Exemple #1
0
def _set_rules(data):
    default_rule = 'default'
    LOG.debug(_("Loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    for pol in policies.keys():
        if any([pol.startswith(depr_pol) for depr_pol in
                DEPRECATED_POLICY_MAP.keys()]):
            LOG.warning(_("Found deprecated policy rule:%s. Please consider "
                          "upgrading your policy configuration file"), pol)
            pol_name, action = pol.rsplit(':', 1)
            try:
                new_actions = DEPRECATED_ACTION_MAP[action]
                new_policies = DEPRECATED_POLICY_MAP[pol_name]
                # bind new actions and policies together
                for actual_policy in ['_'.join(item) for item in
                                      itertools.product(new_actions,
                                                        new_policies)]:
                    if actual_policy not in policies:
                        # New policy, same rule
                        LOG.info(_("Inserting policy:%(new_policy)s in place "
                                   "of deprecated policy:%(old_policy)s"),
                                 {'new_policy': actual_policy,
                                  'old_policy': pol})
                        policies[actual_policy] = policies[pol]
                # Remove old-style policy
                del policies[pol]
            except KeyError:
                LOG.error(_("Backward compatibility unavailable for "
                            "deprecated policy %s. The policy will "
                            "not be enforced"), pol)
    policy.set_rules(policies)
Exemple #2
0
 def test_get_roles_context_is_admin_rule_missing(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     # 'admin' role is expected for bw compatibility
     self.assertEqual(['admin'], policy.get_admin_roles())
Exemple #3
0
 def test_get_roles_with_rule_check(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     self.assertEqual(['admin'], policy.get_admin_roles())
Exemple #4
0
 def test_get_roles_context_is_admin_rule_missing(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     # 'admin' role is expected for bw compatibility
     self.assertEqual(['admin'], policy.get_admin_roles())
Exemple #5
0
def _set_rules(data):
    default_rule = 'default'
    LOG.debug(_("Loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    for pol in policies.keys():
        if any([pol.startswith(depr_pol) for depr_pol in
                DEPRECATED_POLICY_MAP.keys()]):
            LOG.warn(_("Found deprecated policy rule:%s. Please consider "
                       "upgrading your policy configuration file"), pol)
            pol_name, action = pol.rsplit(':', 1)
            try:
                new_actions = DEPRECATED_ACTION_MAP[action]
                new_policies = DEPRECATED_POLICY_MAP[pol_name]
                # bind new actions and policies together
                for actual_policy in ['_'.join(item) for item in
                                      itertools.product(new_actions,
                                                        new_policies)]:
                    if actual_policy not in policies:
                        # New policy, same rule
                        LOG.info(_("Inserting policy:%(new_policy)s in place "
                                   "of deprecated policy:%(old_policy)s"),
                                 {'new_policy': actual_policy,
                                  'old_policy': pol})
                        policies[actual_policy] = policies[pol]
                # Remove old-style policy
                del policies[pol]
            except KeyError:
                LOG.error(_("Backward compatibility unavailable for "
                            "deprecated policy %s. The policy will "
                            "not be enforced"), pol)
    policy.set_rules(policies)
Exemple #6
0
 def test_get_roles_with_rule_check(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     self.assertEqual(['admin'], policy.get_admin_roles())
Exemple #7
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     self.addCleanup(policy.reset)
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": "@",
         "example:allowed": "@",
         "example:denied": "!",
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     common_policy.set_rules(common_policy.Rules(dict((k, common_policy.parse_rule(v)) for k, v in rules.items())))
     self.context = context.Context("fake", "fake", roles=["member"])
     self.target = {}
Exemple #8
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     self.addCleanup(policy.reset)
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": '!',
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     common_policy.set_rules(common_policy.Rules(
         dict((k, common_policy.parse_rule(v))
              for k, v in rules.items())))
     self.context = context.Context('fake', 'fake', roles=['member'])
     self.target = {}
Exemple #9
0
 def fakepolicyinit():
     common_policy.set_rules(common_policy.Rules(self.rules))
Exemple #10
0
 def _set_rules(self, default_rule):
     rules = common_policy.Rules(
         dict((k, common_policy.parse_rule(v))
              for k, v in self.rules.items()), default_rule)
     common_policy.set_rules(rules)
Exemple #11
0
 def fakepolicyinit():
     common_policy.set_rules(common_policy.Rules(self.rules))
Exemple #12
0
 def _set_rules(self, default_rule):
     rules = common_policy.Rules(
         dict((k, common_policy.parse_rule(v))
              for k, v in self.rules.items()), default_rule)
     common_policy.set_rules(rules)