def test_verify_show_cant_view_other_tenant(self):
    """Check that one tenant cannot read another tenant's usage report.

    The request URL is scoped to ``faketenant_1`` but asks for the usage of
    ``faketenant_0``. The ``show`` rule installed here accepts either the
    admin role or a matching ``project_id``, and the test expects the
    request to be refused with HTTP 403.
    """
    # NOTE(review): self.alt_user_context is defined outside this block. The
    # 403 only demonstrates tenant isolation if that context is a non-admin
    # user whose project is not faketenant_0 -- confirm against setUp.
    usage_path = ("/v2/faketenant_1/os-simple-tenant-usage/"
                  "faketenant_0?start=%s&end=%s")
    req = webob.Request.blank(
        usage_path % (START.isoformat(), STOP.isoformat()))
    req.method = "GET"
    req.headers["content-type"] = "application/json"

    show_action = "compute_extension:simple_tenant_usage:show"
    show_policy = {
        show_action: [["role:admin"], ["project_id:%(project_id)s"]],
    }
    common_policy.set_brain(common_policy.HttpBrain(show_policy))
    try:
        app = fakes.wsgi_app(fake_auth_context=self.alt_user_context)
        response = req.get_response(app)
        self.assertEqual(response.status_int, 403)
    finally:
        # Always drop the custom rules so they cannot leak into other tests.
        policy.reset()
def test_verify_show_cant_view_other_tenant(self):
    """Verify that cross-tenant usage lookups are rejected with 403.

    A GET for ``faketenant_0``'s usage is sent through a URL scoped to
    ``faketenant_1`` while the ``show`` rule is limited to the admin role or
    the owning project.
    """
    # NOTE(review): the outcome depends on self.alt_user_context, which is
    # not visible here; it is presumably a non-admin context for a project
    # other than faketenant_0 -- verify where it is built.
    window = (START.isoformat(), STOP.isoformat())
    req = webob.Request.blank(
        '/v2/faketenant_1/os-simple-tenant-usage/'
        'faketenant_0?start=%s&end=%s' % window)
    req.method = "GET"
    req.headers["content-type"] = "application/json"

    # Outer list entries are alternatives: admin role, or project ownership.
    owner_or_admin = [["role:admin"], ["project_id:%(project_id)s"]]
    brain = common_policy.HttpBrain(
        {"compute_extension:simple_tenant_usage:show": owner_or_admin})
    common_policy.set_brain(brain)
    try:
        res = req.get_response(
            fakes.wsgi_app(fake_auth_context=self.alt_user_context))
        self.assertEqual(res.status_int, 403)
    finally:
        # Restore the default policy state whatever the assertion outcome.
        policy.reset()
def setUp(self):
    """Install a fixed in-memory rule set and a plain 'member' context.

    Each rule maps an action name to a list of alternatives; as the
    ``early_and_fail`` / ``early_or_success`` names indicate, checks inside
    one inner list must all pass, while any one inner list is sufficient.
    """
    super(PolicyTestCase, self).setUp()
    policy.reset()
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()

    example_rules = {
        "true": [],
        "example:allowed": [],
        "example:denied": [["false:false"]],
        # NOTE(review): an "http:" check hands the decision to a remote
        # URL; tests using this rule presumably stub the HTTP call --
        # confirm that no real request leaves the test run.
        "example:get_http": [["http:http://www.example.com"]],
        "example:my_file": [["role:compute_admin"],
                            ["project_id:%(project_id)s"]],
        "example:early_and_fail": [["false:false", "rule:true"]],
        "example:early_or_success": [["rule:true"], ["false:false"]],
        # The two admin rules differ only in the case of the role name.
        "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
        "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
    }
    # NOTE(vish): then overload underlying brain
    brain = common_policy.HttpBrain(example_rules)
    common_policy.set_brain(brain)

    # Default subject: user 'fake' in project 'fake' holding only 'member'.
    self.context = context.RequestContext('fake', 'fake', roles=['member'])
    self.target = {}
def _set_brain(self, default_rule):
    """Activate an HttpBrain built from ``self.rules`` and *default_rule*.

    NOTE(review): the default rule is presumably what gets evaluated for
    actions that have no entry in ``self.rules``; a permissive default
    would make unknown actions fail open -- confirm in common_policy.
    """
    common_policy.set_brain(
        common_policy.HttpBrain(self.rules, default_rule))
def _set_brain(data):
    """Parse the JSON policy text *data* and install it as the active brain.

    The fallback rule name is read from the ``policy_default_rule`` flag and
    passed to the loader together with the rules.
    """
    # NOTE(review): the flag presumably names the rule applied to actions
    # with no explicit entry, so its value decides whether unknown actions
    # are denied or allowed -- confirm the deployed default is restrictive.
    brain = policy.Brain.load_json(data, FLAGS.policy_default_rule)
    policy.set_brain(brain)