def setUp(self): super(NetworkPolicyTestCase, self).setUp() policy.reset() policy.init() self.context = context.get_admin_context()
def test_modified_policy_reloads(self): with utils.tempdir() as tmpdir: tmpfilename = os.path.join(tmpdir, 'policy') self.flags(policy_file=tmpfilename, group='oslo_policy') # NOTE(uni): context construction invokes policy check to determine # is_admin or not. As a side-effect, policy reset is needed here # to flush existing policy cache. policy.reset() # NOTE(gmann): We do not need to log policy warnings for unit # tests. policy.init(suppress_deprecation_warnings=True) rule = oslo_policy.RuleDefault('example:test', "") policy._ENFORCER.register_defaults([rule]) action = "example:test" with open(tmpfilename, "w") as policyfile: policyfile.write('{"example:test": ""}') policy.authorize(self.context, action, self.target) with open(tmpfilename, "w") as policyfile: policyfile.write('{"example:test": "!"}') policy._ENFORCER.load_rules(True) self.assertRaises(exception.PolicyNotAuthorized, policy.authorize, self.context, action, self.target)
def setUp(self): super(PolicyTestCase, self).setUp() rules = [ oslo_policy.RuleDefault("true", '@'), oslo_policy.RuleDefault("example:allowed", '@'), oslo_policy.RuleDefault("example:denied", "!"), oslo_policy.RuleDefault("old_action_not_default", "@"), oslo_policy.RuleDefault("new_action", "@"), oslo_policy.RuleDefault("old_action_default", "rule:admin_api"), oslo_policy.RuleDefault("example:get_http", "http://www.example.com"), oslo_policy.RuleDefault( "example:my_file", "role:compute_admin or " "project_id:%(project_id)s"), oslo_policy.RuleDefault("example:early_and_fail", "! and @"), oslo_policy.RuleDefault("example:early_or_success", "@ or !"), oslo_policy.RuleDefault("example:lowercase_admin", "role:admin or role:sysadmin"), oslo_policy.RuleDefault("example:uppercase_admin", "role:ADMIN or role:sysadmin"), ] policy.reset() policy.init() # before a policy rule can be used, its default has to be registered. policy._ENFORCER.register_defaults(rules) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() rules = [ oslo_policy.RuleDefault("true", '@'), oslo_policy.RuleDefault("example:allowed", '@'), oslo_policy.RuleDefault("example:denied", "!"), oslo_policy.RuleDefault("old_action_not_default", "@"), oslo_policy.RuleDefault("new_action", "@"), oslo_policy.RuleDefault("old_action_default", "rule:admin_api"), oslo_policy.RuleDefault("example:get_http", "http://www.example.com"), oslo_policy.RuleDefault("example:my_file", "role:compute_admin or " "project_id:%(project_id)s"), oslo_policy.RuleDefault("example:early_and_fail", "! and @"), oslo_policy.RuleDefault("example:early_or_success", "@ or !"), oslo_policy.RuleDefault("example:lowercase_admin", "role:admin or role:sysadmin"), oslo_policy.RuleDefault("example:uppercase_admin", "role:ADMIN or role:sysadmin"), ] policy.reset() policy.init() # before a policy rule can be used, its default has to be registered. policy._ENFORCER.register_defaults(rules) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(DefaultPolicyTestCase, self).setUp() policy.reset() policy.init() self.rules = {"default": [], "example:exist": [["false:false"]]} self._set_brain('default') self.context = context.RequestContext('fake', 'fake')
def setUp(self): super(DefaultPolicyTestCase, self).setUp() policy.reset() policy.init() self.rules = { "default": '', "example:exist": "!", } self._set_rules('default') self.context = context.RequestContext('fake', 'fake')
def setUp(self): super(DefaultPolicyTestCase, self).setUp() policy.reset() policy.init() self.rules = { "default": [], "example:exist": [["false:false"]] } self._set_brain('default') self.context = context.RequestContext('fake', 'fake')
def setUp(self): super(PolicyTestCase, self).setUp() rules = { "true": "@", "example:allowed": "@", "example:denied": "!", "example:get_http": "http://www.example.com", "example:my_file": "role:compute_admin or " "project_id:%(project_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } policy.reset() policy.init() policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.context = context.RequestContext("fake", "fake", roles=["member"]) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() rules = { "true": '@', "example:allowed": '@', "example:denied": "!", "example:get_http": "http://www.example.com", "example:my_file": "role:compute_admin or " "project_id:%(project_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } policy.reset() policy.init() policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() rules = { "true": '@', "example:allowed": '@', "example:denied": "!", "example:get_http": "http://www.example.com", "example:my_file": "role:compute_admin or " "project_id:%(project_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } policy.reset() policy.init() policy.set_rules(dict((k, common_policy.parse_rule(v)) for k, v in rules.items())) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() policy.reset() # NOTE(vish): preload rules to circumvent reloading from file policy.init() rules = { "true": [], "example:allowed": [], "example:denied": [["false:false"]], "example:get_http": [["http:http://www.example.com"]], "example:my_file": [["role:compute_admin"], ["project_id:%(project_id)s"]], "example:early_and_fail": [["false:false", "rule:true"]], "example:early_or_success": [["rule:true"], ["false:false"]], "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]], "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]], } # NOTE(vish): then overload underlying brain common_policy.set_brain(common_policy.HttpBrain(rules)) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def test_modified_policy_reloads(self): with utils.tempdir() as tmpdir: tmpfilename = os.path.join(tmpdir, 'policy') self.flags(policy_file=tmpfilename, group='oslo_policy') # NOTE(uni): context construction invokes policy check to determine # is_admin or not. As a side-effect, policy reset is needed here # to flush existing policy cache. policy.reset() policy.init() rule = oslo_policy.RuleDefault('example:test', "") policy._ENFORCER.register_defaults([rule]) action = "example:test" with open(tmpfilename, "w") as policyfile: policyfile.write('{"example:test": ""}') policy.authorize(self.context, action, self.target) with open(tmpfilename, "w") as policyfile: policyfile.write('{"example:test": "!"}') policy._ENFORCER.load_rules(True) self.assertRaises(exception.PolicyNotAuthorized, policy.authorize, self.context, action, self.target)
def setUp(self): super(PolicyTestCase, self).setUp() policy.reset() # NOTE(vish): preload rules to circumvent reloading from file policy.init() rules = { "true": '@', "example:allowed": '@', "example:denied": "!", "example:get_http": "http://www.example.com", "example:my_file": "role:compute_admin or " "project_id:%(project_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } # NOTE(vish): then overload underlying brain common_policy.set_rules( common_policy.Rules( dict((k, common_policy.parse_rule(v)) for k, v in rules.items()))) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(IsAdminCheckTestCase, self).setUp() policy.init()
def setUp(self): super(IsAdminCheckTestCase, self).setUp() # NOTE(gmann): We do not need to log policy warnings for unit # tests. policy.init(suppress_deprecation_warnings=True)
def _set_rules(self, default_rule): policy.reset() rules = oslo_policy.Rules.from_dict(self.rules) policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _check_policy(self): """Checks to see if policy file is overwritten with the new defaults. """ msg = _("Your policy file contains rules which examine token scope, " "which may be due to generation with the new defaults. " "If that is done intentionally to migrate to the new rule " "format, then you are required to enable the flag " "'oslo_policy.enforce_scope=True' and educate end users on " "how to request scoped tokens from Keystone. Another easy " "and recommended way for you to achieve the same is via two " "flags, 'oslo_policy.enforce_scope=True' and " "'oslo_policy.enforce_new_defaults=True' and avoid " "overwriting the file. Please refer to this document to " "know the complete migration steps: " "https://docs.openstack.org/nova/latest/configuration" "/policy-concepts.html. If you did not intend to migrate " "to new defaults in this upgrade, then with your current " "policy file the scope checking rule will fail. A possible " "reason for such a policy file is that you generated it with " "'oslopolicy-sample-generator' in json format. " "Three ways to fix this until you are ready to migrate to " "scoped policies: 1. Generate the policy file with " "'oslopolicy-sample-generator' in yaml format, keep " "the generated content commented out, and update " "the generated policy.yaml location in " "``oslo_policy.policy_file``. " "2. Use a pre-existing sample config file from the Train " "release. 3. Use an empty or non-existent file to take all " "the defaults.") rule = "system_admin_api" rule_new_default = "role:admin and system_scope:all" status = upgradecheck.Result(upgradecheck.Code.SUCCESS) # NOTE(gmann): Initialise the policy if it not initialized. # We need policy enforcer with all the rules loaded to check # their value with defaults. try: if policy._ENFORCER is None: policy.init(suppress_deprecation_warnings=True) # For safer side, recheck that the enforcer is available before # upgrade checks. If something is wrong on oslo side and enforcer # is still not available the return warning to avoid any false # result. if policy._ENFORCER is not None: current_rule = str(policy._ENFORCER.rules[rule]).strip("()") if (current_rule == rule_new_default and not CONF.oslo_policy.enforce_scope): status = upgradecheck.Result(upgradecheck.Code.WARNING, msg) else: status = upgradecheck.Result( upgradecheck.Code.WARNING, _('Policy is not initialized to check the policy rules')) except Exception as ex: status = upgradecheck.Result( upgradecheck.Code.WARNING, _('Unable to perform policy checks due to error: %s') % str(ex)) # reset the policy state so that it can be initialized from fresh if # operator changes policy file after running this upgrade checks. policy.reset() return status
def _set_rules(self, default_rule): policy.reset() rules = dict((k, common_policy.parse_rule(v)) for k, v in self.rules.items()) policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _set_rules(self, default_rule): policy.reset() rules = {k: common_policy.parse_rule(v) for k, v in self.rules.items()} policy.init(rules=rules, default_rule=default_rule, use_conf=False)