def setUp(self):
super(PolicyTestCase, self).setUp()
rules = oslo_policy.Rules.from_dict({
"true":
'@',
"example:allowed":
'@',
"example:denied":
"!",
"example:get_http":
"http://www.example.com",
"example:my_file":
"role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail":
"! and @",
"example:early_or_success":
"@ or !",
"example:lowercase_admin":
"role:admin or role:sysadmin",
"example:uppercase_admin":
"role:ADMIN or role:sysadmin",
})
policy.reset()
policy.init()
policy.set_rules(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = oslo_policy.Rules.from_dict({
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
})
policy.reset()
policy.init()
policy.set_rules(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
CONF.set_override('policy_file', tmpfilename, 'oslo_policy')
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
CONF.set_override('policy_file', tmpfilename, 'oslo_policy')
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def _set_rules(self, default_rule):
policy.reset()
policy.init(rules=self.rules, default_rule=default_rule,
use_conf=False)
def _set_rules(self, default_rule):
policy.reset()
rules = dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items())
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _set_rules(self, default_rule):
policy.reset()
policy.init(rules=self.rules, default_rule=default_rule,
use_conf=False)
def _set_rules(self, default_rule):
policy.reset()
rules = dict(
(k, common_policy.parse_rule(v)) for k, v in self.rules.items())
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
