def test_keypair_create_fail_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create': 'role:admin'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
self.req, body=body)
def _set_policy_rules(self):
rules = {'compute:get': common_policy.parse_rule(''),
'os_compute_api:os-instance-actions':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions:events':
common_policy.parse_rule('is_admin:True')}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:instance_actions':
common_policy.parse_rule(''),
'compute_extension:instance_actions:events':
common_policy.parse_rule('is_admin:True')}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {
"compute:get": common_policy.parse_rule(""),
"compute_extension:instance_actions": common_policy.parse_rule(""),
"compute_extension:instance_actions:events": common_policy.parse_rule("is_admin:True"),
}
policy.set_rules(rules)
def test_keypair_list_pass_policy(self):
rules = {self.policy_path + ':index':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs')
res = self.KeyPairController.index(req)
self.assertIn('keypairs', res)
def test_keypair_show_pass_policy(self):
rules = {self.policy_path + ':show':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertIn('keypair', res)
def test_unshelve_allowed(self, mock_instance_get):
mock_instance_get.return_value = self._get_instance_other_project()
rules = {'compute:get': '',
'compute_extension:%sunshelve' % self.prefix: ''}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.assertRaises(exception.Forbidden, self.controller._unshelve,
self.req, str(uuid.uuid4()), {})
def test_keypair_delete_pass_policy(self):
rules = {"compute_extension:keypairs:delete": common_policy.parse_rule("")}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v2/fake/os-keypairs/FAKE")
req.method = "DELETE"
res = self.KeyPairController.delete(req, "FAKE")
self.assertEqual(res.status_int, 202)
def test_keypair_list_fail_policy(self):
rules = {self.policy_path + ':index':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.index,
self.req)
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create':
common_policy.parse_rule('')}
policy.set_rules(rules)
res = self.KeyPairController.create(self.req, body=body)
self.assertIn('keypair', res)
def test_keypair_create_fail_policy(self):
body = {"keypair": {"name": "create_test"}}
rules = {"compute_extension:keypairs:create": common_policy.parse_rule("role:admin")}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank("/v2/fake/os-keypairs")
req.method = "POST"
self.assertRaises(exception.Forbidden, self.KeyPairController.create, req, body)
def test_keypair_delete_fail_policy(self):
rules = {self.policy_path + ':delete':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.delete,
self.req, 'FAKE')
def test_keypair_show_pass_policy(self):
rules = {'compute_extension:v3:keypairs:show':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
res = self.KeyPairController.show(req, 'FAKE')
self.assertIn('keypair', res)
def test_unshelve_restricted_by_role(self):
rules = {'compute_extension:%sunshelve' % self.prefix:
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.controller._unshelve,
self.req, str(uuid.uuid4()), {})
def test_shelve_offload_restricted_by_role(self):
rules = {'os_compute_api:os-shelve:shelve_offload': 'role:admin'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.assertRaises(exception.Forbidden,
self.controller._shelve_offload, self.req,
str(uuid.uuid4()), {})
def test_keypair_delete_pass_policy(self):
rules = {'compute_extension:v3:keypairs:delete':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
req.method = 'DELETE'
self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
def test_shelve_allowed(self):
rules = {'compute:get': '',
'compute_extension:%sshelve' % self.prefix: ''}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve,
self.req, str(uuid.uuid4()), {})
def _set_policy_rules(self):
rules = {
"compute:get": common_policy.parse_rule(""),
"os_compute_api:os-instance-actions": common_policy.parse_rule(""),
"os_compute_api:os-instance-actions:events": common_policy.parse_rule("is_admin:True"),
}
policy.set_rules(rules)
def test_keypair_list_pass_policy(self):
rules = {'compute_extension:v3:keypairs:index':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs')
res = self.KeyPairController.index(req)
self.assertIn('keypairs', res)
def test_keypair_show_fail_policy(self):
rules = {'compute_extension:v3:keypairs:show':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
self.assertRaises(exception.Forbidden,
self.KeyPairController.show,
req, 'FAKE')
def test_shelve_offload_restricted_by_role(self):
rules = {'compute_extension:%s%s' % (self.prefix, self.offload):
'role:admin'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.assertRaises(exception.Forbidden,
self.controller._shelve_offload, self.req,
str(uuid.uuid4()), {})
def test_keypair_show_fail_policy(self):
rules = {self.policy_path + ':show':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
self.assertRaises(exception.Forbidden,
self.KeyPairController.show,
req, 'FAKE')
def test_shelve_allowed(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:%sshelve' % self.prefix:
common_policy.parse_rule('')}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve,
self.req, str(uuid.uuid4()), {})
def test_keypair_list_fail_policy(self):
rules = {'compute_extension:keypairs:index':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
self.assertRaises(exception.Forbidden,
self.KeyPairController.index,
req)
def test_shelve_offload_restricted_by_role(self):
rules = {'compute_extension:%s%s' % (self.prefix, self.offload):
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
req = self._fake_request()
self.assertRaises(exception.Forbidden,
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
def test_keypair_create_fail_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {self.policy_path + ':create':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
self.req, body=body)
def test_stop_overridden_policy_pass_with_same_user(self, stop_mock):
rules = {
self.stop_policy: "user_id:%(user_id)s"
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
body = dict(stop="")
self.controller._stop_server(self.req, uuids.instance, body)
stop_mock.assert_called_once_with(mock.ANY, mock.ANY)
def test_stop_policy_failed(self):
rules = {self.stop_policy: "project_id:non_fake"}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
body = dict(stop="")
exc = self.assertRaises(
exception.PolicyNotAuthorized, self.controller._stop_server, self.req, uuids.instance, body
)
self.assertIn(self.stop_policy, exc.format_message())
def test_unshelve_restricted_by_role(self):
rules = {'compute_extension:unshelve':
common_policy.parse_rule('role:admin')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_keypair_delete_pass_policy(self):
rules = {'compute_extension:keypairs:delete':
common_policy.parse_rule('')}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
req.method = 'DELETE'
res = self.KeyPairController.delete(req, 'FAKE')
self.assertEqual(res.status_int, 202)
def test_keypair_list_fail_policy(self):
rules = {
'compute_extension:keypairs:index':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
self.assertRaises(exception.Forbidden, self.KeyPairController.index,
req)
def test_keypair_delete_pass_policy(self):
rules = {
'compute_extension:keypairs:delete': common_policy.parse_rule('')
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
req.method = 'DELETE'
res = self.KeyPairController.delete(req, 'FAKE')
self.assertEqual(res.status_int, 202)
def test_shelve_offload_restricted_by_role(self):
rules = {
'compute_extension:%s%s' % (self.prefix, self.offload):
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
self.req, str(uuid.uuid4()), {})
def test_keypair_delete_pass_policy(self):
rules = {
'compute_extension:v3:keypairs:delete':
common_policy.parse_rule('')
}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
req.method = 'DELETE'
self.assertIsNone(self.KeyPairController.delete(req, 'FAKE'))
def test_certificates_create_policy_failed(self):
rules = {
self.certificate_create_extension: common_policy.parse_rule("!")
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.url)
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, req)
self.assertIn(self.certificate_create_extension, exc.format_message())
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': '!'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized, api.get_all,
self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def _set_policy_rules(self, overwrite=True):
rules = {
'os_compute_api:os-instance-actions:show':
'',
'os_compute_api:os-instance-actions:events:details':
'project_id:%(project_id)s'
}
policy.set_rules(oslo_policy.Rules.from_dict(rules),
overwrite=overwrite)
def test_keypair_show_fail_policy(self):
rules = {
'compute_extension:v3:keypairs:show':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
self.assertRaises(exception.Forbidden, self.KeyPairController.show,
req, 'FAKE')
def test_skip_policy(self):
policy.reset()
rules = {'network:get_all': common_policy.parse_rule('!')}
policy.set_rules(common_policy.Rules(rules))
api = network.API()
self.assertRaises(exception.PolicyNotAuthorized,
api.get_all, self.context)
api = network.API(skip_policy_check=True)
api.get_all(self.context)
def test_unshelve_allowed(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:unshelve': common_policy.parse_rule('')}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_unshelve_restricted_by_role(self):
rules = {'os_compute_api:os-shelve:unshelve': 'role:admin'}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.assertRaises(exception.Forbidden,
self.controller._unshelve,
self.req,
uuidsentinel.fake,
body={'unshelve': {}})
def test_shelve_offload_allowed(self):
rules = {
'compute:get': '',
'compute_extension:%s%s' % (self.prefix, self.offload): ''
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
self.req, str(uuid.uuid4()), {})
def test_keypair_delete_fail_policy(self):
rules = {
'compute_extension:keypairs:delete':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
req.method = 'DELETE'
self.assertRaises(exception.Forbidden, self.KeyPairController.delete,
req, 'FAKE')
def test_certificates_show_policy_failed(self):
rules = {
self.certificate_show_extension:
common_policy.parse_rule("!")
}
policy.set_rules(rules)
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, self.req, 'root')
self.assertIn(self.certificate_show_extension,
exc.format_message())
def test_keypair_delete_fail_policy(self):
rules = {
self.policy_path + ':delete':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank(self.base_url + '/os-keypairs/FAKE')
req.method = 'DELETE'
self.assertRaises(exception.Forbidden, self.KeyPairController.delete,
req, 'FAKE')
def test_keypair_create_pass_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {
'compute_extension:keypairs:create': common_policy.parse_rule('')
}
policy.set_rules(rules)
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
req.method = 'POST'
res = self.KeyPairController.create(req, body)
self.assertIn('keypair', res)
def test_stop_policy_failed_with_other_project(self):
rules = {self.stop_policy: "project_id:%(project_id)s"}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
body = dict(stop="")
# Change the project_id in request context.
self.req.environ['nova.context'].project_id = 'other-project'
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._stop_server, self.req,
uuids.instance, body)
self.assertIn(self.stop_policy, exc.format_message())
def test_unshelve_allowed(self):
rules = {'compute:get': common_policy.parse_rule(''),
'compute_extension:%sunshelve' % self.prefix:
common_policy.parse_rule('')}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
req = self._fake_request()
self.assertRaises(exception.Forbidden, self.controller._unshelve,
req, str(uuid.uuid4()), {})
def test_start_policy_failed(self):
rules = {
self.start_policy: "project_id:non_fake"
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server,
self.req, uuids.instance, body)
self.assertIn(self.start_policy, exc.format_message())
def test_unshelve_restricted_by_role(self):
rules = {
'compute_extension:%sunshelve' % self.prefix:
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
req = self._fake_request()
self.assertRaises(exception.Forbidden, self.controller._unshelve, req,
str(uuid.uuid4()), {})
def test_unshelve_restricted_by_role(self):
rules = {
'compute_extension:v3:os-shelve:unshelve':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
self.assertRaises(exception.Forbidden, self.controller._unshelve, req,
str(uuid.uuid4()), {})
def _set_policy_rules(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'compute_extension:instance_actions':
common_policy.parse_rule(''),
'compute_extension:instance_actions:events':
common_policy.parse_rule('is_admin:True')
}
policy.set_rules(rules)
def _set_policy_rules(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions':
common_policy.parse_rule(''),
'os_compute_api:os-instance-actions:events':
common_policy.parse_rule('is_admin:True')
}
policy.set_rules(rules)
def test_start_policy_failed(self):
rules = {
self.start_policy: common_policy.parse_rule("project_id:non_fake")
}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server, self.req,
'test_inst', body)
self.assertIn(self.start_policy, exc.format_message())
def test_start_overridden_policy_failed_with_other_user_in_same_project(
self):
rules = {self.start_policy: "user_id:%(user_id)s"}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
# Change the user_id in request context.
self.req.environ['nova.context'].user_id = 'other-user'
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server, self.req,
uuids.instance, body)
self.assertIn(self.start_policy, exc.format_message())
def test_certificates_create_policy_failed(self):
rules = {
"compute_extension:v3:os-certificates:create":
common_policy.parse_rule("!")
}
policy.set_rules(rules)
req = fakes.HTTPRequestV3.blank('/os-certificates/')
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, req)
self.assertIn("compute_extension:v3:os-certificates:create",
exc.format_message())
def test_keypair_create_fail_policy(self):
body = {'keypair': {'name': 'create_test'}}
rules = {
self.policy_path + ':create':
common_policy.parse_rule('role:admin')
}
policy.set_rules(rules)
self.assertRaises(exception.Forbidden,
self.KeyPairController.create,
self.req,
body=body)
def test_stop_policy_failed(self):
rules = {
self.stop_policy: "project_id:non_fake"
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.stub_out('nova.db.instance_get_by_uuid', fake_instance_get)
body = dict(stop="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._stop_server,
self.req, 'test_inst', body)
self.assertIn(self.stop_policy, exc.format_message())
def test_shelve_offload_allowed(self):
rules = {
'compute:get':
common_policy.parse_rule(''),
'compute_extension:%s%s' % (self.prefix, self.offload):
common_policy.parse_rule('')
}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
self.assertRaises(exception.Forbidden, self.controller._shelve_offload,
self.req, str(uuid.uuid4()), {})
def test_start_policy_failed(self):
rules = {
"compute:start": common_policy.parse_rule("project_id:non_fake")
}
policy.set_rules(rules)
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get)
req = fakes.HTTPRequest.blank('/v2/fake/servers/test_inst/action')
body = dict(start="")
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller._start_server, req,
'test_inst', body)
self.assertIn('compute:start', exc.format_message())