def test_modified_policy_reloads(self):
"""Creates a temporary placement-policy.yaml file and tests
authorizations against a fake rule between updates to the physical
policy file.
"""
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'placement-policy.yaml')
self.conf.set_default(
'policy_file', tmpfilename, group='placement')
action = 'placement:test'
# Expect PolicyNotRegistered since defaults are not yet loaded.
self.assertRaises(oslo_policy.PolicyNotRegistered,
policy.authorize, self.ctxt, action, self.target)
# Load the default action and rule (defaults to "any").
enforcer = policy.get_enforcer()
rule = oslo_policy.RuleDefault(action, '')
enforcer.register_default(rule)
# Now auth should work because the action is registered and anyone
# can perform the action.
policy.authorize(self.ctxt, action, self.target)
# Now update the policy file and reload it to disable the action
# from all users.
with open(tmpfilename, "w") as policyfile:
policyfile.write('"%s": "!"' % action)
enforcer.load_rules(force_reload=True)
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.ctxt, action, self.target)
def test_modified_policy_reloads(self):
"""Creates a temporary placement-policy.yaml file and tests
authorizations against a fake rule between updates to the physical
policy file.
"""
tempdir = self.useFixture(fixtures.TempDir())
tmpfilename = os.path.join(tempdir.path, 'placement-policy.yaml')
self.conf_fixture.config(group='placement', policy_file=tmpfilename)
action = 'placement:test'
# Load the default action and rule (defaults to "any").
enforcer = policy._get_enforcer(self.conf_fixture.conf)
rule = oslo_policy.RuleDefault(action, '')
enforcer.register_default(rule)
# Now auth should work because the action is registered and anyone
# can perform the action.
policy.authorize(self.ctxt, action, self.target)
# Now update the policy file and reload it to disable the action
# from all users.
with open(tmpfilename, "w") as policyfile:
policyfile.write('"%s": "!"' % action)
enforcer.load_rules(force_reload=True)
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.ctxt, action, self.target)
def can(self, action, target=None, fatal=True):
"""Verifies that the given action is valid on the target in this
context.
:param action: string representing the action to be checked.
:param target: As much information about the object being operated on
as possible. The target argument should be a dict instance or an
instance of a class that fully supports the Mapping abstract base
class and deep copying. For object creation this should be a
dictionary representing the location of the object e.g.
``{'project_id': context.project_id}``. If None, then this default
target will be considered::
{'project_id': self.project_id, 'user_id': self.user_id}
:param fatal: if False, will return False when an
exception.PolicyNotAuthorized occurs.
:raises placement.exception.PolicyNotAuthorized:
if verification fails and fatal is True.
:return: returns a non-False value (not necessarily "True") if
authorized and False if not authorized and fatal is False.
"""
if target is None:
target = {'project_id': self.project_id, 'user_id': self.user_id}
try:
return policy.authorize(self, action, target)
except exception.PolicyNotAuthorized:
if fatal:
raise
return False
def test_authorize_do_raise_false(self):
"""Tests that authorize does not raise an exception when the check
fails.
"""
fixture = self.useFixture(policy_fixture.PlacementPolicyFixture())
fixture.set_rules({'placement': '!'})
self.assertFalse(
policy.authorize(
self.ctxt, 'placement', self.target, do_raise=False))
def test_authorize_do_raise_false(self):
"""Tests that authorize does not raise an exception when the check
fails.
"""
fixture = self.useFixture(
policy_fixture.PolicyFixture(self.conf_fixture))
# It doesn't matter which policy we use here so long as it's
# registered.
policy_name = 'placement:resource_providers:list'
fixture.set_rules({policy_name: '!'})
self.assertFalse(
policy.authorize(self.ctxt,
policy_name,
self.target,
do_raise=False))