def test_verify_show_cant_view_other_tenant(self):
    """Cross-tenant isolation: showing another tenant's usage returns 403.

    The request path is scoped to ``faketenant_1`` but asks for the usage
    record of ``faketenant_0``. With the ``show`` rule installed below, the
    response status is asserted to be 403.
    """
    # The nested lists are presumably read as alternatives (admin role OR a
    # project_id equal to the target's) -- confirm against the policy engine.
    # NOTE(review): the rule is defined inside the test, so this exercises
    # enforcement of this rule only, not the policy file a deployment
    # ships -- confirm the shipped default is covered elsewhere.
    show_rules = {
        "compute_extension:simple_tenant_usage:show": [
            ["role:admin"],
            ["project_id:%(project_id)s"],
        ],
    }

    window = (START.isoformat(), STOP.isoformat())
    request = webob.Request.blank(
        '/v2/faketenant_1/os-simple-tenant-usage/'
        'faketenant_0?start=%s&end=%s' % window)
    request.method = "GET"
    request.headers["content-type"] = "application/json"

    common_policy.set_brain(common_policy.HttpBrain(show_rules))
    try:
        # presumably alt_user_context is a non-admin caller outside
        # faketenant_0 -- verify against the fixture that defines it
        app = fakes.wsgi_app(fake_auth_context=self.alt_user_context)
        response = request.get_response(app)
        self.assertEqual(response.status_int, 403)
    finally:
        # Runs even when the assertion fails, so the rules set above are not
        # left installed for later tests (assuming reset() clears them).
        policy.reset()
def setUp(self):
    """Install a fixed in-memory rule set and a 'member' request context.

    Policy state is reset and initialised first, then the brain is replaced
    with one built from the literal rules below, so every test in the case
    starts from the same rule set.
    """
    super(PolicyTestCase, self).setUp()

    policy.reset()
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()

    fixture_rules = {
        # Empty rule lists; presumably these always pass -- confirm.
        "true": [],
        "example:allowed": [],
        "example:denied": [["false:false"]],
        # NOTE(review): an "http:" check names a remote URL. Presumably the
        # tests that use it stub the HTTP call -- confirm, so the suite
        # never makes an outbound request.
        "example:get_http": [["http:http://www.example.com"]],
        "example:my_file": [
            ["role:compute_admin"],
            ["project_id:%(project_id)s"],
        ],
        # As the names suggest: checks inside one inner list must all
        # hold, while separate inner lists are alternatives.
        "example:early_and_fail": [["false:false", "rule:true"]],
        "example:early_or_success": [["rule:true"], ["false:false"]],
        # Same rule with the role spelled in two cases; presumably used to
        # check how role names are compared -- verify against the tests.
        "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
        "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
    }

    # NOTE(vish): then overload underlying brain
    brain = common_policy.HttpBrain(fixture_rules)
    common_policy.set_brain(brain)

    # Default subject for the tests: holds only the 'member' role.
    self.context = context.RequestContext('fake', 'fake', roles=['member'])
    self.target = {}