def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init(suppress_deprecation_warnings=True)
self.rules = {"default": [], "example:exist": "false:false"}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {"default": [], "example:exist": [["false:false"]]}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"default": [],
"example:exist": [["false:false"]]
}
self._set_rules('default')
self.context = context.RequestContext('fake', 'fake')
def test_authorize_does_not_raise_forbidden(self, method):
self.fixture.config(enforce_scope=False, group='oslo_policy')
project_context = context.RequestContext(project_id='fake-project-id',
roles=['bar'])
policy.reset()
policy.init()
rule = common_policy.RuleDefault('foo', 'role:bar',
scope_types=['system'])
policy._ENFORCER.register_defaults([rule])
self.assertTrue(getattr(policy, method)(project_context, 'foo', {}))
def test_authorize_properly_handles_invalid_scope_exception(self, method):
self.fixture.config(enforce_scope=True, group='oslo_policy')
project_context = context.RequestContext(project_id='fake-project-id',
roles=['bar'])
policy.reset()
policy.init()
rule = common_policy.RuleDefault('foo', 'role:bar',
scope_types=['system'])
policy._ENFORCER.register_defaults([rule])
self.assertRaises(exception.PolicyNotAuthorized,
getattr(policy, method),
project_context, 'foo', {})
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
self._set_rules()
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.rules = {
"true": [],
"example:allowed": [],
"example:denied": [["false:false"]],
"example:get_http": [["http:http://www.example.com"]],
"example:my_file": [["role:compute_admin"],
["project_id:%(project_id)s"]],
"example:early_and_fail": [["false:false", "rule:true"]],
"example:early_or_success": [["rule:true"], ["false:false"]],
"example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
"example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
}
self._set_rules()
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
CONF.set_override('policy_file', tmpfilename, group='oslo_policy')
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": []}""")
policy.init(tmpfilename)
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ["false:false"]}""")
# NOTE(vish): reset stored policy cache so we don't have to
# sleep(1)
policy._ENFORCER.load_rules(True)
self.assertRaises(
exception.PolicyNotAuthorized,
policy.enforce,
self.context,
action,
self.target,
)
def test_modified_policy_reloads(self):
with utils.tempdir() as tmpdir:
tmpfilename = os.path.join(tmpdir, 'policy')
self.flags(policy_file=tmpfilename)
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": []}""")
policy.init(tmpfilename)
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ["false:false"]}""")
# NOTE(vish): reset stored policy cache so we don't have to
# sleep(1)
policy._ENFORCER.load_rules(True)
self.assertRaises(
exception.PolicyNotAuthorized,
policy.enforce,
self.context,
action,
self.target,
)
def setUp(self):
super(PolicyTestCase, self).setUp()
rules = [
common_policy.RuleDefault("true", '@'),
common_policy.RuleDefault("test:allowed", '@'),
common_policy.RuleDefault("test:denied", "!"),
common_policy.RuleDefault(
"test:my_file", "role:compute_admin or "
"project_id:%(project_id)s"),
common_policy.RuleDefault("test:early_and_fail", "! and @"),
common_policy.RuleDefault("test:early_or_success", "@ or !"),
common_policy.RuleDefault("test:lowercase_admin", "role:admin"),
common_policy.RuleDefault("test:uppercase_admin", "role:ADMIN"),
]
policy.reset()
policy.init(suppress_deprecation_warnings=True)
# before a policy rule can be used, its default has to be registered.
policy._ENFORCER.register_defaults(rules)
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
self.addCleanup(policy.reset)
def setUp(self):
super(ContextIsAdminPolicyTestCase, self).setUp()
policy.reset()
policy.init()
def setUp(self):
super(ContextIsAdminPolicyTestCase, self).setUp()
policy.reset()
policy.init()
def setUp(self):
super(ContextIsAdminPolicyTestCase, self).setUp()
policy.reset()
policy.init(suppress_deprecation_warnings=True)
