorize(rule, target, credentials)

    # make sure default rules are there
    self.assertFalse(allowed('admin_api', {}))
    self.assertTrue(allowed('admin_api', {'username': admin_account}))
    self.assertTrue(allowed(create, {}))
    self.assertTrue(allowed(get, {}))
    self.assertFalse(allowed('morty_api', {}))

    credentials = {'username': '******'}
    self.assertFalse(allowed('admin_api', credentials))
    self.assertTrue(allowed(create, credentials))
    self.assertTrue(allowed(get, credentials))
    self.assertFalse(allowed('morty_api', credentials))

    credentials = {'username': '******'}
    self.assertFalse(allowed('admin_api', credentials))
    self.assertTrue(allowed(get, credentials))
    self.assertTrue(allowed(create, credentials))
    self.assertTrue(allowed('morty_api', credentials))
def test_default_policies(self):
    """Exercise the generic rules shipped with a default deployment.

    Covers the anonymous / authenticated / admin / service distinctions,
    owner matching between the caller and ``target['username']``, and the
    project-role rules (``dev_api``, ``core_api``, ``ptl_api``,
    ``contributor_api``), which the assertions below drive through group
    names of the form ``<project>-<role>``.
    """
    try:
        admin_account = self.config.admin['name']
    except AttributeError:
        admin_account = 'admin'

    def check(rule, target, credentials, expected):
        outcome = policy.authorize(rule, target, credentials)
        if expected:
            self.assertTrue(outcome)
        else:
            self.assertFalse(outcome)

    target = {}
    anonymous = {}
    check('any', target, anonymous, True)
    check('none', target, anonymous, False)
    check('authenticated_api', target, anonymous, False)

    # NOTE(review): usernames are masked as '******' in this copy; here the
    # original used a plain account that is neither admin nor service user.
    plain_user = {'username': '******'}
    check('any', target, plain_user, True)
    check('none', target, plain_user, False)
    check('authenticated_api', target, plain_user, True)
    check('admin_api', target, plain_user, False)

    admin = {'username': admin_account}
    check('authenticated_api', target, admin, True)
    check('any', target, admin, True)
    check('none', target, admin, False)
    check('admin_api', target, admin, True)
    check('admin_or_service', target, admin, True)
    check('owner_api', target, admin, False)
    check('admin_or_owner', target, admin, True)
    check('contributor_api', target, admin, False)

    service = {'username': base.SERVICE_USER}
    check('authenticated_api', target, service, True)
    check('any', target, service, True)
    check('none', target, service, False)
    check('admin_api', target, service, False)
    check('admin_or_service', target, service, True)
    check('owner_api', target, service, False)

    # Owner matching. NOTE(review): both values read '******' here; in the
    # original the first target named a different user than the caller and
    # the second named the caller itself.
    credentials = {'username': '******'}
    target = {'username': '******'}
    check('authenticated_api', target, credentials, True)
    check('any', target, credentials, True)
    check('none', target, credentials, False)
    check('admin_api', target, credentials, False)
    check('owner_api', target, credentials, False)
    target = {'username': '******'}
    check('owner_api', target, credentials, True)

    # Project roles: membership in 'p0-<role>' grants <role>_api on p0 only.
    role_rules = ('dev_api', 'core_api', 'ptl_api', 'contributor_api')
    credentials['groups'] = ['p0-dev']
    target = {'project': 'p1'}
    check('any', target, credentials, True)
    for rule in role_rules:
        check(rule, target, credentials, False)
    target = {'project': 'p0'}
    role_expectations = (
        ('p0-dev', (True, False, False, True)),
        ('p0-core', (False, True, False, True)),
        ('p0-ptl', (False, False, True, True)),
    )
    for group, outcomes in role_expectations:
        credentials['groups'] = [group]
        for rule, expected in zip(role_rules, outcomes):
            check(rule, target, credentials, expected)
def test_nodes_policies(self):
    """Default nodes endpoint policies.

    Listing nodes and images is public. Holding or deleting a node, adding an
    authorized key and driving image updates are refused to anonymous and
    ordinary callers and granted to the two privileged identities.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # credential set must be an ordinary user and the last two privileged
    # accounts for these assertions to hold.
    rules = (
        ('managesf.node:get', True),
        ('managesf.node:hold', False),
        ('managesf.node:delete', False),
        ('managesf.node:add_authorized_key', False),
        ('managesf.node:image-get', True),
        ('managesf.node:image-start-update', False),
        ('managesf.node:image-update-status', False),
    )
    for credentials in ({}, {'username': '******'}):
        for rule, public in rules:
            decision = policy.authorize(rule, {}, credentials)
            if public:
                self.assertTrue(decision)
            else:
                self.assertFalse(decision)
    for credentials in ({'username': '******'}, {'username': '******'}):
        for rule, _ in rules:
            self.assertTrue(policy.authorize(rule, {}, credentials))
def test_resources_policies(self):
    """Default resources endpoint policies.

    Reading resources is public; validating and applying them is refused to
    anonymous and ordinary callers and granted to the two privileged
    identities tested last.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # credential set must be an ordinary user and the last two privileged
    # accounts for these assertions to hold.
    get = 'managesf.resources:get'
    validate = 'managesf.resources:validate'
    apply_rule = 'managesf.resources:apply'
    for credentials in ({}, {'username': '******'}):
        self.assertTrue(policy.authorize(get, {}, credentials))
        self.assertFalse(policy.authorize(validate, {}, credentials))
        self.assertFalse(policy.authorize(apply_rule, {}, credentials))
    for credentials in ({'username': '******'}, {'username': '******'}):
        for rule in (get, validate, apply_rule):
            self.assertTrue(policy.authorize(rule, {}, credentials))
def test_resources_policies(self):
    """Default resources endpoint policies.

    Reading resources is public; validating and applying them is refused to
    anonymous and ordinary callers and granted to the two privileged
    identities tested last.
    """
    # NOTE(review): usernames are masked as '******' in this copy; the second
    # credential set must be an ordinary user and the last two privileged
    # accounts for these assertions to hold.
    get = 'managesf.resources:get'
    validate = 'managesf.resources:validate'
    apply_rule = 'managesf.resources:apply'
    for credentials in ({}, {'username': '******'}):
        self.assertTrue(policy.authorize(get, {}, credentials))
        self.assertFalse(policy.authorize(validate, {}, credentials))
        self.assertFalse(policy.authorize(apply_rule, {}, credentials))
    for credentials in ({'username': '******'}, {'username': '******'}):
        for rule in (get, validate, apply_rule):
            self.assertTrue(policy.authorize(rule, {}, credentials))
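def test_change_in_file_policies(self):
    """Rewriting the policy file changes the rules it defines, while rules it
    omits fall back to the built-in defaults.

    The file is replaced with a set that closes ``managesf.node:create`` and
    adds a user-specific ``rick_api`` rule; ``managesf.node:image-start-
    update`` is deliberately left out so that the default (admin-only) rule
    is the one exercised for it. ``admin_api`` must keep working throughout.

    The policy file is shared with the other tests, so it is restored in a
    ``finally`` block: the original only restored it on success, which left
    the 'rick' rule set in force for every later test whenever an assertion
    here failed.
    """
    pol_file = self.config['policy']['policy_file']
    try:
        admin_account = self.config.admin['name']
    except AttributeError:
        admin_account = 'admin'
    rick_rules = {
        "managesf.node:get": "rule:any",
        "managesf.node:create": "rule:none",
        "is_rick": "username:Rick",
        "rick_api": "rule:is_rick",
    }
    # The content the rest of the suite expects (presumably what setUp
    # writes — verify against the fixture).
    restored_rules = {
        "managesf.node:get": "rule:any",
        "managesf.node:create": "rule:any",
        "is_morty": "username:morty",
        "morty_api": "rule:is_morty",
    }
    rules = ('admin_api', 'managesf.node:create',
             'managesf.node:image-start-update', 'rick_api')
    # One row per caller: username (None = anonymous) followed by the
    # expected decision for each entry of ``rules``, in order.
    # NOTE(review): usernames are masked as '******' in this copy; the first
    # must be the user named by is_rick (spelled 'Rick' — whether matching is
    # case-sensitive depends on the policy engine, confirm), the second any
    # other ordinary user.
    expectations = (
        (None, (False, False, False, False)),
        ('******', (False, False, False, True)),
        ('******', (False, False, False, False)),
        (admin_account, (True, False, True, False)),
    )
    with open(pol_file, 'w') as p:
        yaml.dump(rick_rules, p, default_flow_style=False)
    try:
        target = {}
        credentials = {}
        for username, outcomes in expectations:
            if username is not None:
                credentials['username'] = username
            for rule, expected in zip(rules, outcomes):
                decision = policy.authorize(rule, target, credentials)
                if expected:
                    self.assertTrue(decision)
                else:
                    self.assertFalse(decision)
    finally:
        with open(pol_file, 'w') as p:
            yaml.dump(restored_rules, p, default_flow_style=False)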
def test_localuser_policies(self):
    """Default localuser endpoint policies.

    ``bind`` is open even to anonymous callers (presumably because it is the
    authentication step itself — confirm). Reading entries needs an
    authenticated caller. Creating, updating or deleting an entry is allowed
    when the target username is the caller's own, and for the privileged
    caller tested at the end.
    """
    # NOTE(review): usernames are masked as '******' in this copy. The
    # assertions only hold if the first target names the caller itself, the
    # second target a different user, and the final credentials a privileged
    # account — restore the original fixture values.
    get_rule = 'managesf.localuser:get'
    write_rule = 'managesf.localuser:create_update'
    delete_rule = 'managesf.localuser:delete'
    bind_rule = 'managesf.localuser:bind'

    def allowed(rule, target, credentials):
        return policy.authorize(rule, target, credentials)

    anonymous, target = {}, {}
    self.assertFalse(allowed(get_rule, target, anonymous))
    self.assertFalse(allowed(write_rule, target, anonymous))
    self.assertFalse(allowed(delete_rule, target, anonymous))
    self.assertTrue(allowed(bind_rule, target, anonymous))

    credentials = {'username': '******', 'groups': []}
    self.assertTrue(allowed(get_rule, target, credentials))
    self.assertFalse(allowed(write_rule, target, credentials))
    self.assertFalse(allowed(delete_rule, target, credentials))
    self.assertTrue(allowed(bind_rule, target, credentials))

    target = {'username': '******'}  # the caller's own entry
    self.assertTrue(allowed(write_rule, target, credentials))
    self.assertTrue(allowed(delete_rule, target, credentials))

    target = {'username': '******'}  # somebody else's entry
    self.assertTrue(allowed(get_rule, target, credentials))
    self.assertFalse(allowed(write_rule, target, credentials))
    self.assertFalse(allowed(delete_rule, target, credentials))

    credentials['username'] = '******'  # privileged caller
    self.assertTrue(allowed(write_rule, target, credentials))
    self.assertTrue(allowed(delete_rule, target, credentials))