def test_log_rule_list(self):
with contextlib.nested(
mock.patch.object(policy.LOG, 'isEnabledFor', return_value=True),
mock.patch.object(policy.LOG, 'debug')
) as (is_e, dbg):
policy.log_rule_list(common_policy.RuleCheck('rule', 'create_'))
self.assertTrue(is_e.called)
self.assertTrue(dbg.called)
def _build_match_rule(action, target):
"""Create the rule to match for a given action.
The policy rule to be matched is built in the following way:
1) add entries for matching permission on objects
2) add an entry for the specific action (e.g.: create_network)
3) add an entry for attributes of a resource for which the action
is being executed (e.g.: create_network:shared)
4) add an entry for sub-attributes of a resource for which the
action is being executed
(e.g.: create_router:external_gateway_info:network_id)
"""
match_rule = policy.RuleCheck('rule', action)
resource, is_write = get_resource_and_action(action)
# Attribute-based checks shall not be enforced on GETs
if is_write:
# assigning to variable with short name for improving readability
res_map = attributes.RESOURCE_ATTRIBUTE_MAP
if resource in res_map:
for attribute_name in res_map[resource]:
if _is_attribute_explicitly_set(attribute_name,
res_map[resource], target,
action):
attribute = res_map[resource][attribute_name]
if 'enforce_policy' in attribute:
attr_rule = policy.RuleCheck(
'rule', '%s:%s' % (action, attribute_name))
# Build match entries for sub-attributes
if _should_validate_sub_attributes(
attribute, target[attribute_name]):
attr_rule = policy.AndCheck([
attr_rule,
_build_subattr_match_rule(
attribute_name, attribute, action, target)
])
match_rule = policy.AndCheck([match_rule, attr_rule])
# Check that the logger has a DEBUG log level
if (cfg.CONF.debug and LOG.logger.level == logging.NOTSET
or LOG.logger.level == logging.DEBUG):
rules = _process_rules_list([], match_rule)
LOG.debug("Enforcing rules: %s", rules)
return match_rule
def test_process_rules(self):
action = "create_something"
# Construct RuleChecks for an action, attribute and subattribute
match_rule = common_policy.RuleCheck('rule', action)
attr_rule = common_policy.RuleCheck('rule', '%s:%s' %
(action, 'somethings'))
sub_attr_rules = [common_policy.RuleCheck('rule', '%s:%s:%s' %
(action, 'attr',
'sub_attr_1'))]
# Build an AndCheck from the given RuleChecks
# Make the checks nested to better check the recursion
sub_attr_rules = common_policy.AndCheck(sub_attr_rules)
attr_rule = common_policy.AndCheck(
[attr_rule, sub_attr_rules])
match_rule = common_policy.AndCheck([match_rule, attr_rule])
# Assert that the rules are correctly extracted from the match_rule
rules = policy._process_rules_list([], match_rule)
self.assertEqual(['create_something', 'create_something:somethings',
'create_something:attr:sub_attr_1'], rules)
def _build_match_rule(action, target):
"""Create the rule to match for a given action.
The policy rule to be matched is built in the following way:
1) add entries for matching permission on objects
2) add an entry for the specific action (e.g.: create_network)
3) add an entry for attributes of a resource for which the action
is being executed (e.g.: create_network:shared)
4) add an entry for sub-attributes of a resource for which the
action is being executed
(e.g.: create_router:external_gateway_info:network_id)
"""
match_rule = policy.RuleCheck('rule', action)
resource, is_write = get_resource_and_action(action)
# Attribute-based checks shall not be enforced on GETs
if is_write:
# assigning to variable with short name for improving readability
res_map = attributes.RESOURCE_ATTRIBUTE_MAP
if resource in res_map:
for attribute_name in res_map[resource]:
if _is_attribute_explicitly_set(attribute_name,
res_map[resource], target):
attribute = res_map[resource][attribute_name]
if 'enforce_policy' in attribute:
attr_rule = policy.RuleCheck(
'rule', '%s:%s' % (action, attribute_name))
# Build match entries for sub-attributes, if present
validate = attribute.get('validate')
if (validate and any([
k.startswith('type:dict') and v
for (k, v) in validate.iteritems()
])):
attr_rule = policy.AndCheck([
attr_rule,
_build_subattr_match_rule(
attribute_name, attribute, action, target)
])
match_rule = policy.AndCheck([match_rule, attr_rule])
return match_rule
def _build_subattr_match_rule(attr_name, attr, action, target):
"""Create the rule to match for sub-attribute policy checks."""
# TODO(salv-orlando): Instead of relying on validator info, introduce
# typing for API attributes
# Expect a dict as type descriptor
validate = attr['validate']
key = filter(lambda k: k.startswith('type:dict'), validate.keys())
if not key:
LOG.warn(_("Unable to find data type descriptor for attribute %s"),
attr_name)
return
data = validate[key[0]]
if not isinstance(data, dict):
LOG.debug(
_("Attribute type descriptor is not a dict. Unable to "
"generate any sub-attr policy rule for %s."), attr_name)
return
sub_attr_rules = [
policy.RuleCheck('rule',
'%s:%s:%s' % (action, attr_name, sub_attr_name))
for sub_attr_name in data if sub_attr_name in target[attr_name]
]
return policy.AndCheck(sub_attr_rules)
def test_log_rule_list(self, mock_debug, mock_is_e):
policy.log_rule_list(common_policy.RuleCheck('rule', 'create_'))
self.assertTrue(mock_is_e.called)
self.assertTrue(mock_debug.called)
