def test_templatized_enforcement(self):
    """Enforce one action against an allowed and a refused target.

    The target with project_id 'fake' must be accepted, and the target
    with project_id 'another' must raise PolicyNotAuthorized.
    """
    # NOTE(review): the rule behind "example:my_file" and the project
    # carried by self.context are set up outside this block; presumably
    # the rule compares the target's project_id with the context's.
    rule_name = "example:my_file"
    own_project = {'project_id': 'fake'}
    other_project = {'project_id': 'another'}

    # Allowed path: no assertion is needed, an exception would fail the test.
    policy.enforce(self.context, rule_name, own_project)

    # Denied path: same context and action, only the target differs.
    self.assertRaises(
        exception.PolicyNotAuthorized,
        policy.enforce,
        self.context,
        rule_name,
        other_project,
    )
def authorize(context, target=None, action=None):
    """Enforce this extension's policy rule for *context*.

    The rule name is '<api_name>_extension:<extension_name>', with
    ':<action>' appended when *action* is given. ``api_name`` and
    ``extension_name`` are not defined in this block (presumably closed
    over from an enclosing factory).

    Nothing is returned. Callers presumably rely on ``policy.enforce``
    raising when the request is refused; confirm against the policy module.
    """
    if not target:
        # Any falsy target, including an explicitly passed empty dict, is
        # replaced by the context's default target before enforcement.
        target = policy.default_target(context)

    if action is not None:
        rule = '%s_extension:%s:%s' % (api_name, extension_name, action)
    else:
        rule = '%s_extension:%s' % (api_name, extension_name)

    policy.enforce(context, rule, target)
def test_ignore_case_role_check(self):
    """Check that role matching ignores case in both directions.

    A context whose only role is spelled 'AdMiN' is enforced against the
    lowercase-admin action and then the uppercase-admin action; the test
    passes when neither call raises.
    """
    # NOTE(dprince) we mix case in the Admin role here to ensure
    # case is ignored
    mixed_case_admin = context.RequestContext(
        'admin', 'fake', roles=['AdMiN'])

    # Same order as before: lowercase rule first, then uppercase.
    for rule_name in ("example:lowercase_admin", "example:uppercase_admin"):
        policy.enforce(mixed_case_admin, rule_name, self.target)
def test_modified_policy_reloads(self):
    """Check that a rewritten policy file changes the enforcement result.

    The policy file first maps the action to an empty rule list, and
    enforce() must succeed. The file is then rewritten with a
    "false:false" check, the module cache is cleared, and the same call
    must raise PolicyNotAuthorized.
    """
    action = "example:test"
    with utils.tempdir() as tmpdir:
        policy_path = os.path.join(tmpdir, 'policy')
        self.flags(policy_file=policy_path)

        # First version of the file: the test expects this to be allowed.
        with open(policy_path, "w") as handle:
            handle.write('{"example:test": []}')
        policy.enforce(self.context, action, self.target)

        # Second version, same path: the test expects this to be refused.
        with open(policy_path, "w") as handle:
            handle.write('{"example:test": ["false:false"]}')

        # NOTE(vish): reset stored policy cache so we don't have to
        #             sleep(1)
        # NOTE(review): because the cache is cleared by hand, this does not
        # exercise whatever change detection the policy module uses itself.
        policy._POLICY_CACHE = {}
        self.assertRaises(
            exception.PolicyNotAuthorized,
            policy.enforce,
            self.context,
            action,
            self.target,
        )
def test_enforce_http_true(self):
    """Check that enforce() is truthy when the stubbed urlopen answers "True".

    ``urlrequest.urlopen`` is patched for the duration of the call, so the
    only response the policy code can see is the stub's.
    """
    # NOTE(review): only the allow path is pinned here; a counterpart where
    # the response is anything other than "True" is not visible in this block.
    def fakeurlopen(url, post_data):
        # Both arguments are ignored; the body is always the text "True".
        return six.StringIO("True")

    rule_name = "example:get_http"
    empty_target = {}
    with mock.patch.object(urlrequest, 'urlopen', fakeurlopen):
        allowed = policy.enforce(self.context, rule_name, empty_target)
        self.assertTrue(allowed)
def test_modified_policy_reloads(self):
    """Check that rewriting the policy file flips the enforcement result.

    The file starts with an empty rule list for the action, and after
    policy.init() the enforce() call must succeed. The file is then
    rewritten with a "false:false" check, the rules are reloaded, and the
    same call must raise PolicyNotAuthorized.
    """
    action = "example:test"
    with utils.tempdir() as tmpdir:
        policy_path = os.path.join(tmpdir, 'policy')
        # NOTE(review): no matching clear_override is visible here; this
        # presumably relies on the test base class resetting CONF, otherwise
        # later tests would see a policy_file under a removed directory.
        CONF.set_override('policy_file', policy_path, group='oslo_policy')

        # First version of the file: the test expects this to be allowed.
        with open(policy_path, "w") as handle:
            handle.write('{"example:test": []}')
        policy.init(policy_path)
        policy.enforce(self.context, action, self.target)

        # Second version, same path: the test expects this to be refused.
        with open(policy_path, "w") as handle:
            handle.write('{"example:test": ["false:false"]}')

        # NOTE(vish): reset stored policy cache so we don't have to
        #             sleep(1)
        # The True argument is presumably a force-reload flag; confirm
        # against the enforcer's load_rules signature.
        policy._ENFORCER.load_rules(True)
        self.assertRaises(
            exception.PolicyNotAuthorized,
            policy.enforce,
            self.context,
            action,
            self.target,
        )
def test_not_found_policy_calls_default(self):
    """Enforce an action name that, per the test name, has no rule of its own.

    There is no explicit assertion: the test passes when enforce() returns
    without raising.
    """
    # NOTE(review): this pins that an unknown action is accepted under the
    # fixture's default rule (fixture not shown here). Whether unknown
    # actions are allowed or denied elsewhere depends on that default rule.
    unknown_action = "example:noexist"
    empty_target = {}
    policy.enforce(self.context, unknown_action, empty_target)
def test_enforce_good_action(self):
    """Enforce "example:allowed" against self.target.

    There is no explicit assertion: an exception from enforce() is what
    would fail the test.
    """
    policy.enforce(self.context, "example:allowed", self.target)
def test_early_OR_enforcement(self):
    """Enforce "example:early_or_success" against self.target.

    The rule itself is defined outside this block; going by its name it is
    presumably an OR expression whose first alternative already passes.
    The test succeeds when enforce() does not raise.
    """
    policy.enforce(self.context, "example:early_or_success", self.target)