def test_discover_policy_files_with_many_invalid_one_valid(
self, m_glob, m_os, m_creds, *args):
service = 'test_service'
custom_policy_files = ['foo/%s', 'bar/%s', 'baz/%s']
m_glob.iglob.side_effect = [
iter([path % service]) for path in custom_policy_files
]
# Only the 3rd path is valid.
m_os.path.isfile.side_effect = [False, False, True]
# Ensure the outer for loop runs only once in `discover_policy_files`.
m_creds.Manager().identity_services_v3_client.\
list_services.return_value = {
'services': [{'name': service}]}
# The expected policy will be 'baz/test_service'.
self.useFixture(
fixtures.ConfPatcher(custom_policy_files=custom_policy_files,
group='patrole'))
policy_parser = policy_authority.PolicyAuthority(None, None, service)
# Ensure that "policy_files" is set at class and instance levels.
self.assertTrue(
hasattr(policy_authority.PolicyAuthority, 'policy_files'))
self.assertTrue(hasattr(policy_parser, 'policy_files'))
self.assertEqual(['baz/%s' % service],
policy_parser.policy_files[service])
def test_discover_policy_files_with_many_invalid_one_valid(self, m_os,
m_creds, *args):
# Only the 3rd path is valid.
m_os.path.isfile.side_effect = [False, False, True, False]
# Ensure the outer for loop runs only once in `discover_policy_files`.
m_creds.Manager().identity_services_v3_client.\
list_services.return_value = {
'services': [{'name': 'test_service'}]}
# The expected policy will be 'baz/test_service'.
self.useFixture(fixtures.ConfPatcher(
custom_policy_files=['foo/%s', 'bar/%s', 'baz/%s'],
group='patrole'))
policy_parser = policy_authority.PolicyAuthority(
None, None, 'test_service')
# Ensure that "policy_files" is set at class and instance levels.
self.assertIn('policy_files',
dir(policy_authority.PolicyAuthority))
self.assertIn('policy_files', dir(policy_parser))
self.assertIn('test_service', policy_parser.policy_files)
self.assertEqual('baz/test_service',
policy_parser.policy_files['test_service'])
def setUp(self):
super(BaseRBACRuleValidationTest, self).setUp()
self.mock_test_args = mock.Mock(spec=test.BaseTestCase)
self.mock_test_args.os_primary = mock.Mock(spec=manager.Manager)
self.mock_test_args.rbac_utils = mock.Mock(
spec_set=rbac_utils.RbacUtils)
# Setup credentials for mock client manager.
mock_creds = mock.Mock(user_id=mock.sentinel.user_id,
project_id=mock.sentinel.project_id)
setattr(self.mock_test_args.os_primary, 'credentials', mock_creds)
self.useFixture(
fixtures.ConfPatcher(rbac_test_role='Member', group='patrole'))
# Disable patrole log for unit tests.
self.useFixture(
fixtures.ConfPatcher(enable_reporting=False, group='patrole_log'))
def test_validate_service(self):
"""Positive test case to ensure ``validate_service`` works.
There are 3 possibilities:
1) Identity v3 API enabled.
2) Identity v2 API enabled.
3) Both are enabled.
"""
self.useFixture(fixtures.ConfPatcher(
api_v2=True, api_v3=False, group='identity-feature-enabled'))
self._test_validate_service(self.services, [], False)
self.useFixture(fixtures.ConfPatcher(
api_v2=False, api_v3=True, group='identity-feature-enabled'))
self._test_validate_service([], self.services, False)
self.useFixture(fixtures.ConfPatcher(
api_v2=True, api_v3=True, group='identity-feature-enabled'))
self._test_validate_service(self.services, self.services, False)
def setUp(self):
super(PolicyAuthorityTest, self).setUp()
mock_admin = self.patchobject(policy_authority.PolicyAuthority,
'os_admin')
mock_admin.identity_services_client.list_services.\
return_value = self.services
mock_admin.identity_services_v3_client.list_services.\
return_value = self.services
current_directory = os.path.dirname(os.path.realpath(__file__))
self.custom_policy_file = os.path.join(current_directory, 'resources',
'custom_rbac_policy.json')
self.admin_policy_file = os.path.join(current_directory, 'resources',
'admin_rbac_policy.json')
self.alt_admin_policy_file = os.path.join(
current_directory, 'resources', 'alt_admin_rbac_policy.json')
self.tenant_policy_file = os.path.join(current_directory, 'resources',
'tenant_rbac_policy.json')
self.conf_policy_path_json = os.path.join(current_directory,
'resources', '%s.json')
self.conf_policy_path_yaml = os.path.join(current_directory,
'resources', '%s.yaml')
self.useFixture(
fixtures.ConfPatcher(
custom_policy_files=[self.conf_policy_path_json],
group='patrole'))
self.useFixture(
fixtures.ConfPatcher(api_v3=True,
api_v2=False,
group='identity-feature-enabled'))
# Guarantee a blank slate for each test.
for attr in ('available_services', 'policy_files'):
if attr in dir(policy_authority.PolicyAuthority):
delattr(policy_authority.PolicyAuthority, attr)
self.test_obj = self.useFixture(fixtures.RbacUtilsMixinFixture()).\
test_obj
def test_rbac_report_logging_disabled(self, mock_authority, mock_rbaclog):
"""Test case to ensure that we DON'T write logs when enable_reporting
is False
"""
self.useFixture(
fixtures.ConfPatcher(enable_reporting=False, group='patrole_log'))
mock_authority.PolicyAuthority.return_value.allowed.return_value = True
@rbac_rv.action(mock.sentinel.service, rules=[mock.sentinel.action])
def test_policy(*args):
pass
test_policy(self.mock_test_args)
self.assertFalse(mock_rbaclog.info.called)
def test_skip_rbac_checks(self):
"""Validate that the child class is skipped if `[patrole] enable_rbac`
is False and that the child class's name is in the skip message.
"""
self.useFixture(
patrole_fixtures.ConfPatcher(enable_rbac=False, group='patrole'))
class ChildRbacTest(self.parent_class):
pass
child_test = ChildRbacTest()
with testtools.ExpectedException(
testtools.TestCase.skipException,
value_re=('Patrole testing not enabled so skipping %s.' %
ChildRbacTest.__name__)):
child_test.setUpClass()
def test_rbac_report_logging_enabled(self, mock_authority, mock_rbaclog):
"""Test case to ensure that we DO write logs when enable_reporting is
True
"""
self.useFixture(
fixtures.ConfPatcher(enable_reporting=True, group='patrole_log'))
mock_authority.PolicyAuthority.return_value.allowed.return_value = True
@rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
def test_policy(*args):
pass
test_policy(self.mock_test_args)
mock_rbaclog.info.assert_called_once_with(
"[Service]: %s, [Test]: %s, [Rule]: %s, "
"[Expected]: %s, [Actual]: %s", mock.sentinel.service,
'test_policy', mock.sentinel.action, "Allowed", "Allowed")
def test_rbac_report_logging_enabled(self, mock_authority, mock_rbaclog):
"""Test case to ensure that we DO write logs when enable_reporting is
True
"""
self.useFixture(
patrole_fixtures.ConfPatcher(enable_reporting=True,
group='patrole_log'))
mock_authority.PolicyAuthority.return_value.allowed.return_value = True
policy_names = ['foo:bar', 'baz:qux']
@rbac_rv.action(mock.sentinel.service, rules=policy_names)
def test_policy(*args):
pass
test_policy(self.test_obj)
mock_rbaclog.info.assert_called_once_with(
"[Service]: %s, [Test]: %s, [Rules]: %s, "
"[Expected]: %s, [Actual]: %s", mock.sentinel.service,
'test_policy', ', '.join(policy_names), "Allowed", "Allowed")
def test_invalid_policy_rule_raises_skip_exception(
self, mock_authority):
"""Test that invalid policy action causes test to be skipped with
``[patrole] strict_policy_check`` set to False.
"""
self.useFixture(
fixtures.ConfPatcher(strict_policy_check=False, group='patrole'))
mock_authority.PolicyAuthority.return_value.allowed.side_effect = (
rbac_exceptions.RbacParsingException)
@rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
def test_policy(*args):
pass
error_re = 'Attempted to test an invalid policy file or action'
self.assertRaisesRegex(testtools.TestCase.skipException, error_re,
test_policy, self.mock_test_args)
mock_authority.PolicyAuthority.assert_called_once_with(
mock.sentinel.project_id, mock.sentinel.user_id,
mock.sentinel.service, extra_target_data={})
def test_custom_multi_roles_policy_yaml(self):
self.useFixture(
fixtures.ConfPatcher(
custom_policy_files=[self.conf_policy_path_yaml],
group='patrole'))
self._test_custom_multi_roles_policy()
def setUp(self):
super(TestCase, self).setUp()
# Disable patrole log for unit tests.
self.useFixture(
patrole_fixtures.ConfPatcher(enable_reporting=False,
group='patrole_log'))
