def test_verify_show_cant_view_other_tenant(self):
        req = webob.Request.blank('/v2/faketenant_1/os-simple-tenant-usage/'
                                  'faketenant_0?start=%s&end=%s' %
                                  (START.isoformat(), STOP.isoformat()))
        req.method = "GET"
        req.headers["content-type"] = "application/json"

        rules = {
            "compute_extension:simple_tenant_usage:show":
            [["role:admin"], ["project_id:%(project_id)s"]]
        }
        common_policy.set_brain(common_policy.HttpBrain(rules))

        try:
            res = req.get_response(
                fakes.wsgi_app(fake_auth_context=self.alt_user_context))
            self.assertEqual(res.status_int, 403)
        finally:
            policy.reset()
Esempio n. 2
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": [],
         "example:allowed": [],
         "example:denied": [["false:false"]],
         "example:get_http": [["http:http://www.example.com"]],
         "example:my_file": [["role:compute_admin"],
                             ["project_id:%(project_id)s"]],
         "example:early_and_fail": [["false:false", "rule:true"]],
         "example:early_or_success": [["rule:true"], ["false:false"]],
         "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
         "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
     }
     # NOTE(vish): then overload underlying brain
     common_policy.set_brain(common_policy.HttpBrain(rules))
     self.context = context.RequestContext('fake', 'fake', roles=['member'])
     self.target = {}
Esempio n. 3
0
 def _set_brain(self, default_rule):
     brain = common_policy.HttpBrain(self.rules, default_rule)
     common_policy.set_brain(brain)