def test_templatized_enforcement(self):
    """Check that a templated rule separates targets by project.

    The same context and action are enforced against two targets that
    differ only in 'project_id': the first must pass silently, the second
    must raise PolicyNotAuthorized.
    """
    rule_name = "example:my_file"
    # presumably 'fake' is the project of self.context (setUp not shown)
    own_target = {'project_id': 'fake'}
    foreign_target = {'project_id': 'another'}

    # Allowed case: enforce() raising here fails the test.
    policy.enforce(self.context, rule_name, own_target)

    # Denied case: only the target changed, so the decision is driven by
    # the target's project_id rather than by the caller's roles.
    self.assertRaises(exception.PolicyNotAuthorized,
                      policy.enforce,
                      self.context, rule_name, foreign_target)
def enforce(context, action, target):
    """Verifies that the action is valid on the target in this context.

    :param context: nova context; its to_dict() output is handed to the
        policy engine as the caller's credentials
    :param action: string representing the action to be checked.
        This should be colon separated for clarity, i.e.
        compute:create_instance, compute:attach_volume,
        volume:attach_volume
    :param target: dictionary representing the object of the action.
        For object creation this should be a dictionary representing the
        location of the object, e.g. {'project_id': context.project_id}

    :raises: `nova.exception.PolicyNotAuthorized` if verification fails.
        Nothing is returned when the action is allowed.
    """
    init()

    # The action is looked up through a single 'rule:<action>' reference.
    rule_refs = ('rule:%s' % action,)
    caller_creds = context.to_dict()

    # NOTE(review): the decision compares caller_creds against whatever
    # the caller put in target, so target should be built from the stored
    # resource, not from request-supplied values -- confirm at call sites.
    try:
        policy.enforce(rule_refs, target, caller_creds)
    except policy.NotAuthorized:
        # Surface the denial as the nova exception, tagged with the action.
        raise exception.PolicyNotAuthorized(action=action)
def enforce(context, action, target):
    """Verifies that the action is valid on the target in this context.

    A successful check returns nothing; a denial is reported only by the
    exception below, so callers must not swallow it.

    :param context: nova context
    :param action: string representing the action to be checked; this
        should be colon separated for clarity, i.e.
        compute:create_instance, compute:attach_volume,
        volume:attach_volume
    :param target: dictionary representing the object of the action; for
        object creation this should be a dictionary representing the
        location of the object, e.g. {'project_id': context.project_id}

    :raises: `nova.exception.PolicyNotAuthorized` if verification fails.
    """
    init()

    wanted_rules = ('rule:%s' % action, )
    # Credentials are taken from the request context, never from target.
    creds = context.to_dict()

    try:
        policy.enforce(wanted_rules, target, creds)
    except policy.NotAuthorized:
        # Only the engine's denial is translated; any other error from
        # the engine propagates unchanged.
        raise exception.PolicyNotAuthorized(action=action)
def test_ignore_case_role_check(self):
    """Check that role matching in policy rules ignores letter case.

    A context whose only role is spelled 'AdMiN' must be allowed for both
    the lowercase-admin and the uppercase-admin example actions.
    """
    # NOTE(dprince) we mix case in the Admin role here to ensure
    # case is ignored
    mixed_case_admin = context.RequestContext('admin', 'fake',
                                              roles=['AdMiN'])

    # NOTE(review): a consequence of this behaviour is that roles which
    # differ only by case are the same role as far as policy is concerned.
    for admin_action in ("example:lowercase_admin",
                         "example:uppercase_admin"):
        policy.enforce(mixed_case_admin, admin_action, self.target)
def test_modified_policy_reloads(self):
    """Check that a rewritten policy file changes the enforcement result.

    The file at self.tmpfilename is first written with a policy under
    which the action is expected to pass, then overwritten with one under
    which the same call must raise PolicyNotAuthorized.
    """
    rule_name = "example:test"
    passing_policy = '{"example:test": []}'
    denying_policy = '{"example:test": ["false:false"]}'

    with open(self.tmpfilename, "w") as handle:
        handle.write(passing_policy)
    policy.enforce(self.context, rule_name, self.target)

    with open(self.tmpfilename, "w") as handle:
        handle.write(denying_policy)

    # NOTE(vish): reset stored policy cache so we don't have to sleep(1)
    # NOTE(review): this suggests a tightened policy is not guaranteed to
    # apply until the cached copy is refreshed -- confirm against the
    # loader before relying on immediate revocation.
    policy._POLICY_CACHE = {}

    self.assertRaises(exception.PolicyNotAuthorized,
                      policy.enforce,
                      self.context, rule_name, self.target)
def test_modified_policy_reloads(self):
    """Check that a rewritten policy file changes the enforcement result.

    A policy file is created inside a temporary directory and registered
    through the policy_file flag. The action must pass under the first
    contents and raise PolicyNotAuthorized after the file is overwritten.
    """
    rule_name = "example:test"
    passing_policy = '{"example:test": []}'
    denying_policy = '{"example:test": ["false:false"]}'

    with utils.tempdir() as scratch_dir:
        policy_path = os.path.join(scratch_dir, 'policy')
        self.flags(policy_file=policy_path)

        with open(policy_path, "w") as handle:
            handle.write(passing_policy)
        policy.enforce(self.context, rule_name, self.target)

        with open(policy_path, "w") as handle:
            handle.write(denying_policy)

        # NOTE(vish): reset stored policy cache so we don't have to
        # sleep(1)
        # NOTE(review): this suggests a tightened policy is not guaranteed
        # to apply until the cached copy is refreshed -- confirm against
        # the loader before relying on immediate revocation.
        policy._POLICY_CACHE = {}

        self.assertRaises(exception.PolicyNotAuthorized,
                          policy.enforce,
                          self.context, rule_name, self.target)
def test_enforce_http_true(self):
    """Check that enforce() passes when the stubbed urlopen answers "True".

    urllib2.urlopen is replaced with a stub, so no network traffic occurs.
    The action is then enforced against an empty target and enforce() is
    expected to return None.
    """
    def fakeurlopen(url, post_data):
        # Canned reply. The stub ignores both arguments, so this test
        # says nothing about which URL is contacted or what is posted.
        return StringIO.StringIO("True")

    self.stubs.Set(urllib2, 'urlopen', fakeurlopen)

    # NOTE(review): presumably the rule behind this action defers to a
    # remote check (rule definition not visible here). Only the "True"
    # answer is covered; a transport error or any other response body is
    # not exercised by this test.
    outcome = policy.enforce(self.context, "example:get_http", {})
    self.assertEqual(outcome, None)
def test_not_found_policy_calls_default(self):
    """Check that enforcing an action named "example:noexist" does not raise.

    Per the test name, an action with no rule of its own is expected to
    fall back to the default rule. The default rule itself is not visible
    here.
    """
    # NOTE(review): the test passes only if that default permits the
    # call, so the default rule decides whether unknown actions are
    # allowed or denied -- confirm it is as strict as intended.
    unknown_action = "example:noexist"
    empty_target = {}
    policy.enforce(self.context, unknown_action, empty_target)
def test_early_OR_enforcement(self):
    """Check that the "example:early_or_success" action is allowed.

    The rule definition is not visible here; judging by the name it
    presumably holds alternatives of which an early one already succeeds.
    The test fails if enforce() raises.
    """
    policy.enforce(self.context, "example:early_or_success", self.target)
def test_enforce_good_action(self):
    """Check that the "example:allowed" action passes enforcement.

    enforce() signals denial only by raising, so completing without an
    exception is the success condition.
    """
    policy.enforce(self.context, "example:allowed", self.target)