Esempio n. 1
 def test_check_non_existent_action(self):
     """Pin how policy.check treats the action "example:idonotexist".

     By default the result is falsy (deny). With ``might_not_exist=True``
     the same call is truthy (allow), i.e. the flag is fail-open for this
     action, so callers should pass it only where a missing rule is meant
     to impose no restriction.
     """
     missing_action = "example:idonotexist"
     # Default call: the check must come back falsy.
     self.assertFalse(
         policy.check(self.context, missing_action, self.target))
     # Opt-in call: the same action is now reported as allowed.
     self.assertTrue(
         policy.check(self.context, missing_action, self.target,
                      might_not_exist=True))
Esempio n. 2
 def test_check_non_existent_action(self):
     """Check both outcomes of policy.check for "example:idonotexist".

     Without extra arguments the check is expected to deny (falsy).
     Passing ``might_not_exist=True`` is expected to allow (truthy), which
     makes that flag a fail-open switch for this action.
     """
     action = "example:idonotexist"
     base_args = (self.context, action, self.target)
     denied = policy.check(*base_args)
     self.assertFalse(denied)
     # Same arguments, but tolerate the rule being absent.
     allowed = policy.check(*base_args, might_not_exist=True)
     self.assertTrue(allowed)
Esempio n. 3
 def _items(self, request, do_authz=False, parent_id=None):
     """Build the list response for the requested collection.

     Objects are fetched through the plugin's LIST handler, sorted and
     paginated, optionally filtered by the SHOW policy, and have hidden
     attributes stripped. The result is a dict keyed by the collection
     name, plus a "<collection>_links" entry when the pagination helper
     returns links.

     Per-object visibility is enforced only when ``do_authz`` is true; the
     default is False, so the caller has to opt in.
     """
     # NOTE(salvatore-orlando): fields needed for authZ policy validation
     # are tracked separately so the plugin does not strip them before
     # returning.
     requested_fields, fields_to_add = self._do_field_list(
         api_common.list_args(request, 'fields'))
     skips = ['fields', 'sort_key', 'sort_dir',
              'limit', 'marker', 'page_reverse']
     filters = api_common.get_filters(request, self._attr_info, skips)
     list_kwargs = dict(filters=filters, fields=requested_fields)

     sorter = self._get_sorting_helper(request)
     pager = self._get_pagination_helper(request)
     # Order matters: each helper may update the kwargs and field lists.
     sorter.update_args(list_kwargs)
     sorter.update_fields(requested_fields, fields_to_add)
     pager.update_args(list_kwargs)
     pager.update_fields(requested_fields, fields_to_add)
     if parent_id:
         list_kwargs[self._parent_id_name] = parent_id

     list_handler = getattr(self._plugin, self._plugin_handlers[self.LIST])
     items = list_handler(request.context, **list_kwargs)
     items = sorter.sort(items)
     items = pager.paginate(items)

     if do_authz:
         # FIXME(salvatore-orlando): the plugin might return references to
         # other resources; authZ must be checked on them too.
         # NOTE(review): this filter runs after pagination, so a page can
         # hold fewer items than requested and the links below are built
         # from the filtered list.
         visible_items = []
         for obj in items:
             # Keep only objects the caller may SHOW.
             if policy.check(request.context,
                             self._plugin_handlers[self.SHOW],
                             obj,
                             plugin=self._plugin):
                 visible_items.append(obj)
         items = visible_items

     # fields_to_add holds attributes fetched only for policy checks and
     # not requested by the user, so they are stripped from the response.
     fields_to_strip = fields_to_add or []
     if items:
         # NOTE(review): attribute-level exclusions are derived from the
         # first object only and then applied to every object. If an
         # attribute rule depends on the target (e.g. its owner), later
         # objects may be filtered differently than their own check would
         # decide -- confirm this is acceptable for the exposed resources.
         # The in-place += also extends fields_to_add when it is non-empty.
         fields_to_strip += self._exclude_attributes_by_policy(
             request.context, items[0])

     collection = {
         self._collection: [
             self._filter_attributes(
                 request.context, obj, fields_to_strip=fields_to_strip)
             for obj in items
         ]
     }
     links = pager.get_links(items)
     if links:
         collection[self._collection + "_links"] = links
     return collection
Esempio n. 4
 def _items(self, request, do_authz=False, parent_id=None):
     """Return the formatted collection for a list request.

     The plugin's LIST handler supplies the objects; they are sorted,
     paginated, filtered by the SHOW policy when ``do_authz`` is true, and
     stripped of attributes the response must not carry. The returned dict
     maps the collection name to the formatted objects and may also hold
     a "<collection>_links" entry.

     ``do_authz`` defaults to False, in which case no per-object policy
     check is made here.
     """
     # NOTE(salvatore-orlando): keep the fields needed for authZ policy
     # validation from being stripped away by the plugin before returning.
     field_args = api_common.list_args(request, 'fields')
     original_fields, fields_to_add = self._do_field_list(field_args)
     filters = api_common.get_filters(
         request,
         self._attr_info,
         ['fields', 'sort_key', 'sort_dir',
          'limit', 'marker', 'page_reverse'])
     getter_kwargs = {'filters': filters, 'fields': original_fields}

     sort_helper = self._get_sorting_helper(request)
     page_helper = self._get_pagination_helper(request)
     # Sorting helper first, then pagination helper, as the original
     # sequence; both are handed the same kwargs dict and field lists.
     sort_helper.update_args(getter_kwargs)
     sort_helper.update_fields(original_fields, fields_to_add)
     page_helper.update_args(getter_kwargs)
     page_helper.update_fields(original_fields, fields_to_add)
     if parent_id:
         getter_kwargs[self._parent_id_name] = parent_id

     handler_name = self._plugin_handlers[self.LIST]
     fetch = getattr(self._plugin, handler_name)
     results = page_helper.paginate(
         sort_helper.sort(fetch(request.context, **getter_kwargs)))

     if do_authz:
         # FIXME(salvatore-orlando): the getter might return references
         # to other resources; authZ must be checked on them too.
         # NOTE(review): filtering happens after pagination, so the page
         # may shrink and get_links() sees only the surviving objects.
         results = [
             candidate for candidate in results
             if policy.check(request.context,
                             self._plugin_handlers[self.SHOW],
                             candidate,
                             plugin=self._plugin)
         ]

     # Attributes added only for request policy checks were not asked for
     # by the user and are therefore stripped.
     fields_to_strip = fields_to_add or []
     if results:
         # NOTE(review): only results[0] is used to decide which attributes
         # policy hides, and that decision is reused for all objects.
         # Target-dependent attribute rules could therefore be applied
         # incorrectly to the remaining objects -- verify against the
         # policies in use. += extends fields_to_add in place when set.
         first = results[0]
         fields_to_strip += self._exclude_attributes_by_policy(
             request.context, first)

     collection = {
         self._collection: [
             self._filter_attributes(request.context,
                                     item,
                                     fields_to_strip=fields_to_strip)
             for item in results
         ]
     }
     pagination_links = page_helper.get_links(results)
     if pagination_links:
         collection[self._collection + "_links"] = pagination_links
     return collection
Esempio n. 5
    def _exclude_attributes_by_policy(self, context, data):
        """List the attribute names that must be stripped from a response.

        An attribute of ``data`` is excluded when it has no entry in
        ``self._attr_info``, when its 'is_visible' value is falsy, or when
        the "<SHOW action>:<attribute>" policy check is falsy for this
        context. Unknown attributes are therefore hidden by default.

        The policy check is made with ``might_not_exist=True``; presumably
        an attribute without a dedicated rule is then treated as allowed --
        confirm against policy.check.
        """
        excluded = []
        for attr_name in data.keys():
            attr_data = self._attr_info.get(attr_name)
            if not (attr_data and attr_data['is_visible']):
                # Unknown or not visible in the first place: always hide.
                excluded.append(attr_name)
                continue
            attr_action = '%s:%s' % (self._plugin_handlers[self.SHOW],
                                     attr_name)
            if not policy.check(context, attr_action, data,
                                might_not_exist=True):
                # The attribute-level policy denied access.
                excluded.append(attr_name)
        return excluded
Esempio n. 6
    def _exclude_attributes_by_policy(self, context, data):
        """Work out which attributes of ``data`` the caller may not see.

        Returns the names of attributes to strip from the response: those
        missing from ``self._attr_info``, those whose 'is_visible' value is
        falsy, and those whose "<SHOW action>:<attribute>" policy check is
        falsy. Attributes the API does not describe are hidden by default.

        NOTE(review): the check passes ``might_not_exist=True``, which
        looks like it allows attributes that have no rule of their own --
        verify against policy.check before relying on it.
        """
        to_strip = []
        for attr_name in data.keys():
            attr_data = self._attr_info.get(attr_name)
            permitted = False
            if attr_data and attr_data['is_visible']:
                # Only visible, known attributes reach the policy engine.
                rule = '%s:%s' % (self._plugin_handlers[self.SHOW],
                                  attr_name)
                permitted = policy.check(context, rule, data,
                                         might_not_exist=True)
            if not permitted:
                # Either the policy check failed or the attribute was not
                # visible to begin with.
                to_strip.append(attr_name)
        return to_strip
Esempio n. 7
 def test_check_bad_action_noraise(self):
     """policy.check must return exactly False for "example:denied".

     The comparison is against the literal False, so a merely falsy value
     such as None would not satisfy it; an exception would fail the test.
     """
     denied_action = "example:denied"
     self.assertEqual(
         False,
         policy.check(self.context, denied_action, self.target))
Esempio n. 8
 def test_check_bad_action_noraise(self):
     """A denied action is reported by return value, not by raising.

     Asserts that policy.check yields the literal False for the action
     "example:denied" with this test's context and target.
     """
     check_args = (self.context, "example:denied", self.target)
     outcome = policy.check(*check_args)
     # assertEqual (not assertFalse): only a real False is accepted.
     self.assertEqual(False, outcome)