コード例 #1
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_templatized_enforcement(self):
     target_mine = {'project_id': 'fake'}
     target_not_mine = {'project_id': 'another'}
     action = "example:my_file"
     policy.enforce(self.context, action, target_mine)
     self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
                       self.context, action, target_not_mine)
コード例 #2
0
ファイル: webservice.py プロジェクト: ElVinto/congress
    def handle_request(self, request):
        """Handle a REST request.

        Args:
           request: A webob request object.

        Returns:
            A webob response object.
        """
        # NOTE(arosen): only do policy.json if keystone is used for now.
        if cfg.CONF.auth_strategy == "keystone":
            context = request.environ["congress.context"]
            target = {"project_id": context.project_id, "user_id": context.user_id}
            # NOTE(arosen): today congress only enforces API policy on which
            # API calls we allow tenants to make with their given roles.
            action_type = self._get_action_type(request.method)
            # FIXME(arosen): There should be a cleaner way to do this.
            model_name = self.path_regex.split("/")[1]
            action = "%s_%s" % (action_type, model_name)
            # TODO(arosen): we should handle serializing the
            # response in one place
            try:
                policy.enforce(context, action, target)
            except exception.PolicyNotAuthorized as e:
                LOG.info(e)
                return webob.Response(body=unicode(e), status=e.code, content_type="application/json")
        if request.method == "GET" and self.allow_list:
            return self.list_members(request)
        elif request.method == "POST" and self.allow_create:
            return self.create_member(request)
        return NOT_SUPPORTED_RESPONSE
コード例 #3
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_templatized_enforcement(self):
     target_mine = {'project_id': 'fake'}
     target_not_mine = {'project_id': 'another'}
     action = "example:my_file"
     policy.enforce(self.context, action, target_mine)
     self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
                       self.context, action, target_not_mine)
コード例 #4
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_ignore_case_role_check(self):
     lowercase_action = "example:lowercase_admin"
     uppercase_action = "example:uppercase_admin"
     # NOTE(dprince) we mix case in the Admin role here to ensure
     # case is ignored
     admin_context = context.RequestContext('admin',
                                            'fake',
                                            roles=['AdMiN'])
     policy.enforce(admin_context, lowercase_action, self.target)
     policy.enforce(admin_context, uppercase_action, self.target)
コード例 #5
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_ignore_case_role_check(self):
     lowercase_action = "example:lowercase_admin"
     uppercase_action = "example:uppercase_admin"
     # NOTE(dprince) we mix case in the Admin role here to ensure
     # case is ignored
     admin_context = context.RequestContext('admin',
                                            'fake',
                                            roles=['AdMiN'])
     policy.enforce(admin_context, lowercase_action, self.target)
     policy.enforce(admin_context, uppercase_action, self.target)
コード例 #6
0
ファイル: test_policy.py プロジェクト: stevei101/congress
    def test_modified_policy_reloads(self):
        with utils.tempdir() as tmpdir:
            tmpfilename = os.path.join(tmpdir, 'policy')

            CONF.set_override('policy_file', tmpfilename, 'oslo_policy')

            # NOTE(uni): context construction invokes policy check to determin
            # is_admin or not. As a side-effect, policy reset is needed here
            # to flush existing policy cache.
            policy.reset()

            action = "example:test"
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": ""}')
            policy.enforce(self.context, action, self.target)
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": "!"}')
            policy._ENFORCER.load_rules(True)
            self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
                              self.context, action, self.target)
コード例 #7
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
    def test_modified_policy_reloads(self):
        with utils.tempdir() as tmpdir:
            tmpfilename = os.path.join(tmpdir, 'policy')

            CONF.set_override('policy_file', tmpfilename, 'oslo_policy')

            # NOTE(uni): context construction invokes policy check to determin
            # is_admin or not. As a side-effect, policy reset is needed here
            # to flush existing policy cache.
            policy.reset()

            action = "example:test"
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": ""}')
            policy.enforce(self.context, action, self.target)
            with open(tmpfilename, "w") as policyfile:
                policyfile.write('{"example:test": "!"}')
            policy._ENFORCER.load_rules(True)
            self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
                              self.context, action, self.target)
コード例 #8
0
    def handle_request(self, request):
        """Handle a REST request.

        Args:
           request: A webob request object.

        Returns:
            A webob response object.
        """
        # NOTE(arosen): only do policy.json if keystone is used for now.
        if cfg.CONF.auth_strategy == "keystone":
            context = request.environ['congress.context']
            target = {
                'project_id': context.project_id,
                'user_id': context.user_id
            }
            # NOTE(arosen): today congress only enforces API policy on which
            # API calls we allow tenants to make with their given roles.
            action_type = self._get_action_type(request.method)
            # FIXME(arosen): There should be a cleaner way to do this.
            model_name = self.path_regex.split('/')[1]
            action = "%s_%s" % (action_type, model_name)
            # TODO(arosen): we should handle serializing the
            # response in one place
            try:
                policy.enforce(context, action, target)
            except exception.PolicyNotAuthorized as e:
                LOG.info(e)
                return webob.Response(body=six.text_type(e),
                                      status=e.code,
                                      content_type='application/json',
                                      charset='UTF-8')
        if request.method == 'GET' and self.allow_list:
            return self.list_members(request)
        elif request.method == 'POST' and self.allow_create:
            return self.create_member(request)
        elif request.method == 'PUT' and self.allow_update:
            return self.update_members(request)
        return NOT_SUPPORTED_RESPONSE
コード例 #9
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_enforce_good_action(self):
     action = "example:allowed"
     result = policy.enforce(self.context, action, self.target)
     self.assertTrue(result)
コード例 #10
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_early_OR_enforcement(self):
     action = "example:early_or_success"
     policy.enforce(self.context, action, self.target)
コード例 #11
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_enforce_good_action(self):
     action = "example:allowed"
     result = policy.enforce(self.context, action, self.target)
     self.assertEqual(result, True)
コード例 #12
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_enforce_http_true(self, mock_httpcheck):
     action = "example:get_http"
     target = {}
     result = policy.enforce(self.context, action, target)
     self.assertTrue(result)
コード例 #13
0
ファイル: test_policy.py プロジェクト: ElVinto/congress
 def test_enforce_http_true(self, mock_urlopen):
     action = "example:get_http"
     target = {}
     result = policy.enforce(self.context, action, target)
     self.assertEqual(result, True)
コード例 #14
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_enforce_http_true(self):
     self.useFixture(op_fixture.HttpCheckFixture(True))
     action = "example:get_http"
     target = {}
     result = policy.enforce(self.context, action, target)
     self.assertTrue(result)
コード例 #15
0
 def test_enforce_http_true(self, mock_httpcheck):
     action = "example:get_http"
     target = {}
     result = policy.enforce(self.context, action, target)
     self.assertTrue(result)
コード例 #16
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_early_OR_enforcement(self):
     action = "example:early_or_success"
     policy.enforce(self.context, action, self.target)
コード例 #17
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_not_found_policy_calls_default(self):
     policy.enforce(self.context, "example:noexist", {})
コード例 #18
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_not_found_policy_calls_default(self):
     policy.enforce(self.context, "example:noexist", {})
コード例 #19
0
ファイル: test_policy.py プロジェクト: yo-iura/congress
 def test_enforce_bad_action_noraise(self):
     action = "example:denied"
     result = policy.enforce(self.context, action, self.target, False)
     self.assertFalse(result)
コード例 #20
0
ファイル: test_policy.py プロジェクト: stevei101/congress
 def test_enforce_bad_action_noraise(self):
     action = "example:denied"
     result = policy.enforce(self.context, action, self.target, False)
     self.assertEqual(result, False)
コード例 #21
0
ファイル: test_policy.py プロジェクト: radekpospisil/congress
 def test_enforce_http_true(self, mock_urlopen):
     action = "example:get_http"
     target = {}
     result = policy.enforce(self.context, action, target)
     self.assertEqual(result, True)