def setUp(self):
super(PolicyTestCase, self).setUp()
self.skipTest("Not ready yet")
policy.reset()
self.addCleanup(policy.reset)
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": '!',
"example:get_http": "http:http://www.example.com",
"example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying rules
common_policy.set_rules(
common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.Context('fake', 'fake', roles=['member'])
self.target = {}
def get_rules(self):
rules = policy.Rules()
# Check whether policy file exists and attempt to read it.
for path in self.policy_files[self.service]:
try:
with open(path, 'r') as fp:
for k, v in policy.Rules.load(fp.read()).items():
if k not in rules:
rules[k] = v
# If the policy name and rule are the same, no
# ambiguity, so no reason to warn.
elif str(v) != str(rules[k]):
msg = ("The same policy name: %s was found in "
"multiple policies files for service %s. "
"This can lead to policy rule ambiguity. "
"Using rule: %s; Rule from file: %s")
LOG.warning(msg, k, self.service, rules[k], v)
except (ValueError, IOError):
LOG.warning("Failed to read policy file '%s' for service %s.",
path, self.service)
# Check whether policy actions are defined in code. Nova and Keystone,
# for example, define their default policy actions in code.
mgr = stevedore.named.NamedExtensionManager(
'oslo.policy.policies',
names=[self.service],
invoke_on_load=True,
warn_on_missing_entrypoint=False)
if mgr:
policy_generator = {plc.name: plc.obj for plc in mgr}
if self.service in policy_generator:
for rule in policy_generator[self.service]:
if rule.name not in rules:
if CONF.patrole.validate_deprecated_rules:
# NOTE (sergey.vilgelm):
# The `DocumentedRuleDefault` object has no
# `deprecated_rule` attribute in Pike
if getattr(rule, 'deprecated_rule', False):
rule = self._handle_deprecated_rule(rule)
rules[rule.name] = rule.check
elif str(rule.check) != str(rules[rule.name]):
msg = ("The same policy name: %s was found in the "
"policies files and in the code for service "
"%s. This can lead to policy rule ambiguity. "
"Using rule: %s; Rule from code: %s")
LOG.warning(msg, rule.name, self.service,
rules[rule.name], rule.check)
if not rules:
msg = (
'Policy files for {0} service were not found among the '
'registered in-code policies or in any of the possible policy '
'files: {1}.'.format(self.service, [
loc % self.service
for loc in CONF.patrole.custom_policy_files
]))
raise rbac_exceptions.RbacParsingException(msg)
return rules
def test_get_roles_with_rule_check(self):
rules = dict((k, common_policy.parse_rule(v)) for k, v in {
policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
"some_other_rule": "role:admin",
}.items())
common_policy.set_rules(common_policy.Rules(rules))
self.assertEqual(['admin'], policy.get_admin_roles())
def test_str_true(self):
exemplar = """{
"admin_or_owner": ""
}"""
rules = policy.Rules(dict(admin_or_owner=_checks.TrueCheck(), ))
self.assertEqual(exemplar, str(rules))
def test_get_roles_context_is_admin_rule_missing(self):
rules = dict((k, common_policy.parse_rule(v)) for k, v in {
"some_other_rule": "role:admin",
}.items())
common_policy.set_rules(common_policy.Rules(rules))
# 'admin' role is expected for bw compatibility
self.assertEqual(['admin'], policy.get_admin_roles())
def test_str(self):
exemplar = jsonutils.dumps(
{"admin_or_owner": "role:admin or project_id:%(project_id)s"},
indent=4)
rules = policy.Rules(
dict(admin_or_owner='role:admin or project_id:%(project_id)s', ))
self.assertEqual(exemplar, str(rules))
def test_str(self):
exemplar = """{
"admin_or_owner": "role:admin or project_id:%(project_id)s"
}"""
rules = policy.Rules(
dict(admin_or_owner='role:admin or project_id:%(project_id)s', ))
self.assertEqual(exemplar, str(rules))
def test_str_true(self):
exemplar = jsonutils.dumps({
"admin_or_owner": ""
}, indent=4)
rules = policy.Rules(dict(
admin_or_owner=_checks.TrueCheck(),
))
self.assertEqual(exemplar, str(rules))
def test_no_default(self):
rules = policy.Rules(dict(a=1, b=2, c=3))
self.assertRaises(KeyError, lambda: rules['d'])
def test_init(self):
rules = policy.Rules(dict(a=1, b=2, c=3), 'a')
self.assertEqual(dict(a=1, b=2, c=3), rules)
self.assertEqual('a', rules.default_rule)
def test_init_basic(self):
rules = policy.Rules()
self.assertEqual({}, rules)
self.assertIsNone(rules.default_rule)
def test_retrieval(self):
rules = policy.Rules(dict(a=1, b=2, c=3), 'b')
self.assertEqual(1, rules['a'])
self.assertEqual(2, rules['b'])
self.assertEqual(3, rules['c'])
def _set_rules(self, default_rule):
rules = common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in self.rules.items()), default_rule)
common_policy.set_rules(rules)
def fakepolicyinit(self, **kwargs):
enf = policy._ENFORCER
enf.set_rules(oslo_policy.Rules(self.rules))
def fakepolicyinit(self, **kwargs):
policy._ENFORCER = oslo_policy.Enforcer(cfg.CONF)
policy._ENFORCER.set_rules(oslo_policy.Rules(self.rules))
def test_missing_default(self):
rules = policy.Rules(dict(a=1, c=3), 'b')
self.assertRaises(KeyError, lambda: rules['d'])
def test_with_default(self):
rules = policy.Rules(dict(a=1, b=2, c=3), 'b')
self.assertEqual(2, rules['d'])
def fakepolicyinit():
common_policy.set_rules(common_policy.Rules(self.rules))
def set_rules(self, rules, overwrite=True):
"""Create a new Rules object based on the provided dict of rules."""
rules_obj = policy.Rules(rules, self.default_rule)
self.enforcer.set_rules(rules_obj, overwrite)
def test_retrieval(self):
rules = policy.Rules(dict(a=1, b=2, c=3), 'b')
self.assertEqual(rules['a'], 1)
self.assertEqual(rules['b'], 2)
self.assertEqual(rules['c'], 3)