def test_keypair_delete_pass_policy(self):
rules = policy.Rules(
{'compute_extension:v3:keypairs:delete': policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
req.method = 'DELETE'
self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
def test_keypair_list_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:index':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs')
res = self.KeyPairController.index(req)
self.assertTrue('keypairs' in res)
def test_keypair_show_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:show':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertTrue('keypair' in res)
def test_keypair_delete_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:keypairs:delete':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/keypairs/FAKE')
req.method = 'DELETE'
self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
def test_keypair_show_pass_policy(self):
rules = policy.Rules(
{'compute_extension:keypairs:show': policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertTrue('keypair' in res)
def test_keypair_delete_pass_policy(self):
rules = policy.Rules({"compute_extension:v3:keypairs:delete": policy.parse_rule("")})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v3/keypairs/FAKE")
req.method = "DELETE"
res = self.KeyPairController.delete(req, "FAKE")
self.assertEqual(res.status_int, 202)
def test_keypair_list_pass_policy(self):
rules = policy.Rules(
{'compute_extension:keypairs:index': policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
res = self.KeyPairController.index(req)
self.assertTrue('keypairs' in res)
def test_unshelve_restricted_by_role(self):
rules = policy.Rules({'compute_extension:unshelve':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_keypair_delete_pass_policy(self):
rules = policy.Rules(
{'compute_extension:keypairs:delete': policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
req.method = 'DELETE'
res = self.KeyPairController.delete(req, 'FAKE')
self.assertEqual(res.status_int, 202)
def test_keypair_delete_pass_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:delete':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs/FAKE')
req.method = 'DELETE'
res = self.KeyPairController.delete(req, 'FAKE')
self.assertEqual(res.status_int, 202)
def test_shelve_offload_restricted_by_role(self):
rules = policy.Rules({'compute_extension:v3:os-shelve:shelve_offload':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_keypair_create_pass_policy(self):
body = {"keypair": {"name": "create_test"}}
rules = policy.Rules({"compute_extension:v3:keypairs:create": policy.parse_rule("")})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v3/keypairs")
req.method = "POST"
res = self.KeyPairController.create(req, body)
self.assertIn("keypair", res)
def test_keypair_list_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:keypairs:index':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs')
self.assertRaises(exception.Forbidden,
self.KeyPairController.index,
req)
def test_shelve_offload_restricted_by_role(self):
rules = policy.Rules({'compute_extension:shelveOffload':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_unshelve_restricted_by_role(self):
rules = policy.Rules(
{'compute_extension:unshelve': policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._unshelve, req,
str(uuid.uuid4()), {})
def test_keypair_show_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:keypairs:show':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/keypairs/FAKE')
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.show,
req, 'FAKE')
def test_keypair_list_fail_policy(self):
rules = policy.Rules({'compute_extension:keypairs:index':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.index,
req)
def test_keypair_show_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:show':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs/FAKE')
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.show,
req, 'FAKE')
def test_keypair_list_fail_policy(self):
rules = policy.Rules({'compute_extension:keypairs:index':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
self.assertRaises(exception.Forbidden,
self.KeyPairController.index,
req)
def test_keypair_list_fail_policy(self):
rules = policy.Rules({
'compute_extension:v3:keypairs:index':
policy.parse_rule('role:admin')
})
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs')
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.index, req)
def test_keypair_create_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:keypairs:create':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/keypairs')
req.method = 'POST'
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.create,
req, {})
def test_keypair_create_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:os-keypairs:create':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs')
req.method = 'POST'
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.create,
req, {})
def test_keypair_delete_fail_policy(self):
rules = policy.Rules({'compute_extension:keypairs:delete':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
req.method = 'DELETE'
self.assertRaises(exception.Forbidden,
self.KeyPairController.delete,
req, 'FAKE')
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = policy.Rules({'compute_extension:v3:os-keypairs:create':
policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v3/fake/os-keypairs')
req.method = 'POST'
res = self.KeyPairController.create(req, body)
self.assertTrue('keypair' in res)
def test_keypair_create_fail_policy(self):
rules = policy.Rules({'compute_extension:v3:keypairs:create':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs')
req.method = 'POST'
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
req, body={'keypair': {'name': 'create_test'}})
def test_keypair_delete_fail_policy(self):
rules = policy.Rules({'compute_extension:keypairs:delete':
policy.parse_rule('role:admin')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
req.method = 'DELETE'
self.assertRaises(exception.NotAuthorized,
self.KeyPairController.delete,
req, 'FAKE')
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = policy.Rules(
{'compute_extension:keypairs:create': policy.parse_rule('')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
req.method = 'POST'
res = self.KeyPairController.create(req, body)
self.assertTrue('keypair' in res)
def test_unshelve_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:unshelve':
policy.parse_rule('')})
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_shelve_offload_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:shelve_offload':
policy.parse_rule('')})
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
self.assertRaises(exception.Forbidden,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_unshelve_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:os-shelve:unshelve':
policy.parse_rule('')})
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_certificates_create_policy_failed(self):
rules = {
"compute_extension:v3:os-certificates:create":
common_policy.parse_rule("!")
}
common_policy.set_rules(common_policy.Rules(rules))
req = fakes.HTTPRequestV3.blank('/os-certificates/')
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, req)
self.assertIn("compute_extension:v3:os-certificates:create",
exc.format_message())
def test_certificates_create_policy_failed(self):
rules = {
"compute_extension:v3:os-certificates:create":
common_policy.parse_rule("!")
}
common_policy.set_rules(common_policy.Rules(rules))
req = fakes.HTTPRequestV3.blank('/os-certificates/')
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, req)
self.assertIn("compute_extension:v3:os-certificates:create",
exc.format_message())
def test_start_policy_failed(self):
rules = {
"compute:start": common_policy.parse_rule("project_id:non_fake")
}
common_policy.set_rules(common_policy.Rules(rules))
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
req = fakes.HTTPRequest.blank('/v2/fake/servers/test_inst/action')
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server, req,
'test_inst', body)
self.assertIn('compute:start', exc.format_message())
def test_shelve_offload_allowed(self):
rules = policy.Rules({
'compute:get':
policy.parse_rule(''),
'compute_extension:shelveOffload':
policy.parse_rule('')
})
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
req, str(uuid.uuid4()), {})
def test_start_policy_failed(self):
rules = {
"compute:start":
common_policy.parse_rule("project_id:non_fake")
}
common_policy.set_rules(common_policy.Rules(rules))
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
req = fakes.HTTPRequest.blank('/v2/fake/servers/test_inst/action')
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server,
req, 'test_inst', body)
self.assertIn('compute:start', exc.format_message())
def test_list_actions_restricted_by_project(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:instance_actions':
policy.parse_rule('project_id:%(project_id)s')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id):
return {'name': 'fake', 'project_id': '%s_unequal' %
context.project_id}
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-instance-actions')
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
str(uuid.uuid4()))
def test_keypair_create_fail_policy(self):
rules = policy.Rules({
'compute_extension:v3:keypairs:create':
policy.parse_rule('role:admin')
})
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs')
req.method = 'POST'
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
req,
body={'keypair': {
'name': 'create_test'
}})
def test_get_action_restricted_by_project(self):
rules = policy.Rules(
{
"compute:get": policy.parse_rule(""),
"compute_extension:instance_actions": policy.parse_rule("project_id:%(project_id)s"),
}
)
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id, columns_to_join=None):
return fake_instance.fake_db_instance(**{"name": "fake", "project_id": "%s_unequal" % context.project_id})
self.stubs.Set(db, "instance_get_by_uuid", fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank("/v2/123/servers/12/os-instance-actions/1")
self.assertRaises(exception.NotAuthorized, self.controller.show, req, str(uuid.uuid4()), "1")
def test_list_actions_restricted_by_project(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:os-instance-actions':
policy.parse_rule('project_id:%(project_id)s')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequestV3.blank('/servers/12/os-instance-actions')
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
str(uuid.uuid4()))
def test_list_actions_restricted_by_project(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:os-server-actions':
policy.parse_rule('project_id:%(project_id)s')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None, use_slave=False):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequestV3.blank('/servers/12/os-server-actions')
self.assertRaises(exception.Forbidden, self.controller.index, req,
str(uuid.uuid4()))
def test_shelve_offload_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:shelveOffload':
policy.parse_rule('')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_shelve_offload_allowed(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:v3:shelve_offload':
policy.parse_rule('')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v3/servers/12/os-shelve')
self.assertRaises(exception.NotAuthorized,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_get_action_restricted_by_project(self):
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:instance_actions':
policy.parse_rule('project_id:%(project_id)s')})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id,
columns_to_join=None,
use_slave=False):
return fake_instance.fake_db_instance(
**{'name': 'fake', 'project_id': '%s_unequal' %
context.project_id})
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank(
'/v2/123/servers/12/os-instance-actions/1')
self.assertRaises(exception.Forbidden, self.controller.show, req,
str(uuid.uuid4()), '1')
def test_get_action_restricted_by_project(self):
rules = policy.Rules({
'compute:get':
policy.parse_rule(''),
'compute_extension:instance_actions':
policy.parse_rule('project_id:%(project_id)s')
})
policy.set_rules(rules)
def fake_instance_get_by_uuid(context, instance_id):
return {
'name': 'fake',
'project_id': '%s_unequal' % context.project_id
}
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank(
'/v2/123/servers/12/os-instance-actions/1')
self.assertRaises(exception.NotAuthorized, self.controller.show, req,
str(uuid.uuid4()), '1')
def test_verify_show_cant_view_other_tenant(self):
req = webob.Request.blank('/v2/faketenant_1/os-simple-tenant-usage/'
'faketenant_0?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {
"compute_extension:simple_tenant_usage:show":
common_policy.parse_rule([["role:admin"],
["project_id:%(project_id)s"]])
}
common_policy.set_rules(common_policy.Rules(rules))
try:
res = req.get_response(
fakes.wsgi_app(fake_auth_context=self.alt_user_context,
init_only=('os-simple-tenant-usage', )))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def test_get_action_with_events_not_allowed(self):
def fake_get_action(context, uuid, request_id):
return self.fake_actions[uuid][request_id]
def fake_get_events(context, action_id):
return self.fake_events[action_id]
self.stubs.Set(db, "action_get_by_request_id", fake_get_action)
self.stubs.Set(db, "action_events_get", fake_get_events)
rules = policy.Rules(
{
"compute:get": policy.parse_rule(""),
"compute_extension:instance_actions": policy.parse_rule(""),
"compute_extension:instance_actions:events": policy.parse_rule("is_admin:True"),
}
)
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v2/123/servers/12/os-instance-actions/1")
res_dict = self.controller.show(req, FAKE_UUID, FAKE_REQUEST_ID)
fake_action = self.fake_actions[FAKE_UUID][FAKE_REQUEST_ID]
self.assertEqual(format_action(fake_action), format_action(res_dict["instanceAction"]))
def test_get_action_with_events_not_allowed(self):
def fake_get_action(context, uuid, request_id):
return self.fake_actions[uuid][request_id]
def fake_get_events(context, action_id):
return self.fake_events[action_id]
self.stubs.Set(db, 'action_get_by_request_id', fake_get_action)
self.stubs.Set(db, 'action_events_get', fake_get_events)
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:instance_actions':
policy.parse_rule(''),
'compute_extension:instance_actions:events':
policy.parse_rule('is_admin:True')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(
'/v2/123/servers/12/os-instance-actions/1')
res_dict = self.controller.show(req, FAKE_UUID, FAKE_REQUEST_ID)
fake_action = self.fake_actions[FAKE_UUID][FAKE_REQUEST_ID]
self.assertEqual(format_action(fake_action),
format_action(res_dict['instanceAction']))
def test_get_action_with_events_not_allowed(self):
def fake_get_action(context, uuid, request_id):
return self.fake_actions[uuid][request_id]
def fake_get_events(context, action_id):
return self.fake_events[action_id]
self.stubs.Set(db, 'action_get_by_request_id', fake_get_action)
self.stubs.Set(db, 'action_events_get', fake_get_events)
rules = policy.Rules({'compute:get': policy.parse_rule(''),
'compute_extension:instance_actions':
policy.parse_rule(''),
'compute_extension:instance_actions:events':
policy.parse_rule('is_admin:True')})
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(
'/v2/123/servers/12/os-instance-actions/1')
res_dict = self.controller.show(req, FAKE_UUID, FAKE_REQUEST_ID)
fake_action = self.fake_actions[FAKE_UUID][FAKE_REQUEST_ID]
fake_action = format_action(fake_action)
self.assertEqual(fake_action, res_dict['instanceAction'])
def test_verify_show_cant_view_other_tenant(self):
req = webob.Request.blank(
'/v2/faketenant_1/os-simple-tenant-usage/'
'faketenant_0?start=%s&end=%s' %
(START.isoformat(), STOP.isoformat()))
req.method = "GET"
req.headers["content-type"] = "application/json"
rules = {
"compute_extension:simple_tenant_usage:show":
common_policy.parse_rule([
["role:admin"], ["project_id:%(project_id)s"]
])
}
common_policy.set_rules(common_policy.Rules(rules))
try:
res = req.get_response(fakes.wsgi_app(
fake_auth_context=self.alt_user_context))
self.assertEqual(res.status_int, 403)
finally:
policy.reset()
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying brain
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": "!",
"example:get_http": "http://www.example.com",
"example:my_file": "role:compute_admin or "
"project_id:%(project_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying brain
common_policy.set_rules(
common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.target = {}
def set_rules(self, rules):
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
def _set_rules(data):
default_rule = CONF.policy_default_rule
policy.set_rules(policy.Rules.load_json(data, default_rule))
def set_rules(self, rules):
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
def _set_rules(self, default_rule):
rules = common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items()), default_rule)
common_policy.set_rules(rules)
def _set_rules(self, default_rule):
rules = common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items()), default_rule)
common_policy.set_rules(rules)
def _set_rules(data):
default_rule = CONF.policy_default_rule
policy.set_rules(policy.Rules.load_json(data, default_rule))