def _parse_check(rule):
"""Parse a single base check rule into an appropriate Check object."""
# Handle the special checks
if rule == '!':
return _checks.FalseCheck()
elif rule == '@':
return _checks.TrueCheck()
try:
kind, match = rule.split(':', 1)
except Exception:
LOG.exception('Failed to understand rule %s', rule)
# If the rule is invalid, we'll fail closed
return _checks.FalseCheck()
# Find what implements the check
extension_checks = _checks.get_extensions()
if kind in extension_checks:
return extension_checks[kind](kind, match)
elif kind in _checks.registered_checks:
return _checks.registered_checks[kind](kind, match)
elif None in _checks.registered_checks:
return _checks.registered_checks[None](kind, match)
else:
LOG.error('No handler for matches of kind %s', kind)
return _checks.FalseCheck()
def test_check_raise_default(self):
# When do_raise=True and exc is not used then PolicyNotAuthorized is
# raised.
self.enforcer.set_rules(dict(default=_checks.FalseCheck()))
self.assertRaises(policy.PolicyNotAuthorized, self.enforcer.enforce,
'rule', 'target', 'creds', True)
def test_check_raise_custom_exception(self):
self.enforcer.set_rules(dict(default=_checks.FalseCheck()))
exc = self.assertRaises(
MyException, self.enforcer.enforce, 'rule', 'target', 'creds',
True, MyException, 'arg1', 'arg2', kw1='kwarg1', kw2='kwarg2')
self.assertEqual(('arg1', 'arg2'), exc.args)
self.assertEqual(dict(kw1='kwarg1', kw2='kwarg2'), exc.kwargs)
def test_check_raise_default(self):
# When do_raise=True and exc is not used then PolicyNotAuthorized is
# raised.
self.enforcer.set_rules(dict(default=_checks.FalseCheck()))
creds = {}
self.assertRaisesRegex(policy.PolicyNotAuthorized,
" is disallowed by policy",
self.enforcer.enforce, 'rule', 'target', creds,
True)
def test_check_raises(self):
self.enforcer.set_rules(dict(default=_checks.FalseCheck()))
try:
self.enforcer.enforce('rule',
'target',
'creds',
True,
MyException,
'arg1',
'arg2',
kw1='kwarg1',
kw2='kwarg2')
except MyException as exc:
self.assertEqual(('arg1', 'arg2'), exc.args)
self.assertEqual(dict(kw1='kwarg1', kw2='kwarg2'), exc.kwargs)
else:
self.fail('enforcer.enforce() failed to raise requested exception')
def _parse_list_rule(rule):
"""Translates the old list-of-lists syntax into a tree of Check objects.
Provided for backwards compatibility.
"""
# Empty rule defaults to True
if not rule:
return _checks.TrueCheck()
# Outer list is joined by "or"; inner list by "and"
or_list = []
for inner_rule in rule:
# Skip empty inner lists
if not inner_rule:
continue
# Handle bare strings
if isinstance(inner_rule, six.string_types):
inner_rule = [inner_rule]
# Parse the inner rules into Check objects
and_list = [_parse_check(r) for r in inner_rule]
# Append the appropriate check to the or_list
if len(and_list) == 1:
or_list.append(and_list[0])
else:
or_list.append(_checks.AndCheck(and_list))
# If we have only one check, omit the "or"
if not or_list:
return _checks.FalseCheck()
elif len(or_list) == 1:
return or_list[0]
return _checks.OrCheck(or_list)
def _parse_text_rule(rule):
"""Parses policy to the tree.
Translates a policy written in the policy language into a tree of
Check objects.
"""
# Empty rule means always accept
if not rule:
return _checks.TrueCheck()
# Parse the token stream
state = ParseState()
for tok, value in _parse_tokenize(rule):
state.shift(tok, value)
try:
return state.result
except ValueError:
# Couldn't parse the rule
LOG.exception(_LE('Failed to understand rule %s'), rule)
# Fail closed
return _checks.FalseCheck()
def test_call_false(self):
rule = _checks.FalseCheck()
check = _checks.NotCheck(rule)
self.assertTrue(check('target', 'cred', None))
def test_call(self):
check = _checks.FalseCheck()
self.assertFalse(check('target', 'creds', None))
def test_str(self):
check = _checks.FalseCheck()
self.assertEqual('!', str(check))
