def test_get_roles_context_is_admin_rule_missing(self):
    """Verify ``get_admin_roles`` when only an unrelated rule is loaded.

    The installed rule set holds just ``some_other_rule``; going by the
    test name, the admin-context rule is the one deliberately left out.
    The expected result is still ``['admin']``, which the inline comment
    attributes to backward compatibility.
    """
    rule_specs = {"some_other_rule": "role:admin"}
    parsed_rules = {}
    for name, spec in rule_specs.items():
        parsed_rules[name] = common_policy.parse_rule(spec)
    common_policy.set_rules(common_policy.Rules(parsed_rules))
    # 'admin' role is expected for bw compatibility
    admin_roles = policy.get_admin_roles()
    self.assertEqual(['admin'], admin_roles)
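def _set_rules(data):
    """Load policy rules from JSON text and install them as the active set.

    Rules whose name starts with a key of ``DEPRECATED_POLICY_MAP`` are
    treated as folsom/grizzly-style extension rules: the name is split at
    its last ``:`` into a policy name and an action, both are translated
    through the deprecation maps, and the old rule is re-registered under
    every ``<new_action>_<new_policy>`` name that is not already defined.
    A new-style rule that is explicitly present in *data* therefore takes
    precedence over the translated deprecated one.

    :param data: JSON policy document handed to ``policy.Rules.load_json``.
    """
    default_rule = 'default'
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    # Walk a snapshot of the rule names: the loop inserts and deletes
    # entries, which fails on a live key view (Python 3 dict semantics).
    for pol in list(policies.keys()):
        if not any(pol.startswith(depr_pol)
                   for depr_pol in DEPRECATED_POLICY_MAP):
            continue
        LOG.warn(_("Found deprecated policy rule:%s. Please consider "
                   "upgrading your policy configuration file"), pol)
        pol_name, action = pol.rsplit(':', 1)
        # The match above is a prefix test, the lookups below are exact;
        # a name that only shares the prefix ends up in the error branch.
        try:
            new_actions = DEPRECATED_ACTION_MAP[action]
            new_policies = DEPRECATED_POLICY_MAP[pol_name]
        except KeyError:
            # The operator's rule is left untranslated. Per the message it
            # is not enforced, so the effective decision for the affected
            # actions comes from whatever fallback applies (presumably the
            # 'default' rule -- confirm). Treat this log line as a
            # configuration error to fix, not as noise.
            LOG.error(_("Backward compatibility unavailable for "
                        "deprecated policy %s. The policy will "
                        "not be enforced"), pol)
            continue
        # bind new actions and policies together
        for item in itertools.product(new_actions, new_policies):
            actual_policy = '_'.join(item)
            if actual_policy not in policies:
                # New policy, same rule
                LOG.info(_("Inserting policy:%(new_policy)s in place "
                           "of deprecated policy:%(old_policy)s"),
                         {'new_policy': actual_policy,
                          'old_policy': pol})
                policies[actual_policy] = policies[pol]
        # Remove old-style policy
        del policies[pol]
    policy.set_rules(policies)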
def test_get_roles_with_rule_check(self):
    """Admin roles are resolved through a ``rule:`` reference.

    The admin context policy points at ``some_other_rule``, which in turn
    requires ``role:admin``; the assertion expects ``get_admin_roles`` to
    report ``admin`` for that indirect definition.
    """
    rule_specs = {
        policy.ADMIN_CTX_POLICY: "rule:some_other_rule",
        "some_other_rule": "role:admin",
    }
    parsed_rules = {}
    for name, spec in rule_specs.items():
        parsed_rules[name] = common_policy.parse_rule(spec)
    common_policy.set_rules(common_policy.Rules(parsed_rules))
    self.assertEqual(["admin"], policy.get_admin_roles())
def test_get_roles_with_rule_check(self):
    """Check admin-role discovery when the admin rule references another rule.

    ``policy.ADMIN_CTX_POLICY`` is defined as ``rule:some_other_rule`` and
    that rule as ``role:admin``; ``['admin']`` is the expected outcome.
    """
    admin_rule = (policy.ADMIN_CTX_POLICY, "rule:some_other_rule")
    referenced_rule = ("some_other_rule", "role:admin")
    rule_set = common_policy.Rules(dict(
        (name, common_policy.parse_rule(spec))
        for name, spec in dict([admin_rule, referenced_rule]).items()))
    common_policy.set_rules(rule_set)
    found_roles = policy.get_admin_roles()
    self.assertEqual(['admin'], found_roles)
def setUp(self):
    """Reset policy state and install a fixed in-memory rule set.

    ``policy.reset`` is called up front and registered as a cleanup, so the
    rules installed here are dropped again when the test finishes. The
    context used by the tests carries only the ``member`` role.
    """
    super(PolicyTestCase, self).setUp()
    policy.reset()
    self.addCleanup(policy.reset)
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()
    rule_specs = {
        "true": "@",
        "example:allowed": "@",
        "example:denied": "!",
        # Fixture value for an ``http:`` rule; presumably exercised with a
        # stubbed HTTP call rather than a real request -- confirm.
        "example:get_http": "http:http://www.example.com",
        "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
        "example:early_and_fail": "! and @",
        "example:early_or_success": "@ or !",
        "example:lowercase_admin": "role:admin or role:sysadmin",
        "example:uppercase_admin": "role:ADMIN or role:sysadmin",
    }
    # NOTE(vish): then overload underlying rules
    parsed_rules = {}
    for name, spec in rule_specs.items():
        parsed_rules[name] = common_policy.parse_rule(spec)
    common_policy.set_rules(common_policy.Rules(parsed_rules))
    self.context = context.Context("fake", "fake", roles=["member"])
    self.target = {}
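def _set_rules(data):
    """Parse a JSON policy document and make it the active rule set.

    Before the rules are installed, folsom/grizzly-style extension rules
    (names starting with a key of ``DEPRECATED_POLICY_MAP``) are rewritten:
    each one is copied to every ``<new_action>_<new_policy>`` name derived
    from the deprecation maps, unless a rule with that name already exists,
    and the old-style entry is then removed. Explicit new-style rules are
    never overwritten by a translated deprecated rule.

    :param data: JSON policy document handed to ``policy.Rules.load_json``.
    """
    default_rule = 'default'
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    # Ensure backward compatibility with folsom/grizzly convention
    # for extension rules
    policies = policy.Rules.load_json(data, default_rule)
    # Snapshot the names first: entries are added and removed below, and
    # mutating a dict while iterating its live key view raises on Python 3.
    rule_names = list(policies.keys())
    for pol in rule_names:
        is_deprecated = any(pol.startswith(depr_pol)
                            for depr_pol in DEPRECATED_POLICY_MAP)
        if not is_deprecated:
            continue
        LOG.warn(
            _("Found deprecated policy rule:%s. Please consider "
              "upgrading your policy configuration file"), pol)
        pol_name, action = pol.rsplit(':', 1)
        try:
            new_actions = DEPRECATED_ACTION_MAP[action]
            new_policies = DEPRECATED_POLICY_MAP[pol_name]
        except KeyError:
            # No translation exists for this name/action pair. The rule the
            # operator wrote is not applied (see the message), so access to
            # the affected actions is decided by whatever fallback is in
            # effect -- presumably the 'default' rule; confirm. This log
            # line deserves attention during policy-file reviews.
            LOG.error(
                _("Backward compatibility unavailable for "
                  "deprecated policy %s. The policy will "
                  "not be enforced"), pol)
            continue
        # bind new actions and policies together
        for item in itertools.product(new_actions, new_policies):
            actual_policy = '_'.join(item)
            if actual_policy in policies:
                # An explicit new-style rule wins over the deprecated one.
                continue
            # New policy, same rule
            LOG.info(
                _("Inserting policy:%(new_policy)s in place "
                  "of deprecated policy:%(old_policy)s"), {
                      'new_policy': actual_policy,
                      'old_policy': pol
                  })
            policies[actual_policy] = policies[pol]
        # Remove old-style policy
        del policies[pol]
    policy.set_rules(policies)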
def setUp(self):
    """Reset policy state and load a fixed rule set for the test case.

    The test context is created with the single role ``member``.
    """
    super(PolicyTestCase, self).setUp()
    policy.reset()
    # NOTE(review): no cleanup is registered here; confirm the class resets
    # policy in tearDown so these rules do not leak into other tests.
    # NOTE(vish): preload rules to circumvent reloading from file
    policy.init()
    rule_specs = {
        "true": '@',
        "example:allowed": '@',
        "example:denied": '!',
        "example:get_http": "http:http://www.example.com",
        "example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
        "example:early_and_fail": "! and @",
        "example:early_or_success": "@ or !",
        "example:lowercase_admin": "role:admin or role:sysadmin",
        "example:uppercase_admin": "role:ADMIN or role:sysadmin",
    }
    # NOTE(vish): then overload underlying rules
    parsed_pairs = [(name, common_policy.parse_rule(spec))
                    for name, spec in rule_specs.items()]
    common_policy.set_rules(common_policy.Rules(dict(parsed_pairs)))
    self.context = context.Context('fake', 'fake', roles=['member'])
    self.target = {}
def _set_rules(data):
    """Parse *data* as a JSON policy document and install the result.

    The document is passed to ``policy.Rules.load_json`` unchanged, with
    ``'default'`` as the default-rule name; no validation happens here.

    :param data: JSON policy text.
    """
    loaded_rules = policy.Rules.load_json(data, 'default')
    policy.set_rules(loaded_rules)
def fakepolicyinit():
    """Install ``self.rules`` directly as the active policy rules.

    ``self`` is not a parameter of this function; it is resolved from the
    surrounding scope. Going by the name, this is presumably substituted
    for the real policy initializer in tests -- confirm at the call site.
    """
    fake_rules = common_policy.Rules(self.rules)
    common_policy.set_rules(fake_rules)
def _set_rules(self, default_rule):
    """Parse ``self.rules`` and install them with the given default rule.

    :param default_rule: passed through to ``common_policy.Rules`` as its
        second argument.
    """
    parsed_rules = {}
    for name, spec in self.rules.items():
        parsed_rules[name] = common_policy.parse_rule(spec)
    common_policy.set_rules(common_policy.Rules(parsed_rules, default_rule))
def _set_rules(self, default_rule):
    """Build a rule set from ``self.rules`` and make it the active one.

    Every value in ``self.rules`` goes through ``common_policy.parse_rule``;
    *default_rule* is forwarded to ``common_policy.Rules`` unchanged.
    """
    parsed_pairs = [(name, common_policy.parse_rule(spec))
                    for name, spec in self.rules.items()]
    active_rules = common_policy.Rules(dict(parsed_pairs), default_rule)
    common_policy.set_rules(active_rules)
def _set_rules(data):
    """Log the policy file path, then parse *data* and install the rules.

    *data* is handed to ``policy.Rules.load_json`` as-is together with the
    default-rule name ``'default'``; this function performs no checks of
    its own on the document.

    :param data: JSON policy text.
    """
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    loaded_rules = policy.Rules.load_json(data, 'default')
    policy.set_rules(loaded_rules)
def _set_rules(data):
    """Log the policy file path, then parse *data* and install the rules.

    Old-style extension rules are not translated in this version (see the
    TODO below); the document is installed exactly as
    ``policy.Rules.load_json`` returns it.

    :param data: JSON policy text.
    """
    LOG.debug(_("loading policies from file: %s"), _POLICY_PATH)
    # TODO(salvatore-orlando): Ensure backward compatibility with
    # folsom/grizzly style for extension rules (bp/make-authz-orthogonal)
    loaded_rules = policy.Rules.load_json(data, 'default')
    policy.set_rules(loaded_rules)