예제 #1
0
 def test_enforce_adminonly_nonadminctx_no_ctx_is_admin_policy_403(self):
     del self.rules[policy.ADMIN_CTX_POLICY]
     self.rules["admin_only"] = common_policy.parse_rule(self.admin_only_legacy)
     self.rules["admin_or_owner"] = common_policy.parse_rule(self.admin_or_owner_legacy)
     action = "create_network"
     target = {"shared": True, "tenant_id": "somebody_else"}
     self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce, self.context, action, target, None)
예제 #2
0
 def test_enforce_adminonly_attribute_no_context_is_admin_policy(self):
     del self.rules[policy.ADMIN_CTX_POLICY]
     self.rules['admin_only'] = common_policy.parse_rule(
         self.admin_only_legacy)
     self.rules['admin_or_owner'] = common_policy.parse_rule(
         self.admin_or_owner_legacy)
     self._test_enforce_adminonly_attribute('create_network')
예제 #3
0
파일: test_policy.py 프로젝트: XULI/quantum
 def test_enforce_adminonly_attribute_no_context_is_admin_policy(self):
     del self.rules[policy.ADMIN_CTX_POLICY]
     self.rules['admin_only'] = common_policy.parse_rule(
         self.admin_only_legacy)
     self.rules['admin_or_owner'] = common_policy.parse_rule(
         self.admin_or_owner_legacy)
     self._test_enforce_adminonly_attribute('create_network')
예제 #4
0
 def test_enforce_adminonly_nonadminctx_no_ctx_is_admin_policy_403(self):
     del self.rules[policy.ADMIN_CTX_POLICY]
     self.rules['admin_only'] = common_policy.parse_rule(
         self.admin_only_legacy)
     self.rules['admin_or_owner'] = common_policy.parse_rule(
         self.admin_or_owner_legacy)
     action = "create_network"
     target = {'shared': True, 'tenant_id': 'somebody_else'}
     self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce,
                       self.context, action, target)
예제 #5
0
파일: test_policy.py 프로젝트: XULI/quantum
 def test_get_roles_context_is_admin_rule_missing(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     # 'admin' role is expected for bw compatibility
     self.assertEqual(['admin'], policy.get_admin_roles())
예제 #6
0
 def test_get_roles_with_rule_check(self):
     rules = dict(
         (k, common_policy.parse_rule(v))
         for k, v in {policy.ADMIN_CTX_POLICY: "rule:some_other_rule", "some_other_rule": "role:admin"}.items()
     )
     common_policy.set_rules(common_policy.Rules(rules))
     self.assertEqual(["admin"], policy.get_admin_roles())
예제 #7
0
 def test_get_roles_with_rule_check(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     self.assertEqual(['admin'], policy.get_admin_roles())
예제 #8
0
 def test_get_roles_context_is_admin_rule_missing(self):
     rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         "some_other_rule": "role:admin",
     }.items())
     common_policy.set_rules(common_policy.Rules(rules))
     # 'admin' role is expected for bw compatibility
     self.assertEqual(['admin'], policy.get_admin_roles())
예제 #9
0
    def setUp(self):
        super(QuantumPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()
        self.addCleanup(policy.reset)
        self.rules = dict(
            (k, common_policy.parse_rule(v))
            for k, v in {
                "admin_or_network_owner": "role:admin or " "tenant_id:%(network_tenant_id)s",
                "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
                "admin_only": "role:admin",
                "regular_user": "******",
                "shared": "field:networks:shared=True",
                "external": "field:networks:router:external=True",
                "default": "@",
                "create_network": "rule:admin_or_owner",
                "create_network:shared": "rule:admin_only",
                "update_network": "@",
                "update_network:shared": "rule:admin_only",
                "get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external",
                "create_port:mac": "rule:admin_or_network_owner",
            }.items()
        )

        def fakepolicyinit():
            common_policy.set_rules(common_policy.Rules(self.rules))

        self.patcher = mock.patch.object(quantum.policy, "init", new=fakepolicyinit)
        self.patcher.start()
        self.addCleanup(self.patcher.stop)
        self.context = context.Context("fake", "fake", roles=["user"])
        plugin_klass = importutils.import_class("quantum.db.db_base_plugin_v2.QuantumDbPluginV2")
        self.plugin = plugin_klass()
예제 #10
0
 def _test_enforce_tenant_id_raises(self, bad_rule):
     self.rules['admin_or_owner'] = common_policy.parse_rule(bad_rule)
     # Trigger a policy with rule admin_or_owner
     action = "create_network"
     target = {'tenant_id': 'fake'}
     self.assertRaises(exceptions.PolicyCheckError, policy.enforce,
                       self.context, action, target)
예제 #11
0
 def test_get_roles_with_or_check(self):
     self.rules = dict(
         (k, common_policy.parse_rule(v)) for k, v in {
             policy.ADMIN_CTX_POLICY: "rule:rule1 or rule:rule2",
             "rule1": "role:admin_1",
             "rule2": "role:admin_2"
         }.items())
     self.assertEqual(['admin_1', 'admin_2'], policy.get_admin_roles())
예제 #12
0
파일: test_policy.py 프로젝트: XULI/quantum
 def _test_enforce_tenant_id_raises(self, bad_rule):
     self.rules['admin_or_owner'] = common_policy.parse_rule(bad_rule)
     # Trigger a policy with rule admin_or_owner
     action = "create_network"
     target = {'tenant_id': 'fake'}
     self.assertRaises(exceptions.PolicyCheckError,
                       policy.enforce,
                       self.context, action, target)
예제 #13
0
파일: test_policy.py 프로젝트: XULI/quantum
 def test_get_roles_with_or_check(self):
     self.rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         policy.ADMIN_CTX_POLICY: "rule:rule1 or rule:rule2",
         "rule1": "role:admin_1",
         "rule2": "role:admin_2"
     }.items())
     self.assertEqual(['admin_1', 'admin_2'],
                      policy.get_admin_roles())
예제 #14
0
    def setUp(self):
        super(QuantumPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()
        self.addCleanup(policy.reset)
        self.admin_only_legacy = "role:admin"
        self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
        self.rules = dict(
            (k, common_policy.parse_rule(v)) for k, v in {
                "context_is_admin":
                "role:admin",
                "admin_or_network_owner":
                "rule:context_is_admin or "
                "tenant_id:%(network:tenant_id)s",
                "admin_or_owner": ("rule:context_is_admin or "
                                   "tenant_id:%(tenant_id)s"),
                "admin_only":
                "rule:context_is_admin",
                "regular_user":
                "******",
                "shared":
                "field:networks:shared=True",
                "external":
                "field:networks:router:external=True",
                "default":
                '@',
                "create_network":
                "rule:admin_or_owner",
                "create_network:shared":
                "rule:admin_only",
                "update_network":
                '@',
                "update_network:shared":
                "rule:admin_only",
                "get_network":
                "rule:admin_or_owner or "
                "rule:shared or "
                "rule:external",
                "create_port:mac":
                "rule:admin_or_network_owner",
            }.items())

        def fakepolicyinit():
            common_policy.set_rules(common_policy.Rules(self.rules))

        self.patcher = mock.patch.object(quantum.policy,
                                         'init',
                                         new=fakepolicyinit)
        self.patcher.start()
        self.addCleanup(self.patcher.stop)
        self.context = context.Context('fake', 'fake', roles=['user'])
        plugin_klass = importutils.import_class(
            "quantum.db.db_base_plugin_v2.QuantumDbPluginV2")
        self.manager_patcher = mock.patch('quantum.manager.QuantumManager')
        fake_manager = self.manager_patcher.start()
        fake_manager_instance = fake_manager.return_value
        fake_manager_instance.plugin = plugin_klass()
        self.addCleanup(self.manager_patcher.stop)
예제 #15
0
    def test_enforce_tenant_id_check_parent_resource_bw_compatibility(self):
        def fakegetnetwork(*args, **kwargs):
            return {'tenant_id': 'fake'}

        del self.rules['admin_or_network_owner']
        self.rules['admin_or_network_owner'] = common_policy.parse_rule(
            "role:admin or tenant_id:%(network_tenant_id)s")
        action = "create_port:mac"
        with mock.patch.object(manager.QuantumManager.get_instance().plugin,
                               'get_network',
                               new=fakegetnetwork):
            target = {'network_id': 'whatever'}
            result = policy.enforce(self.context, action, target)
            self.assertTrue(result)
예제 #16
0
파일: test_policy.py 프로젝트: XULI/quantum
    def test_enforce_tenant_id_check_parent_resource_bw_compatibility(self):

        def fakegetnetwork(*args, **kwargs):
            return {'tenant_id': 'fake'}

        del self.rules['admin_or_network_owner']
        self.rules['admin_or_network_owner'] = common_policy.parse_rule(
            "role:admin or tenant_id:%(network_tenant_id)s")
        action = "create_port:mac"
        with mock.patch.object(manager.QuantumManager.get_instance().plugin,
                               'get_network', new=fakegetnetwork):
            target = {'network_id': 'whatever'}
            result = policy.enforce(self.context, action, target)
            self.assertTrue(result)
예제 #17
0
파일: test_policy.py 프로젝트: XULI/quantum
    def setUp(self):
        super(QuantumPolicyTestCase, self).setUp()
        policy.reset()
        policy.init()
        self.addCleanup(policy.reset)
        self.admin_only_legacy = "role:admin"
        self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
        self.rules = dict((k, common_policy.parse_rule(v)) for k, v in {
            "context_is_admin": "role:admin",
            "admin_or_network_owner": "rule:context_is_admin or "
                                      "tenant_id:%(network:tenant_id)s",
            "admin_or_owner": ("rule:context_is_admin or "
                               "tenant_id:%(tenant_id)s"),
            "admin_only": "rule:context_is_admin",
            "regular_user": "******",
            "shared": "field:networks:shared=True",
            "external": "field:networks:router:external=True",
            "default": '@',

            "create_network": "rule:admin_or_owner",
            "create_network:shared": "rule:admin_only",
            "update_network": '@',
            "update_network:shared": "rule:admin_only",

            "get_network": "rule:admin_or_owner or "
                           "rule:shared or "
                           "rule:external",
            "create_port:mac": "rule:admin_or_network_owner",
        }.items())

        def fakepolicyinit():
            common_policy.set_rules(common_policy.Rules(self.rules))

        self.patcher = mock.patch.object(quantum.policy,
                                         'init',
                                         new=fakepolicyinit)
        self.patcher.start()
        self.addCleanup(self.patcher.stop)
        self.context = context.Context('fake', 'fake', roles=['user'])
        plugin_klass = importutils.import_class(
            "quantum.db.db_base_plugin_v2.QuantumDbPluginV2")
        self.manager_patcher = mock.patch('quantum.manager.QuantumManager')
        fake_manager = self.manager_patcher.start()
        fake_manager_instance = fake_manager.return_value
        fake_manager_instance.plugin = plugin_klass()
        self.addCleanup(self.manager_patcher.stop)
예제 #18
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     self.addCleanup(policy.reset)
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": "@",
         "example:allowed": "@",
         "example:denied": "!",
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     common_policy.set_rules(common_policy.Rules(dict((k, common_policy.parse_rule(v)) for k, v in rules.items())))
     self.context = context.Context("fake", "fake", roles=["member"])
     self.target = {}
예제 #19
0
 def setUp(self):
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": '!',
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     common_policy.set_rules(common_policy.Rules(
         dict((k, common_policy.parse_rule(v))
              for k, v in rules.items())))
     self.context = context.Context('fake', 'fake', roles=['member'])
     self.target = {}
예제 #20
0
 def test_get_roles_with_other_rules(self):
     self.rules = dict((k, common_policy.parse_rule(v)) for k, v in {
         policy.ADMIN_CTX_POLICY: "role:xxx or other:value",
     }.items())
     self.assertEqual(['xxx'], policy.get_admin_roles())
예제 #21
0
 def _set_rules(self, default_rule):
     rules = common_policy.Rules(
         dict((k, common_policy.parse_rule(v))
              for k, v in self.rules.items()), default_rule)
     common_policy.set_rules(rules)
예제 #22
0
 def test_get_roles_with_other_rules(self):
     self.rules = dict(
         (k, common_policy.parse_rule(v)) for k, v in {policy.ADMIN_CTX_POLICY: "role:xxx or other:value"}.items()
     )
     self.assertEqual(["xxx"], policy.get_admin_roles())
예제 #23
0
 def _set_rules(self, default_rule):
     rules = common_policy.Rules(dict((k, common_policy.parse_rule(v)) for k, v in self.rules.items()), default_rule)
     common_policy.set_rules(rules)