def test_get_roles_context_is_admin_rule_missing(self):
    """get_admin_roles() falls back to 'admin' when no admin-context rule exists.

    Only an unrelated rule is installed, so there is no ADMIN_CTX_POLICY
    entry for the role lookup to derive roles from.
    """
    rule_texts = [("some_other_rule", "role:admin")]
    parsed = {}
    for name, text in rule_texts:
        parsed[name] = common_policy.parse_rule(text)
    common_policy.set_rules(common_policy.Rules(parsed))
    # 'admin' role is expected for bw compatibility
    self.assertEqual(['admin'], policy.get_admin_roles())
def test_get_roles_with_rule_check(self):
    """get_admin_roles() follows a 'rule:' reference to the rule it names.

    ADMIN_CTX_POLICY points at some_other_rule, which in turn requires
    the admin role; that role must be what the lookup reports.
    """
    rule_texts = [
        (policy.ADMIN_CTX_POLICY, "rule:some_other_rule"),
        ("some_other_rule", "role:admin"),
    ]
    parsed = {}
    for name, text in rule_texts:
        parsed[name] = common_policy.parse_rule(text)
    common_policy.set_rules(common_policy.Rules(parsed))
    self.assertEqual(['admin'], policy.get_admin_roles())
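def _set_rules(data):
    """Parse the policy JSON in ``data`` and install the resulting rules.

    Policy names written in the deprecated ``<policy>:<action>`` style, whose
    prefix appears in DEPRECATED_POLICY_MAP, are expanded into the current
    names (one ``<action>_<policy>`` entry per combination taken from
    DEPRECATED_ACTION_MAP and DEPRECATED_POLICY_MAP) before the rules are
    installed, so older policy files keep being enforced.  A deprecated name
    with no mapping is logged as an error and left as-is.

    :param data: policy document as a JSON string
    :raises ValueError: if a policy name matches a deprecated prefix but
        contains no ':' separator (the two-way unpack of rsplit fails)
    """
    default_rule = 'default'
    LOG.debug(_("Loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    # str.startswith accepts a tuple of prefixes: one C-level check per
    # policy instead of a list comprehension over every deprecated prefix.
    deprecated_prefixes = tuple(DEPRECATED_POLICY_MAP.keys())
    # Snapshot the keys: the loop inserts into and deletes from `policies`,
    # which is not allowed while iterating a live dict view (Python 3).
    for pol in list(policies.keys()):
        if not pol.startswith(deprecated_prefixes):
            continue
        LOG.warning(_("Found deprecated policy rule:%s. Please consider "
                      "upgrading your policy configuration file"), pol)
        pol_name, action = pol.rsplit(':', 1)
        # Only these two lookups can raise KeyError; keep the try narrow so
        # an unexpected KeyError elsewhere is not misreported as "no mapping".
        try:
            new_actions = DEPRECATED_ACTION_MAP[action]
            new_policies = DEPRECATED_POLICY_MAP[pol_name]
        except KeyError:
            LOG.error(_("Backward compatibility unavailable for "
                        "deprecated policy %s. The policy will "
                        "not be enforced"), pol)
            continue
        # bind new actions and policies together
        for item in itertools.product(new_actions, new_policies):
            actual_policy = '_'.join(item)
            # A rule already given under the new name wins over the
            # deprecated one; otherwise copy the old rule across.
            if actual_policy not in policies:
                # New policy, same rule
                LOG.info(_("Inserting policy:%(new_policy)s in place "
                           "of deprecated policy:%(old_policy)s"),
                         {'new_policy': actual_policy, 'old_policy': pol})
                policies[actual_policy] = policies[pol]
        # Remove old-style policy
        del policies[pol]
    policy.set_rules(policies)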
def setUp(self):
    """Install a fixed three-rule policy and a 'member' request context.

    The UOS extension tests in this class run their controller calls as a
    plain member against these rules.
    """
    super(UOSExtensionPolicyTestCase, self).setUp()
    policy.reset()
    policy.init()
    rule_texts = {
        "associate_floatingip_router": "not role:project_observer",
        "get_router_details": "role:admin",
        "remove_router_portforwarding": "role:member",
    }
    parsed = {}
    for name, text in rule_texts.items():
        parsed[name] = common_policy.parse_rule(text)
    common_policy.set_rules(common_policy.Rules(parsed))
    self.context = context.Context('fake', 'fake', roles=['member'])
    self.request = FakeRequest(self.context)
    self.target = {}
    self.controller = uos.UosController()
def setUp(self):
    """Reset policy, load three fixed rules, and build a member-role request.

    Every test in this class starts from this same rule set and context.
    """
    super(UOSExtensionPolicyTestCase, self).setUp()
    policy.reset()
    policy.init()
    names = [
        "associate_floatingip_router",
        "get_router_details",
        "remove_router_portforwarding",
    ]
    texts = [
        "not role:project_observer",
        "role:admin",
        "role:member",
    ]
    parsed_rules = dict(zip(names, map(common_policy.parse_rule, texts)))
    common_policy.set_rules(common_policy.Rules(parsed_rules))
    self.context = context.Context('fake', 'fake', roles=['member'])
    self.request = FakeRequest(self.context)
    self.target = {}
    self.controller = uos.UosController()
def setUp(self):
    """Preload a fixed set of example rules and a 'member' context.

    policy.reset is registered as cleanup so the rules installed here do
    not leak into other test classes.
    """
    super(PolicyTestCase, self).setUp()
    policy.reset()
    self.addCleanup(policy.reset)
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()
    rule_texts = [
        ("true", "@"),
        ("example:allowed", "@"),
        ("example:denied", "!"),
        ("example:get_http", "http:http://www.example.com"),
        ("example:my_file",
         "role:compute_admin or tenant_id:%(tenant_id)s"),
        ("example:early_and_fail", "! and @"),
        ("example:early_or_success", "@ or !"),
        ("example:lowercase_admin", "role:admin or role:sysadmin"),
        ("example:uppercase_admin", "role:ADMIN or role:sysadmin"),
    ]
    # NOTE(vish): then overload underlying rules
    parsed = {}
    for name, text in rule_texts:
        parsed[name] = common_policy.parse_rule(text)
    common_policy.set_rules(common_policy.Rules(parsed))
    self.context = context.Context("fake", "fake", roles=["member"])
    self.target = {}
def test_policy_404(self):
    """Deleting a floating IP that policy denies to 'member' yields 404.

    delete_floatingip is restricted to role:admin_only while the request
    runs as a member; afterwards policy is reset so the cleanup delete
    goes through.
    """
    with self.subnet(cidr='12.0.0.0/24') as public_sub:
        net_id = public_sub['subnet']['network_id']
        self._set_net_external(net_id)
        fip = self._make_floatingip(self.fmt, net_id)
        policy.reset()
        policy.init()
        parsed = {
            "delete_floatingip": common_policy.parse_rule("role:admin_only"),
        }
        common_policy.set_rules(common_policy.Rules(parsed))
        fip_id = fip['floatingip']['id']
        self.context = context.Context('fake', 'fake', roles=['member'])
        req = self.new_delete_request('floatingips', fip_id)
        req.environ['neutron.context'] = self.context
        api = self._api_for_resource('floatingips')
        res = req.get_response(api)
        self.assertEqual(404, res.status_int)
        # Back to the default rules before removing the fixture.
        policy.reset()
        policy.init()
        self._delete('floatingips', fip_id)
def setUp(self):
    """Reset policy, install the example rules, and create a member context.

    The rule strings here are what the test methods in this class check
    enforcement against.
    """
    super(PolicyTestCase, self).setUp()
    policy.reset()
    self.addCleanup(policy.reset)
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()
    names = [
        "true",
        "example:allowed",
        "example:denied",
        "example:get_http",
        "example:my_file",
        "example:early_and_fail",
        "example:early_or_success",
        "example:lowercase_admin",
        "example:uppercase_admin",
    ]
    texts = [
        '@',
        '@',
        '!',
        "http:http://www.example.com",
        "role:compute_admin or tenant_id:%(tenant_id)s",
        "! and @",
        "@ or !",
        "role:admin or role:sysadmin",
        "role:ADMIN or role:sysadmin",
    ]
    # NOTE(vish): then overload underlying rules
    parsed_rules = dict(zip(names, map(common_policy.parse_rule, texts)))
    common_policy.set_rules(common_policy.Rules(parsed_rules))
    self.context = context.Context('fake', 'fake', roles=['member'])
    self.target = {}
def test_policy_404(self):
    """A member's DELETE of a floating IP denied by policy returns 404.

    Only delete_floatingip is overridden (to role:admin_only); the default
    rules are restored before the fixture is deleted for real.
    """
    with self.subnet(cidr='12.0.0.0/24') as public_sub:
        network_id = public_sub['subnet']['network_id']
        self._set_net_external(network_id)
        fip = self._make_floatingip(self.fmt, network_id)
        policy.reset()
        policy.init()
        rule_text = "role:admin_only"
        rule_set = common_policy.Rules(
            {"delete_floatingip": common_policy.parse_rule(rule_text)})
        common_policy.set_rules(rule_set)
        fip_id = fip['floatingip']['id']
        self.context = context.Context('fake', 'fake', roles=['member'])
        req = self.new_delete_request('floatingips', fip_id)
        req.environ['neutron.context'] = self.context
        res = req.get_response(self._api_for_resource('floatingips'))
        self.assertEqual(404, res.status_int)
        # Drop the restrictive rule again before cleaning up.
        policy.reset()
        policy.init()
        self._delete('floatingips', fip_id)
def fakepolicyinit():
    """Install the enclosing test's self.rules as the active rule set.

    `self` comes from the enclosing scope; the closure stands in for the
    real policy initialisation.
    """
    rule_set = common_policy.Rules(self.rules)
    common_policy.set_rules(rule_set)
def _set_rules(self, default_rule):
    """Parse self.rules and install them, passing default_rule through to Rules.

    :param default_rule: handed to common_policy.Rules as its second argument
    """
    parsed = {}
    for name, text in self.rules.items():
        parsed[name] = common_policy.parse_rule(text)
    common_policy.set_rules(common_policy.Rules(parsed, default_rule))