예제 #1
    def test_rule_true(self):
        """A 'rule' check named 'spam' evaluates to True via the enforcer."""
        rule_check = policy.RuleCheck('rule', 'spam')
        outcome = rule_check('target', 'creds', ENFORCER)

        self.assertEqual(outcome, True)
        # The enforcer's 'spam' rule must have been consulted exactly once,
        # with the same target, credentials and enforcer passed to the check.
        # (ENFORCER.rules['spam'] is presumably a mock; its setup is not
        # visible here.)
        ENFORCER.rules['spam'].assert_called_once_with(
            'target', 'creds', ENFORCER)
예제 #2
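def _build_match_rule(action, target):
    """Create the rule to match for a given action.

    Only the action-level entry is built: the returned rule is a single
    ``policy.RuleCheck('rule', action)`` (e.g.: create_network).

    The original design also added entries for attributes of the resource
    for which the action is being executed (e.g.: create_network:shared)
    and for their sub-attributes
    (e.g.: create_router:external_gateway_info:network_id). That code is
    disabled below, so this function adds no attribute-level policy check
    and ``target`` is not consulted. Entries for matching permission on
    objects, mentioned in the original description, are not built here
    either.

    :param action: name of the action; used as the policy rule name
    :param target: resource the action applies to; unused while the
        attribute-based checks are disabled
    :returns: a policy.RuleCheck of kind 'rule' for ``action``
    """
    # NOTE(review): a caller relying on this function alone gets no
    # enforcement of per-attribute rules such as '<action>:<attribute>'.
    # Confirm those are enforced elsewhere before treating the action rule
    # as sufficient for write requests.
    #
    # Disabled attribute-based matching, kept for reference (it was
    # previously parked in a bare string literal, which is easy to misread
    # as live code):
    #
    # resource, is_write = get_resource_and_action(action)
    # # Attribute-based checks shall not be enforced on GETs
    # if is_write:
    #     # assigning to variable with short name for improving readability
    #     res_map = attributes.RESOURCE_ATTRIBUTE_MAP
    #     if resource in res_map:
    #         for attribute_name in res_map[resource]:
    #             if _is_attribute_explicitly_set(attribute_name,
    #                                             res_map[resource],
    #                                             target):
    #                 attribute = res_map[resource][attribute_name]
    #                 if 'enforce_policy' in attribute:
    #                     attr_rule = policy.RuleCheck('rule', '%s:%s' %
    #                                                  (action, attribute_name))
    #                     # Build match entries for sub-attributes, if present
    #                     validate = attribute.get('validate')
    #                     if (validate and any([k.startswith('type:dict') and v
    #                                           for (k, v) in
    #                                           validate.iteritems()])):
    #                         attr_rule = policy.AndCheck(
    #                             [attr_rule, _build_subattr_match_rule(
    #                                 attribute_name, attribute,
    #                                 action, target)])
    #                     match_rule = policy.AndCheck([match_rule, attr_rule])
    return policy.RuleCheck('rule', action)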
예제 #3
    def test_rule_missing(self):
        """A 'rule' check evaluates to False here (the check fails closed).

        Presumably 'spam' is not defined in ENFORCER for this test case;
        the fixture is not visible here.
        """
        rule_check = policy.RuleCheck('rule', 'spam')
        outcome = rule_check('target', 'creds', ENFORCER)

        self.assertEqual(outcome, False)
예제 #4
    def test_rule_true(self):
        """A 'rule' check named 'spam' evaluates to True via policy._rules."""
        rule_check = policy.RuleCheck('rule', 'spam')
        outcome = rule_check('target', 'creds')

        self.assertEqual(outcome, True)
        # The module-level 'spam' rule must have been consulted exactly once
        # with the target and credentials given to the check.
        # (policy._rules['spam'] is presumably a mock; its setup is not
        # visible here.)
        spam_rule = policy._rules['spam']
        spam_rule.assert_called_once_with('target', 'creds')