def setUp(self):
super(NetworkPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.context = context.get_admin_context()
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': common_policy.parse_rule('!')}
policy.set_rules(common_policy.Rules(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized,
api.get_all, self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def test_verify_show_cannot_view_other_tenant(self):
req = fakes.HTTPRequest.blank('?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.environ['patron.context'] = self.alt_user_context
rules = {
self.policy_rule_prefix + ":show":
common_policy.parse_rule([["role:admin"],
["project_id:%(project_id)s"]])
}
policy.set_rules(rules)
try:
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'faketenant_0')
finally:
policy.reset()
def test_verify_show_cannot_view_other_tenant(self):
req = fakes.HTTPRequest.blank('?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.environ['patron.context'] = self.alt_user_context
rules = {
self.policy_rule_prefix + ":show":
common_policy.parse_rule([
["role:admin"], ["project_id:%(project_id)s"]
])
}
policy.set_rules(rules)
try:
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'faketenant_0')
finally:
policy.reset()
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules({k: common_policy.parse_rule(v)
for k, v in rules.items()})
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename)
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename)
# NOTE(uni): context construction invokes policy check to determin
# is_admin or not. As a side-effect, policy reset is needed here
# to flush existing policy cache.
policy.reset()
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": ""}')
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write('{"example:test": "!"}')
policy._ENFORCER.load_rules(True)
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
policy.reset()
policy.init()
policy.set_rules(
{k: common_policy.parse_rule(v)
for k, v in rules.items()})
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def _set_rules(self, default_rule):
policy.reset()
rules = {k: common_policy.parse_rule(v)
for k, v in self.rules.items()}
policy.init(rules=rules, default_rule=default_rule, use_conf=False)
def tearDown(self):
super(NetworkPolicyTestCase, self).tearDown()
policy.reset()
def _set_rules(self, default_rule):
policy.reset()
rules = {k: common_policy.parse_rule(v) for k, v in self.rules.items()}
policy.init(rules=rules, default_rule=default_rule, use_conf=False)