Пример #1
 def test_get_roles_context_is_admin_rule_missing(self):
     """Admin roles default to ['admin'] when the admin-context rule is absent."""
     raw_rules = {"some_other_rule": "role:admin"}
     parsed = {}
     for name, expression in raw_rules.items():
         parsed[name] = common_policy.parse_rule(expression)
     common_policy.set_rules(common_policy.Rules(parsed))
     # The loaded rule set only holds "some_other_rule"; get_admin_roles()
     # must still report 'admin' for backward compatibility.
     self.assertEqual(['admin'], policy.get_admin_roles())
Пример #2
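def _set_rules(data):
    """Load policy rules from JSON text and install them as the active set.

    Rules whose name starts with a key of DEPRECATED_POLICY_MAP are
    re-registered under their current names (one per combination of the
    mapped actions and policies) and the old-style entry is removed.

    :param data: policy document handed to ``policy.Rules.load_json``
    """
    default_rule = 'default'
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    # Walk a snapshot of the rule names: the loop body inserts and deletes
    # entries, and mutating a dict while iterating its live key view raises
    # RuntimeError on Python 3 (Python 2's keys() already returned a list).
    for pol in list(policies.keys()):
        if any(pol.startswith(depr_pol) for depr_pol in
               DEPRECATED_POLICY_MAP.keys()):
            LOG.warn(_("Found deprecated policy rule:%s. Please consider "
                       "upgrading your policy configuration file"), pol)
            pol_name, action = pol.rsplit(':', 1)
            try:
                new_actions = DEPRECATED_ACTION_MAP[action]
                new_policies = DEPRECATED_POLICY_MAP[pol_name]
                # bind new actions and policies together
                for item in itertools.product(new_actions, new_policies):
                    actual_policy = '_'.join(item)
                    if actual_policy not in policies:
                        # New policy, same rule
                        LOG.info(_("Inserting policy:%(new_policy)s in place "
                                   "of deprecated policy:%(old_policy)s"),
                                 {'new_policy': actual_policy,
                                  'old_policy': pol})
                        policies[actual_policy] = policies[pol]
                # Remove old-style policy
                del policies[pol]
            except KeyError:
                # No mapping exists for this action or policy name, so the
                # operator's rule is not carried over to any current name
                # and the old-style entry stays in place (the del above is
                # skipped).
                # NOTE(review): access to the affected actions is then
                # decided by whatever other rule covers them, presumably
                # default_rule -- confirm. This log line signals an
                # authorization rule that is silently not applied and is
                # worth alerting on.
                LOG.error(_("Backward compatibility unavailable for "
                            "deprecated policy %s. The policy will "
                            "not be enforced"), pol)
    policy.set_rules(policies)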
Пример #3
 def test_get_roles_with_rule_check(self):
     """Admin roles are resolved through a ``rule:`` reference."""
     # The admin-context policy only points at another rule; the role
     # itself is defined by that referenced rule.
     raw_rules = {
         policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
         "some_other_rule": "role:admin",
     }
     parsed = {}
     for name, expression in raw_rules.items():
         parsed[name] = common_policy.parse_rule(expression)
     common_policy.set_rules(common_policy.Rules(parsed))
     self.assertEqual(["admin"], policy.get_admin_roles())
Пример #4
 def test_get_roles_with_rule_check(self):
     """get_admin_roles() follows a ``rule:`` indirection to the role."""
     indirect_rules = {
         policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
         "some_other_rule": "role:admin",
     }
     compiled = {name: common_policy.parse_rule(text)
                 for name, text in indirect_rules.items()}
     active = common_policy.Rules(compiled)
     common_policy.set_rules(active)
     # The admin-context policy names no role directly; 'admin' comes from
     # the rule it references.
     self.assertEqual(['admin'], policy.get_admin_roles())
Пример #5
 def test_get_roles_context_is_admin_rule_missing(self):
     """Without an admin-context rule, 'admin' is still the admin role."""
     only_rule = {"some_other_rule": "role:admin"}
     compiled = {name: common_policy.parse_rule(text)
                 for name, text in only_rule.items()}
     active = common_policy.Rules(compiled)
     common_policy.set_rules(active)
     # 'admin' role is expected for bw compatibility
     self.assertEqual(['admin'], policy.get_admin_roles())
Пример #6
 def setUp(self):
     """Install a fixed in-memory rule set and a non-admin request context."""
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # Restore the policy module state once the test finishes.
     self.addCleanup(policy.reset)
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     raw_rules = {
         "true": "@",
         "example:allowed": "@",
         "example:denied": "!",
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     parsed = {}
     for name, expression in raw_rules.items():
         parsed[name] = common_policy.parse_rule(expression)
     common_policy.set_rules(common_policy.Rules(parsed))
     # The context carries only the "member" role, so the role-based example
     # rules above are exercised from a non-admin caller.
     self.context = context.Context("fake", "fake", roles=["member"])
     self.target = {}
Пример #7
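def _set_rules(data):
    """Parse a policy document and make it the active rule set.

    Entries named with the deprecated folsom/grizzly extension convention
    (a name starting with a DEPRECATED_POLICY_MAP key) are copied to each
    current name built from the mapped actions and policies, then removed.

    :param data: policy document handed to ``policy.Rules.load_json``
    """
    default_rule = 'default'
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    # The body adds and removes entries, so iterate a copy of the names;
    # iterating the live keys() view fails on Python 3 with
    # "dictionary changed size during iteration".
    for pol in list(policies.keys()):
        is_deprecated = any(
            pol.startswith(depr_pol)
            for depr_pol in DEPRECATED_POLICY_MAP.keys())
        if not is_deprecated:
            continue
        LOG.warn(
            _("Found deprecated policy rule:%s. Please consider "
              "upgrading your policy configuration file"), pol)
        pol_name, action = pol.rsplit(':', 1)
        try:
            new_actions = DEPRECATED_ACTION_MAP[action]
            new_policies = DEPRECATED_POLICY_MAP[pol_name]
            # bind new actions and policies together
            for item in itertools.product(new_actions, new_policies):
                actual_policy = '_'.join(item)
                if actual_policy not in policies:
                    # New policy, same rule
                    LOG.info(
                        _("Inserting policy:%(new_policy)s in place "
                          "of deprecated policy:%(old_policy)s"), {
                              'new_policy': actual_policy,
                              'old_policy': pol
                          })
                    policies[actual_policy] = policies[pol]
            # Remove old-style policy
            del policies[pol]
        except KeyError:
            # Either lookup above found no mapping: the rule is not copied
            # to any current name and the old entry is left untouched.
            # NOTE(review): the operator's restriction is therefore not
            # applied; the affected actions fall to whichever other rule
            # matches them (presumably default_rule -- confirm). Treat this
            # error as a policy misconfiguration to fix, not as noise.
            LOG.error(
                _("Backward compatibility unavailable for "
                  "deprecated policy %s. The policy will "
                  "not be enforced"), pol)
    policy.set_rules(policies)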
Пример #8
 def setUp(self):
     """Load a fixed set of example rules and build a 'member' context."""
     super(PolicyTestCase, self).setUp()
     policy.reset()
     # NOTE(vish): preload rules to circumvent reloading from file
     policy.init()
     example_rules = {
         "true": '@',
         "example:allowed": '@',
         "example:denied": '!',
         "example:get_http": "http:http://www.example.com",
         "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
         "example:early_and_fail": "! and @",
         "example:early_or_success": "@ or !",
         "example:lowercase_admin": "role:admin or role:sysadmin",
         "example:uppercase_admin": "role:ADMIN or role:sysadmin",
     }
     # NOTE(vish): then overload underlying rules
     compiled = {name: common_policy.parse_rule(text)
                 for name, text in example_rules.items()}
     active = common_policy.Rules(compiled)
     common_policy.set_rules(active)
     # NOTE(review): unlike the reset() call at the top, nothing visible here
     # restores the policy state after the test -- confirm a tearDown or
     # cleanup elsewhere in the class does so.
     self.context = context.Context('fake', 'fake', roles=['member'])
     self.target = {}
Пример #9
def _set_rules(data):
    """Parse the policy document *data* and install it as the active rules.

    Names without a rule of their own are covered by the 'default' rule
    name passed to ``load_json``.
    """
    loaded = policy.Rules.load_json(data, 'default')
    policy.set_rules(loaded)
Пример #10
 def fakepolicyinit():
     # Installs the rules held on the enclosing ``self`` as the active set;
     # presumably substituted for the real policy initialisation -- confirm
     # against the caller.
     fake_rules = common_policy.Rules(self.rules)
     common_policy.set_rules(fake_rules)
Пример #11
 def _set_rules(self, default_rule):
     """Parse ``self.rules`` and activate them with *default_rule*.

     :param default_rule: name handed to ``common_policy.Rules`` as the
         default rule
     """
     parsed = {}
     for name, expression in self.rules.items():
         parsed[name] = common_policy.parse_rule(expression)
     common_policy.set_rules(common_policy.Rules(parsed, default_rule))
Пример #12
 def fakepolicyinit():
     # Activates ``self.rules`` (taken from the enclosing scope) directly,
     # without reading any policy file in this function.
     active = common_policy.Rules(self.rules)
     common_policy.set_rules(active)
Пример #13
 def _set_rules(self, default_rule):
     """Compile the textual rules in ``self.rules`` and make them active.

     :param default_rule: passed through as the second argument of
         ``common_policy.Rules``
     """
     compiled = {name: common_policy.parse_rule(text)
                 for name, text in self.rules.items()}
     active = common_policy.Rules(compiled, default_rule)
     common_policy.set_rules(active)
Пример #14
def _set_rules(data):
    """Log the policy file path, then parse *data* and activate the rules.

    The 'default' rule name is passed to ``load_json`` alongside the document.
    """
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    loaded = policy.Rules.load_json(data, 'default')
    policy.set_rules(loaded)
Пример #15
def _set_rules(data):
    """Build a rule set from the policy document *data* and activate it."""
    # 'default' is the rule name given to load_json as the default rule.
    rule_set = policy.Rules.load_json(data, 'default')
    policy.set_rules(rule_set)
Пример #16
def _set_rules(data):
    """Parse the policy document *data* and install it as the active rules.

    Deprecated rule names are not translated here; the document is loaded
    as written.
    """
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    # TODO(salvatore-orlando): Ensure backward compatibility with
    # folsom/grizzly style for extension rules (bp/make-authz-orthogonal)
    rule_set = policy.Rules.load_json(data, 'default')
    policy.set_rules(rule_set)