def test_templatized_enforcement(self):
    """Enforce one action against an owned and a foreign project target.

    The same action is checked against two targets that differ only in
    ``project_id``: the call with 'fake' must not raise, and the call with
    'another' must raise PolicyNotAuthorized.

    NOTE(review): presumably the rule behind "example:my_file" compares the
    target's project_id with the project of self.context; both are set up
    outside this method - confirm against the fixture.
    """
    action = "example:my_file"
    owned_target = {'project_id': 'fake'}
    foreign_target = {'project_id': 'another'}

    # Allowed case: success here simply means that no exception is raised.
    policy.enforce(self.context, action, owned_target)

    # Denied case: a different project must be rejected.
    self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
                      self.context, action, foreign_target)
def handle_request(self, request):
    """Handle a REST request.

    When auth_strategy is "keystone", the caller is first checked with
    policy.enforce() for the action "<action_type>_<model_name>". A denial
    is logged and answered with the exception's text and status code.
    A request that gets past that step is dispatched on its HTTP method.

    Args:
        request: A webob request object.

    Returns:
        A webob response object.
    """
    # NOTE(arosen): only do policy.json if keystone is used for now.
    # NOTE(review): under any other auth_strategy this method makes no
    # policy.enforce() call, so it applies no API policy of its own.
    if cfg.CONF.auth_strategy == "keystone":
        caller = request.environ["congress.context"]
        # NOTE(arosen): today congress only enforces API policy on which
        # API calls we allow tenants to make with their given roles.
        # The target is built from the caller's own identity, so this is
        # a check on the caller, not on ownership of a particular object.
        caller_target = {"project_id": caller.project_id,
                         "user_id": caller.user_id}

        verb = self._get_action_type(request.method)
        # FIXME(arosen): There should be a cleaner way to do this.
        # The model name is taken from this handler's own path_regex, not
        # from the URL of the incoming request.
        model = self.path_regex.split("/")[1]
        action = "%s_%s" % (verb, model)

        # TODO(arosen): we should handle serializing the
        # response in one place
        try:
            policy.enforce(caller, action, caller_target)
        except exception.PolicyNotAuthorized as denied:
            LOG.info(denied)
            # NOTE(review): the body is the exception text as-is while the
            # content type announces JSON - confirm clients cope with that.
            return webob.Response(body=unicode(denied),
                                  status=denied.code,
                                  content_type="application/json")

    # Each method is served only if the handler has the matching allow_*
    # flag set; everything else falls through to NOT_SUPPORTED_RESPONSE.
    if request.method == "GET" and self.allow_list:
        return self.list_members(request)
    if request.method == "POST" and self.allow_create:
        return self.create_member(request)
    return NOT_SUPPORTED_RESPONSE
def test_ignore_case_role_check(self):
    """Check that role matching does not depend on letter case.

    A context whose only role is spelled 'AdMiN' is enforced against two
    actions; the test passes when neither call raises.

    NOTE(review): presumably the two rules name the admin role in lower
    and upper case respectively - the rule file is not visible here.
    """
    # NOTE(dprince) we mix case in the Admin role here to ensure
    # case is ignored
    mixed_case_admin = context.RequestContext('admin',
                                              'fake',
                                              roles=['AdMiN'])
    for action in ("example:lowercase_admin", "example:uppercase_admin"):
        policy.enforce(mixed_case_admin, action, self.target)
def test_modified_policy_reloads(self):
    """Rewrite the policy file and check that the new rule is enforced.

    The file first maps "example:test" to an empty rule, under which
    enforce() must not raise. It is then rewritten to map the action to
    "!", the rules are reloaded, and enforce() must raise
    PolicyNotAuthorized.
    """
    with utils.tempdir() as tmpdir:
        policy_path = os.path.join(tmpdir, 'policy')
        CONF.set_override('policy_file', policy_path, 'oslo_policy')

        # NOTE(uni): context construction invokes policy check to determine
        # is_admin or not. As a side-effect, policy reset is needed here
        # to flush existing policy cache.
        policy.reset()

        action = "example:test"

        # Phase 1: permissive rule; the file is closed before enforcing so
        # that the content is on disk when the policy is read.
        with open(policy_path, "w") as handle:
            handle.write('{"example:test": ""}')
        policy.enforce(self.context, action, self.target)

        # Phase 2: the same action now maps to "!"; reload explicitly so
        # the check below cannot be served from the rules loaded earlier.
        with open(policy_path, "w") as handle:
            handle.write('{"example:test": "!"}')
        policy._ENFORCER.load_rules(True)
        self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
                          self.context, action, self.target)
def handle_request(self, request):
    """Handle a REST request.

    When auth_strategy is "keystone", the caller is first checked with
    policy.enforce() for the action "<action_type>_<model_name>". A denial
    is logged and answered with the exception's text and status code.
    A request that gets past that step is dispatched on its HTTP method.

    Args:
        request: A webob request object.

    Returns:
        A webob response object.
    """
    # NOTE(arosen): only do policy.json if keystone is used for now.
    # NOTE(review): under any other auth_strategy this method makes no
    # policy.enforce() call, so it applies no API policy of its own.
    if cfg.CONF.auth_strategy == "keystone":
        caller = request.environ['congress.context']
        # NOTE(arosen): today congress only enforces API policy on which
        # API calls we allow tenants to make with their given roles.
        # The target is built from the caller's own identity, so this is
        # a check on the caller, not on ownership of a particular object.
        caller_target = {
            'project_id': caller.project_id,
            'user_id': caller.user_id
        }

        verb = self._get_action_type(request.method)
        # FIXME(arosen): There should be a cleaner way to do this.
        # The model name is taken from this handler's own path_regex, not
        # from the URL of the incoming request.
        model = self.path_regex.split('/')[1]
        action = "%s_%s" % (verb, model)

        # TODO(arosen): we should handle serializing the
        # response in one place
        try:
            policy.enforce(caller, action, caller_target)
        except exception.PolicyNotAuthorized as denied:
            LOG.info(denied)
            # NOTE(review): the body is the exception text as-is while the
            # content type announces JSON - confirm clients cope with that.
            return webob.Response(body=six.text_type(denied),
                                  status=denied.code,
                                  content_type='application/json',
                                  charset='UTF-8')

    # Each method is served only if the handler has the matching allow_*
    # flag set; everything else falls through to NOT_SUPPORTED_RESPONSE.
    if request.method == 'GET' and self.allow_list:
        return self.list_members(request)
    if request.method == 'POST' and self.allow_create:
        return self.create_member(request)
    if request.method == 'PUT' and self.allow_update:
        return self.update_members(request)
    return NOT_SUPPORTED_RESPONSE
def test_enforce_good_action(self):
    """Check that enforce() returns a truthy value for an allowed action."""
    # self.context and self.target are prepared outside this method.
    verdict = policy.enforce(self.context, "example:allowed", self.target)
    self.assertTrue(verdict)
def test_early_OR_enforcement(self):
    """Enforce "example:early_or_success"; the test passes if nothing raises.

    NOTE(review): the name suggests an OR rule whose first alternative
    already succeeds - the rule definition is not visible here.
    """
    # No assertion on the return value: only the absence of an exception
    # is checked.
    policy.enforce(self.context, "example:early_or_success", self.target)
def test_enforce_good_action(self):
    """Check that enforce() returns a value equal to True when allowed."""
    # self.context and self.target are prepared outside this method.
    verdict = policy.enforce(self.context, "example:allowed", self.target)
    self.assertEqual(verdict, True)
def test_enforce_http_true(self, mock_httpcheck):
    """Check that "example:get_http" is allowed for an empty target.

    mock_httpcheck is not used in the body.

    NOTE(review): presumably it is injected by a patch decorator outside
    this block that replaces the HTTP check, so no real request is made
    and the decision under test is the stubbed one - confirm.
    """
    empty_target = {}
    verdict = policy.enforce(self.context, "example:get_http", empty_target)
    self.assertTrue(verdict)
def test_enforce_http_true(self, mock_urlopen):
    """Check that "example:get_http" yields True for an empty target.

    mock_urlopen is not used in the body.

    NOTE(review): presumably it is injected by a patch decorator outside
    this block that replaces the URL opener, so no real request is made
    and the decision under test is the stubbed one - confirm.
    """
    empty_target = {}
    verdict = policy.enforce(self.context, "example:get_http", empty_target)
    self.assertEqual(verdict, True)
def test_enforce_http_true(self):
    """Check that "example:get_http" is allowed with HttpCheckFixture(True).

    NOTE(review): the fixture presumably makes the HTTP check answer True
    without contacting a remote endpoint - confirm against op_fixture.
    """
    # Install the fixture before enforcing so the check sees it.
    self.useFixture(op_fixture.HttpCheckFixture(True))

    empty_target = {}
    verdict = policy.enforce(self.context, "example:get_http", empty_target)
    self.assertTrue(verdict)
def test_not_found_policy_calls_default(self):
    """Enforce an action named "example:noexist" against an empty target.

    The test passes when enforce() does not raise.

    NOTE(review): going by the test name, an action with no rule of its
    own is decided by the default rule, so the outcome for any undefined
    action is only as restrictive as that default - confirm in the rules.
    """
    unknown_action = "example:noexist"
    policy.enforce(self.context, unknown_action, {})
def test_enforce_bad_action_noraise(self):
    """Check that a denied action yields a falsy result instead of raising.

    The fourth positional argument to enforce() is False; the test expects
    a return value rather than PolicyNotAuthorized. In this mode the
    denial is visible only through that return value, so a caller has to
    test it.
    """
    verdict = policy.enforce(self.context, "example:denied", self.target,
                             False)
    self.assertFalse(verdict)
def test_enforce_bad_action_noraise(self):
    """Check that a denied action returns a value equal to False.

    The fourth positional argument to enforce() is False; the test expects
    a return value rather than PolicyNotAuthorized. In this mode the
    denial is visible only through that return value, so a caller has to
    test it.
    """
    verdict = policy.enforce(self.context, "example:denied", self.target,
                             False)
    self.assertEqual(verdict, False)