def test_default_rule(self):
        """Verify that an action with no rule of its own is denied.

        The enforcer is built with ``FalseCheck`` as its default rule and is
        asked about ``'no_such_action'``; the test expects a falsy answer,
        i.e. the policy engine fails closed for unknown actions.
        """
        self.stub_policyfile('deny_stack_user.json')

        request_ctx = utils.dummy_context(roles=['not_a_stack_user'])
        # FalseCheck as the fallback is what makes the enforcer default-deny.
        deny_by_default = base_policy.FalseCheck()
        # NOTE(review): exc=None presumably makes enforce() return the
        # decision instead of raising on denial; confirm in Enforcer.enforce.
        checker = policy.Enforcer(
            scope='cloudformation',
            exc=None,
            default_rule=deny_by_default,
        )
        # assertFalse accepts any falsy value, not only the literal False.
        self.assertFalse(checker.enforce(request_ctx, 'no_such_action'))
Exemplo n.º 2
    def test_default_rule(self):
        """Verify that an action with no rule of its own is denied.

        The policy-path lookup on the common ``Enforcer`` is stubbed to point
        at ``deny_stack_user.json``. An enforcer whose default rule is
        ``FalseCheck`` is then asked about ``'no_such_action'`` and must
        answer ``False`` (fail closed).
        """
        policy_file = policy_path + 'deny_stack_user.json'

        # Record phase (mox-style API): any number of path lookups return
        # the test policy file.
        self.m.StubOutWithMock(base_policy.Enforcer, '_get_policy_path')
        recorded_lookup = base_policy.Enforcer._get_policy_path()
        recorded_lookup.MultipleTimes().AndReturn(policy_file)
        self.m.ReplayAll()

        request_ctx = utils.dummy_context(roles=['not_a_stack_user'])
        # FalseCheck as the fallback is what makes the enforcer default-deny.
        deny_by_default = base_policy.FalseCheck()
        # NOTE(review): exc=None presumably makes enforce() return the
        # decision instead of raising on denial; confirm in Enforcer.enforce.
        checker = policy.Enforcer(
            scope='cloudformation',
            exc=None,
            default_rule=deny_by_default,
        )

        decision = checker.enforce(request_ctx, 'no_such_action', {})
        self.assertEqual(decision, False)
        # Confirms the recorded expectations on the stub were satisfied.
        self.m.VerifyAll()
Exemplo n.º 3
# Based on glance/api/policy.py
"""Policy Engine For Heat"""

from oslo.config import cfg

from heat.common import exception

import heat.openstack.common.log as logging
from heat.openstack.common import policy

# Module-level logger, named after this module.
logger = logging.getLogger(__name__)

# Global oslo.config configuration object.
CONF = cfg.CONF

# Fallback rules for the enforcer. 'default' is a FalseCheck, a check that
# never passes, so an action without a matching rule is denied (fail closed).
DEFAULT_RULES = dict(default=policy.FalseCheck())


class Enforcer(object):
    """Responsible for loading and enforcing rules."""
    def __init__(self, scope='heat', exc=exception.Forbidden,
                 default_rule=DEFAULT_RULES['default']):
        """Create an enforcer wrapping the common policy ``Enforcer``.

        :param scope: stored as ``self.scope``; defaults to ``'heat'``.
            NOTE(review): presumably used to namespace action names;
            confirm in ``enforce``.
        :param exc: stored as ``self.exc``; defaults to
            ``exception.Forbidden``. NOTE(review): presumably the exception
            raised on denial; confirm in ``enforce``.
        :param default_rule: fallback rule handed to the wrapped enforcer;
            defaults to ``DEFAULT_RULES['default']`` (a ``FalseCheck``), so
            the stock configuration is default-deny. Callers that pass a
            more permissive rule weaken that fail-closed behaviour.
        """
        self.scope, self.exc, self.default_rule = scope, exc, default_rule
        # The wrapped enforcer receives the same fallback rule.
        self.enforcer = policy.Enforcer(default_rule=default_rule)

    def set_rules(self, rules, overwrite=True):