def before(self, state):
    """Build the request context from the identity headers on the request.

    Reads the X-* identity headers, evaluates the 'admin_api' and
    'show_password' policy rules against them, and stores the resulting
    RequestContext on ``state.request.context``.

    NOTE(review): every credential here is taken directly from request
    headers, so is_admin is only as trustworthy as whatever populates
    them. Presumably an auth middleware validates the token and overwrites
    client-supplied X-* headers -- confirm that for each deployed pipeline.
    In 'noauth' mode only the token is dropped; X-Roles is still honoured.
    """
    hdrs = state.request.headers

    # Do not pass any token with context for noauth mode
    if cfg.CONF.auth_strategy == 'noauth':
        auth_token = None
    else:
        auth_token = hdrs.get('X-Auth-Token')

    creds = dict(
        user=hdrs.get('X-User') or hdrs.get('X-User-Id'),
        tenant=hdrs.get('X-Tenant') or hdrs.get('X-Tenant-Id'),
        domain_id=hdrs.get('X-User-Domain-Id'),
        domain_name=hdrs.get('X-User-Domain-Name'),
        auth_token=auth_token,
        # An absent X-Roles header yields [''] (a single empty role) and
        # entries are not whitespace-stripped.
        roles=hdrs.get('X-Roles', '').split(','),
    )

    # The same dict is used as both target and credentials for each rule.
    admin_allowed = policy.enforce('admin_api', creds, creds)
    public_api = state.request.environ.get('is_public_api', False)
    password_visible = policy.enforce('show_password', creds, creds)

    state.request.context = context.RequestContext(
        is_admin=admin_allowed,
        is_public_api=public_api,
        show_password=password_visible,
        **creds)
def before(self, state):
    """Build the request context from the identity headers on the request.

    Reads the X-* identity headers, evaluates the admin and 'show_password'
    policy rules against them, and stores the resulting RequestContext on
    ``state.request.context``.

    NOTE(review): every credential here is taken directly from request
    headers, so is_admin is only as trustworthy as whatever populates
    them. Presumably an auth middleware validates the token and overwrites
    client-supplied X-* headers -- confirm that for each deployed pipeline.
    In 'noauth' mode only the token is dropped; X-Roles is still honoured.
    """
    hdrs = state.request.headers

    # Do not pass any token with context for noauth mode
    if cfg.CONF.auth_strategy == 'noauth':
        auth_token = None
    else:
        auth_token = hdrs.get('X-Auth-Token')

    creds = dict(
        user=hdrs.get('X-User') or hdrs.get('X-User-Id'),
        tenant=hdrs.get('X-Tenant') or hdrs.get('X-Tenant-Id'),
        domain_id=hdrs.get('X-User-Domain-Id'),
        domain_name=hdrs.get('X-User-Domain-Name'),
        auth_token=auth_token,
        # An absent X-Roles header yields [''] (a single empty role) and
        # entries are not whitespace-stripped.
        roles=hdrs.get('X-Roles', '').split(','),
    )

    # NOTE(adam_g): We also check the previous 'admin' rule to ensure
    # compat with default juno policy.json. This double check may be
    # removed in Liberty.
    # Either rule passing sets is_admin, so the effective admin check is
    # as permissive as the looser of the two rules in the loaded policy.
    is_admin = policy.enforce('admin_api', creds, creds)
    if not is_admin:
        is_admin = policy.enforce('admin', creds, creds)

    public_api = state.request.environ.get('is_public_api', False)
    password_visible = policy.enforce('show_password', creds, creds)

    state.request.context = context.RequestContext(
        is_admin=is_admin,
        is_public_api=public_api,
        show_password=password_visible,
        **creds)
def before(self, state):
    """Populate ``state.request.context`` from the request's X-* headers.

    The credentials dict built from the headers is checked against the
    'admin_api' rule (falling back to the older 'admin' rule) and the
    'show_password' rule; the results are stored on a new RequestContext.

    NOTE(review): the headers are read as-is. This is only safe if they
    are set by a trusted component (presumably token-validating
    middleware) rather than by the caller -- verify for every pipeline,
    'noauth' included, where the roles header is still used.
    """
    request = state.request
    hdrs = request.headers

    # Do not pass any token with context for noauth mode
    auth_token = None
    if cfg.CONF.auth_strategy != 'noauth':
        auth_token = hdrs.get('X-Auth-Token')

    creds = {}
    creds['user'] = hdrs.get('X-User') or hdrs.get('X-User-Id')
    creds['tenant'] = hdrs.get('X-Tenant') or hdrs.get('X-Tenant-Id')
    creds['domain_id'] = hdrs.get('X-User-Domain-Id')
    creds['domain_name'] = hdrs.get('X-User-Domain-Name')
    creds['auth_token'] = auth_token
    # Splitting an absent header gives [''], not an empty list.
    creds['roles'] = hdrs.get('X-Roles', '').split(',')

    # NOTE(adam_g): We also check the previous 'admin' rule to ensure
    # compat with default juno policy.json. This double check may be
    # removed in L.
    # The legacy rule is only consulted when 'admin_api' does not pass.
    is_admin = policy.enforce('admin_api', creds, creds)
    if not is_admin:
        is_admin = policy.enforce('admin', creds, creds)

    is_public_api = request.environ.get('is_public_api', False)
    show_password = policy.enforce('show_password', creds, creds)

    request.context = context.RequestContext(
        is_admin=is_admin,
        is_public_api=is_public_api,
        show_password=show_password,
        **creds)
def before(self, state):
    """Reject the request unless it is a public API call or passes 'admin_api'.

    Raises exc.HTTPForbidden (via policy.enforce with do_raise=True) when
    the 'admin_api' rule does not pass for the request context.

    NOTE(review): a truthy ``is_public_api`` skips the admin check
    entirely, so confirm that flag can only be set by trusted server-side
    code and never derived from caller-controlled input.
    """
    ctx = state.request.context
    if not ctx.is_public_api:
        # Two separate to_dict() snapshots: one as target, one as creds.
        target = ctx.to_dict()
        credentials = ctx.to_dict()
        policy.enforce('admin_api', target, credentials,
                       do_raise=True, exc=exc.HTTPForbidden)
def test_trusted_call(self):
    """'trusted_call' must be denied for each of these credential sets."""
    member_only = {'roles': ['Member']}
    # Note the flag is the string 'False', not a boolean.
    not_public = {'is_public_api': 'False'}
    member_not_public = {'roles': ['Member'], 'is_public_api': 'False'}

    for cred in (member_only, not_public, member_not_public):
        self.assertFalse(policy.enforce('trusted_call', cred, cred))
def test_admin_api(self):
    """'admin_api' must pass for the admin and administrator roles."""
    admin_role_sets = (
        [u'admin'],
        ['administrator'],
        ['admin', 'administrator'],
    )
    for role_names in admin_role_sets:
        cred = {'roles': role_names}
        # Same dict serves as both target and credentials.
        self.assertTrue(policy.enforce('admin_api', cred, cred))
def test_admin_api(self):
    """Check that each admin-type role set satisfies the 'admin_api' rule."""
    only_admin = {'roles': [u'admin']}
    only_administrator = {'roles': ['administrator']}
    both_roles = {'roles': ['admin', 'administrator']}

    for cred in (only_admin, only_administrator, both_roles):
        granted = policy.enforce('admin_api', cred, cred)
        self.assertTrue(granted)
def before(self, state):
    """Build the request context from the identity headers on the request.

    Reads the X-* identity headers, evaluates the 'admin_api' rule (falling
    back to the older 'admin' rule) against them, and stores the resulting
    RequestContext on ``state.request.context``.

    NOTE(review): user, tenant, roles and token all come directly from
    request headers, so is_admin is only as trustworthy as whatever sets
    them. Presumably an auth middleware validates the token and overwrites
    client-supplied X-* headers -- confirm that for each deployed pipeline.
    """
    hdrs = state.request.headers

    creds = dict(
        user=hdrs.get('X-User') or hdrs.get('X-User-Id'),
        tenant=hdrs.get('X-Tenant') or hdrs.get('X-Tenant-Id'),
        domain_id=hdrs.get('X-User-Domain-Id'),
        domain_name=hdrs.get('X-User-Domain-Name'),
        # The token is copied into the context unconditionally here.
        auth_token=hdrs.get('X-Auth-Token'),
        # An absent X-Roles header yields [''] (a single empty role) and
        # entries are not whitespace-stripped.
        roles=hdrs.get('X-Roles', '').split(','),
    )

    # NOTE(adam_g): We also check the previous 'admin' rule to ensure
    # compat with default juno policy.json. This double check may be
    # removed in L.
    # Either rule passing sets is_admin, so the effective admin check is
    # as permissive as the looser of the two rules in the loaded policy.
    is_admin = policy.enforce('admin_api', creds, creds)
    if not is_admin:
        is_admin = policy.enforce('admin', creds, creds)

    public_api = state.request.environ.get('is_public_api', False)

    state.request.context = context.RequestContext(
        is_admin=is_admin,
        is_public_api=public_api,
        **creds)
def test_trusted_call(self):
    """Verify 'trusted_call' is refused for non-public, Member-level creds."""
    cases = (
        {'roles': ['Member']},
        # String 'False' rather than the boolean False.
        {'is_public_api': 'False'},
        {'roles': ['Member'], 'is_public_api': 'False'},
    )
    for cred in cases:
        allowed = policy.enforce('trusted_call', cred, cred)
        self.assertFalse(allowed)
def before(self, state):
    """Populate ``state.request.context`` from the request's X-* headers.

    The credentials dict built from the headers is checked against the
    "admin_api" and "show_password" rules, and the results are stored on
    a new RequestContext together with the credentials themselves.

    NOTE(review): the headers are read as-is. This is only safe if they
    are set by a trusted component (presumably token-validating
    middleware) rather than by the caller -- verify for every pipeline,
    "noauth" included, where the roles header is still used.
    """
    request = state.request
    hdrs = request.headers

    # Do not pass any token with context for noauth mode
    auth_token = None
    if cfg.CONF.auth_strategy != "noauth":
        auth_token = hdrs.get("X-Auth-Token")

    creds = {}
    creds["user"] = hdrs.get("X-User") or hdrs.get("X-User-Id")
    creds["tenant"] = hdrs.get("X-Tenant") or hdrs.get("X-Tenant-Id")
    creds["domain_id"] = hdrs.get("X-User-Domain-Id")
    creds["domain_name"] = hdrs.get("X-User-Domain-Name")
    creds["auth_token"] = auth_token
    # Splitting an absent header gives [""], not an empty list.
    creds["roles"] = hdrs.get("X-Roles", "").split(",")

    # Each rule is evaluated with the same dict as target and credentials.
    is_admin = policy.enforce("admin_api", creds, creds)
    is_public_api = request.environ.get("is_public_api", False)
    show_password = policy.enforce("show_password", creds, creds)

    request.context = context.RequestContext(
        is_admin=is_admin,
        is_public_api=is_public_api,
        show_password=show_password,
        **creds
    )
def test_public_api(self):
    """'public_api' must pass when is_public_api is the string 'True'."""
    cred = {'is_public_api': 'True'}
    allowed = policy.enforce('public_api', cred, cred)
    self.assertTrue(allowed)
def test_enforce_existing_rule_fails(self):
    """'has_foo_role' must be denied when the only role is 'bar'."""
    cred = {'roles': ['bar']}
    allowed = policy.enforce('has_foo_role', cred, cred)
    self.assertFalse(allowed)
def test_show_password(self):
    """'show_password' must be denied for an admin role in tenant 'demo'."""
    cred = {'roles': [u'admin'], 'tenant': 'demo'}
    # Holding the admin role alone must not satisfy this rule.
    allowed = policy.enforce('show_password', cred, cred)
    self.assertFalse(allowed)
def test_enforce_missing_rule_fails(self):
    """'has_bar_role' must be denied for credentials holding role 'foo'.

    NOTE(review): the test name implies 'has_bar_role' is not defined in
    the policy under test, i.e. an unknown rule denies -- confirm against
    the test's policy fixture.
    """
    cred = {'roles': ['foo']}
    allowed = policy.enforce('has_bar_role', cred, cred)
    self.assertFalse(allowed)
def test_admin_api(self):
    """'admin_api' must be denied when the only role is 'Member'."""
    cred = {'roles': ['Member']}
    allowed = policy.enforce('admin_api', cred, cred)
    self.assertFalse(allowed)
def test_enforce_existing_rule_passes(self):
    """'has_foo_role' must pass when the credentials hold role 'foo'."""
    cred = {'roles': ['foo']}
    allowed = policy.enforce('has_foo_role', cred, cred)
    self.assertTrue(allowed)
def test_public_api(self):
    """'public_api' must be denied when the flag is 'False' or absent."""
    flag_false = {'is_public_api': 'False'}
    flag_absent = {}
    for cred in (flag_false, flag_absent):
        allowed = policy.enforce('public_api', cred, cred)
        self.assertFalse(allowed)