def test_keypair_create_pass_policy(self): body = {'keypair': {'name': 'create_test'}} rules = {self.policy_path + ':create': common_policy.parse_rule('')} policy.set_rules(rules) res = self.KeyPairController.create(self.req, body=body) self.assertIn('keypair', res)
def test_keypair_list_fail_policy(self): rules = {self.policy_path + ':index': common_policy.parse_rule('role:admin')} policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.KeyPairController.index, self.req)
def test_keypair_show_fail_policy(self): rules = { self.policy_path + ':show': common_policy.parse_rule('role:admin') } policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.KeyPairController.show, self.req, 'FAKE')
def test_keypair_list_fail_policy(self): rules = { self.policy_path + ':index': common_policy.parse_rule('role:admin') } policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.KeyPairController.index, self.req)
def test_keypair_delete_fail_policy(self): rules = {self.policy_path + ':delete': common_policy.parse_rule('role:admin')} policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.KeyPairController.delete, self.req, 'FAKE')
def _set_policy_rules(self): rules = { 'compute:get': common_policy.parse_rule(''), 'compute_extension:instance_actions': common_policy.parse_rule('project_id:%(project_id)s') } policy.set_rules(rules)
def test_keypair_create_fail_policy(self): body = {'keypair': {'name': 'create_test'}} rules = {self.policy_path + ':create': common_policy.parse_rule('role:admin')} policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.KeyPairController.create, self.req, body=body)
def _set_policy_rules(self): rules = { 'compute:get': common_policy.parse_rule(''), 'os_compute_api:os-instance-actions': common_policy.parse_rule('project_id:%(project_id)s') } policy.set_rules(rules)
def test_shelve_allowed(self): rules = { "compute:get": common_policy.parse_rule(""), "compute_extension:%sshelve" % self.prefix: common_policy.parse_rule(""), } policy.set_rules(rules) self.stubs.Set(db, "instance_get_by_uuid", fake_instance_get_by_uuid) self.assertRaises(exception.Forbidden, self.controller._shelve, self.req, str(uuid.uuid4()), {})
def test_certificates_create_policy_failed(self): rules = { self.certificate_create_extension: common_policy.parse_rule("!") } policy.set_rules(rules) exc = self.assertRaises(exception.PolicyNotAuthorized, self.controller.create, self.req) self.assertIn(self.certificate_create_extension, exc.format_message())
def test_shelve_offload_restricted_by_role(self): rules = { 'compute_extension:%s%s' % (self.prefix, self.offload): common_policy.parse_rule('role:admin') } policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.controller._shelve_offload, self.req, str(uuid.uuid4()), {})
def test_skip_policy(self): policy.reset() rules = {'network:get_all': common_policy.parse_rule('!')} policy.set_rules(common_policy.Rules(rules)) api = network.API() self.assertRaises(exception.PolicyNotAuthorized, api.get_all, self.context) api = network.API(skip_policy_check=True) api.get_all(self.context)
def _set_policy_rules(self): rules = { 'compute:get': common_policy.parse_rule(''), 'compute_extension:instance_actions': common_policy.parse_rule(''), 'compute_extension:instance_actions:events': common_policy.parse_rule('is_admin:True') } policy.set_rules(rules)
def _set_policy_rules(self): rules = { 'compute:get': common_policy.parse_rule(''), 'os_compute_api:os-instance-actions': common_policy.parse_rule(''), 'os_compute_api:os-instance-actions:events': common_policy.parse_rule('is_admin:True') } policy.set_rules(rules)
def test_shelve_allowed(self): rules = { 'compute:get': common_policy.parse_rule(''), 'compute_extension:%sshelve' % self.prefix: common_policy.parse_rule('') } policy.set_rules(rules) self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid) self.assertRaises(exception.Forbidden, self.controller._shelve, self.req, str(uuid.uuid4()), {})
def test_keypair_create_fail_policy(self): body = {'keypair': {'name': 'create_test'}} rules = { self.policy_path + ':create': common_policy.parse_rule('role:admin') } policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.KeyPairController.create, self.req, body=body)
def test_start_policy_failed(self): rules = { self.start_policy: common_policy.parse_rule("project_id:non_fake") } policy.set_rules(rules) self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get) body = dict(start="") exc = self.assertRaises(exception.PolicyNotAuthorized, self.controller._start_server, self.req, 'test_inst', body) self.assertIn(self.start_policy, exc.format_message())
def _test_fail_policy(self, rule, action, data=None): rules = { rule: common_policy.parse_rule("!"), } policy.set_rules(rules) req = fakes.HTTPRequest.blank(self.url + '/20') if data is not None: self.assertRaises(exception.PolicyNotAuthorized, action, req, self.uuid, data) else: self.assertRaises(exception.PolicyNotAuthorized, action, req, self.uuid)
def test_verify_show_cannot_view_other_tenant(self): req = fakes.HTTPRequest.blank('?start=%s&end=%s' % (START.isoformat(), STOP.isoformat())) req.environ['patron.context'] = self.alt_user_context rules = { self.policy_rule_prefix + ":show": common_policy.parse_rule([["role:admin"], ["project_id:%(project_id)s"]]) } policy.set_rules(rules) try: self.assertRaises(exception.PolicyNotAuthorized, self.controller.show, req, 'faketenant_0') finally: policy.reset()
def test_verify_show_cannot_view_other_tenant(self): req = fakes.HTTPRequest.blank('?start=%s&end=%s' % (START.isoformat(), STOP.isoformat())) req.environ['patron.context'] = self.alt_user_context rules = { self.policy_rule_prefix + ":show": common_policy.parse_rule([ ["role:admin"], ["project_id:%(project_id)s"] ]) } policy.set_rules(rules) try: self.assertRaises(exception.PolicyNotAuthorized, self.controller.show, req, 'faketenant_0') finally: policy.reset()
def setUp(self): super(PolicyTestCase, self).setUp() rules = { "true": '@', "example:allowed": '@', "example:denied": "!", "example:get_http": "http://www.example.com", "example:my_file": "role:compute_admin or " "project_id:%(project_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } policy.reset() policy.init() policy.set_rules({k: common_policy.parse_rule(v) for k, v in rules.items()}) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def setUp(self): super(PolicyTestCase, self).setUp() rules = { "true": '@', "example:allowed": '@', "example:denied": "!", "example:get_http": "http://www.example.com", "example:my_file": "role:compute_admin or " "project_id:%(project_id)s", "example:early_and_fail": "! and @", "example:early_or_success": "@ or !", "example:lowercase_admin": "role:admin or role:sysadmin", "example:uppercase_admin": "role:ADMIN or role:sysadmin", } policy.reset() policy.init() policy.set_rules( {k: common_policy.parse_rule(v) for k, v in rules.items()}) self.context = context.RequestContext('fake', 'fake', roles=['member']) self.target = {}
def test_keypair_list_pass_policy(self): rules = {self.policy_path + ':index': common_policy.parse_rule('')} policy.set_rules(rules) res = self.KeyPairController.index(self.req) self.assertIn('keypairs', res)
def test_keypair_show_pass_policy(self): rules = {self.policy_path + ':show': common_policy.parse_rule('')} policy.set_rules(rules) res = self.KeyPairController.show(self.req, 'FAKE') self.assertIn('keypair', res)
def test_keypair_delete_pass_policy(self): rules = {self.policy_path + ':delete': common_policy.parse_rule('')} policy.set_rules(rules) self.KeyPairController.delete(self.req, 'FAKE')
def set_rules(self, rules): policy = patron.policy._ENFORCER policy.set_rules({k: common_policy.parse_rule(v) for k, v in rules.items()})
def set_rules(self, rules): policy = patron.policy._ENFORCER policy.set_rules( {k: common_policy.parse_rule(v) for k, v in rules.items()})
def test_shelve_offload_restricted_by_role(self): rules = {"compute_extension:%s%s" % (self.prefix, self.offload): common_policy.parse_rule("role:admin")} policy.set_rules(rules) self.assertRaises(exception.Forbidden, self.controller._shelve_offload, self.req, str(uuid.uuid4()), {})