def test_enforce_adminonly_nonadminctx_no_ctx_is_admin_policy_403(self): del self.rules[policy.ADMIN_CTX_POLICY] self.rules["admin_only"] = common_policy.parse_rule(self.admin_only_legacy) self.rules["admin_or_owner"] = common_policy.parse_rule(self.admin_or_owner_legacy) action = "create_network" target = {"shared": True, "tenant_id": "somebody_else"} self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce, self.context, action, target, None)
def test_enforce_adminonly_attribute_no_context_is_admin_policy(self): del self.rules[policy.ADMIN_CTX_POLICY] self.rules['admin_only'] = common_policy.parse_rule( self.admin_only_legacy) self.rules['admin_or_owner'] = common_policy.parse_rule( self.admin_or_owner_legacy) self._test_enforce_adminonly_attribute('create_network')
def test_enforce_adminonly_nonadminctx_no_ctx_is_admin_policy_403(self): del self.rules[policy.ADMIN_CTX_POLICY] self.rules['admin_only'] = common_policy.parse_rule( self.admin_only_legacy) self.rules['admin_or_owner'] = common_policy.parse_rule( self.admin_or_owner_legacy) action = "create_network" target = {'shared': True, 'tenant_id': 'somebody_else'} self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce, self.context, action, target)
def test_get_roles_context_is_admin_rule_missing(self): rules = dict((k, common_policy.parse_rule(v)) for k, v in { "some_other_rule": "role:admin", }.items()) common_policy.set_rules(common_policy.Rules(rules)) # 'admin' role is expected for bw compatibility self.assertEqual(['admin'], policy.get_admin_roles())
def test_get_roles_with_rule_check(self): rules = dict( (k, common_policy.parse_rule(v)) for k, v in {policy.ADMIN_CTX_POLICY: "rule:some_other_rule", "some_other_rule": "role:admin"}.items() ) common_policy.set_rules(common_policy.Rules(rules)) self.assertEqual(["admin"], policy.get_admin_roles())
def test_get_roles_with_rule_check(self): rules = dict((k, common_policy.parse_rule(v)) for k, v in { policy.ADMIN_CTX_POLICY: "rule:some_other_rule", "some_other_rule": "role:admin", }.items()) common_policy.set_rules(common_policy.Rules(rules)) self.assertEqual(['admin'], policy.get_admin_roles())
def setUp(self): super(QuantumPolicyTestCase, self).setUp() policy.reset() policy.init() self.addCleanup(policy.reset) self.rules = dict( (k, common_policy.parse_rule(v)) for k, v in { "admin_or_network_owner": "role:admin or " "tenant_id:%(network_tenant_id)s", "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s", "admin_only": "role:admin", "regular_user": "******", "shared": "field:networks:shared=True", "external": "field:networks:router:external=True", "default": "@", "create_network": "rule:admin_or_owner", "create_network:shared": "rule:admin_only", "update_network": "@", "update_network:shared": "rule:admin_only", "get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external", "create_port:mac": "rule:admin_or_network_owner", }.items() ) def fakepolicyinit(): common_policy.set_rules(common_policy.Rules(self.rules)) self.patcher = mock.patch.object(quantum.policy, "init", new=fakepolicyinit) self.patcher.start() self.addCleanup(self.patcher.stop) self.context = context.Context("fake", "fake", roles=["user"]) plugin_klass = importutils.import_class("quantum.db.db_base_plugin_v2.QuantumDbPluginV2") self.plugin = plugin_klass()
def _test_enforce_tenant_id_raises(self, bad_rule): self.rules['admin_or_owner'] = common_policy.parse_rule(bad_rule) # Trigger a policy with rule admin_or_owner action = "create_network" target = {'tenant_id': 'fake'} self.assertRaises(exceptions.PolicyCheckError, policy.enforce, self.context, action, target)
def test_get_roles_with_or_check(self): self.rules = dict( (k, common_policy.parse_rule(v)) for k, v in { policy.ADMIN_CTX_POLICY: "rule:rule1 or rule:rule2", "rule1": "role:admin_1", "rule2": "role:admin_2" }.items()) self.assertEqual(['admin_1', 'admin_2'], policy.get_admin_roles())
def test_get_roles_with_or_check(self): self.rules = dict((k, common_policy.parse_rule(v)) for k, v in { policy.ADMIN_CTX_POLICY: "rule:rule1 or rule:rule2", "rule1": "role:admin_1", "rule2": "role:admin_2" }.items()) self.assertEqual(['admin_1', 'admin_2'], policy.get_admin_roles())
def setUp(self): super(QuantumPolicyTestCase, self).setUp() policy.reset() policy.init() self.addCleanup(policy.reset) self.admin_only_legacy = "role:admin" self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s" self.rules = dict( (k, common_policy.parse_rule(v)) for k, v in { "context_is_admin": "role:admin", "admin_or_network_owner": "rule:context_is_admin or " "tenant_id:%(network:tenant_id)s", "admin_or_owner": ("rule:context_is_admin or " "tenant_id:%(tenant_id)s"), "admin_only": "rule:context_is_admin", "regular_user": "******", "shared": "field:networks:shared=True", "external": "field:networks:router:external=True", "default": '@', "create_network": "rule:admin_or_owner", "create_network:shared": "rule:admin_only", "update_network": '@', "update_network:shared": "rule:admin_only", "get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external", "create_port:mac": "rule:admin_or_network_owner", }.items()) def fakepolicyinit(): common_policy.set_rules(common_policy.Rules(self.rules)) self.patcher = mock.patch.object(quantum.policy, 'init', new=fakepolicyinit) self.patcher.start() self.addCleanup(self.patcher.stop) self.context = context.Context('fake', 'fake', roles=['user']) plugin_klass = importutils.import_class( "quantum.db.db_base_plugin_v2.QuantumDbPluginV2") self.manager_patcher = mock.patch('quantum.manager.QuantumManager') fake_manager = self.manager_patcher.start() fake_manager_instance = fake_manager.return_value fake_manager_instance.plugin = plugin_klass() self.addCleanup(self.manager_patcher.stop)
def test_enforce_tenant_id_check_parent_resource_bw_compatibility(self): def fakegetnetwork(*args, **kwargs): return {'tenant_id': 'fake'} del self.rules['admin_or_network_owner'] self.rules['admin_or_network_owner'] = common_policy.parse_rule( "role:admin or tenant_id:%(network_tenant_id)s") action = "create_port:mac" with mock.patch.object(manager.QuantumManager.get_instance().plugin, 'get_network', new=fakegetnetwork): target = {'network_id': 'whatever'} result = policy.enforce(self.context, action, target) self.assertTrue(result)
def setUp(self): super(QuantumPolicyTestCase, self).setUp() policy.reset() policy.init() self.addCleanup(policy.reset) self.admin_only_legacy = "role:admin" self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s" self.rules = dict((k, common_policy.parse_rule(v)) for k, v in { "context_is_admin": "role:admin", "admin_or_network_owner": "rule:context_is_admin or " "tenant_id:%(network:tenant_id)s", "admin_or_owner": ("rule:context_is_admin or " "tenant_id:%(tenant_id)s"), "admin_only": "rule:context_is_admin", "regular_user": "******", "shared": "field:networks:shared=True", "external": "field:networks:router:external=True", "default": '@', "create_network": "rule:admin_or_owner", "create_network:shared": "rule:admin_only", "update_network": '@', "update_network:shared": "rule:admin_only", "get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external", "create_port:mac": "rule:admin_or_network_owner", }.items()) def fakepolicyinit(): common_policy.set_rules(common_policy.Rules(self.rules)) self.patcher = mock.patch.object(quantum.policy, 'init', new=fakepolicyinit) self.patcher.start() self.addCleanup(self.patcher.stop) self.context = context.Context('fake', 'fake', roles=['user']) plugin_klass = importutils.import_class( "quantum.db.db_base_plugin_v2.QuantumDbPluginV2") self.manager_patcher = mock.patch('quantum.manager.QuantumManager') fake_manager = self.manager_patcher.start() fake_manager_instance = fake_manager.return_value fake_manager_instance.plugin = plugin_klass() self.addCleanup(self.manager_patcher.stop)
def setUp(self): super(PolicyTestCase, self).setUp() policy.reset() self.addCleanup(policy.reset) # NOTE(vish): preload rules to circumvent reloading from file policy.init() rules = { "true": "@", "example:allowed": "@", "example:denied": "!", "example:get_http": "http:http://www.example.com", "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } # NOTE(vish): then overload underlying rules common_policy.set_rules(common_policy.Rules(dict((k, common_policy.parse_rule(v)) for k, v in rules.items()))) self.context = context.Context("fake", "fake", roles=["member"]) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() policy.reset() # NOTE(vish): preload rules to circumvent reloading from file policy.init() rules = { "true": '@', "example:allowed": '@', "example:denied": '!', "example:get_http": "http:http://www.example.com", "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } # NOTE(vish): then overload underlying rules common_policy.set_rules(common_policy.Rules( dict((k, common_policy.parse_rule(v)) for k, v in rules.items()))) self.context = context.Context('fake', 'fake', roles=['member']) self.target = {}
def test_get_roles_with_other_rules(self): self.rules = dict((k, common_policy.parse_rule(v)) for k, v in { policy.ADMIN_CTX_POLICY: "role:xxx or other:value", }.items()) self.assertEqual(['xxx'], policy.get_admin_roles())
def _set_rules(self, default_rule): rules = common_policy.Rules( dict((k, common_policy.parse_rule(v)) for k, v in self.rules.items()), default_rule) common_policy.set_rules(rules)
def test_get_roles_with_other_rules(self): self.rules = dict( (k, common_policy.parse_rule(v)) for k, v in {policy.ADMIN_CTX_POLICY: "role:xxx or other:value"}.items() ) self.assertEqual(["xxx"], policy.get_admin_roles())
def _set_rules(self, default_rule): rules = common_policy.Rules(dict((k, common_policy.parse_rule(v)) for k, v in self.rules.items()), default_rule) common_policy.set_rules(rules)