def test_enforcer_default_rule_name(self):
    """Check which source supplies the enforcer's default rule name.

    An explicit ``default_rule`` argument is kept both before and after
    the ``policy_default_rule`` option is overridden; the option's value
    is used only when no argument is passed.
    """
    explicit_name = 'foo_rule'
    configured_name = 'bar_rule'

    # Argument given, option untouched.
    before_override = policy.Enforcer(default_rule=explicit_name)
    self.assertEqual(explicit_name, before_override.rules.default_rule)

    self.CONF.set_override('policy_default_rule', configured_name)

    # Argument given, option overridden: the argument still wins.
    after_override = policy.Enforcer(default_rule=explicit_name)
    self.assertEqual(explicit_name, after_override.rules.default_rule)

    # No argument: the overridden option decides.
    conf_only = policy.Enforcer()
    self.assertEqual(configured_name, conf_only.rules.default_rule)
def test_enforcer_keep_use_conf_flag_after_reload(self):
    """Check ``use_conf`` stays set and an edited policy file is reloaded.

    The rule ``_dynamic_test_rule`` is refused before it is written to
    the policy file and granted to a matching role afterwards, using the
    same enforcer instance throughout.
    """
    dynamic_rule = "_dynamic_test_rule"

    # No rules are handed in, so this enforcer is backed by the policy
    # configuration files.
    enforcer = policy.Enforcer()

    def _write_policy_file(text):
        with open(enforcer.policy_path, 'w') as handle:
            handle.write(text)

    self.assertTrue(enforcer.use_conf)
    self.assertTrue(enforcer.enforce("default", {}, {"roles": ["fakeB"]}))
    self.assertFalse(enforcer.enforce("test", {}, {"roles": ["test"]}))

    # Enforcing must not clear the flag.
    self.assertTrue(enforcer.use_conf)

    # Before the rule is added to the file, the request is refused.
    self.assertFalse(enforcer.enforce(dynamic_rule, {},
                                      {"roles": ["test"]}))

    # A changed policy file is picked up on the next enforce() call; the
    # original comment states this only happens while use_conf is True.
    current_rules = jsonutils.loads(str(enforcer.rules))
    with open(enforcer.policy_path, 'r') as handle:
        original_text = handle.read()

    # The policy file is rewritten in place, so the restore is registered
    # before the file is modified.
    self.addCleanup(_write_policy_file, original_text)

    current_rules['_dynamic_test_rule'] = 'role:test'
    _write_policy_file(jsonutils.dumps(current_rules))

    self.assertTrue(enforcer.enforce(dynamic_rule, {},
                                     {"roles": ["test"]}))
def test_enforcer_with_default_rule(self):
    """Check an enforcer built with a ``TrueCheck`` default allows the action.

    Rules are loaded from an inline JSON document and installed with
    ``set_rules``; the request carries an empty ``roles`` value.
    """
    # NOTE(review): "******" does not look like a policy expression --
    # confirm this fixture value is what the test intends.
    rules_json = """{ "deny_stack_user": "******", "cloudwatch:PutMetricData": "" }"""
    action = "cloudwatch:PutMetricData"
    creds = {'roles': ''}

    enforcer = policy.Enforcer(default_rule=policy.TrueCheck())
    enforcer.set_rules(policy.Rules.load_json(rules_json))

    # NOTE(review): the action has its own (empty) rule in the loaded
    # set, so this result may not depend on the TrueCheck default at all;
    # confirm which rule decides. An action absent from the rules would
    # exercise the default directly.
    allowed = enforcer.enforce(action, {}, creds)
    self.assertEqual(allowed, True)
def test_get_policy_path_raises_exc(self):
    """Check ``_get_policy_path`` raises when the policy file is not found.

    The enforcer is pointed at ``raise_error.json`` and the lookup is
    expected to raise ``cfg.ConfigFilesNotFoundError``.
    """
    missing_file = 'raise_error.json'
    expected_error = cfg.ConfigFilesNotFoundError

    enforcer = policy.Enforcer(policy_file=missing_file)
    lookup = enforcer._get_policy_path

    self.assertRaises(expected_error, lookup)
import urllib2

import mock
from oslo.config import cfg
import six

from openstack.common.fixture import config
from openstack.common import jsonutils
from openstack.common import policy
from openstack.common import test

# Path of the 'var' directory one level above this file's directory.
# NOTE(review): `os` is used here but its import is not visible in this
# excerpt -- presumably it sits above the first import shown.
TEST_VAR_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'var'))

# Module-level enforcer, constructed once when this module is imported.
ENFORCER = policy.Enforcer()


class TestException(Exception):
    """Exception that records the arguments it was constructed with."""

    def __init__(self, *args, **kwargs):
        # Keep both positional and keyword arguments for later inspection.
        self.args = args
        self.kwargs = kwargs


class RulesTestCase(test.BaseTestCase):
    """Tests for ``policy.Rules``."""

    def test_init_basic(self):
        """A ``Rules`` built with no arguments is empty with no default rule."""
        rules = policy.Rules()
        # Rules compares equal to an empty dict when nothing is loaded.
        self.assertEqual(rules, {})
        self.assertEqual(rules.default_rule, None)
def test_get_policy_path_raises_exc(self):
    """Check the not-found error names the policy file that was requested.

    ``_get_policy_path`` is called with the enforcer's own
    ``policy_file``; the raised ``cfg.ConfigFilesNotFoundError`` must
    carry that file name in ``config_files``.
    """
    missing_file = 'raise_error.json'
    enforcer = policy.Enforcer(policy_file=missing_file)

    # assertRaises is used in its returning form here: the caught
    # exception is handed back so its attributes can be checked.
    raised = self.assertRaises(cfg.ConfigFilesNotFoundError,
                               enforcer._get_policy_path,
                               enforcer.policy_file)

    expected_files = (missing_file, )
    self.assertEqual(expected_files, raised.config_files)
def test_enforcer_with_policy_file(self):
    """Check an explicit ``policy_file`` argument is stored on the enforcer."""
    custom_file = 'non-default.json'

    enforcer = policy.Enforcer(policy_file=custom_file)

    self.assertEqual(custom_file, enforcer.policy_file)
def test_enforcer_with_default_policy_file(self):
    """Check the enforcer falls back to ``cfg.CONF.policy_file``.

    With no ``policy_file`` argument, the enforcer's ``policy_file``
    must equal the configured option.
    """
    enforcer = policy.Enforcer()
    configured_file = cfg.CONF.policy_file

    self.assertEqual(configured_file, enforcer.policy_file)