def setUp(self):
super(NetworkPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.context = context.get_admin_context()
def setUp(self):
super(NetworkPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.context = context.get_admin_context()
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename, group='oslo_policy')
# NOTE(uni): context construction invokes policy check to determine
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
# NOTE(gmann): We do not need to log policy warnings for unit
# tests.
policy.init(suppress_deprecation_warnings=True)
rule = oslo_policy.RuleDefault('example:test', "")
policy._ENFORCER.register_defaults([rule])
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.authorize(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.context, action, self.target)
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = [
oslo_policy.RuleDefault("true", '@'),
oslo_policy.RuleDefault("example:allowed", '@'),
oslo_policy.RuleDefault("example:denied", "!"),
oslo_policy.RuleDefault("old_action_not_default", "@"),
oslo_policy.RuleDefault("new_action", "@"),
oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
oslo_policy.RuleDefault("example:get_http",
"http://www.example.com"),
oslo_policy.RuleDefault(
"example:my_file", "role:compute_admin or "
"project_id:%(project_id)s"),
oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
oslo_policy.RuleDefault("example:lowercase_admin",
"role:admin or role:sysadmin"),
oslo_policy.RuleDefault("example:uppercase_admin",
"role:ADMIN or role:sysadmin"),
]
policy.reset()
policy.init()
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = [
oslo_policy.RuleDefault("true", '@'),
oslo_policy.RuleDefault("example:allowed", '@'),
oslo_policy.RuleDefault("example:denied", "!"),
oslo_policy.RuleDefault("old_action_not_default", "@"),
oslo_policy.RuleDefault("new_action", "@"),
oslo_policy.RuleDefault("old_action_default", "rule:admin_api"),
oslo_policy.RuleDefault("example:get_http",
"http://www.example.com"),
oslo_policy.RuleDefault("example:my_file",
"role:compute_admin or "
"project_id:%(project_id)s"),
oslo_policy.RuleDefault("example:early_and_fail", "! and @"),
oslo_policy.RuleDefault("example:early_or_success", "@ or !"),
oslo_policy.RuleDefault("example:lowercase_admin",
"role:admin or role:sysadmin"),
oslo_policy.RuleDefault("example:uppercase_admin",
"role:ADMIN or role:sysadmin"),
]
policy.reset()
policy.init()
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {"default": [], "example:exist": [["false:false"]]}
self._set_brain('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": '',
"example:exist": "!",
}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": '',
"example:exist": "!",
}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": [],
"example:exist": [["false:false"]]
}
self._set_brain('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": "@",
"example:allowed": "@",
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or " "project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.context = context.RequestContext("fake", "fake", roles=["member"])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(dict((k, common_policy.parse_rule(v))
for k, v in rules.items()))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
# NOTE(vish): then overload underlying brain
common_policy.set_brain(common_policy.HttpBrain(rules))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
# NOTE(vish): then overload underlying brain
common_policy.set_brain(common_policy.HttpBrain(rules))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename, group='oslo_policy')
# NOTE(uni): context construction invokes policy check to determine
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
policy.init()
rule = oslo_policy.RuleDefault('example:test', "")
policy._ENFORCER.register_defaults([rule])
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.authorize(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.authorize,
self.context, action, self.target)
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying brain
common_policy.set_rules(
common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(IsAdminCheckTestCase, self).setUp()
policy.init()
def setUp(self):
super(IsAdminCheckTestCase, self).setUp()
# NOTE(gmann): We do not need to log policy warnings for unit
# tests.
policy.init(suppress_deprecation_warnings=True)
def _set_rules(self, default_rule):
policy.reset()
rules = oslo_policy.Rules.from_dict(self.rules)
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _set_rules(self, default_rule):
policy.reset()
rules = oslo_policy.Rules.from_dict(self.rules)
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def _check_policy(self):
"""Checks to see if policy file is overwritten with the new
defaults.
"""
msg = _("Your policy file contains rules which examine token scope, "
"which may be due to generation with the new defaults. "
"If that is done intentionally to migrate to the new rule "
"format, then you are required to enable the flag "
"'oslo_policy.enforce_scope=True' and educate end users on "
"how to request scoped tokens from Keystone. Another easy "
"and recommended way for you to achieve the same is via two "
"flags, 'oslo_policy.enforce_scope=True' and "
"'oslo_policy.enforce_new_defaults=True' and avoid "
"overwriting the file. Please refer to this document to "
"know the complete migration steps: "
"https://docs.openstack.org/nova/latest/configuration"
"/policy-concepts.html. If you did not intend to migrate "
"to new defaults in this upgrade, then with your current "
"policy file the scope checking rule will fail. A possible "
"reason for such a policy file is that you generated it with "
"'oslopolicy-sample-generator' in json format. "
"Three ways to fix this until you are ready to migrate to "
"scoped policies: 1. Generate the policy file with "
"'oslopolicy-sample-generator' in yaml format, keep "
"the generated content commented out, and update "
"the generated policy.yaml location in "
"``oslo_policy.policy_file``. "
"2. Use a pre-existing sample config file from the Train "
"release. 3. Use an empty or non-existent file to take all "
"the defaults.")
rule = "system_admin_api"
rule_new_default = "role:admin and system_scope:all"
status = upgradecheck.Result(upgradecheck.Code.SUCCESS)
# NOTE(gmann): Initialise the policy if it not initialized.
# We need policy enforcer with all the rules loaded to check
# their value with defaults.
try:
if policy._ENFORCER is None:
policy.init(suppress_deprecation_warnings=True)
# For safer side, recheck that the enforcer is available before
# upgrade checks. If something is wrong on oslo side and enforcer
# is still not available the return warning to avoid any false
# result.
if policy._ENFORCER is not None:
current_rule = str(policy._ENFORCER.rules[rule]).strip("()")
if (current_rule == rule_new_default and
not CONF.oslo_policy.enforce_scope):
status = upgradecheck.Result(upgradecheck.Code.WARNING,
msg)
else:
status = upgradecheck.Result(
upgradecheck.Code.WARNING,
_('Policy is not initialized to check the policy rules'))
except Exception as ex:
status = upgradecheck.Result(
upgradecheck.Code.WARNING,
_('Unable to perform policy checks due to error: %s') %
str(ex))
# reset the policy state so that it can be initialized from fresh if
# operator changes policy file after running this upgrade checks.
policy.reset()
return status
def _set_rules(self, default_rule):
policy.reset()
rules = dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items())
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def setUp(self):
super(IsAdminCheckTestCase, self).setUp()
policy.init()
def _set_rules(self, default_rule):
policy.reset()
rules = {k: common_policy.parse_rule(v) for k, v in self.rules.items()}
policy.init(rules=rules, default_rule=default_rule, use_conf=False)