83 lines
2.9 KiB
Python
83 lines
2.9 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import falcon
|
|
import mock
|
|
from oslo_policy import policy as common_policy
|
|
|
|
from deckhand.conf import config
|
|
from deckhand.control import base as api_base
|
|
from deckhand import policy
|
|
from deckhand.tests.unit import base as test_base
|
|
|
|
CONF = config.CONF
|
|
|
|
|
|
class PolicyBaseTestCase(test_base.DeckhandTestCase):
|
|
|
|
def setUp(self):
|
|
super(PolicyBaseTestCase, self).setUp()
|
|
# The default policies in deckhand.policies are automatically
|
|
# registered. Override them with custom rules. '@' allows anyone to
|
|
# perform a policy action.
|
|
self.rules = {
|
|
"deckhand:create_cleartext_documents": [['@']],
|
|
"deckhand:list_cleartext_documents": [['rule:admin_api']]
|
|
}
|
|
self.policy_enforcer = common_policy.Enforcer(CONF)
|
|
self._set_rules()
|
|
|
|
def _set_rules(self):
|
|
rules = common_policy.Rules.from_dict(self.rules)
|
|
self.policy_enforcer.set_rules(rules)
|
|
self.addCleanup(self.policy_enforcer.clear)
|
|
|
|
def _enforce_policy(self, action):
|
|
api_args = self._get_args()
|
|
|
|
@policy.authorize(action)
|
|
def noop(*args, **kwargs):
|
|
pass
|
|
|
|
noop(*api_args)
|
|
|
|
def _get_args(self):
|
|
# Returns the first two arguments that would be passed to any falcon
|
|
# on_{HTTP_VERB} method: (self (which is mocked), falcon Request obj).
|
|
falcon_req = api_base.DeckhandRequest(
|
|
mock.MagicMock(), policy_enforcer=self.policy_enforcer)
|
|
return (mock.Mock(), falcon_req)
|
|
|
|
|
|
class PolicyPositiveTestCase(PolicyBaseTestCase):
|
|
|
|
def test_enforce_allowed_action(self):
|
|
action = "deckhand:create_cleartext_documents"
|
|
self._enforce_policy(action)
|
|
|
|
|
|
class PolicyNegativeTestCase(PolicyBaseTestCase):
|
|
|
|
def test_enforce_disallowed_action(self):
|
|
action = "deckhand:list_cleartext_documents"
|
|
error_re = "Policy doesn't allow %s to be performed." % action
|
|
e = self.assertRaises(
|
|
falcon.HTTPForbidden, self._enforce_policy, action)
|
|
self.assertRegexpMatches(error_re, e.description)
|
|
|
|
def test_enforce_nonexistent_action(self):
|
|
action = "example:undefined"
|
|
error_re = "Policy %s has not been registered" % action
|
|
e = self.assertRaises(
|
|
falcon.HTTPForbidden, self._enforce_policy, action)
|
|
self.assertRegexpMatches(error_re, e.description)
|