Exemple #1
0
    def setUp(self):
        super(NetworkPolicyTestCase, self).setUp()

        policy.reset()
        policy.init()

        self.context = context.get_admin_context()
Exemple #2
0
    def setUp(self):
        super(NetworkPolicyTestCase, self).setUp()

        policy.reset()
        policy.init()

        self.context = context.get_admin_context()
Exemple #3
0
    def test_modified_policy_reloads(self):
        with utils.tempdir() as tmpdir:
            tmpfilename = os.path.join(tmpdir, 'policy')

            self.flags(policy_file=tmpfilename, group='oslo_policy')

            # NOTE(uni): context construction invokes policy check to determine
            # is_admin or not. As a side-effect, policy reset is needed here
            # to flush existing policy cache.
            policy.reset()
            # NOTE(gmann): We do not need to log policy warnings for unit
            # tests.
            policy.init(suppress_deprecation_warnings=True)
            rule = oslo_policy.RuleDefault('example:test', "")
            policy._ENFORCER.register_defaults([rule])

            action = "example:test"
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": ""}')
            policy.authorize(self.context, action, self.target)
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": "!"}')
            policy._ENFORCER.load_rules(True)
            self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
                              self.context, action, self.target)
Exemple #4
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rules = [
         oslo_policy.RuleDefault("true", '@'),
         oslo_policy.RuleDefault("example:allowed", '@'),
         oslo_policy.RuleDefault("example:denied", "!"),
         oslo_policy.RuleDefault("old_action_not_default", "@"),
         oslo_policy.RuleDefault("new_action", "@"),
         oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
         oslo_policy.RuleDefault("example:get_http",
                                 "http://www.example.com"),
         oslo_policy.RuleDefault(
             "example:my_file", "role:compute_admin or "
             "project_id:%(project_id)s"),
         oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
         oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
         oslo_policy.RuleDefault("example:lowercase_admin",
                                 "role:admin or role:sysadmin"),
         oslo_policy.RuleDefault("example:uppercase_admin",
                                 "role:ADMIN or role:sysadmin"),
     ]
     policy.reset()
     policy.init()
     # before a policy rule can be used, its default has to be registered.
     policy._ENFORCER.register_defaults(rules)
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rules = [
         oslo_policy.RuleDefault("true", '@'),
         oslo_policy.RuleDefault("example:allowed", '@'),
         oslo_policy.RuleDefault("example:denied", "!"),
         oslo_policy.RuleDefault("old_action_not_default", "@"),
         oslo_policy.RuleDefault("new_action", "@"),
         oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
         oslo_policy.RuleDefault("example:get_http",
                                 "http://www.example.com"),
         oslo_policy.RuleDefault("example:my_file",
                                 "role:compute_admin or "
                                 "project_id:%(project_id)s"),
         oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
         oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
         oslo_policy.RuleDefault("example:lowercase_admin",
                                 "role:admin or role:sysadmin"),
         oslo_policy.RuleDefault("example:uppercase_admin",
                                 "role:ADMIN or role:sysadmin"),
     ]
     policy.reset()
     policy.init()
     # before a policy rule can be used, its default has to be registered.
     policy._ENFORCER.register_defaults(rules)
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #6
0
    def setUp(self):
        super(DefaultPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()

        self.rules = {"default": [], "example:exist": [["false:false"]]}

        self._set_brain('default')

        self.context = context.RequestContext('fake', 'fake')
Exemple #7
0
    def setUp(self):
        super(DefaultPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()

        self.rules = {
            "default": '',
            "example:exist": "!",
        }

        self._set_rules('default')

        self.context = context.RequestContext('fake', 'fake')
Exemple #8
0
    def setUp(self):
        super(DefaultPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()

        self.rules = {
            "default": '',
            "example:exist": "!",
        }

        self._set_rules('default')

        self.context = context.RequestContext('fake', 'fake')
Exemple #9
0
    def setUp(self):
        super(DefaultPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()

        self.rules = {
            "default": [],
            "example:exist": [["false:false"]]
        }

        self._set_brain('default')

        self.context = context.RequestContext('fake', 'fake')
Exemple #10
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rules = {
         "true": "@",
         "example:allowed": "@",
         "example:denied": "!",
         "example:get_http": "http://www.example.com",
         "example:my_file": "role:compute_admin or " "project_id:%(project_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     policy.reset()
     policy.init()
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     self.context = context.RequestContext("fake", "fake", roles=["member"])
     self.target = {}
Exemple #11
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": "!",
         "example:get_http": "http://www.example.com",
         "example:my_file": "role:compute_admin or "
         "project_id:%(project_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     policy.reset()
     policy.init()
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #12
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": "!",
         "example:get_http": "http://www.example.com",
         "example:my_file": "role:compute_admin or "
                            "project_id:%(project_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     policy.reset()
     policy.init()
     policy.set_rules(dict((k, common_policy.parse_rule(v))
                            for k, v in rules.items()))
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #13
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": [],
         "example:allowed": [],
         "example:denied": [["false:false"]],
         "example:get_http": [["http:http://www.example.com"]],
         "example:my_file": [["role:compute_admin"],
                             ["project_id:%(project_id)s"]],
         "example:early_and_fail": [["false:false", "rule:true"]],
         "example:early_or_success": [["rule:true"], ["false:false"]],
         "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
         "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
     }
     # NOTE(vish): then overload underlying brain
     common_policy.set_brain(common_policy.HttpBrain(rules))
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #14
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": [],
         "example:allowed": [],
         "example:denied": [["false:false"]],
         "example:get_http": [["http:http://www.example.com"]],
         "example:my_file": [["role:compute_admin"],
                             ["project_id:%(project_id)s"]],
         "example:early_and_fail": [["false:false", "rule:true"]],
         "example:early_or_success": [["rule:true"], ["false:false"]],
         "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
         "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
     }
     # NOTE(vish): then overload underlying brain
     common_policy.set_brain(common_policy.HttpBrain(rules))
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #15
0
    def test_modified_policy_reloads(self):
        with utils.tempdir() as tmpdir:
            tmpfilename = os.path.join(tmpdir, 'policy')

            self.flags(policy_file=tmpfilename, group='oslo_policy')

            # NOTE(uni): context construction invokes policy check to determine
            # is_admin or not. As a side-effect, policy reset is needed here
            # to flush existing policy cache.
            policy.reset()
            policy.init()
            rule = oslo_policy.RuleDefault('example:test', "")
            policy._ENFORCER.register_defaults([rule])

            action = "example:test"
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": ""}')
            policy.authorize(self.context, action, self.target)
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": "!"}')
            policy._ENFORCER.load_rules(True)
            self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
                              self.context, action, self.target)
Exemple #16
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": "!",
         "example:get_http": "http://www.example.com",
         "example:my_file": "role:compute_admin or "
         "project_id:%(project_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying brain
     common_policy.set_rules(
         common_policy.Rules(
             dict((k, common_policy.parse_rule(v))
                  for k, v in rules.items())))
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #17
0
 def setUp(self):
     super(IsAdminCheckTestCase, self).setUp()
     policy.init()
Exemple #18
0
 def setUp(self):
     super(IsAdminCheckTestCase, self).setUp()
     # NOTE(gmann): We do not need to log policy warnings for unit
     # tests.
     policy.init(suppress_deprecation_warnings=True)
Exemple #19
0
 def _set_rules(self, default_rule):
     policy.reset()
     rules = oslo_policy.Rules.from_dict(self.rules)
     policy.init(rules=rules, default_rule=default_rule, use_conf=False)
Exemple #20
0
 def _set_rules(self, default_rule):
     policy.reset()
     rules = oslo_policy.Rules.from_dict(self.rules)
     policy.init(rules=rules, default_rule=default_rule, use_conf=False)
Exemple #21
0
    def _check_policy(self):
        """Checks to see if policy file is overwritten with the new
        defaults.
        """
        msg = _("Your policy file contains rules which examine token scope, "
                "which may be due to generation with the new defaults. "
                "If that is done intentionally to migrate to the new rule "
                "format, then you are required to enable the flag "
                "'oslo_policy.enforce_scope=True' and educate end users on "
                "how to request scoped tokens from Keystone. Another easy "
                "and recommended way for you to achieve the same is via two "
                "flags, 'oslo_policy.enforce_scope=True' and "
                "'oslo_policy.enforce_new_defaults=True' and avoid "
                "overwriting the file. Please refer to this document to "
                "know the complete migration steps: "
                "https://docs.openstack.org/nova/latest/configuration"
                "/policy-concepts.html. If you did not intend to migrate "
                "to new defaults in this upgrade, then with your current "
                "policy file the scope checking rule will fail. A possible "
                "reason for such a policy file is that you generated it with "
                "'oslopolicy-sample-generator' in json format. "
                "Three ways to fix this until you are ready to migrate to "
                "scoped policies: 1. Generate the policy file with "
                "'oslopolicy-sample-generator' in yaml format, keep "
                "the generated content commented out, and update "
                "the generated policy.yaml location in "
                "``oslo_policy.policy_file``. "
                "2. Use a pre-existing sample config file from the Train "
                "release. 3. Use an empty or non-existent file to take all "
                "the defaults.")
        rule = "system_admin_api"
        rule_new_default = "role:admin and system_scope:all"
        status = upgradecheck.Result(upgradecheck.Code.SUCCESS)
        # NOTE(gmann): Initialise the policy if it not initialized.
        # We need policy enforcer with all the rules loaded to check
        # their value with defaults.
        try:
            if policy._ENFORCER is None:
                policy.init(suppress_deprecation_warnings=True)

            # For safer side, recheck that the enforcer is available before
            # upgrade checks. If something is wrong on oslo side and enforcer
            # is still not available the return warning to avoid any false
            # result.
            if policy._ENFORCER is not None:
                current_rule = str(policy._ENFORCER.rules[rule]).strip("()")
                if (current_rule == rule_new_default and
                    not CONF.oslo_policy.enforce_scope):
                    status = upgradecheck.Result(upgradecheck.Code.WARNING,
                                                 msg)
            else:
                status = upgradecheck.Result(
                    upgradecheck.Code.WARNING,
                    _('Policy is not initialized to check the policy rules'))
        except Exception as ex:
            status = upgradecheck.Result(
                upgradecheck.Code.WARNING,
                _('Unable to perform policy checks due to error: %s') %
                str(ex))
        # reset the policy state so that it can be initialized from fresh if
        # operator changes policy file after running this upgrade checks.
        policy.reset()
        return status
Exemple #22
0
 def _set_rules(self, default_rule):
     policy.reset()
     rules = dict((k, common_policy.parse_rule(v))
                  for k, v in self.rules.items())
     policy.init(rules=rules, default_rule=default_rule, use_conf=False)
Exemple #23
0
 def setUp(self):
     super(IsAdminCheckTestCase, self).setUp()
     policy.init()
Exemple #24
0
 def _set_rules(self, default_rule):
     policy.reset()
     rules = {k: common_policy.parse_rule(v) for k, v in self.rules.items()}
     policy.init(rules=rules, default_rule=default_rule, use_conf=False)