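def test_keypair_show_pass_policy(self):
    """Keypair ``show`` is authorized when its policy rule is always-allow.

    An empty rule string parses to an always-true check, so the request
    passes the policy gate and the response carries a ``keypair`` entry.
    ``policy.set_rules`` replaces the process-global rule set; resetting it
    between tests is presumably handled by the test base class (not shown).
    """
    rules = policy.Rules(
        {'compute_extension:keypairs:show': policy.parse_rule('')})
    policy.set_rules(rules)
    req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
    res = self.KeyPairController.show(req, 'FAKE')
    # assertIn reports the actual container on failure; assertTrue only
    # reports "False is not true".
    self.assertIn('keypair', res)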
def test_keypair_delete_pass_policy(self):
    """v3 keypair ``delete`` is authorized under an always-allow rule.

    The empty rule string is the always-true check, so ``delete`` must
    return ``None`` instead of raising a policy error.
    """
    allow_all = policy.parse_rule('')
    policy.set_rules(policy.Rules(
        {'compute_extension:v3:keypairs:delete': allow_all}))
    request = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
    request.method = 'DELETE'
    result = self.KeyPairController.delete(request, 'FAKE')
    self.assertIsNone(result)
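def test_keypair_list_pass_policy(self):
    """Keypair ``index`` is authorized when its policy rule is always-allow.

    With ``compute_extension:keypairs:index`` set to the always-true check,
    the listing succeeds and the response carries a ``keypairs`` entry.
    """
    rules = policy.Rules(
        {'compute_extension:keypairs:index': policy.parse_rule('')})
    policy.set_rules(rules)
    req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
    res = self.KeyPairController.index(req)
    # assertIn gives a useful failure message (shows the response keys).
    self.assertIn('keypairs', res)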
def test_shelve_offload_restricted_by_role(self):
    """``shelveOffload`` is denied when its rule requires ``role:admin``.

    The fake request presumably carries a non-admin context, so the
    controller must raise ``NotAuthorized`` before touching the instance.
    This deny case is the one that guards against a missing policy check.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:shelveOffload': admin_only}))
    request = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
    instance_id = str(uuid.uuid4())
    self.assertRaises(exception.NotAuthorized,
                      self.controller._shelve_offload,
                      request, instance_id, {})
def test_unshelve_restricted_by_role(self):
    """``unshelve`` is denied with ``Forbidden`` when the rule requires ``role:admin``.

    The fake request presumably carries a non-admin context; the policy
    gate must reject it before the controller acts on the instance.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:unshelve': admin_only}))
    request = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
    instance_id = str(uuid.uuid4())
    self.assertRaises(exception.Forbidden,
                      self.controller._unshelve,
                      request, instance_id, {})
def test_keypair_show_fail_policy(self):
    """v3 keypair ``show`` raises ``NotAuthorized`` under an admin-only rule.

    Verifies the policy gate on a read endpoint: a non-admin request
    (presumably what the fake request carries) must not see the keypair.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:v3:keypairs:show': admin_only}))
    request = fakes.HTTPRequest.blank('/v3/keypairs/FAKE')
    self.assertRaises(exception.NotAuthorized,
                      self.KeyPairController.show, request, 'FAKE')
def test_keypair_list_fail_policy(self):
    """v2 keypair ``index`` raises ``Forbidden`` under an admin-only rule.

    The listing endpoint must be gated by
    ``compute_extension:keypairs:index``; with ``role:admin`` required the
    (presumably non-admin) fake request is rejected.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:keypairs:index': admin_only}))
    request = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
    self.assertRaises(exception.Forbidden,
                      self.KeyPairController.index, request)
def test_keypair_delete_pass_policy(self):
    """v2 keypair ``delete`` is authorized under an always-allow rule.

    The empty rule string is the always-true check; the controller must
    answer with HTTP 202 instead of raising a policy error.
    """
    policy.set_rules(policy.Rules(
        {'compute_extension:keypairs:delete': policy.parse_rule('')}))
    request = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
    request.method = 'DELETE'
    response = self.KeyPairController.delete(request, 'FAKE')
    # (expected, actual) ordering matches unittest's failure message.
    self.assertEqual(202, response.status_int)
def test_keypair_create_fail_policy(self):
    """v3 keypair ``create`` raises ``NotAuthorized`` under an admin-only rule.

    The policy check must run before the body is processed: an empty body
    is passed, and the expected failure is the policy error, not a
    validation one.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:v3:keypairs:create': admin_only}))
    request = fakes.HTTPRequest.blank('/v3/keypairs')
    request.method = 'POST'
    self.assertRaises(exception.NotAuthorized,
                      self.KeyPairController.create, request, {})
def test_keypair_delete_fail_policy(self):
    """v2 keypair ``delete`` raises ``Forbidden`` under an admin-only rule.

    A destructive endpoint must be gated by
    ``compute_extension:keypairs:delete``; the (presumably non-admin)
    fake request is rejected before any deletion happens.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:keypairs:delete': admin_only}))
    request = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
    request.method = 'DELETE'
    self.assertRaises(exception.Forbidden,
                      self.KeyPairController.delete, request, 'FAKE')
def test_skip_policy(self):
    """``skip_policy_check=True`` bypasses policy enforcement in the network API.

    With ``network:get_all`` set to the always-false check (``'!'``), the
    default API raises ``PolicyNotAuthorized``; the same call through an
    API built with ``skip_policy_check=True`` completes. That bypass is
    what makes the flag security-sensitive: it must only be reachable
    from trusted internal code paths, never from request handling.
    """
    policy.reset()
    deny_all = common_policy.parse_rule('!')
    policy.set_rules(common_policy.Rules({'network:get_all': deny_all}))
    enforcing_api = network.API()
    self.assertRaises(exception.PolicyNotAuthorized,
                      enforcing_api.get_all, self.context)
    # Not raising is the assertion for the bypassing API.
    bypassing_api = network.API(skip_policy_check=True)
    bypassing_api.get_all(self.context)
def test_keypair_list_fail_policy(self):
    """v3 keypair ``index`` raises ``NotAuthorized`` under an admin-only rule.

    The listing endpoint is gated by
    ``compute_extension:v3:keypairs:index``; the (presumably non-admin)
    fake request must be rejected.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:v3:keypairs:index': admin_only}))
    request = fakes.HTTPRequestV3.blank('/keypairs')
    self.assertRaises(exception.NotAuthorized,
                      self.KeyPairController.index, request)
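def test_keypair_create_pass_policy(self):
    """v2 keypair ``create`` is authorized when its policy rule is always-allow.

    With ``compute_extension:keypairs:create`` set to the always-true
    check, a well-formed body is accepted and the response carries a
    ``keypair`` entry.
    """
    body = {'keypair': {'name': 'create_test'}}
    rules = policy.Rules(
        {'compute_extension:keypairs:create': policy.parse_rule('')})
    policy.set_rules(rules)
    req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
    req.method = 'POST'
    res = self.KeyPairController.create(req, body)
    # assertIn gives a useful failure message (shows the response keys).
    self.assertIn('keypair', res)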
def test_unshelve_allowed(self):
    """Unshelve raises ``NotAuthorized`` even though both policy rules are always-allow.

    ``compute:get`` and the v3 unshelve rule are set to the always-true
    check, so the rejection presumably comes from the stubbed instance
    lookup (``fake_instance_get_by_uuid``, defined elsewhere in the file)
    rather than from the policy layer. NOTE(review): the test name says
    "allowed" but the assertion expects a rejection — confirm against the
    stub's behavior before relying on this test as an allow case.
    """
    allow_all = policy.parse_rule('')
    policy.set_rules(policy.Rules({
        'compute:get': allow_all,
        'compute_extension:v3:os-shelve:unshelve': allow_all,
    }))
    self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
    request = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
    self.assertRaises(exception.NotAuthorized,
                      self.controller._unshelve,
                      request, str(uuid.uuid4()), {})
def test_certificates_create_policy_failed(self):
    """Certificate ``create`` raises ``PolicyNotAuthorized`` under a deny-all rule.

    The rule is the always-false check (``"!"``). The test also checks
    that the exception message names the failing rule, which is what an
    operator sees in logs when diagnosing a policy denial.
    """
    rule_name = "compute_extension:v3:os-certificates:create"
    deny_all = common_policy.parse_rule("!")
    common_policy.set_rules(common_policy.Rules({rule_name: deny_all}))
    request = fakes.HTTPRequestV3.blank('/os-certificates/')
    exc = self.assertRaises(exception.PolicyNotAuthorized,
                            self.controller.create, request)
    self.assertIn(rule_name, exc.format_message())
def test_start_policy_failed(self):
    """``compute:start`` denial surfaces as ``PolicyNotAuthorized`` naming the rule.

    The rule requires ``project_id:non_fake``, which the fake request's
    context presumably does not match, so the start action is rejected.
    The instance lookup is stubbed with ``fake_instance_get`` (defined
    elsewhere in the file) so the policy check is reached without a DB.
    """
    common_policy.set_rules(common_policy.Rules({
        "compute:start": common_policy.parse_rule("project_id:non_fake"),
    }))
    self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
    request = fakes.HTTPRequest.blank('/v2/fake/servers/test_inst/action')
    action_body = {"start": ""}
    exc = self.assertRaises(exception.PolicyNotAuthorized,
                            self.controller._start_server,
                            request, 'test_inst', action_body)
    self.assertIn('compute:start', exc.format_message())
def test_shelve_offload_allowed(self):
    """Shelve-offload raises ``Forbidden`` even though both policy rules are always-allow.

    ``compute:get`` and ``compute_extension:shelveOffload`` are set to the
    always-true check, so the rejection presumably comes from the stubbed
    instance lookup (``fake_instance_get_by_uuid``, defined elsewhere in
    the file). NOTE(review): the name says "allowed" but the assertion
    expects a rejection — confirm against the stub's behavior.
    """
    allow_all = policy.parse_rule('')
    policy.set_rules(policy.Rules({
        'compute:get': allow_all,
        'compute_extension:shelveOffload': allow_all,
    }))
    self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
    request = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
    self.assertRaises(exception.Forbidden,
                      self.controller._shelve_offload,
                      request, str(uuid.uuid4()), {})
def test_keypair_create_fail_policy(self):
    """v3 keypair ``create`` raises ``Forbidden`` under an admin-only rule.

    A valid body is supplied so that the only reason to fail is the
    policy gate on ``compute_extension:v3:keypairs:create``.
    """
    admin_only = policy.parse_rule('role:admin')
    policy.set_rules(policy.Rules(
        {'compute_extension:v3:keypairs:create': admin_only}))
    request = fakes.HTTPRequestV3.blank('/keypairs')
    request.method = 'POST'
    valid_body = {'keypair': {'name': 'create_test'}}
    self.assertRaises(exception.Forbidden,
                      self.KeyPairController.create,
                      request, body=valid_body)
def test_list_actions_restricted_by_project(self):
    """Instance-action listing is denied for an instance owned by another project.

    The rule ``project_id:%(project_id)s`` compares the caller's project
    against the target instance. The stubbed lookup returns an instance
    whose project_id never equals the caller's, so ``index`` must raise
    ``NotAuthorized``. This is the cross-tenant isolation check for the
    v3 instance-actions extension.
    """
    policy.set_rules(policy.Rules({
        'compute:get': policy.parse_rule(''),
        'compute_extension:v3:os-instance-actions':
            policy.parse_rule('project_id:%(project_id)s'),
    }))

    def other_tenant_instance(context, instance_id, columns_to_join=None):
        # Suffix the caller's project_id so the target never matches it.
        foreign_project = '%s_unequal' % context.project_id
        return fake_instance.fake_db_instance(name='fake',
                                              project_id=foreign_project)

    self.stubs.Set(db, 'instance_get_by_uuid', other_tenant_instance)
    request = fakes.HTTPRequestV3.blank('/servers/12/os-instance-actions')
    self.assertRaises(exception.NotAuthorized,
                      self.controller.index, request, str(uuid.uuid4()))
def test_shelve_offload_allowed(self):
    """Shelve-offload raises ``NotAuthorized`` for an instance owned by another project.

    Both policy rules are the always-true check, so the policy layer
    itself allows the call; the stubbed lookup returns an instance whose
    project_id differs from the caller's, and that is presumably what the
    controller rejects. NOTE(review): the name says "allowed" but the
    assertion expects a rejection — confirm the intended contract.
    """
    allow_all = policy.parse_rule('')
    policy.set_rules(policy.Rules({
        'compute:get': allow_all,
        'compute_extension:shelveOffload': allow_all,
    }))

    def other_tenant_instance(context, instance_id, columns_to_join=None):
        # Suffix the caller's project_id so the target never matches it.
        foreign_project = '%s_unequal' % context.project_id
        return fake_instance.fake_db_instance(name='fake',
                                              project_id=foreign_project)

    self.stubs.Set(db, 'instance_get_by_uuid', other_tenant_instance)
    request = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
    self.assertRaises(exception.NotAuthorized,
                      self.controller._shelve_offload,
                      request, str(uuid.uuid4()), {})
def test_get_action_restricted_by_project(self):
    """Instance-action ``show`` raises ``Forbidden`` for another project's instance.

    The rule ``project_id:%(project_id)s`` is evaluated against the target
    instance; the stubbed lookup returns one whose project_id never
    matches the caller's. The stub keeps the ``use_slave`` keyword so it
    can stand in for the real DB call.
    """
    policy.set_rules(policy.Rules({
        'compute:get': policy.parse_rule(''),
        'compute_extension:instance_actions':
            policy.parse_rule('project_id:%(project_id)s'),
    }))

    def other_tenant_instance(context, instance_id, columns_to_join=None,
                              use_slave=False):
        # Suffix the caller's project_id so the target never matches it.
        foreign_project = '%s_unequal' % context.project_id
        return fake_instance.fake_db_instance(name='fake',
                                              project_id=foreign_project)

    self.stubs.Set(db, 'instance_get_by_uuid', other_tenant_instance)
    request = fakes.HTTPRequest.blank(
        '/v2/123/servers/12/os-instance-actions/1')
    self.assertRaises(exception.Forbidden,
                      self.controller.show, request, str(uuid.uuid4()), '1')
def test_get_action_restricted_by_project(self):
    """Instance-action ``show`` raises ``NotAuthorized`` for another project's instance.

    The rule ``project_id:%(project_id)s`` is evaluated against the target
    instance; the stubbed lookup returns a plain dict whose project_id
    never matches the caller's, so the cross-tenant read is rejected.
    """
    policy.set_rules(policy.Rules({
        'compute:get': policy.parse_rule(''),
        'compute_extension:instance_actions':
            policy.parse_rule('project_id:%(project_id)s'),
    }))

    def other_tenant_instance(context, instance_id):
        # Suffix the caller's project_id so the target never matches it.
        foreign_project = '%s_unequal' % context.project_id
        return {'name': 'fake', 'project_id': foreign_project}

    self.stubs.Set(db, 'instance_get_by_uuid', other_tenant_instance)
    request = fakes.HTTPRequest.blank(
        '/v2/123/servers/12/os-instance-actions/1')
    self.assertRaises(exception.NotAuthorized,
                      self.controller.show, request, str(uuid.uuid4()), '1')
def test_get_action_with_events_not_allowed(self):
    """Non-admin ``show`` returns the action but not its events.

    ``compute_extension:instance_actions:events`` requires ``is_admin:True``
    while the other two rules are always-true. The expected result is the
    action alone; ``format_action`` (defined elsewhere in the file) is
    used to compare both sides on the same fields. ``self.fake_actions``,
    ``self.fake_events``, ``FAKE_UUID`` and ``FAKE_REQUEST_ID`` come from
    the enclosing test class / module.
    """
    def lookup_action(context, uuid, request_id):
        return self.fake_actions[uuid][request_id]

    def lookup_events(context, action_id):
        return self.fake_events[action_id]

    policy.set_rules(policy.Rules({
        'compute:get': policy.parse_rule(''),
        'compute_extension:instance_actions': policy.parse_rule(''),
        'compute_extension:instance_actions:events':
            policy.parse_rule('is_admin:True'),
    }))
    self.stubs.Set(db, 'action_get_by_request_id', lookup_action)
    self.stubs.Set(db, 'action_events_get', lookup_events)

    request = fakes.HTTPRequest.blank(
        '/v2/123/servers/12/os-instance-actions/1')
    res_dict = self.controller.show(request, FAKE_UUID, FAKE_REQUEST_ID)
    expected = self.fake_actions[FAKE_UUID][FAKE_REQUEST_ID]
    self.assertEqual(format_action(expected),
                     format_action(res_dict['instanceAction']))
def test_verify_show_cant_view_other_tenant(self):
    """Tenant usage ``show`` answers 403 when the caller asks about another tenant.

    The rule allows ``role:admin`` or a matching ``project_id``; the
    request is issued with ``self.alt_user_context`` for ``faketenant_0``
    data, which must be refused through the full WSGI stack. Policy is
    reset in ``finally`` so the custom rule cannot leak into later tests.
    ``START``/``STOP`` are module-level timestamps.
    """
    usage_path = ('/v2/faketenant_1/os-simple-tenant-usage/'
                  'faketenant_0?start=%s&end=%s')
    request = webob.Request.blank(
        usage_path % (START.isoformat(), STOP.isoformat()))
    request.method = "GET"
    request.headers["content-type"] = "application/json"

    show_rule = common_policy.parse_rule(
        [["role:admin"], ["project_id:%(project_id)s"]])
    common_policy.set_rules(common_policy.Rules(
        {"compute_extension:simple_tenant_usage:show": show_rule}))
    try:
        app = fakes.wsgi_app(fake_auth_context=self.alt_user_context,
                             init_only=('os-simple-tenant-usage', ))
        response = request.get_response(app)
        self.assertEqual(response.status_int, 403)
    finally:
        policy.reset()
def setUp(self):
    """Install a fixed, in-memory rule set and a non-admin test context.

    The rules cover the check types the policy tests exercise: the
    always-true (``@``) and always-false (``!``) checks, a remote HTTP
    check, role/project combinations, short-circuiting ``and``/``or``,
    and case variants of role names. They are installed directly into
    the underlying engine so nothing is read from a policy file.
    """
    super(PolicyTestCase, self).setUp()
    policy.reset()
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()
    rule_strings = {
        "true": '@',
        "example:allowed": '@',
        "example:denied": "!",
        "example:get_http": "http://www.example.com",
        "example:my_file": "role:compute_admin or "
                           "project_id:%(project_id)s",
        "example:early_and_fail": "! and @",
        "example:early_or_success": "@ or !",
        "example:lowercase_admin": "role:admin or role:sysadmin",
        "example:uppercase_admin": "role:ADMIN or role:sysadmin",
    }
    parsed = {}
    for rule_name, rule_text in rule_strings.items():
        parsed[rule_name] = common_policy.parse_rule(rule_text)
    # NOTE(vish): then overload underlying brain
    common_policy.set_rules(common_policy.Rules(parsed))
    # Plain member role: the tests rely on this context NOT being admin.
    self.context = context.RequestContext('fake', 'fake', roles=['member'])
    self.target = {}
def set_rules(self, rules):
    """Replace the global policy rules with *rules*.

    :param rules: mapping of rule name to rule text; each value is run
        through ``common_policy.parse_rule`` before installation. Any
        rule not listed is dropped from the global set.
    """
    parsed = {}
    for rule_name, rule_text in rules.items():
        parsed[rule_name] = common_policy.parse_rule(rule_text)
    common_policy.set_rules(common_policy.Rules(parsed))
def _set_rules(self, default_rule):
    """Install ``self.rules`` as the global policy rules with a fallback rule.

    :param default_rule: rule name applied when a checked rule is not
        present in ``self.rules``; passed straight to ``common_policy.Rules``.
        This fallback decides the allow/deny outcome for any unlisted
        action, so tests should pick it deliberately.
    """
    parsed = {}
    for rule_name, rule_text in self.rules.items():
        parsed[rule_name] = common_policy.parse_rule(rule_text)
    common_policy.set_rules(common_policy.Rules(parsed, default_rule))