def test_rule_true(self):
    """Check that a 'rule' check returns True and consults the 'spam' rule.

    The enforcer is passed explicitly as the third argument, and the stored
    'spam' rule is expected to be called exactly once with those arguments.
    """
    # NOTE(review): ENFORCER is defined outside this snippet; presumably its
    # rules['spam'] entry is a mock that returns True. Confirm against the
    # fixture.
    enforcer = ENFORCER
    check = policy.RuleCheck('rule', 'spam')

    # assertEqual(..., True) requires a result equal to True, which is
    # stricter than assertTrue's "any truthy value".
    outcome = check('target', 'creds', enforcer)
    self.assertEqual(outcome, True)

    # The referenced rule must be called once with the same
    # target/creds/enforcer triple, so the decision is delegated rather than
    # short-circuited.
    spam_rule = enforcer.rules['spam']
    spam_rule.assert_called_once_with('target', 'creds', enforcer)
def _build_match_rule(action, target):
    """Create the rule to match for a given action.

    The original description lists four kinds of entry:

    1) entries for matching permission on objects
    2) an entry for the specific action (e.g.: create_network)
    3) an entry for attributes of a resource for which the action is being
       executed (e.g.: create_network:shared)
    4) an entry for sub-attributes of a resource for which the action is
       being executed
       (e.g.: create_router:external_gateway_info:network_id)

    Only (2) is live in this version. The function returns a single
    ``policy.RuleCheck('rule', action)``. The code that would add (3) and (4)
    is wrapped in a bare string literal and never runs, and no code for (1) is
    visible here. As a result ``target`` is unused, and attributes marked
    ``enforce_policy`` get no separate check from this function.
    """
    match_rule = policy.RuleCheck('rule', action)

    # NOTE(review): the block below is a string expression, not code. It is
    # evaluated and discarded, so attribute-level policy enforcement is
    # switched off. If other code relies on rules such as
    # '<action>:<attribute>' being enforced on writes, this is the place to
    # check. Confirm the disablement is intentional before shipping.
    '''
    resource, is_write = get_resource_and_action(action)
    # Attribute-based checks shall not be enforced on GETs
    if is_write:
        # assigning to variable with short name for improving readability
        res_map = attributes.RESOURCE_ATTRIBUTE_MAP
        if resource in res_map:
            for attribute_name in res_map[resource]:
                if _is_attribute_explicitly_set(attribute_name,
                                                res_map[resource],
                                                target):
                    attribute = res_map[resource][attribute_name]
                    if 'enforce_policy' in attribute:
                        attr_rule = policy.RuleCheck('rule', '%s:%s' %
                                                     (action, attribute_name))
                        # Build match entries for sub-attributes, if present
                        validate = attribute.get('validate')
                        if (validate and any([k.startswith('type:dict') and v
                                              for (k, v) in
                                              validate.iteritems()])):
                            attr_rule = policy.AndCheck(
                                [attr_rule, _build_subattr_match_rule(
                                    attribute_name, attribute,
                                    action, target)])
                        match_rule = policy.AndCheck([match_rule, attr_rule])
    '''
    return match_rule
def test_rule_missing(self):
    """Check that a 'rule' check naming 'spam' evaluates to False.

    This pins a deny outcome: the check must return a value equal to False
    rather than raise or allow.
    """
    # NOTE(review): going by the test name, 'spam' is presumably absent from
    # ENFORCER's rules in this fixture. Confirm against the test setup, which
    # is outside this snippet.
    check = policy.RuleCheck('rule', 'spam')
    outcome = check('target', 'creds', ENFORCER)
    self.assertEqual(outcome, False)
def test_rule_true(self):
    """Check that a 'rule' check returns True and consults the 'spam' rule.

    In this variant the check is called with target and creds only, and the
    rule is looked up in the module-level ``policy._rules`` mapping.
    """
    # NOTE(review): policy._rules['spam'] is presumably a mock returning True
    # that is installed by the test setup. Confirm against the fixture.
    check = policy.RuleCheck('rule', 'spam')

    # assertEqual(..., True) requires a result equal to True, which is
    # stricter than assertTrue's "any truthy value".
    verdict = check('target', 'creds')
    self.assertEqual(verdict, True)

    # The stored rule must be called exactly once with the same target and
    # credentials.
    spam_rule = policy._rules['spam']
    spam_rule.assert_called_once_with('target', 'creds')