def test_templatized_authorization(self):
    """Check that the same action is allowed or denied depending on the target.

    The action is authorized against a target in project 'fake' and must be
    rejected for a target in project 'another'.
    """
    # NOTE(review): presumably "example:my_file" is templated on the target's
    # project_id and self.context belongs to project 'fake'; confirm against
    # the fixture rules.
    action = "example:my_file"
    own_target = {'project_id': 'fake'}
    foreign_target = {'project_id': 'another'}

    # No assertion is needed for the positive case: the negative case below
    # shows that authorize() raises when the check fails.
    policy_engine.authorize(self.context, action, own_target)

    # Cross-project access must fail closed with PolicyNotAuthorized.
    with self.assertRaises(os_policy.PolicyNotAuthorized):
        policy_engine.authorize(self.context, action, foreign_target)
def test_ignore_case_role_check(self):
    """Verify that role matching during authorization ignores case."""
    # NOTE(dprince): the role is deliberately written in mixed case so the
    # test proves that case is ignored when roles are compared.
    # Consequence for operators: role names that differ only by case are
    # treated as the same role by the policy engine.
    admin_context = context.RequestContext('admin', 'fake', roles=['AdMiN'])

    for action in ("example:lowercase_admin", "example:uppercase_admin"):
        policy_engine.authorize(admin_context, action, self.target)
def test_ignore_case_role_check(self):
    """Verify that a mixed-case role header satisfies both admin actions."""
    # The role arrives through the X_ROLES request header in mixed case.
    headers = {
        "X_USER_ID": "admin",
        "X_PROJECT_ID": "fake",
        "X_ROLES": "AdMiN"
    }
    admin_context = request.Request(
        testing.create_environ(path="/", headers=headers))

    # Both spellings of the admin action must be granted for this context.
    for action in ("example:lowercase_admin", "example:uppercase_admin"):
        self.assertTrue(
            policy.authorize(admin_context.context, action, {}))
def test_authorize_http_true(self, req_mock):
    """Check that authorization succeeds when the mocked endpoint says 'True'.

    ``req_mock`` stubs POST requests to http://www.example.com/ so that the
    response body is the text 'True'.
    """
    # NOTE(review): presumably "example:get_http" is a rule that delegates
    # the decision to that URL; confirm against the fixture rules. With such
    # a rule the remote endpoint and its transport are part of the
    # authorization trust boundary.
    req_mock.post('http://www.example.com/', text='True')

    granted = policy_engine.authorize(self.context, "example:get_http", {})
    self.assertTrue(granted)
def can(self, action, target=None):
    """Authorize ``action`` for this context via ``policy.authorize``.

    :param action: name of the policy action to check.
    :param target: dict describing the object acted upon. When omitted, a
        target is built from this context's own ``project_id`` and
        ``user_id``.
    :returns: whatever ``policy.authorize`` returns for this context.
    """
    if target is not None:
        return policy.authorize(self, action=action, target=target)

    # NOTE(review): the default target mirrors the caller's own identity, so
    # a rule that compares the credentials with the target's project_id or
    # user_id would match by construction. Callers that guard a specific
    # resource should pass that resource's owner as ``target``.
    own_target = {'project_id': self.project_id, 'user_id': self.user_id}
    return policy.authorize(self, action=action, target=own_target)
def test_ignore_case_role_check(self):
    """Verify that the 'MONASCA_user' role satisfies both case variants."""
    # The X_ROLES header mixes upper and lower case on purpose.
    headers = {
        "X_USER_ID": "monasca_user",
        "X_PROJECT_ID": "fake",
        "X_ROLES": "MONASCA_user"
    }
    monasca_user_context = request.Request(
        testing.create_environ(path="/", headers=headers))

    actions = ("example:lowercase_monasca_user",
               "example:uppercase_monasca_user")
    for action in actions:
        self.assertTrue(
            policy.authorize(monasca_user_context.context, action, {}))
def _assert_rules(self, policies_list):
    """Assert that every listed policy authorizes each of its roles.

    :param policies_list: mapping of policy name to the roles expected to be
        authorized for that policy.
    """
    # NOTE(review): the listing lost its indentation; the role loop is
    # assumed to sit beside the ``if`` (run for every policy), not inside it.
    for policy_name in policies_list:
        registered_rule = policy.get_rules()[policy_name]
        expected_roles = policies_list[policy_name]

        # Only rules that expose sub-rules get the count check, which
        # compares the number of sub-rules with the number of expected roles.
        if hasattr(registered_rule, 'rules'):
            self.assertEqual(len(registered_rule.rules),
                             len(expected_roles))

        # Each expected role must be granted the policy on an empty target.
        for role in expected_roles:
            ctx = self._get_request_context(role)
            self.assertTrue(
                policy.authorize(ctx.context, policy_name, {}))
def test_authorize_bad_action_no_exception(self):
    """Check that a denied action returns a falsy result instead of raising."""
    headers = {
        "X_USER_ID": "fake",
        "X_PROJECT_ID": "fake",
        "X_ROLES": "member"
    }
    ctx = request.Request(
        testing.create_environ(path="/", headers=headers))

    # NOTE(review): the fourth positional argument (False) presumably
    # disables raising on denial; callers using this mode must check the
    # returned value themselves.
    self.assertFalse(
        policy.authorize(ctx.context, "example:denied", {}, False))
def test_modified_policy_reloads(self):
    """Check that rewriting the policy file changes the enforced decision.

    The rule for 'example:test' is first written as an empty string and the
    action is authorized; the rule is then rewritten as "!" and, once the
    rules are loaded again, the same call must raise PolicyNotAuthorized.
    """
    policy_path = self.create_tempfiles(
        files=[('policies', '{}')], ext='.yaml')[0]
    base.BaseTestCase.conf_override(policy_file=policy_path,
                                    group='oslo_policy')

    # Start from a clean enforcer so that the temporary file is picked up.
    policy.reset()
    policy.init()

    action = 'example:test'
    policy._ENFORCER.register_defaults([os_policy.RuleDefault(action, '')])

    # Step 1: the empty rule lets the action through.
    with open(policy_path, 'w') as handle:
        handle.write('{"example:test": ""}')
    policy.authorize(self.context, action, self.target)

    # Step 2: "!" denies the action once the rules are loaded again.
    with open(policy_path, 'w') as handle:
        handle.write('{"example:test": "!"}')
    # NOTE(review): the True argument presumably forces a reload; confirm.
    policy._ENFORCER.load_rules(True)

    with self.assertRaises(os_policy.PolicyNotAuthorized):
        policy.authorize(self.context, action, self.target)
def test_modified_policy_reloads(self):
    """Check that rewriting the policy file changes the enforced decision.

    The rule for 'example:test' is first written as an empty string and the
    action is authorized; the rule is then rewritten as "!" and, once the
    rules are loaded again, the same call must raise PolicyNotAuthorized.
    """
    policy_path = self.create_tempfiles(
        files=[('policies', '{}')], ext='.yaml')[0]
    base.BaseTestCase.conf_override(policy_file=policy_path,
                                    group='oslo_policy')

    # Start from a clean enforcer so that the temporary file is picked up.
    policy_engine.reset()
    policy_engine.init()

    action = 'example:test'
    policy_engine._ENFORCER.register_defaults(
        [os_policy.RuleDefault(action, '')])

    # Step 1: the empty rule lets the action through.
    with open(policy_path, 'w') as handle:
        handle.write('{"example:test": ""}')
    policy_engine.authorize(self.context, action, self.target)

    # Step 2: "!" denies the action once the rules are loaded again.
    with open(policy_path, 'w') as handle:
        handle.write('{"example:test": "!"}')
    # NOTE(review): the True argument presumably forces a reload; confirm.
    policy_engine._ENFORCER.load_rules(True)

    with self.assertRaises(os_policy.PolicyNotAuthorized):
        policy_engine.authorize(self.context, action, self.target)
def test_early_OR_authorization(self):
    """Check that 'example:early_or_success' is authorized for self.context."""
    # NOTE(review): presumably the rule is an OR whose first branch already
    # succeeds; confirm against the fixture rules. The test passes as long
    # as authorize() does not raise.
    policy_engine.authorize(
        self.context, "example:early_or_success", self.target)
def test_authorize_admin_actions_with_admin_context(self):
    """Check that the admin context is authorized for every registered rule."""
    registered_rules = policy_engine.get_rules()

    # The return value is not inspected: the test relies on authorize()
    # raising for any action the admin context is denied.
    for action in registered_rules.keys():
        policy_engine.authorize(self.admin_context, action, self.target)
def test_authorize_bad_action_noraise(self):
    """Check that a denied action yields a falsy result when not raising."""
    # NOTE(review): the fourth positional argument (False) presumably turns
    # off raising on denial, so the decision comes back as the return value
    # and must be checked by the caller.
    denied = policy_engine.authorize(
        self.context, "example:denied", self.target, False)
    self.assertFalse(denied)
def test_authorize_good_action(self):
    """Check that an allowed action returns a truthy result."""
    granted = policy_engine.authorize(
        self.context, "example:allowed", self.target)
    self.assertTrue(granted)