def test_project_id_is_none(self):
policy = _policy.Policy(POLICY_FILE)
self._test_policy(policy, 'project-none', True, {'project_id': None},
tests_base.TestCredentials({}))
self._test_policy(policy, 'project-none',
False, {'project_id': '1234'},
tests_base.TestCredentials({}))
def test_custom_attr(self):
class CustomClass(dict):
def __init__(self, headers):
super(CustomClass,
self).__init__(cred_attr=headers['cred-attr'])
policy = _policy.Policy(POLICY_FILE)
self._test_policy(policy, 'target-attribute',
True, {'target_attr': '1'},
CustomClass({'cred-attr': '1'}))
self._test_policy(policy, 'target-attribute',
False, {'target_attr': '2'},
CustomClass({'cred-attr': '1'}))
def test_add_rule(self):
policy = _policy.Policy(POLICY_FILE)
self._test_policy(
policy, 'user-moshe', True, {},
tests_base.TestCredentials({tests_base.HEADER_USER_NAME: 'moshe'}))
self._test_policy(
policy, 'user-haim', False, {},
tests_base.TestCredentials({tests_base.HEADER_USER_NAME: 'haim'}))
policy.set({'user-haim': 'user_name:haim'})
self._test_policy(
policy, 'user-moshe', True, {},
tests_base.TestCredentials({tests_base.HEADER_USER_NAME: 'moshe'}))
self._test_policy(
policy, 'user-haim', True, {},
tests_base.TestCredentials({tests_base.HEADER_USER_NAME: 'haim'}))
def __init__(self,
api,
resource_package,
policy_file=None,
credentials_class=None,
backend_args=None,
**resource_params):
backend_args = backend_args or {}
self._backend = backends.get(api, **backend_args)
self._policy = policy.Policy(policy_file=policy_file)
self._resources = resource_node.ResourceNode()
resource_params.update({
'_policy': self._policy,
'_resource_package': resource_package,
'_credentials_class': credentials_class,
})
self._backend.add_resources(self._resources, resource_package,
**resource_params)
self._backend.add_resources(self._resources, common_resources,
**resource_params)
def test_policy(self):
policy = _policy.Policy(POLICY_FILE)
self._test_policy(
policy, 'project-admin', True, {'project_id': 'project-id-1'},
tests_base.TestCredentials({
tests_base.HEADER_ROLES:
'project_admin',
tests_base.HEADER_PROJECT_ID:
'project-id-1'
}))
self._test_policy(
policy, 'project-admin', True, {'project_id': 'project-id-2'},
tests_base.TestCredentials({
tests_base.HEADER_ROLES:
'admin',
tests_base.HEADER_PROJECT_ID:
'project-id-1'
}))
self._test_policy(
policy, 'project-admin', False, {'project_id': 'project-id-2'},
tests_base.TestCredentials({
tests_base.HEADER_ROLES:
'project_admin',
tests_base.HEADER_PROJECT_ID:
'project-id-1'
}))
self._test_policy(
policy, 'project-admin-list', True, {'project_id': 'project-id-1'},
tests_base.TestCredentials({
tests_base.HEADER_ROLES:
'project_admin',
tests_base.HEADER_PROJECT_ID:
'project-id-1'
}))
self._test_policy(
policy, 'project-admin-list', True, {'project_id': 'project-id-2'},
tests_base.TestCredentials({
tests_base.HEADER_ROLES:
'admin',
tests_base.HEADER_PROJECT_ID:
'project-id-1'
}))
self._test_policy(
policy, 'project-admin-list', False,
{'project_id': 'project-id-2'},
tests_base.TestCredentials({
tests_base.HEADER_ROLES:
'project_admin',
tests_base.HEADER_PROJECT_ID:
'project-id-1'
}))
self._test_policy(
policy, 'user-moshe-reference', True, {},
tests_base.TestCredentials({tests_base.HEADER_USER_NAME: 'moshe'}))
self._test_policy(
policy, 'user-moshe-reference', False, {},
tests_base.TestCredentials({tests_base.HEADER_USER_NAME: 'haim'}))
self._test_policy(policy, 'allow-all', True, {}, {})
self._test_policy(policy, 'deny-all', False, {}, {})
self._test_policy(policy, 'rule-does-not-exists', False, {}, {})