def test_str_true(self):
exemplar = """{
"admin_or_owner": ""
}"""
rules = policy.Rules(dict(admin_or_owner=_checks.TrueCheck(), ))
self.assertEqual(exemplar, str(rules))
def _parse_check(rule):
"""Parse a single base check rule into an appropriate Check object."""
# Handle the special checks
if rule == '!':
return _checks.FalseCheck()
elif rule == '@':
return _checks.TrueCheck()
try:
kind, match = rule.split(':', 1)
except Exception:
LOG.exception('Failed to understand rule %s', rule)
# If the rule is invalid, we'll fail closed
return _checks.FalseCheck()
# Find what implements the check
extension_checks = _checks.get_extensions()
if kind in extension_checks:
return extension_checks[kind](kind, match)
elif kind in _checks.registered_checks:
return _checks.registered_checks[kind](kind, match)
elif None in _checks.registered_checks:
return _checks.registered_checks[None](kind, match)
else:
LOG.error('No handler for matches of kind %s', kind)
return _checks.FalseCheck()
def test_str_true(self):
exemplar = jsonutils.dumps({
"admin_or_owner": ""
}, indent=4)
rules = policy.Rules(dict(
admin_or_owner=_checks.TrueCheck(),
))
self.assertEqual(exemplar, str(rules))
def test_enforcer_with_default_rule(self):
rules_json = jsonutils.dumps({
"deny_stack_user": "******",
"cloudwatch:PutMetricData": ""
})
rules = policy.Rules.load(rules_json)
default_rule = _checks.TrueCheck()
enforcer = policy.Enforcer(self.conf, default_rule=default_rule)
enforcer.set_rules(rules)
action = 'cloudwatch:PutMetricData'
creds = {'roles': ''}
self.assertTrue(enforcer.enforce(action, {}, creds))
def _parse_list_rule(rule):
"""Translates the old list-of-lists syntax into a tree of Check objects.
Provided for backwards compatibility.
"""
# Empty rule defaults to True
if not rule:
return _checks.TrueCheck()
# Outer list is joined by "or"; inner list by "and"
or_list = []
for inner_rule in rule:
# Skip empty inner lists
if not inner_rule:
continue
# Handle bare strings
if isinstance(inner_rule, six.string_types):
inner_rule = [inner_rule]
# Parse the inner rules into Check objects
and_list = [_parse_check(r) for r in inner_rule]
# Append the appropriate check to the or_list
if len(and_list) == 1:
or_list.append(and_list[0])
else:
or_list.append(_checks.AndCheck(and_list))
# If we have only one check, omit the "or"
if not or_list:
return _checks.FalseCheck()
elif len(or_list) == 1:
return or_list[0]
return _checks.OrCheck(or_list)
def _parse_text_rule(rule):
"""Parses policy to the tree.
Translates a policy written in the policy language into a tree of
Check objects.
"""
# Empty rule means always accept
if not rule:
return _checks.TrueCheck()
# Parse the token stream
state = ParseState()
for tok, value in _parse_tokenize(rule):
state.shift(tok, value)
try:
return state.result
except ValueError:
# Couldn't parse the rule
LOG.exception(_LE('Failed to understand rule %s'), rule)
# Fail closed
return _checks.FalseCheck()
def test_call_true(self):
rule = _checks.TrueCheck()
check = _checks.NotCheck(rule)
self.assertFalse(check('target', 'cred', None))
def test_call(self):
check = _checks.TrueCheck()
self.assertTrue(check('target', 'creds', None))
def test_str(self):
check = _checks.TrueCheck()
self.assertEqual('@', str(check))
