def test_str_true(self): exemplar = """{ "admin_or_owner": "" }""" rules = policy.Rules(dict(admin_or_owner=_checks.TrueCheck(), )) self.assertEqual(exemplar, str(rules))
def _parse_check(rule): """Parse a single base check rule into an appropriate Check object.""" # Handle the special checks if rule == '!': return _checks.FalseCheck() elif rule == '@': return _checks.TrueCheck() try: kind, match = rule.split(':', 1) except Exception: LOG.exception('Failed to understand rule %s', rule) # If the rule is invalid, we'll fail closed return _checks.FalseCheck() # Find what implements the check extension_checks = _checks.get_extensions() if kind in extension_checks: return extension_checks[kind](kind, match) elif kind in _checks.registered_checks: return _checks.registered_checks[kind](kind, match) elif None in _checks.registered_checks: return _checks.registered_checks[None](kind, match) else: LOG.error('No handler for matches of kind %s', kind) return _checks.FalseCheck()
def test_str_true(self): exemplar = jsonutils.dumps({ "admin_or_owner": "" }, indent=4) rules = policy.Rules(dict( admin_or_owner=_checks.TrueCheck(), )) self.assertEqual(exemplar, str(rules))
def test_enforcer_with_default_rule(self): rules_json = jsonutils.dumps({ "deny_stack_user": "******", "cloudwatch:PutMetricData": "" }) rules = policy.Rules.load(rules_json) default_rule = _checks.TrueCheck() enforcer = policy.Enforcer(self.conf, default_rule=default_rule) enforcer.set_rules(rules) action = 'cloudwatch:PutMetricData' creds = {'roles': ''} self.assertTrue(enforcer.enforce(action, {}, creds))
def _parse_list_rule(rule): """Translates the old list-of-lists syntax into a tree of Check objects. Provided for backwards compatibility. """ # Empty rule defaults to True if not rule: return _checks.TrueCheck() # Outer list is joined by "or"; inner list by "and" or_list = [] for inner_rule in rule: # Skip empty inner lists if not inner_rule: continue # Handle bare strings if isinstance(inner_rule, six.string_types): inner_rule = [inner_rule] # Parse the inner rules into Check objects and_list = [_parse_check(r) for r in inner_rule] # Append the appropriate check to the or_list if len(and_list) == 1: or_list.append(and_list[0]) else: or_list.append(_checks.AndCheck(and_list)) # If we have only one check, omit the "or" if not or_list: return _checks.FalseCheck() elif len(or_list) == 1: return or_list[0] return _checks.OrCheck(or_list)
def _parse_text_rule(rule): """Parses policy to the tree. Translates a policy written in the policy language into a tree of Check objects. """ # Empty rule means always accept if not rule: return _checks.TrueCheck() # Parse the token stream state = ParseState() for tok, value in _parse_tokenize(rule): state.shift(tok, value) try: return state.result except ValueError: # Couldn't parse the rule LOG.exception(_LE('Failed to understand rule %s'), rule) # Fail closed return _checks.FalseCheck()
def test_call_true(self): rule = _checks.TrueCheck() check = _checks.NotCheck(rule) self.assertFalse(check('target', 'cred', None))
def test_call(self): check = _checks.TrueCheck() self.assertTrue(check('target', 'creds', None))
def test_str(self): check = _checks.TrueCheck() self.assertEqual('@', str(check))