def setUp(self):
    """Prepare an isolated enforcer with a fixed set of example rules.

    The oslo.config fixture is registered through useFixture() so its
    overrides are undone after the test; the policy module is reset so
    every test starts from exactly the defaults registered below, and
    the request context is a plain 'member' of project 'fake'.
    """
    super().setUp()
    self.conf = self.useFixture(oslo_fixture.Config())
    # diltram: this one must be removed after fixing issue in oslo.config
    # https://bugs.launchpad.net/oslo.config/+bug/1645868
    self.conf.conf(args=[])
    policy.reset()
    self.context = context.Context('fake', 'fake', roles=['member'])
    # (rule name, check string) pairs; "@" always passes, "!" always fails.
    rule_specs = (
        ("true", "@"),
        ("example:allowed", "@"),
        ("example:denied", "!"),
        ("example:get_http", "http://www.example.com"),
        ("example:my_file",
         "role:compute_admin or project_id:%(project_id)s"),
        ("example:early_and_fail", "! and @"),
        ("example:early_or_success", "@ or !"),
        ("example:lowercase_admin", "role:admin or role:sysadmin"),
        ("example:uppercase_admin", "role:ADMIN or role:sysadmin"),
    )
    self.rules = [oslo_policy.RuleDefault(name, check_str)
                  for name, check_str in rule_specs]
    policy.get_enforcer().register_defaults(self.rules)
    self.target = {}
def test_call_false(self):
    """An IsAdminCheck built with 'False' matches only non-admin credentials."""
    check = policy.IsAdminCheck('is_admin', 'False')
    admin_creds = {'is_admin': True}
    member_creds = {'is_admin': False}
    self.assertFalse(check('target', admin_creds, policy.get_enforcer()))
    self.assertTrue(check('target', member_creds, policy.get_enforcer()))
def test_templatized_authorization(self):
    """The %(project_id)s template binds the target to the caller's project.

    self.context belongs to project 'fake', so a target in that project
    is allowed while a target in 'another' project is forbidden.
    """
    action = "example:my_file"
    enforcer = policy.get_enforcer()
    # Same project as the context -> passes without raising.
    enforcer.authorize(action, {'project_id': 'fake'}, self.context)
    # Foreign project and no compute_admin role -> forbidden.
    self.assertRaises(exceptions.PolicyForbidden,
                      enforcer.authorize,
                      action, {'project_id': 'another'}, self.context)
def test_ignore_case_role_check(self):
    """Role matching ignores case on both the rule and the credential side."""
    # NOTE(dprince) we mix case in the Admin role here to ensure
    # case is ignored
    self.context = context.Context('admin', 'fake', roles=['AdMiN'])
    enforcer = policy.get_enforcer()
    for action in ("example:lowercase_admin", "example:uppercase_admin"):
        enforcer.authorize(action, self.target, self.context)
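def test_check_is_admin_new_defaults(self):
    """check_is_admin accepts a system-scoped ADMIN role under new defaults.

    The enforce_new_defaults override is applied through a fixture that
    is registered with useFixture(), so the fixture's cleanup restores
    the option after this test instead of leaving the override in the
    global config for later tests.
    """
    conf = self.useFixture(oslo_fixture.Config(config.cfg.CONF))
    conf.config(group="oslo_policy", enforce_new_defaults=True)
    self.context = context.Context('admin', 'fake', roles=['AdMiN'],
                                   system_scope='all')
    self.assertTrue(policy.get_enforcer().check_is_admin(self.context))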
def test_authorize_admin_actions_with_nonadmin_context_throws(self):
    """Every action in self.actions must reject the default 'member' context.

    Each authorize() call is expected to raise PolicyForbidden.
    """
    enforcer = policy.get_enforcer()
    for admin_action in self.actions:
        self.assertRaises(exceptions.PolicyForbidden,
                          enforcer.authorize,
                          admin_action, self.target, self.context)
def __init__(self, user_id=None, project_id=None, **kwargs):
    """Build a request context and decide up front whether it is admin.

    ``project_id`` is handed to the parent class under its ``tenant``
    keyword. ``user_id`` is accepted but not forwarded to the parent
    here — NOTE(review): callers that expect the user id to be stored
    on the context should confirm where (if anywhere) that happens.

    The admin flag is true when the policy enforcer says so, or when the
    API runs with the NOAUTH strategy — i.e. a noauth deployment treats
    every request as admin.
    """
    if project_id:
        kwargs['tenant'] = project_id
    super().__init__(**kwargs)
    self.is_admin = policy.get_enforcer().check_is_admin(self)
    if not self.is_admin:
        # Fall back to the deployment-wide switch only when policy
        # did not already grant admin.
        self.is_admin = (CONF.api_settings.auth_strategy ==
                         constants.NOAUTH)
def __init__(self, user_id=None, project_id=None, **kwargs):
    """Create the request context and compute its admin flag.

    A truthy ``project_id`` is passed to the parent as ``tenant``.
    ``user_id`` is accepted for signature compatibility but is not
    passed on here — NOTE(review): verify whether the parent is meant
    to receive it.

    ``is_admin`` is set from the policy enforcer's check_is_admin(); if
    that is false, the NOAUTH auth strategy alone makes the context
    admin, so every request is admin in a noauth deployment.
    """
    if project_id:
        kwargs['tenant'] = project_id
    super(Context, self).__init__(**kwargs)
    admin_by_policy = policy.get_enforcer().check_is_admin(self)
    if admin_by_policy:
        self.is_admin = admin_by_policy
    else:
        self.is_admin = (CONF.api_settings.auth_strategy ==
                         constants.NOAUTH)
def setUp(self):
    """Collect every registered rule name and build a non-admin context.

    The config fixture is registered for automatic cleanup; self.actions
    is the set of rule names the enforcer currently knows, and
    self.context is a plain 'member' of project 'fake'.
    """
    super().setUp()
    self.conf = self.useFixture(oslo_fixture.Config())
    # diltram: this one must be removed after fixing issue in oslo.config
    # https://bugs.launchpad.net/oslo.config/+bug/1645868
    self.conf.conf(args=[])
    self.context = context.Context('fake', 'fake', roles=['member'])
    registered_rules = policy.get_enforcer().get_rules()
    self.actions = registered_rules.keys()
    self.target = {}
def _auth_get_all(self, context, project_id):
    """Authorize a list request and return the project filter to apply.

    The global (all-projects) GET_ALL rule is tried first without
    raising. If it is denied, the listing is narrowed to a single
    project — the requested one, or the caller's own when none was
    given — and the per-project GET_ALL rule is enforced through
    _auth_validate_action, which raises on denial.

    Returns ``{}`` (no project restriction) only when ``project_id`` is
    still None after the checks, otherwise ``{'project_id': project_id}``.
    NOTE(review): when the global rule is denied and context.project_id
    is also None, the filter stays empty and the per-project rule alone
    decides — confirm that rule rejects a None project target.
    """
    global_action = '{rbac_obj}{action}'.format(
        rbac_obj=self.RBAC_TYPE, action=constants.RBAC_GET_ALL_GLOBAL)
    target = {'project_id': project_id}
    globally_allowed = policy.get_enforcer().authorize(
        global_action, target, context, do_raise=False)
    if not globally_allowed:
        # Not a global observer or admin: scope to one project and let
        # the per-project rule raise if even that is not permitted.
        if project_id is None:
            project_id = context.project_id
        self._auth_validate_action(context, project_id,
                                   constants.RBAC_GET_ALL)
    if project_id is None:
        return {}
    return {'project_id': project_id}
def _auth_get_all(self, context, project_id):
    """Decide how a list request is scoped and return the matching filter.

    Step 1: try the all-projects GET_ALL rule with do_raise=False.
    Step 2: if denied, fall back to a single project (the requested one,
            else the caller's own) and enforce the per-project GET_ALL
            rule via _auth_validate_action, which raises on denial.
    Step 3: return ``{}`` when no project is pinned (a globally
            authorized caller asking for everything), otherwise a
            ``project_id`` filter.
    NOTE(review): if the global rule is denied and context.project_id is
    None too, the returned filter is empty and only the per-project rule
    stands between the caller and an unscoped listing — confirm it
    rejects a None target.
    """
    target = {'project_id': project_id}
    action_name = '{rbac_obj}{action}'.format(
        rbac_obj=self.RBAC_TYPE, action=constants.RBAC_GET_ALL_GLOBAL)
    enforcer = policy.get_enforcer()
    if not enforcer.authorize(action_name, target, context,
                              do_raise=False):
        # Not a global observer or admin.
        scoped_project = (context.project_id if project_id is None
                          else project_id)
        project_id = scoped_project
        self._auth_validate_action(context, project_id,
                                   constants.RBAC_GET_ALL)
    return {} if project_id is None else {'project_id': project_id}
def test_modified_policy_reloads(self):
    """Rules rewritten in the policy file take effect after load_rules(True).

    The file first holds an always-true rule for example:test, which
    authorizes; it is then overwritten with an always-false rule ("!")
    and a forced reload must turn the same call into PolicyForbidden.
    """
    action = "example:test"
    with tempfile.NamedTemporaryFile(mode='w', delete=True) as policy_file:
        self.conf.load_raw_values(group='oslo_policy',
                                  policy_file=policy_file.name)
        policy_file.write('{"example:test": ""}')
        policy_file.flush()
        self.context = context.Context('fake', 'fake')
        enforcer = policy.get_enforcer()
        enforcer.register_defaults(
            [oslo_policy.RuleDefault('example:test', "")])
        enforcer.authorize(action, self.target, self.context)
        # Replace the rule on disk and force the enforcer to re-read it.
        policy_file.seek(0)
        policy_file.write('{"example:test": "!"}')
        policy_file.flush()
        enforcer.load_rules(True)
        self.assertRaises(exceptions.PolicyForbidden,
                          enforcer.authorize,
                          action, self.target, self.context)
def _auth_validate_action(self, context, project_id, action):
    """Enforce that ``context`` may perform ``action`` on this object type.

    The rule name is the object's RBAC_TYPE prefix followed by the
    action; the target carries only the project id. authorize() is
    called with its default raising behaviour, so denial raises rather
    than returning False.
    """
    rule_name = '{}{}'.format(self.RBAC_TYPE, action)
    policy.get_enforcer().authorize(rule_name,
                                    {'project_id': project_id},
                                    context)
def test_authorize_bad_action_throws(self):
    """An always-false ("!") rule raises PolicyForbidden by default."""
    self.assertRaises(exceptions.PolicyForbidden,
                      policy.get_enforcer().authorize,
                      "example:denied", self.target, self.context)
def test_authorize_nonexistent_action_throws(self):
    """An unregistered rule name raises PolicyNotRegistered, not a silent allow."""
    unknown_action = "example:noexist"
    self.assertRaises(oslo_policy.PolicyNotRegistered,
                      policy.get_enforcer().authorize,
                      unknown_action, self.target, self.context)
def test_authorize_bad_action_noraise(self):
    """With do_raise disabled, a denied action returns False instead of raising."""
    denied = policy.get_enforcer().authorize(
        "example:denied", self.target, self.context, do_raise=False)
    self.assertFalse(denied)
def test_authorize_http(self, req_mock):
    """A URL check string is denied when the remote endpoint answers 'False'."""
    req_mock.post('http://www.example.com/', text='False')
    self.assertRaises(exceptions.PolicyForbidden,
                      policy.get_enforcer().authorize,
                      "example:get_http", self.target, self.context)
def test_authorize_good_action(self):
    """An always-true ("@") rule authorizes and returns a truthy result."""
    allowed = policy.get_enforcer().authorize("example:allowed",
                                              self.target, self.context)
    self.assertTrue(allowed)
def test_early_AND_authorization(self):
    """'! and @' is denied: a failing left operand makes the AND fail."""
    self.assertRaises(exceptions.PolicyForbidden,
                      policy.get_enforcer().authorize,
                      "example:early_and_fail", self.target, self.context)
def test_check_is_admin(self):
    """A mixed-case 'AdMiN' role is recognised as admin by check_is_admin."""
    self.context = context.Context('admin', 'fake', roles=['AdMiN'])
    is_admin = policy.get_enforcer().check_is_admin(self.context)
    self.assertTrue(is_admin)
def test_check_is_admin_fail(self):
    """The default 'member' context is not admin."""
    is_admin = policy.get_enforcer().check_is_admin(self.context)
    self.assertFalse(is_admin)
def _auth_validate_action(self, context, project_id, action):
    """Check that ``context`` is allowed to run ``action`` on this object type.

    Builds the rule name from the object's RBAC_TYPE prefix plus the
    action and authorizes it against a target holding only the project
    id. authorize() keeps its default raising behaviour, so a denial
    propagates as an exception.
    """
    target = {'project_id': project_id}
    full_action = '{}{}'.format(self.RBAC_TYPE, action)
    enforcer = policy.get_enforcer()
    enforcer.authorize(full_action, target, context)
def test_early_OR_authorization(self):
    """'@ or !' authorizes: a passing left operand short-circuits the OR."""
    policy.get_enforcer().authorize("example:early_or_success",
                                    self.target, self.context)