def test_resource_enforce_fail(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer() res_type = "OS::Nova::Quota" ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context, res_type, None, None, True) self.assertIn(res_type, ex.message)
def test_resource_enforce_returns_false(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer( policy_file=self.get_policy_file('resources.json'), exc=None) res_type = "OS::Test::AdminOnly" self.assertFalse(enforcer.enforce(context, res_type))
def get_types(self, cnxt=None, support_status=None, type_name=None, version=None): """Return a list of valid resource types.""" # validate the support status if support_status is not None and not support.is_valid_status( support_status): msg = (_('Invalid support status and should be one of %s') % six.text_type(support.SUPPORT_STATUSES)) raise exception.Invalid(reason=msg) def is_resource(key): return isinstance(self._registry[key], (ClassResourceInfo, TemplateResourceInfo)) def status_matches(cls): return (support_status is None or cls.get_class().support_status.status == support_status) def is_available(cls): if cnxt is None: return True return cls.get_class().is_service_available(cnxt) def not_hidden_matches(cls): return cls.get_class().support_status.status != support.HIDDEN def is_allowed(enforcer, name): if cnxt is None: return True try: enforcer.enforce(cnxt, name) except enforcer.exc: return False else: return True enforcer = policy.ResourceEnforcer() def name_matches(name): try: return type_name is None or re.match(type_name, name) except: # noqa return False def version_matches(cls): return (version is None or cls.get_class().support_status.version == version) return [ name for name, cls in six.iteritems(self._registry) if (is_resource(name) and name_matches(name) and status_matches( cls) and is_available(cls) and is_allowed(enforcer, name) and not_hidden_matches(cls) and version_matches(cls)) ]
def test_resource_enforce_returns_false(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer(exc=None) res_type = "OS::Keystone::User" self.assertFalse(enforcer.enforce(context, res_type, is_registered_policy=True)) self.assertIsNotNone(enforcer.enforce(context, res_type, is_registered_policy=True))
def test_resource_enforce_fail(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer( policy_file=self.get_policy_file('resources.json')) res_type = "OS::Test::AdminOnly" ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context, res_type) self.assertIn(res_type, ex.message)
def test_resource_enforce_override_deny_admin(self): context = utils.dummy_context(roles=['admin']) enforcer = policy.ResourceEnforcer( policy_file=self.get_policy_file('resources.json')) res_type = "OS::Cinder::Quota" ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context, res_type, None, None, True) self.assertIn(res_type, ex.message)
def test_resource_wildcard_enforce_fail(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer() res_type = "OS::Keystone::User" ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context, res_type, None, None, True) self.assertIn(res_type.split("::", 1)[0], ex.message)
def test_resource_enforce_exc_on_false(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer( policy_file=self.get_policy_file('resources.json')) res_type = "OS::Test::AdminOnly" self.patchobject(base_policy.Enforcer, 'enforce', return_value=False) ex = self.assertRaises(exception.Forbidden, enforcer.enforce, context, res_type) self.assertIn(res_type, ex.message)
def get_types(self, cnxt=None, support_status=None): '''Return a list of valid resource types.''' def is_resource(key): return isinstance(self._registry[key], (ClassResourceInfo, TemplateResourceInfo)) def status_matches(cls): return (support_status is None or cls.get_class().support_status.status == support_status) def is_available(cls): if cnxt is None: return True return cls.get_class().is_service_available(cnxt) def not_hidden_matches(cls): return cls.get_class().support_status.status != support.HIDDEN def is_allowed(enforcer, name): if cnxt is None: return True try: enforcer.enforce(cnxt, name) except enforcer.exc: return False else: return True enforcer = policy.ResourceEnforcer() return [name for name, cls in six.iteritems(self._registry) if (is_resource(name) and status_matches(cls) and is_available(cls) and is_allowed(enforcer, name) and not_hidden_matches(cls))]
def get_types(self, cnxt=None, support_status=None, type_name=None, version=None, with_description=False): """Return a list of valid resource types.""" # validate the support status if support_status is not None and not support.is_valid_status( support_status): msg = (_('Invalid support status and should be one of %s') % str(support.SUPPORT_STATUSES)) raise exception.Invalid(reason=msg) def is_resource(key): return isinstance(self._registry[key], (ClassResourceInfo, TemplateResourceInfo)) def status_matches(cls): return (support_status is None or cls.get_class().support_status.status == support_status) def is_available(cls): if cnxt is None: return True try: return cls.get_class().is_service_available(cnxt)[0] except Exception: return False def not_hidden_matches(cls): return cls.get_class().support_status.status != support.HIDDEN def is_allowed(enforcer, name): if cnxt is None: return True try: enforcer.enforce(cnxt, name, is_registered_policy=True) except enforcer.exc: return False else: return True enforcer = policy.ResourceEnforcer() def name_matches(name): try: return type_name is None or re.match(type_name, name) except: # noqa return False def version_matches(cls): return (version is None or cls.get_class().support_status.version == version) import heat.engine.resource def resource_description(name, info, with_description): if not with_description: return name rsrc_cls = info.get_class() if rsrc_cls is None: rsrc_cls = heat.engine.resource.Resource return { 'resource_type': name, 'description': rsrc_cls.getdoc(), } return [ resource_description(name, cls, with_description) for name, cls in self._registry.items() if (is_resource(name) and name_matches(name) and status_matches( cls) and is_available(cls) and is_allowed(enforcer, name) and not_hidden_matches(cls) and version_matches(cls)) ]
def test_resource_enforce_success(self): context = utils.dummy_context(roles=['admin']) enforcer = policy.ResourceEnforcer( policy_file=self.get_policy_file('resources.json')) res_type = "OS::Test::AdminOnly" self.assertIsNone(enforcer.enforce(context, res_type))
def test_resource_default_rule(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer( policy_file=self.get_policy_file('resources.json')) res_type = "OS::Test::NotInPolicy" self.assertIsNone(enforcer.enforce(context, res_type))
def test_resource_enforce_success(self): context = utils.dummy_context(roles=['admin']) enforcer = policy.ResourceEnforcer() res_type = "OS::Keystone::User" self.assertTrue(enforcer.enforce(context, res_type, is_registered_policy=True))
def test_resource_default_rule(self): context = utils.dummy_context(roles=['non-admin']) enforcer = policy.ResourceEnforcer() res_type = "OS::Test::NotInPolicy" self.assertTrue(enforcer.enforce(context, res_type, is_registered_policy=True))
def get_types(self, cnxt=None, support_status=None, type_name=None, version=None, with_description=False): """Return a list of valid resource types.""" # validate the support status if support_status is not None and not support.is_valid_status( support_status): msg = (_('Invalid support status and should be one of %s') % str(support.SUPPORT_STATUSES)) raise exception.Invalid(reason=msg) enforcer = policy.ResourceEnforcer() if type_name is not None: try: name_exp = re.compile(type_name) except Exception: return [] else: name_exp = None def matches(name, info): # Only return actual plugins or template resources, not aliases if not isinstance(info, (ClassResourceInfo, TemplateResourceInfo)): return False # If filtering by name, check for match if name_exp is not None and not name_exp.match(name): return False rsrc_cls = info.get_class_to_instantiate() # Never match hidden resource types if rsrc_cls.support_status.status == support.HIDDEN: return False # If filtering by version, check for match if (version is not None and rsrc_cls.support_status.version != version): return False # If filtering by support status, check for match if (support_status is not None and rsrc_cls.support_status.status != support_status): return False if cnxt is not None: # Check for resource policy try: enforcer.enforce(cnxt, name, is_registered_policy=True) except enforcer.exc: return False # Check for service availability try: avail, err = rsrc_cls.is_service_available(cnxt) except Exception: avail = False if not avail: return False return True import heat.engine.resource def resource_description(name, info): if not with_description: return name rsrc_cls = info.get_class() if rsrc_cls is None: rsrc_cls = heat.engine.resource.Resource return { 'resource_type': name, 'description': rsrc_cls.getdoc(), } return [ resource_description(name, info) for name, info in self._registry.items() if matches(name, info) ]