def test_discover_policy_files_with_many_invalid_one_valid( self, m_glob, m_os, m_creds, *args): service = 'test_service' custom_policy_files = ['foo/%s', 'bar/%s', 'baz/%s'] m_glob.iglob.side_effect = [ iter([path % service]) for path in custom_policy_files ] # Only the 3rd path is valid. m_os.path.isfile.side_effect = [False, False, True] # Ensure the outer for loop runs only once in `discover_policy_files`. m_creds.Manager().identity_services_v3_client.\ list_services.return_value = { 'services': [{'name': service}]} # The expected policy will be 'baz/test_service'. self.useFixture( fixtures.ConfPatcher(custom_policy_files=custom_policy_files, group='patrole')) policy_parser = policy_authority.PolicyAuthority(None, None, service) # Ensure that "policy_files" is set at class and instance levels. self.assertTrue( hasattr(policy_authority.PolicyAuthority, 'policy_files')) self.assertTrue(hasattr(policy_parser, 'policy_files')) self.assertEqual(['baz/%s' % service], policy_parser.policy_files[service])
def test_discover_policy_files_with_many_invalid_one_valid(self, m_os, m_creds, *args): # Only the 3rd path is valid. m_os.path.isfile.side_effect = [False, False, True, False] # Ensure the outer for loop runs only once in `discover_policy_files`. m_creds.Manager().identity_services_v3_client.\ list_services.return_value = { 'services': [{'name': 'test_service'}]} # The expected policy will be 'baz/test_service'. self.useFixture(fixtures.ConfPatcher( custom_policy_files=['foo/%s', 'bar/%s', 'baz/%s'], group='patrole')) policy_parser = policy_authority.PolicyAuthority( None, None, 'test_service') # Ensure that "policy_files" is set at class and instance levels. self.assertIn('policy_files', dir(policy_authority.PolicyAuthority)) self.assertIn('policy_files', dir(policy_parser)) self.assertIn('test_service', policy_parser.policy_files) self.assertEqual('baz/test_service', policy_parser.policy_files['test_service'])
def setUp(self): super(BaseRBACRuleValidationTest, self).setUp() self.mock_test_args = mock.Mock(spec=test.BaseTestCase) self.mock_test_args.os_primary = mock.Mock(spec=manager.Manager) self.mock_test_args.rbac_utils = mock.Mock( spec_set=rbac_utils.RbacUtils) # Setup credentials for mock client manager. mock_creds = mock.Mock(user_id=mock.sentinel.user_id, project_id=mock.sentinel.project_id) setattr(self.mock_test_args.os_primary, 'credentials', mock_creds) self.useFixture( fixtures.ConfPatcher(rbac_test_role='Member', group='patrole')) # Disable patrole log for unit tests. self.useFixture( fixtures.ConfPatcher(enable_reporting=False, group='patrole_log'))
def test_validate_service(self): """Positive test case to ensure ``validate_service`` works. There are 3 possibilities: 1) Identity v3 API enabled. 2) Identity v2 API enabled. 3) Both are enabled. """ self.useFixture(fixtures.ConfPatcher( api_v2=True, api_v3=False, group='identity-feature-enabled')) self._test_validate_service(self.services, [], False) self.useFixture(fixtures.ConfPatcher( api_v2=False, api_v3=True, group='identity-feature-enabled')) self._test_validate_service([], self.services, False) self.useFixture(fixtures.ConfPatcher( api_v2=True, api_v3=True, group='identity-feature-enabled')) self._test_validate_service(self.services, self.services, False)
def setUp(self): super(PolicyAuthorityTest, self).setUp() mock_admin = self.patchobject(policy_authority.PolicyAuthority, 'os_admin') mock_admin.identity_services_client.list_services.\ return_value = self.services mock_admin.identity_services_v3_client.list_services.\ return_value = self.services current_directory = os.path.dirname(os.path.realpath(__file__)) self.custom_policy_file = os.path.join(current_directory, 'resources', 'custom_rbac_policy.json') self.admin_policy_file = os.path.join(current_directory, 'resources', 'admin_rbac_policy.json') self.alt_admin_policy_file = os.path.join( current_directory, 'resources', 'alt_admin_rbac_policy.json') self.tenant_policy_file = os.path.join(current_directory, 'resources', 'tenant_rbac_policy.json') self.conf_policy_path_json = os.path.join(current_directory, 'resources', '%s.json') self.conf_policy_path_yaml = os.path.join(current_directory, 'resources', '%s.yaml') self.useFixture( fixtures.ConfPatcher( custom_policy_files=[self.conf_policy_path_json], group='patrole')) self.useFixture( fixtures.ConfPatcher(api_v3=True, api_v2=False, group='identity-feature-enabled')) # Guarantee a blank slate for each test. for attr in ('available_services', 'policy_files'): if attr in dir(policy_authority.PolicyAuthority): delattr(policy_authority.PolicyAuthority, attr) self.test_obj = self.useFixture(fixtures.RbacUtilsMixinFixture()).\ test_obj
def test_rbac_report_logging_disabled(self, mock_authority, mock_rbaclog): """Test case to ensure that we DON'T write logs when enable_reporting is False """ self.useFixture( fixtures.ConfPatcher(enable_reporting=False, group='patrole_log')) mock_authority.PolicyAuthority.return_value.allowed.return_value = True @rbac_rv.action(mock.sentinel.service, rules=[mock.sentinel.action]) def test_policy(*args): pass test_policy(self.mock_test_args) self.assertFalse(mock_rbaclog.info.called)
def test_skip_rbac_checks(self): """Validate that the child class is skipped if `[patrole] enable_rbac` is False and that the child class's name is in the skip message. """ self.useFixture( patrole_fixtures.ConfPatcher(enable_rbac=False, group='patrole')) class ChildRbacTest(self.parent_class): pass child_test = ChildRbacTest() with testtools.ExpectedException( testtools.TestCase.skipException, value_re=('Patrole testing not enabled so skipping %s.' % ChildRbacTest.__name__)): child_test.setUpClass()
def test_rbac_report_logging_enabled(self, mock_authority, mock_rbaclog): """Test case to ensure that we DO write logs when enable_reporting is True """ self.useFixture( fixtures.ConfPatcher(enable_reporting=True, group='patrole_log')) mock_authority.PolicyAuthority.return_value.allowed.return_value = True @rbac_rv.action(mock.sentinel.service, mock.sentinel.action) def test_policy(*args): pass test_policy(self.mock_test_args) mock_rbaclog.info.assert_called_once_with( "[Service]: %s, [Test]: %s, [Rule]: %s, " "[Expected]: %s, [Actual]: %s", mock.sentinel.service, 'test_policy', mock.sentinel.action, "Allowed", "Allowed")
def test_rbac_report_logging_enabled(self, mock_authority, mock_rbaclog): """Test case to ensure that we DO write logs when enable_reporting is True """ self.useFixture( patrole_fixtures.ConfPatcher(enable_reporting=True, group='patrole_log')) mock_authority.PolicyAuthority.return_value.allowed.return_value = True policy_names = ['foo:bar', 'baz:qux'] @rbac_rv.action(mock.sentinel.service, rules=policy_names) def test_policy(*args): pass test_policy(self.test_obj) mock_rbaclog.info.assert_called_once_with( "[Service]: %s, [Test]: %s, [Rules]: %s, " "[Expected]: %s, [Actual]: %s", mock.sentinel.service, 'test_policy', ', '.join(policy_names), "Allowed", "Allowed")
def test_invalid_policy_rule_raises_skip_exception( self, mock_authority): """Test that invalid policy action causes test to be skipped with ``[patrole] strict_policy_check`` set to False. """ self.useFixture( fixtures.ConfPatcher(strict_policy_check=False, group='patrole')) mock_authority.PolicyAuthority.return_value.allowed.side_effect = ( rbac_exceptions.RbacParsingException) @rbac_rv.action(mock.sentinel.service, mock.sentinel.action) def test_policy(*args): pass error_re = 'Attempted to test an invalid policy file or action' self.assertRaisesRegex(testtools.TestCase.skipException, error_re, test_policy, self.mock_test_args) mock_authority.PolicyAuthority.assert_called_once_with( mock.sentinel.project_id, mock.sentinel.user_id, mock.sentinel.service, extra_target_data={})
def test_custom_multi_roles_policy_yaml(self): self.useFixture( fixtures.ConfPatcher( custom_policy_files=[self.conf_policy_path_yaml], group='patrole')) self._test_custom_multi_roles_policy()
def setUp(self): super(TestCase, self).setUp() # Disable patrole log for unit tests. self.useFixture( patrole_fixtures.ConfPatcher(enable_reporting=False, group='patrole_log'))