def test_resource_enforce_fail(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer()
res_type = "OS::Nova::Quota"
ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context,
res_type, None, None, True)
self.assertIn(res_type, ex.message)
def test_resource_enforce_returns_false(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer(
policy_file=self.get_policy_file('resources.json'),
exc=None)
res_type = "OS::Test::AdminOnly"
self.assertFalse(enforcer.enforce(context, res_type))
def get_types(self,
cnxt=None,
support_status=None,
type_name=None,
version=None):
"""Return a list of valid resource types."""
# validate the support status
if support_status is not None and not support.is_valid_status(
support_status):
msg = (_('Invalid support status and should be one of %s') %
six.text_type(support.SUPPORT_STATUSES))
raise exception.Invalid(reason=msg)
def is_resource(key):
return isinstance(self._registry[key],
(ClassResourceInfo, TemplateResourceInfo))
def status_matches(cls):
return (support_status is None
or cls.get_class().support_status.status == support_status)
def is_available(cls):
if cnxt is None:
return True
return cls.get_class().is_service_available(cnxt)
def not_hidden_matches(cls):
return cls.get_class().support_status.status != support.HIDDEN
def is_allowed(enforcer, name):
if cnxt is None:
return True
try:
enforcer.enforce(cnxt, name)
except enforcer.exc:
return False
else:
return True
enforcer = policy.ResourceEnforcer()
def name_matches(name):
try:
return type_name is None or re.match(type_name, name)
except: # noqa
return False
def version_matches(cls):
return (version is None
or cls.get_class().support_status.version == version)
return [
name for name, cls in six.iteritems(self._registry)
if (is_resource(name) and name_matches(name) and status_matches(
cls) and is_available(cls) and is_allowed(enforcer, name)
and not_hidden_matches(cls) and version_matches(cls))
]
def test_resource_enforce_returns_false(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer(exc=None)
res_type = "OS::Keystone::User"
self.assertFalse(enforcer.enforce(context, res_type,
is_registered_policy=True))
self.assertIsNotNone(enforcer.enforce(context, res_type,
is_registered_policy=True))
def test_resource_enforce_fail(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer(
policy_file=self.get_policy_file('resources.json'))
res_type = "OS::Test::AdminOnly"
ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context,
res_type)
self.assertIn(res_type, ex.message)
def test_resource_enforce_override_deny_admin(self):
context = utils.dummy_context(roles=['admin'])
enforcer = policy.ResourceEnforcer(
policy_file=self.get_policy_file('resources.json'))
res_type = "OS::Cinder::Quota"
ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context,
res_type, None, None, True)
self.assertIn(res_type, ex.message)
def test_resource_wildcard_enforce_fail(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer()
res_type = "OS::Keystone::User"
ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context,
res_type, None, None, True)
self.assertIn(res_type.split("::", 1)[0], ex.message)
def test_resource_enforce_exc_on_false(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer(
policy_file=self.get_policy_file('resources.json'))
res_type = "OS::Test::AdminOnly"
self.patchobject(base_policy.Enforcer, 'enforce', return_value=False)
ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context,
res_type)
self.assertIn(res_type, ex.message)
def get_types(self, cnxt=None, support_status=None):
'''Return a list of valid resource types.'''
def is_resource(key):
return isinstance(self._registry[key], (ClassResourceInfo,
TemplateResourceInfo))
def status_matches(cls):
return (support_status is None or
cls.get_class().support_status.status ==
support_status)
def is_available(cls):
if cnxt is None:
return True
return cls.get_class().is_service_available(cnxt)
def not_hidden_matches(cls):
return cls.get_class().support_status.status != support.HIDDEN
def is_allowed(enforcer, name):
if cnxt is None:
return True
try:
enforcer.enforce(cnxt, name)
except enforcer.exc:
return False
else:
return True
enforcer = policy.ResourceEnforcer()
return [name for name, cls in six.iteritems(self._registry)
if (is_resource(name) and
status_matches(cls) and
is_available(cls) and
is_allowed(enforcer, name) and
not_hidden_matches(cls))]
def get_types(self,
cnxt=None,
support_status=None,
type_name=None,
version=None,
with_description=False):
"""Return a list of valid resource types."""
# validate the support status
if support_status is not None and not support.is_valid_status(
support_status):
msg = (_('Invalid support status and should be one of %s') %
str(support.SUPPORT_STATUSES))
raise exception.Invalid(reason=msg)
def is_resource(key):
return isinstance(self._registry[key],
(ClassResourceInfo, TemplateResourceInfo))
def status_matches(cls):
return (support_status is None
or cls.get_class().support_status.status == support_status)
def is_available(cls):
if cnxt is None:
return True
try:
return cls.get_class().is_service_available(cnxt)[0]
except Exception:
return False
def not_hidden_matches(cls):
return cls.get_class().support_status.status != support.HIDDEN
def is_allowed(enforcer, name):
if cnxt is None:
return True
try:
enforcer.enforce(cnxt, name, is_registered_policy=True)
except enforcer.exc:
return False
else:
return True
enforcer = policy.ResourceEnforcer()
def name_matches(name):
try:
return type_name is None or re.match(type_name, name)
except: # noqa
return False
def version_matches(cls):
return (version is None
or cls.get_class().support_status.version == version)
import heat.engine.resource
def resource_description(name, info, with_description):
if not with_description:
return name
rsrc_cls = info.get_class()
if rsrc_cls is None:
rsrc_cls = heat.engine.resource.Resource
return {
'resource_type': name,
'description': rsrc_cls.getdoc(),
}
return [
resource_description(name, cls, with_description)
for name, cls in self._registry.items()
if (is_resource(name) and name_matches(name) and status_matches(
cls) and is_available(cls) and is_allowed(enforcer, name)
and not_hidden_matches(cls) and version_matches(cls))
]
def test_resource_enforce_success(self):
context = utils.dummy_context(roles=['admin'])
enforcer = policy.ResourceEnforcer(
policy_file=self.get_policy_file('resources.json'))
res_type = "OS::Test::AdminOnly"
self.assertIsNone(enforcer.enforce(context, res_type))
def test_resource_default_rule(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer(
policy_file=self.get_policy_file('resources.json'))
res_type = "OS::Test::NotInPolicy"
self.assertIsNone(enforcer.enforce(context, res_type))
def test_resource_enforce_success(self):
context = utils.dummy_context(roles=['admin'])
enforcer = policy.ResourceEnforcer()
res_type = "OS::Keystone::User"
self.assertTrue(enforcer.enforce(context, res_type,
is_registered_policy=True))
def test_resource_default_rule(self):
context = utils.dummy_context(roles=['non-admin'])
enforcer = policy.ResourceEnforcer()
res_type = "OS::Test::NotInPolicy"
self.assertTrue(enforcer.enforce(context, res_type,
is_registered_policy=True))
def get_types(self,
cnxt=None,
support_status=None,
type_name=None,
version=None,
with_description=False):
"""Return a list of valid resource types."""
# validate the support status
if support_status is not None and not support.is_valid_status(
support_status):
msg = (_('Invalid support status and should be one of %s') %
str(support.SUPPORT_STATUSES))
raise exception.Invalid(reason=msg)
enforcer = policy.ResourceEnforcer()
if type_name is not None:
try:
name_exp = re.compile(type_name)
except Exception:
return []
else:
name_exp = None
def matches(name, info):
# Only return actual plugins or template resources, not aliases
if not isinstance(info, (ClassResourceInfo, TemplateResourceInfo)):
return False
# If filtering by name, check for match
if name_exp is not None and not name_exp.match(name):
return False
rsrc_cls = info.get_class_to_instantiate()
# Never match hidden resource types
if rsrc_cls.support_status.status == support.HIDDEN:
return False
# If filtering by version, check for match
if (version is not None
and rsrc_cls.support_status.version != version):
return False
# If filtering by support status, check for match
if (support_status is not None
and rsrc_cls.support_status.status != support_status):
return False
if cnxt is not None:
# Check for resource policy
try:
enforcer.enforce(cnxt, name, is_registered_policy=True)
except enforcer.exc:
return False
# Check for service availability
try:
avail, err = rsrc_cls.is_service_available(cnxt)
except Exception:
avail = False
if not avail:
return False
return True
import heat.engine.resource
def resource_description(name, info):
if not with_description:
return name
rsrc_cls = info.get_class()
if rsrc_cls is None:
rsrc_cls = heat.engine.resource.Resource
return {
'resource_type': name,
'description': rsrc_cls.getdoc(),
}
return [
resource_description(name, info)
for name, info in self._registry.items() if matches(name, info)
]
