def test_policy_all_disallowed(self):
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(), policy_enforcer=self.enforcer)
types = ['OS::Glance::Image']
self.enforcer.add_rules(
policy.policy.Rules.from_dict({
'resource:OS::Glance::Image': '!',
'resource:OS::Nova::Server': '!',
}))
expected_message = (
"There are no resource types accessible to you to serve "
"your request. You do not have access to the following "
"resource types: OS::Glance::Image")
self.assertRaisesRegex(webob.exc.HTTPForbidden, expected_message,
search_deserializer._filter_types_by_policy,
request.context, types)
types = ['OS::Glance::Image', 'OS::Nova::Server']
expected_message = (
"There are no resource types accessible to you to serve "
"your request. You do not have access to the following "
"resource types: OS::Glance::Image, OS::Nova::Server")
self.assertRaisesRegex(webob.exc.HTTPForbidden, expected_message,
search_deserializer._filter_types_by_policy,
request.context, types)
def test_search_resource_policy_checks(self, mock_request_body):
request = unit_test_utils.get_fake_request()
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(), policy_enforcer=self.enforcer)
with mock.patch.object(self.enforcer, 'check') as mock_enforce:
mock_request_body.return_value = {'type': 'OS::Nova::Server'}
search_deserializer.search(request)
mock_enforce.assert_called_with(request.context,
'resource:OS::Nova::Server',
request.context.policy_target)
def test_facets_resource_policy(self):
request = unit_test_utils.get_fake_request()
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
with mock.patch.object(self.enforcer, 'enforce') as mock_enforce:
search_deserializer.facets(request)
mock_enforce.assert_has_calls([
mock.call(request.context,
'resource:OS::Nova::Server:allow', {}),
mock.call(request.context,
'resource:OS::Nova::Server:facets', {})
])
def test_aggregation_policy(self, mock_request_body):
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
with mock.patch.object(self.enforcer, 'enforce') as mock_enforce:
mock_request_body.return_value = {
'query': {'match_all': {}},
'aggregations': {'terms': {'field': 'some_field'}}
}
search_deserializer.search(request)
mock_enforce.assert_called_with(request.context,
'search:query:aggregations',
request.context.policy_target)
def test_resource_policy_allows_admin(self):
request = unit_test_utils.get_fake_request(is_admin=True)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
types = ['OS::Glance::Image', 'OS::Nova::Server']
self.enforcer.add_rules(policy.policy.Rules.from_dict({
'resource:OS::Glance::Image': 'role:admin',
'resource:OS::Nova::Server': 'role:admin'
}))
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types)
self.assertEqual(types, filtered_types)
def test_search_service_policies(self):
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
types = ['OS::Glance::Image', 'OS::Nova::Server']
glance_enforce = mock.Mock()
nova_enforce = mock.Mock()
glance_enforce.enforce.return_value = False
nova_enforce.enforce.return_value = True
service_enforcers = {
'image': glance_enforce,
'compute': nova_enforce
}
expect_creds = {
'tenant_id': request.context.tenant,
'project_id': request.context.tenant,
'user_id': request.context.user,
'roles': ['member'],
'is_admin_project': True,
'is_admin': False,
'user_domain_id': None,
'project_domain_id': None,
'service_user_id': None,
'service_user_domain_id': None,
'service_project_id': None,
'service_project_domain_id': None,
'service_roles': [],
'system_scope': None
}
fake_target = {
'user_id': request.context.user,
'project_id': request.context.tenant,
'tenant_id': request.context.tenant
}
with mock.patch('searchlight.service_policies._get_enforcers',
return_value=service_enforcers):
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types)
self.assertEqual(['OS::Nova::Server'], filtered_types)
glance_enforce.enforce.assert_called_with(
'get_images', fake_target, expect_creds)
nova_enforce.enforce.assert_called_with(
'os_compute_api:servers:index', fake_target, expect_creds)
def test_search_resource_policy_checks(self, mock_request_body):
request = unit_test_utils.get_fake_request()
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
with mock.patch.object(self.enforcer, 'enforce') as mock_enforce:
mock_request_body.return_value = {'type': 'OS::Nova::Server'}
search_deserializer.search(request)
self.assertEqual(2, mock_enforce.call_count)
mock_enforce.assert_has_calls([
mock.call(request.context,
'resource:OS::Nova::Server:allow', {}),
mock.call(request.context,
'resource:OS::Nova::Server:query', {})
])
def test_facets_resource_policy(self):
request = unit_test_utils.get_fake_request()
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(), policy_enforcer=self.enforcer)
with mock.patch.object(self.enforcer, 'check') as mock_enforce:
search_deserializer.facets(request)
self.assertIn(
mock.call(request.context, 'resource:OS::Nova::Server',
request.context.policy_target),
mock_enforce.mock_calls)
self.assertIn(
mock.call(request.context, 'resource:OS::Glance::Image',
request.context.policy_target),
mock_enforce.mock_calls)
self.assertEqual(len(utils.get_search_plugins()),
len(mock_enforce.call_args_list))
def test_resource_policy_disallow(self):
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(), policy_enforcer=self.enforcer)
types = ['OS::Glance::Image', 'OS::Nova::Server']
# And try disabling access for everyone
self.enforcer.add_rules(
policy.policy.Rules.from_dict({'resource:OS::Glance::Image': '!'}))
self.assertEqual(['OS::Nova::Server'],
search_deserializer._filter_types_by_policy(
request.context, types))
# Same for admin
request = unit_test_utils.get_fake_request(is_admin=False)
self.assertEqual(['OS::Nova::Server'],
search_deserializer._filter_types_by_policy(
request.context, types))
def test_faulty_policy_precedence(self):
"""Unfortunately the ordering that might make most sense isn't
possible. Rules can only become more restrictive
"""
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
types = ['OS::Glance::Image', 'OS::Nova::Server']
self.enforcer.add_rules(policy.policy.Rules.from_dict({
'resource:OS::Glance::Image:allow': '!',
'resource:OS::Glance::Image:query': ''
}))
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types, "facets")
self.assertEqual(['OS::Nova::Server'], filtered_types)
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types, "query")
self.assertEqual(['OS::Nova::Server'], filtered_types)
def test_policy_precedence(self):
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
types = ['OS::Nova::Server', 'OS::Glance::Image']
self.enforcer.add_rules(policy.policy.Rules.from_dict({
'resource:OS::Nova::Server:allow': '',
'resource:OS::Nova::Server:query': '!'
}))
# Query should be disallowed by the specific policy
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types, "query")
self.assertEqual(['OS::Glance::Image'], filtered_types)
# Facet should be allowed since there is no specific exclusion
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types, "facets")
self.assertEqual(set(['OS::Nova::Server', 'OS::Glance::Image']),
set(filtered_types))
def test_resource_policy_disallow_non_admin(self):
request = unit_test_utils.get_fake_request(is_admin=False)
search_deserializer = search.RequestDeserializer(
utils.get_search_plugins(),
policy_enforcer=self.enforcer)
types = ['OS::Glance::Image', 'OS::Nova::Server',
'OS::Glance::Metadef']
self.enforcer.add_rules(policy.policy.Rules.from_dict({
'resource:OS::Glance::Image:allow': 'role:admin'
}))
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types, "query")
self.assertEqual(set(['OS::Nova::Server', 'OS::Glance::Metadef']),
set(filtered_types))
self.enforcer.add_rules(policy.policy.Rules.from_dict({
'resource:OS::Nova::Server:query': 'role:admin'
}))
filtered_types = search_deserializer._filter_types_by_policy(
request.context, types, "query")
self.assertEqual(['OS::Glance::Metadef'], filtered_types)
def setUp(self):
super(TestSearchDeserializer, self).setUp()
self.deserializer = search.RequestDeserializer(
utils.get_search_plugins())