Пример #1
0
 def test_keypair_create_fail_policy(self):
     body = {'keypair': {'name': 'create_test'}}
     rules = {self.policy_path + ':create': 'role:admin'}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.create,
                       self.req, body=body)
Пример #2
0
 def _set_policy_rules(self):
     rules = {'compute:get': common_policy.parse_rule(''),
              'os_compute_api:os-instance-actions':
                  common_policy.parse_rule(''),
              'os_compute_api:os-instance-actions:events':
                  common_policy.parse_rule('is_admin:True')}
     policy.set_rules(rules)
Пример #3
0
 def _set_policy_rules(self):
     rules = {'compute:get': common_policy.parse_rule(''),
              'compute_extension:instance_actions':
                  common_policy.parse_rule(''),
              'compute_extension:instance_actions:events':
                  common_policy.parse_rule('is_admin:True')}
     policy.set_rules(rules)
Пример #4
0
 def _set_policy_rules(self):
     rules = {
         "compute:get": common_policy.parse_rule(""),
         "compute_extension:instance_actions": common_policy.parse_rule(""),
         "compute_extension:instance_actions:events": common_policy.parse_rule("is_admin:True"),
     }
     policy.set_rules(rules)
Пример #5
0
 def test_keypair_list_pass_policy(self):
     rules = {self.policy_path + ':index':
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs')
     res = self.KeyPairController.index(req)
     self.assertIn('keypairs', res)
Пример #6
0
 def test_keypair_show_pass_policy(self):
     rules = {self.policy_path + ':show':
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
     res = self.KeyPairController.show(req, 'FAKE')
     self.assertIn('keypair', res)
Пример #7
0
 def test_unshelve_allowed(self, mock_instance_get):
     mock_instance_get.return_value = self._get_instance_other_project()
     rules = {'compute:get': '',
              'compute_extension:%sunshelve' % self.prefix: ''}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     self.assertRaises(exception.Forbidden, self.controller._unshelve,
             self.req, str(uuid.uuid4()), {})
Пример #8
0
 def test_keypair_delete_pass_policy(self):
     rules = {"compute_extension:keypairs:delete": common_policy.parse_rule("")}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank("/v2/fake/os-keypairs/FAKE")
     req.method = "DELETE"
     res = self.KeyPairController.delete(req, "FAKE")
     self.assertEqual(res.status_int, 202)
Пример #9
0
 def test_keypair_list_fail_policy(self):
     rules = {self.policy_path + ':index':
                  common_policy.parse_rule('role:admin')}
     policy.set_rules(rules)
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.index,
                       self.req)
Пример #10
0
 def test_keypair_create_pass_policy(self):
     body = {'keypair': {'name': 'create_test'}}
     rules = {self.policy_path + ':create':
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     res = self.KeyPairController.create(self.req, body=body)
     self.assertIn('keypair', res)
Пример #11
0
 def test_keypair_create_fail_policy(self):
     body = {"keypair": {"name": "create_test"}}
     rules = {"compute_extension:keypairs:create": common_policy.parse_rule("role:admin")}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank("/v2/fake/os-keypairs")
     req.method = "POST"
     self.assertRaises(exception.Forbidden, self.KeyPairController.create, req, body)
Пример #12
0
 def test_keypair_delete_fail_policy(self):
     rules = {self.policy_path + ':delete':
                  common_policy.parse_rule('role:admin')}
     policy.set_rules(rules)
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.delete,
                       self.req, 'FAKE')
Пример #13
0
 def test_keypair_show_pass_policy(self):
     rules = {'compute_extension:v3:keypairs:show':
                 common_policy.parse_rule('')}
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
     res = self.KeyPairController.show(req, 'FAKE')
     self.assertIn('keypair', res)
Пример #14
0
    def test_unshelve_restricted_by_role(self):
        rules = {'compute_extension:%sunshelve' % self.prefix:
                     common_policy.parse_rule('role:admin')}
        policy.set_rules(rules)

        self.assertRaises(exception.Forbidden, self.controller._unshelve,
                self.req, str(uuid.uuid4()), {})
Пример #15
0
    def test_shelve_offload_restricted_by_role(self):
        rules = {'os_compute_api:os-shelve:shelve_offload': 'role:admin'}
        policy.set_rules(oslo_policy.Rules.from_dict(rules))

        self.assertRaises(exception.Forbidden,
                self.controller._shelve_offload, self.req,
                str(uuid.uuid4()), {})
Пример #16
0
 def test_keypair_delete_pass_policy(self):
     rules = {'compute_extension:v3:keypairs:delete':
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
     req.method = 'DELETE'
     self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
 def test_shelve_allowed(self):
     rules = {'compute:get': '',
              'compute_extension:%sshelve' % self.prefix: ''}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
     self.assertRaises(exception.Forbidden, self.controller._shelve,
             self.req, str(uuid.uuid4()), {})
Пример #18
0
 def _set_policy_rules(self):
     rules = {
         "compute:get": common_policy.parse_rule(""),
         "os_compute_api:os-instance-actions": common_policy.parse_rule(""),
         "os_compute_api:os-instance-actions:events": common_policy.parse_rule("is_admin:True"),
     }
     policy.set_rules(rules)
Пример #19
0
 def test_keypair_list_pass_policy(self):
     rules = {'compute_extension:v3:keypairs:index':
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/keypairs')
     res = self.KeyPairController.index(req)
     self.assertIn('keypairs', res)
Пример #20
0
 def test_keypair_show_fail_policy(self):
     rules = {'compute_extension:v3:keypairs:show':
               common_policy.parse_rule('role:admin')}
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.show,
                       req, 'FAKE')
Пример #21
0
    def test_shelve_offload_restricted_by_role(self):
        rules = {'compute_extension:%s%s' % (self.prefix, self.offload):
                     'role:admin'}
        policy.set_rules(oslo_policy.Rules.from_dict(rules))

        self.assertRaises(exception.Forbidden,
                self.controller._shelve_offload, self.req,
                str(uuid.uuid4()), {})
Пример #22
0
 def test_keypair_show_fail_policy(self):
     rules = {self.policy_path + ':show':
                  common_policy.parse_rule('role:admin')}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.show,
                       req, 'FAKE')
Пример #23
0
 def test_shelve_allowed(self):
     rules = {'compute:get': common_policy.parse_rule(''),
              'compute_extension:%sshelve' % self.prefix:
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
     self.assertRaises(exception.Forbidden, self.controller._shelve,
             self.req, str(uuid.uuid4()), {})
Пример #24
0
 def test_keypair_list_fail_policy(self):
     rules = {'compute_extension:keypairs:index':
                  common_policy.parse_rule('role:admin')}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.index,
                       req)
Пример #25
0
    def test_shelve_offload_restricted_by_role(self):
        rules = {'compute_extension:%s%s' % (self.prefix, self.offload):
                  common_policy.parse_rule('role:admin')}
        policy.set_rules(rules)

        req = self._fake_request()
        self.assertRaises(exception.Forbidden,
                self.controller._shelve_offload, req, str(uuid.uuid4()), {})
Пример #26
0
 def test_keypair_create_fail_policy(self):
     body = {'keypair': {'name': 'create_test'}}
     rules = {self.policy_path + ':create':
                  common_policy.parse_rule('role:admin')}
     policy.set_rules(rules)
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.create,
                       self.req, body=body)
Пример #27
0
 def test_stop_overridden_policy_pass_with_same_user(self, stop_mock):
     rules = {
         self.stop_policy: "user_id:%(user_id)s"
     }
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     body = dict(stop="")
     self.controller._stop_server(self.req, uuids.instance, body)
     stop_mock.assert_called_once_with(mock.ANY, mock.ANY)
Пример #28
0
 def test_stop_policy_failed(self):
     rules = {self.stop_policy: "project_id:non_fake"}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     body = dict(stop="")
     exc = self.assertRaises(
         exception.PolicyNotAuthorized, self.controller._stop_server, self.req, uuids.instance, body
     )
     self.assertIn(self.stop_policy, exc.format_message())
Пример #29
0
    def test_unshelve_restricted_by_role(self):
        rules = {'compute_extension:unshelve':
                     common_policy.parse_rule('role:admin')}
        policy.set_rules(rules)

        req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
        self.assertRaises(exception.Forbidden, self.controller._unshelve,
                req, str(uuid.uuid4()), {})
Пример #30
0
 def test_keypair_delete_pass_policy(self):
     rules = {'compute_extension:keypairs:delete':
                  common_policy.parse_rule('')}
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
     req.method = 'DELETE'
     res = self.KeyPairController.delete(req, 'FAKE')
     self.assertEqual(res.status_int, 202)
Пример #31
0
 def test_keypair_list_fail_policy(self):
     rules = {
         'compute_extension:keypairs:index':
         common_policy.parse_rule('role:admin')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
     self.assertRaises(exception.Forbidden, self.KeyPairController.index,
                       req)
Пример #32
0
 def test_keypair_delete_pass_policy(self):
     rules = {
         'compute_extension:keypairs:delete': common_policy.parse_rule('')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
     req.method = 'DELETE'
     res = self.KeyPairController.delete(req, 'FAKE')
     self.assertEqual(res.status_int, 202)
    def test_shelve_offload_restricted_by_role(self):
        rules = {
            'compute_extension:%s%s' % (self.prefix, self.offload):
            common_policy.parse_rule('role:admin')
        }
        policy.set_rules(rules)

        self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
                          self.req, str(uuid.uuid4()), {})
Пример #34
0
 def test_keypair_delete_pass_policy(self):
     rules = {
         'compute_extension:v3:keypairs:delete':
         common_policy.parse_rule('')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
     req.method = 'DELETE'
     self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
Пример #35
0
 def test_certificates_create_policy_failed(self):
     rules = {
         self.certificate_create_extension: common_policy.parse_rule("!")
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank(self.url)
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller.create, req)
     self.assertIn(self.certificate_create_extension, exc.format_message())
Пример #36
0
 def test_skip_policy(self):
     policy.reset()
     rules = {'network:get_all': '!'}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     api = network.API()
     self.assertRaises(exception.PolicyNotAuthorized, api.get_all,
                       self.context)
     api = network.API(skip_policy_check=True)
     api.get_all(self.context)
Пример #37
0
 def _set_policy_rules(self, overwrite=True):
     rules = {
         'os_compute_api:os-instance-actions:show':
         '',
         'os_compute_api:os-instance-actions:events:details':
         'project_id:%(project_id)s'
     }
     policy.set_rules(oslo_policy.Rules.from_dict(rules),
                      overwrite=overwrite)
Пример #38
0
 def test_keypair_show_fail_policy(self):
     rules = {
         'compute_extension:v3:keypairs:show':
         common_policy.parse_rule('role:admin')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
     self.assertRaises(exception.Forbidden, self.KeyPairController.show,
                       req, 'FAKE')
Пример #39
0
 def test_skip_policy(self):
     policy.reset()
     rules = {'network:get_all': common_policy.parse_rule('!')}
     policy.set_rules(common_policy.Rules(rules))
     api = network.API()
     self.assertRaises(exception.PolicyNotAuthorized,
                       api.get_all, self.context)
     api = network.API(skip_policy_check=True)
     api.get_all(self.context)
Пример #40
0
    def test_unshelve_allowed(self):
        rules = {'compute:get': common_policy.parse_rule(''),
                 'compute_extension:unshelve': common_policy.parse_rule('')}
        policy.set_rules(rules)

        self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
        req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
        self.assertRaises(exception.Forbidden, self.controller._unshelve,
                req, str(uuid.uuid4()), {})
Пример #41
0
    def test_unshelve_restricted_by_role(self):
        rules = {'os_compute_api:os-shelve:unshelve': 'role:admin'}
        policy.set_rules(oslo_policy.Rules.from_dict(rules))

        self.assertRaises(exception.Forbidden,
                          self.controller._unshelve,
                          self.req,
                          uuidsentinel.fake,
                          body={'unshelve': {}})
Пример #42
0
    def test_shelve_offload_allowed(self):
        rules = {
            'compute:get': '',
            'compute_extension:%s%s' % (self.prefix, self.offload): ''
        }
        policy.set_rules(oslo_policy.Rules.from_dict(rules))

        self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
        self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
                          self.req, str(uuid.uuid4()), {})
Пример #43
0
 def test_keypair_delete_fail_policy(self):
     rules = {
         'compute_extension:keypairs:delete':
         common_policy.parse_rule('role:admin')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
     req.method = 'DELETE'
     self.assertRaises(exception.Forbidden, self.KeyPairController.delete,
                       req, 'FAKE')
Пример #44
0
 def test_certificates_show_policy_failed(self):
     rules = {
         self.certificate_show_extension:
         common_policy.parse_rule("!")
     }
     policy.set_rules(rules)
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller.show, self.req, 'root')
     self.assertIn(self.certificate_show_extension,
                   exc.format_message())
Пример #45
0
 def test_keypair_delete_fail_policy(self):
     rules = {
         self.policy_path + ':delete':
         common_policy.parse_rule('role:admin')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
     req.method = 'DELETE'
     self.assertRaises(exception.Forbidden, self.KeyPairController.delete,
                       req, 'FAKE')
Пример #46
0
 def test_keypair_create_pass_policy(self):
     body = {'keypair': {'name': 'create_test'}}
     rules = {
         'compute_extension:keypairs:create': common_policy.parse_rule('')
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
     req.method = 'POST'
     res = self.KeyPairController.create(req, body)
     self.assertIn('keypair', res)
Пример #47
0
 def test_stop_policy_failed_with_other_project(self):
     rules = {self.stop_policy: "project_id:%(project_id)s"}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     body = dict(stop="")
     # Change the project_id in request context.
     self.req.environ['nova.context'].project_id = 'other-project'
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller._stop_server, self.req,
                             uuids.instance, body)
     self.assertIn(self.stop_policy, exc.format_message())
Пример #48
0
    def test_unshelve_allowed(self):
        rules = {'compute:get': common_policy.parse_rule(''),
                 'compute_extension:%sunshelve' % self.prefix:
                 common_policy.parse_rule('')}
        policy.set_rules(rules)

        self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
        req = self._fake_request()
        self.assertRaises(exception.Forbidden, self.controller._unshelve,
                req, str(uuid.uuid4()), {})
Пример #49
0
 def test_start_policy_failed(self):
     rules = {
         self.start_policy: "project_id:non_fake"
     }
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     body = dict(start="")
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller._start_server,
                             self.req, uuids.instance, body)
     self.assertIn(self.start_policy, exc.format_message())
Пример #50
0
    def test_unshelve_restricted_by_role(self):
        rules = {
            'compute_extension:%sunshelve' % self.prefix:
            common_policy.parse_rule('role:admin')
        }
        policy.set_rules(rules)

        req = self._fake_request()
        self.assertRaises(exception.Forbidden, self.controller._unshelve, req,
                          str(uuid.uuid4()), {})
Пример #51
0
    def test_unshelve_restricted_by_role(self):
        rules = {
            'compute_extension:v3:os-shelve:unshelve':
            common_policy.parse_rule('role:admin')
        }
        policy.set_rules(rules)

        req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
        self.assertRaises(exception.Forbidden, self.controller._unshelve, req,
                          str(uuid.uuid4()), {})
 def _set_policy_rules(self):
     rules = {
         'compute:get':
         common_policy.parse_rule(''),
         'compute_extension:instance_actions':
         common_policy.parse_rule(''),
         'compute_extension:instance_actions:events':
         common_policy.parse_rule('is_admin:True')
     }
     policy.set_rules(rules)
 def _set_policy_rules(self):
     rules = {
         'compute:get':
         common_policy.parse_rule(''),
         'os_compute_api:os-instance-actions':
         common_policy.parse_rule(''),
         'os_compute_api:os-instance-actions:events':
         common_policy.parse_rule('is_admin:True')
     }
     policy.set_rules(rules)
Пример #54
0
 def test_start_policy_failed(self):
     rules = {
         self.start_policy: common_policy.parse_rule("project_id:non_fake")
     }
     policy.set_rules(rules)
     self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
     body = dict(start="")
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller._start_server, self.req,
                             'test_inst', body)
     self.assertIn(self.start_policy, exc.format_message())
Пример #55
0
 def test_start_overridden_policy_failed_with_other_user_in_same_project(
         self):
     rules = {self.start_policy: "user_id:%(user_id)s"}
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     # Change the user_id in request context.
     self.req.environ['nova.context'].user_id = 'other-user'
     body = dict(start="")
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller._start_server, self.req,
                             uuids.instance, body)
     self.assertIn(self.start_policy, exc.format_message())
Пример #56
0
 def test_certificates_create_policy_failed(self):
     rules = {
         "compute_extension:v3:os-certificates:create":
         common_policy.parse_rule("!")
     }
     policy.set_rules(rules)
     req = fakes.HTTPRequestV3.blank('/os-certificates/')
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller.create, req)
     self.assertIn("compute_extension:v3:os-certificates:create",
                   exc.format_message())
Пример #57
0
 def test_keypair_create_fail_policy(self):
     body = {'keypair': {'name': 'create_test'}}
     rules = {
         self.policy_path + ':create':
         common_policy.parse_rule('role:admin')
     }
     policy.set_rules(rules)
     self.assertRaises(exception.Forbidden,
                       self.KeyPairController.create,
                       self.req,
                       body=body)
 def test_stop_policy_failed(self):
     rules = {
         self.stop_policy: "project_id:non_fake"
     }
     policy.set_rules(oslo_policy.Rules.from_dict(rules))
     self.stub_out('nova.db.instance_get_by_uuid', fake_instance_get)
     body = dict(stop="")
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller._stop_server,
                             self.req, 'test_inst', body)
     self.assertIn(self.stop_policy, exc.format_message())
Пример #59
0
    def test_shelve_offload_allowed(self):
        rules = {
            'compute:get':
            common_policy.parse_rule(''),
            'compute_extension:%s%s' % (self.prefix, self.offload):
            common_policy.parse_rule('')
        }
        policy.set_rules(rules)

        self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
        self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
                          self.req, str(uuid.uuid4()), {})
 def test_start_policy_failed(self):
     rules = {
         "compute:start": common_policy.parse_rule("project_id:non_fake")
     }
     policy.set_rules(rules)
     self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
     req = fakes.HTTPRequest.blank('/v2/fake/servers/test_inst/action')
     body = dict(start="")
     exc = self.assertRaises(exception.PolicyNotAuthorized,
                             self.controller._start_server, req,
                             'test_inst', body)
     self.assertIn('compute:start', exc.format_message())