def test_default_rule(self):
    """An action with no rule of its own is refused under a FalseCheck default.

    Guards the deny-by-default behaviour: the action name used here is not
    expected to match any entry in the stubbed policy file, so the outcome
    should come from the enforcer's ``default_rule``.
    """
    self.stub_policyfile('deny_stack_user.json')

    # The role is deliberately one the policy file is not named after, so a
    # role-based rule cannot be what produces the denial.
    context = utils.dummy_context(roles=['not_a_stack_user'])

    # exc=None: the test inspects enforce()'s return value rather than
    # catching an exception (presumably None disables raising -- confirm
    # against policy.Enforcer).
    enforcer = policy.Enforcer(
        scope='cloudformation',
        exc=None,
        default_rule=base_policy.FalseCheck(),
    )

    unknown_action = 'no_such_action'
    self.assertFalse(enforcer.enforce(context, unknown_action))
def test_default_rule(self):
    """An action with no rule of its own is refused under a FalseCheck default.

    The policy file location is supplied by stubbing
    ``base_policy.Enforcer._get_policy_path``; the action name used here is
    not expected to match any entry in that file, so the outcome should come
    from the enforcer's ``default_rule``.
    """
    policy_file = policy_path + 'deny_stack_user.json'
    self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
    base_policy.Enforcer._get_policy_path().MultipleTimes().AndReturn(
        policy_file)
    self.m.ReplayAll()

    context = utils.dummy_context(roles=['not_a_stack_user'])

    # exc=None: the test inspects enforce()'s return value rather than
    # catching an exception (presumably None disables raising -- confirm
    # against policy.Enforcer).
    enforcer = policy.Enforcer(
        scope='cloudformation',
        exc=None,
        default_rule=base_policy.FalseCheck(),
    )

    unknown_action = 'no_such_action'
    outcome = enforcer.enforce(context, unknown_action, {})
    # Compared with assertEqual, so the result must equal False itself;
    # a None return would fail this check.
    self.assertEqual(outcome, False)
    self.m.VerifyAll()
# Based on glance/api/policy.py """Policy Engine For Heat""" from oslo.config import cfg from heat.common import exception import heat.openstack.common.log as logging from heat.openstack.common import policy logger = logging.getLogger(__name__) CONF = cfg.CONF DEFAULT_RULES = { 'default': policy.FalseCheck(), } class Enforcer(object): """Responsible for loading and enforcing rules.""" def __init__(self, scope='heat', exc=exception.Forbidden, default_rule=DEFAULT_RULES['default']): self.scope = scope self.exc = exc self.default_rule = default_rule self.enforcer = policy.Enforcer(default_rule=default_rule) def set_rules(self, rules, overwrite=True):