def test_update_with_non_admin(self, mock_policy_authorize, mock_get, mock_update): # allow policy authorized user to update type mock_policy_authorize.return_value = None mock_get.return_value = return_volume_types_get_volume_type_updated( DEFAULT_VOLUME_TYPE, is_public=False) name = "vol_type_%s" % DEFAULT_VOLUME_TYPE updated_name = "%s_%s" % (name, DEFAULT_VOLUME_TYPE) desc = "vol_type_desc_%s" % DEFAULT_VOLUME_TYPE updated_desc = "%s_%s" % (desc, DEFAULT_VOLUME_TYPE) body = {"volume_type": {"name": updated_name, "description": updated_desc, "is_public": False}} req = fakes.HTTPRequest.blank('/v3/%s/types/%s' % ( fake.PROJECT_ID, DEFAULT_VOLUME_TYPE), use_admin_context=False) req.method = 'PUT' self.assertEqual(0, len(self.notifier.notifications)) res_dict = self.controller._update(req, DEFAULT_VOLUME_TYPE, body=body) self.assertEqual(1, len(self.notifier.notifications)) self._check_test_results(res_dict, {'expected_desc': updated_desc, 'expected_name': updated_name, 'is_public': False}) # non policy authorized user fails to update type mock_policy_authorize.side_effect = ( exception.PolicyNotAuthorized(action='type_update')) self.assertRaises(exception.PolicyNotAuthorized, self.controller._update, req, DEFAULT_VOLUME_TYPE, body=body)
def test_delete_cgsnapshot_delete_policy_not_auth(self, mock_delete): vol_type = utils.create_volume_type(context.get_admin_context(), self, name='my_vol_type') consistencygroup = utils.create_group(self.context, group_type_id=fake.GROUP_TYPE_ID, volume_type_ids=[vol_type['id']]) volume_id = utils.create_volume(self.context, volume_type_id=vol_type['id'], group_id=consistencygroup.id)['id'] cgsnapshot = utils.create_group_snapshot( self.context, group_id=consistencygroup.id, group_type_id=fake.GROUP_TYPE_ID, status='available') mock_delete.side_effect = exception.PolicyNotAuthorized( message='PolicyNotAuthorized') req = webob.Request.blank('/v2/%s/cgsnapshots/%s' % (fake.PROJECT_ID, cgsnapshot.id)) req.method = 'DELETE' req.headers['Content-Type'] = 'application/json' res = req.get_response( fakes.wsgi_app(fake_auth_context=self.user_ctxt)) res_dict = jsonutils.loads(res.body) self.assertEqual('PolicyNotAuthorized', res_dict['forbidden']['message']) cgsnapshot.destroy() db.volume_destroy(context.get_admin_context(), volume_id) consistencygroup.destroy()
def test_create_with_none_admin(self, mock_policy_authorize, mock_get_volume_type_by_name, mock_create_type): # allow policy authorized user to create type mock_policy_authorize.return_value = None mock_get_volume_type_by_name.return_value = \ {'extra_specs': {"key1": "value1"}, 'id': DEFAULT_VOLUME_TYPE, 'name': 'vol_type_1', 'description': 'vol_type_desc_1'} body = {"volume_type": {"name": "vol_type_1", "os-volume-type-access:is_public": True, "extra_specs": {"key1": "value1"}}} req = fakes.HTTPRequest.blank('/v3/%s/types' % fake.PROJECT_ID, use_admin_context=False) self.assertEqual(0, len(self.notifier.notifications)) res_dict = self.controller._create(req, body=body) self.assertEqual(1, len(self.notifier.notifications)) self._check_test_results(res_dict, { 'expected_name': 'vol_type_1', 'expected_desc': 'vol_type_desc_1'}) # non policy authorized user fails to create type mock_policy_authorize.side_effect = ( exception.PolicyNotAuthorized(action='type_create')) self.assertRaises(exception.PolicyNotAuthorized, self.controller._create, req, body=body)
def enforce(context, action: str, target: dict): """Verifies that the action is valid on the target in this context. :param context: cinder context :param action: string representing the action to be checked this should be colon separated for clarity. i.e. ``compute:create_instance``, ``compute:attach_volume``, ``volume:attach_volume`` :param target: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. ``{'project_id': context.project_id}`` :raises PolicyNotAuthorized: if verification fails. """ init() assert _ENFORCER is not None try: return _ENFORCER.enforce(action, target, context, do_raise=True, exc=exception.PolicyNotAuthorized, action=action) except policy.InvalidScope: raise exception.PolicyNotAuthorized(action=action)
def enforce(context, action, target): """Verifies that the action is valid on the target in this context. :param context: cinder context :param action: string representing the action to be checked this should be colon separated for clarity. i.e. ``compute:create_instance``, ``compute:attach_volume``, ``volume:attach_volume`` :param object: dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. ``{'project_id': context.project_id}`` :raises cinder.exception.PolicyNotAllowed: if verification fails. """ init() match_list = ('rule:%s' % action, ) credentials = context.to_dict() try: policy.enforce(match_list, target, credentials) except policy.NotAuthorized: raise exception.PolicyNotAuthorized(action=action)
def test_update_with_non_admin(self, mock_policy_enforce, mock_get, mock_update): # allow policy authorized user to update type mock_policy_enforce.return_value = None mock_get.return_value = return_volume_types_get_volume_type_updated( '1', is_public=False) body = { "volume_type": { "name": "vol_type_1_1", "description": "vol_type_desc_1_1", "is_public": False } } req = fakes.HTTPRequest.blank('/v2/fake/types/1', use_admin_context=False) req.method = 'PUT' self.assertEqual(0, len(self.notifier.notifications)) res_dict = self.controller._update(req, '1', body) self.assertEqual(1, len(self.notifier.notifications)) self._check_test_results( res_dict, { 'expected_desc': 'vol_type_desc_1_1', 'expected_name': 'vol_type_1_1', 'is_public': False }) # non policy authorized user fails to update type mock_policy_enforce.side_effect = (exception.PolicyNotAuthorized( action='type_update')) self.assertRaises(exception.PolicyNotAuthorized, self.controller._update, req, '1', body)
def test_volume_types_delete_with_non_admin(self, mock_policy_enforce, mock_get, mock_destroy): # allow policy authorized user to delete type mock_policy_enforce.return_value = None mock_get.return_value = \ {'extra_specs': {"key1": "value1"}, 'id': 1, 'name': u'vol_type_1', 'description': u'vol_type_desc_1'} mock_destroy.side_effect = return_volume_types_destroy req = fakes.HTTPRequest.blank('/v2/fake/types/1', use_admin_context=False) self.assertEqual(0, len(self.notifier.notifications)) self.controller._delete(req, 1) self.assertEqual(1, len(self.notifier.notifications)) # non policy authorized user fails to delete type mock_policy_enforce.side_effect = (exception.PolicyNotAuthorized( action='type_delete')) self.assertRaises(exception.PolicyNotAuthorized, self.controller._delete, req, 1)
def test_volume_types_delete_with_non_admin(self, mock_policy_authorize, mock_get, mock_destroy): # allow policy authorized user to delete type mock_policy_authorize.return_value = None mock_get.return_value = \ {'extra_specs': {"key1": "value1"}, 'id': DEFAULT_VOLUME_TYPE, 'name': 'vol_type_1', 'description': 'vol_type_desc_%s' % DEFAULT_VOLUME_TYPE} mock_destroy.side_effect = return_volume_types_destroy req = fakes.HTTPRequest.blank('/v3/%s/types/%s' % (fake.PROJECT_ID, DEFAULT_VOLUME_TYPE), use_admin_context=False) self.assertEqual(0, len(self.notifier.notifications)) self.controller._delete(req, DEFAULT_VOLUME_TYPE) self.assertEqual(1, len(self.notifier.notifications)) # non policy authorized user fails to delete type mock_policy_authorize.side_effect = ( exception.PolicyNotAuthorized(action='type_delete')) self.assertRaises(exception.PolicyNotAuthorized, self.controller._delete, req, DEFAULT_VOLUME_TYPE)
def fake_authorize(context, target=None, action=None): raise exception.PolicyNotAuthorized(action='index')