def setUp(self):
    """Build a ProtectedImageRepoProxy over three fixture images.

    The request context carries the single role 'spl_role'. Images '1'
    and '3' belong to TENANT1 and carry extra properties (including a
    'forbidden' one); the second image is a public image owned by
    TENANT2 with no extra properties.
    """
    super(TestProtectedImageRepoProxy, self).setUp()
    self.set_property_protections()

    enforcer = policy.Enforcer()
    self.policy = enforcer
    self.property_rules = property_utils.PropertyRules(enforcer)

    factory = xmonitor.domain.ImageFactory()
    self.image_factory = factory

    # One property per CRUD action, plus one named 'forbidden'.
    image1_props = dict(
        spl_create_prop='c',
        spl_read_prop='r',
        spl_update_prop='u',
        spl_delete_prop='d',
        forbidden='prop',
    )
    image3_props = dict(spl_read_prop='r', forbidden='prop')

    first = factory.new_image(
        image_id='1', owner=TENANT1, extra_properties=image1_props)
    second = factory.new_image(owner=TENANT2, visibility='public')
    third = factory.new_image(
        image_id='3', owner=TENANT1, extra_properties=image3_props)
    self.fixtures = [first, second, third]

    self.context = xmonitor.context.RequestContext(roles=['spl_role'])
    # The proxy under test wraps a stub repo that serves the fixtures.
    backing_repo = self.ImageRepoStub(self.fixtures)
    self.image_repo = property_protections.ProtectedImageRepoProxy(
        backing_repo, self.context, self.property_rules)
Exemplo n.º 2
 def test_property_config_loaded_in_order(self):
     """Config sections must come back in the order CONFIG_SECTIONS lists."""
     self.rules_checker = property_utils.PropertyRules(self.policy)
     loaded_sections = property_utils.CONFIG.sections()
     self.assertEqual(CONFIG_SECTIONS, loaded_sections)
Exemplo n.º 3
 def test_property_rules_loaded_in_order(self):
     """Rules must be stored in the same order as the config sections.

     Each entry of ``rules`` is indexed with ``[0]`` to reach a compiled
     pattern, whose ``pattern`` text is compared with the section name
     at the same position.
     """
     self.rules_checker = property_utils.PropertyRules(self.policy)
     # NOTE(review): only as many rules as there are sections are
     # compared, so extra trailing rules would go unnoticed here.
     for position, section in enumerate(property_utils.CONFIG.sections()):
         compiled_rule = self.rules_checker.rules[position][0]
         self.assertEqual(section, compiled_rule.pattern)
Exemplo n.º 4
 def test_check_return_first_match(self):
     """Every CRUD action on 'x_foo_matcher' is denied for an empty role.

     NOTE(review): the test name suggests the first matching rule decides
     the outcome; the rule file itself is not visible here -- confirm.
     """
     self.rules_checker = property_utils.PropertyRules()
     for action in ('create', 'read', 'update', 'delete'):
         ctx = create_context(self.policy, [''])
         allowed = self.rules_checker.check_property_rules(
             'x_foo_matcher', action, ctx)
         self.assertFalse(allowed)
Exemplo n.º 5
 def test_check_property_rules_read_none(self):
     """'x_none_read': create is allowed for admin/member, rest denied.

     The read, update and delete checks all use a context whose only
     role is the empty string and are expected to be refused.
     """
     self.rules_checker = property_utils.PropertyRules()

     privileged_ctx = create_context(self.policy, ['admin', 'member'])
     can_create = self.rules_checker.check_property_rules(
         'x_none_read', 'create', privileged_ctx)
     self.assertTrue(can_create)

     for action in ('read', 'update', 'delete'):
         empty_role_ctx = create_context(self.policy, [''])
         allowed = self.rules_checker.check_property_rules(
             'x_none_read', action, empty_role_ctx)
         self.assertFalse(allowed)
Exemplo n.º 6
 def test_check_case_insensitive_property_rules(self):
     """A 'member' context may perform every CRUD action on the property.

     NOTE(review): the lower-case name 'x_case_insensitive' presumably
     matches a rule written in a different case -- confirm against the
     rule file, which is not visible here.
     """
     self.rules_checker = property_utils.PropertyRules()
     for action in ('create', 'read', 'update', 'delete'):
         member_ctx = create_context(self.policy, ['member'])
         allowed = self.rules_checker.check_property_rules(
             'x_case_insensitive', action, member_ctx)
         self.assertTrue(allowed)
Exemplo n.º 7
 def test_property_protection_with_whitespace(self):
     """Role lists with stray whitespace must still grant both roles.

     Installs a rule for '^test_prop.*' whose role strings contain
     spaces around the comma, then checks that 'member' and 'fake-role'
     can each read 'test_prop_1'.
     """
     whitespace_rules = {
         '^test_prop.*': {
             'create': ['member ,fake-role'],
             'read': ['fake-role, member'],
             'update': ['fake-role,  member'],
             'delete': ['fake-role,   member']
         }
     }
     self.set_property_protection_rules(whitespace_rules)
     self.rules_checker = property_utils.PropertyRules()

     # NOTE(review): only 'read' is asserted; the create/update/delete
     # role strings above (with their other whitespace layouts) are
     # configured but never checked by this test.
     for role in ('member', 'fake-role'):
         ctx = create_context(self.policy, [role])
         allowed = self.rules_checker.check_property_rules(
             'test_prop_1', 'read', ctx)
         self.assertTrue(allowed)
Exemplo n.º 8
 def test_check_property_rules_delete_none_permitted(self):
     """Deleting 'x_none_permitted' is refused for an empty-role context."""
     self.rules_checker = property_utils.PropertyRules()
     empty_role_ctx = create_context(self.policy, [''])
     allowed = self.rules_checker.check_property_rules(
         'x_none_permitted', 'delete', empty_role_ctx)
     self.assertFalse(allowed)
Exemplo n.º 9
 def test_check_property_rules_update_all_permitted(self):
     """Updating 'x_all_permitted' succeeds even with an empty role."""
     self.rules_checker = property_utils.PropertyRules()
     empty_role_ctx = create_context(self.policy, [''])
     allowed = self.rules_checker.check_property_rules(
         'x_all_permitted', 'update', empty_role_ctx)
     self.assertTrue(allowed)
Exemplo n.º 10
 def setUp(self):
     """Enable policy-based property protections and build the checker."""
     super(TestPropertyRulesWithPolicies, self).setUp()
     # use_policies=True selects the policy-backed protection setup
     # rather than the default one used by the other fixtures.
     self.set_property_protections(use_policies=True)
     enforcer = policy.Enforcer()
     self.policy = enforcer
     self.rules_checker = property_utils.PropertyRules(enforcer)
Exemplo n.º 11
 def test_check_property_rules_delete_unpermitted_role(self):
     """A 'member' context must not be allowed to delete 'test_prop'."""
     self.rules_checker = property_utils.PropertyRules(self.policy)
     member_ctx = create_context(self.policy, ['member'])
     allowed = self.rules_checker.check_property_rules(
         'test_prop', 'delete', member_ctx)
     self.assertFalse(allowed)
Exemplo n.º 12
 def test_check_property_rules_delete_permitted_specific_role(self):
     """A 'member' context is allowed to delete 'x_owner_prop'."""
     self.rules_checker = property_utils.PropertyRules(self.policy)
     member_ctx = create_context(self.policy, ['member'])
     allowed = self.rules_checker.check_property_rules(
         'x_owner_prop', 'delete', member_ctx)
     self.assertTrue(allowed)
Exemplo n.º 13
 def test_check_property_rules_delete_permitted_admin_role(self):
     """An 'admin' context is allowed to delete 'test_prop'."""
     self.rules_checker = property_utils.PropertyRules(self.policy)
     admin_ctx = create_context(self.policy, ['admin'])
     allowed = self.rules_checker.check_property_rules(
         'test_prop', 'delete', admin_ctx)
     self.assertTrue(allowed)
Exemplo n.º 14
 def test_check_property_rules_invalid_action(self):
     """The action name 'hall' must be denied, even for an 'admin' role.

     'hall' is not one of the create/read/update/delete actions the
     other tests exercise, so the check is expected to return False
     rather than grant access.
     """
     self.rules_checker = property_utils.PropertyRules(self.policy)
     admin_ctx = create_context(self.policy, ['admin'])
     allowed = self.rules_checker.check_property_rules(
         'test_prop', 'hall', admin_ctx)
     self.assertFalse(allowed)
Exemplo n.º 15
 def setUp(self):
     """Load property protections and create rules plus an image factory."""
     super(TestProtectedImageFactoryProxy, self).setUp()
     self.set_property_protections()
     enforcer = policy.Enforcer()
     self.policy = enforcer
     self.property_rules = property_utils.PropertyRules(enforcer)
     self.factory = xmonitor.domain.ImageFactory()
Exemplo n.º 16
 def setUp(self):
     """Load property protections and build the rules from a new enforcer."""
     super(TestExtraPropertiesProxy, self).setUp()
     self.set_property_protections()
     enforcer = policy.Enforcer()
     self.policy = enforcer
     self.property_rules = property_utils.PropertyRules(enforcer)