aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/tests/unit/test_policy.py
diff options
context:
space:
mode:
authorRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
committerRHE <rebirthmonkey@gmail.com>2017-11-24 13:54:26 +0100
commit920a49cfa055733d575282973e23558c33087a4a (patch)
treed371dab34efa5028600dad2e7ca58063626e7ba4 /keystone-moon/keystone/tests/unit/test_policy.py
parentef3eefca70d8abb4a00dafb9419ad32738e934b2 (diff)
remove keystone-moon
Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/tests/unit/test_policy.py')
-rw-r--r--keystone-moon/keystone/tests/unit/test_policy.py222
1 files changed, 0 insertions, 222 deletions
diff --git a/keystone-moon/keystone/tests/unit/test_policy.py b/keystone-moon/keystone/tests/unit/test_policy.py
deleted file mode 100644
index d6e911e9..00000000
--- a/keystone-moon/keystone/tests/unit/test_policy.py
+++ /dev/null
@@ -1,222 +0,0 @@
-# Copyright 2011 Piston Cloud Computing, Inc.
-# All Rights Reserved.
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import json
-import os
-
-from oslo_policy import policy as common_policy
-import six
-from testtools import matchers
-
-from keystone import exception
-from keystone.policy.backends import rules
-from keystone.tests import unit
-from keystone.tests.unit import ksfixtures
-from keystone.tests.unit.ksfixtures import temporaryfile
-
-
-class PolicyFileTestCase(unit.TestCase):
- def setUp(self):
- # self.tmpfilename should exist before setUp super is called
- # this is to ensure it is available for the config_fixture in
- # the config_overrides call.
- self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
- self.tmpfilename = self.tempfile.file_name
- super(PolicyFileTestCase, self).setUp()
- self.target = {}
-
- def _policy_fixture(self):
- return ksfixtures.Policy(self.tmpfilename, self.config_fixture)
-
- def test_modified_policy_reloads(self):
- action = "example:test"
- empty_credentials = {}
- with open(self.tmpfilename, "w") as policyfile:
- policyfile.write("""{"example:test": []}""")
- rules.enforce(empty_credentials, action, self.target)
- with open(self.tmpfilename, "w") as policyfile:
- policyfile.write("""{"example:test": ["false:false"]}""")
- rules._ENFORCER.clear()
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- empty_credentials, action, self.target)
-
-
-class PolicyTestCase(unit.TestCase):
- def setUp(self):
- super(PolicyTestCase, self).setUp()
- self.rules = {
- "true": [],
- "example:allowed": [],
- "example:denied": [["false:false"]],
- "example:get_http": [["http:http://www.example.com"]],
- "example:my_file": [["role:compute_admin"],
- ["project_id:%(project_id)s"]],
- "example:early_and_fail": [["false:false", "rule:true"]],
- "example:early_or_success": [["rule:true"], ["false:false"]],
- "example:lowercase_admin": [["role:admin"], ["role:sysadmin"]],
- "example:uppercase_admin": [["role:ADMIN"], ["role:sysadmin"]],
- }
-
- # NOTE(vish): then overload underlying policy engine
- self._set_rules()
- self.credentials = {}
- self.target = {}
-
- def _set_rules(self):
- these_rules = common_policy.Rules.from_dict(self.rules)
- rules._ENFORCER.set_rules(these_rules)
-
- def test_enforce_nonexistent_action_throws(self):
- action = "example:noexist"
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- self.credentials, action, self.target)
-
- def test_enforce_bad_action_throws(self):
- action = "example:denied"
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- self.credentials, action, self.target)
-
- def test_enforce_good_action(self):
- action = "example:allowed"
- rules.enforce(self.credentials, action, self.target)
-
- def test_templatized_enforcement(self):
- target_mine = {'project_id': 'fake'}
- target_not_mine = {'project_id': 'another'}
- credentials = {'project_id': 'fake', 'roles': []}
- action = "example:my_file"
- rules.enforce(credentials, action, target_mine)
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- credentials, action, target_not_mine)
-
- def test_early_AND_enforcement(self):
- action = "example:early_and_fail"
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- self.credentials, action, self.target)
-
- def test_early_OR_enforcement(self):
- action = "example:early_or_success"
- rules.enforce(self.credentials, action, self.target)
-
- def test_ignore_case_role_check(self):
- lowercase_action = "example:lowercase_admin"
- uppercase_action = "example:uppercase_admin"
- # NOTE(dprince): We mix case in the Admin role here to ensure
- # case is ignored
- admin_credentials = {'roles': ['AdMiN']}
- rules.enforce(admin_credentials, lowercase_action, self.target)
- rules.enforce(admin_credentials, uppercase_action, self.target)
-
-
-class DefaultPolicyTestCase(unit.TestCase):
- def setUp(self):
- super(DefaultPolicyTestCase, self).setUp()
-
- self.rules = {
- "default": [],
- "example:exist": [["false:false"]]
- }
- self._set_rules('default')
- self.credentials = {}
-
- # FIXME(gyee): latest Oslo policy Enforcer class reloads the rules in
- # its enforce() method even though rules has been initialized via
- # set_rules(). To make it easier to do our tests, we're going to
- # monkeypatch load_roles() so it does nothing. This seem like a bug in
- # Oslo policy as we shouldn't have to reload the rules if they have
- # already been set using set_rules().
- self._old_load_rules = rules._ENFORCER.load_rules
- self.addCleanup(setattr, rules._ENFORCER, 'load_rules',
- self._old_load_rules)
- rules._ENFORCER.load_rules = lambda *args, **kwargs: None
-
- def _set_rules(self, default_rule):
- these_rules = common_policy.Rules.from_dict(self.rules, default_rule)
- rules._ENFORCER.set_rules(these_rules)
-
- def test_policy_called(self):
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- self.credentials, "example:exist", {})
-
- def test_not_found_policy_calls_default(self):
- rules.enforce(self.credentials, "example:noexist", {})
-
- def test_default_not_found(self):
- new_default_rule = "default_noexist"
- # FIXME(gyee): need to overwrite the Enforcer's default_rule first
- # as it is recreating the rules with its own default_rule instead
- # of the default_rule passed in from set_rules(). I think this is a
- # bug in Oslo policy.
- rules._ENFORCER.default_rule = new_default_rule
- self._set_rules(new_default_rule)
- self.assertRaises(exception.ForbiddenAction, rules.enforce,
- self.credentials, "example:noexist", {})
-
-
-class PolicyJsonTestCase(unit.TestCase):
-
- def _load_entries(self, filename):
- return set(json.load(open(filename)))
-
- def test_json_examples_have_matching_entries(self):
- policy_keys = self._load_entries(unit.dirs.etc('policy.json'))
- cloud_policy_keys = self._load_entries(
- unit.dirs.etc('policy.v3cloudsample.json'))
-
- policy_extra_keys = ['admin_or_token_subject',
- 'service_admin_or_token_subject',
- 'token_subject', ]
- expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
- diffs = set(policy_keys).difference(set(expected_policy_keys))
-
- self.assertThat(diffs, matchers.Equals(set()))
-
- def test_all_targets_documented(self):
- # All the targets in the sample policy file must be documented in
- # doc/source/policy_mapping.rst.
-
- policy_keys = self._load_entries(unit.dirs.etc('policy.json'))
-
- # These keys are in the policy.json but aren't targets.
- policy_rule_keys = [
- 'admin_or_owner', 'admin_or_token_subject', 'admin_required',
- 'default', 'owner', 'service_admin_or_token_subject',
- 'service_or_admin', 'service_role', 'token_subject', ]
-
- def read_doc_targets():
- # Parse the doc/source/policy_mapping.rst file and return the
- # targets.
-
- doc_path = os.path.join(
- unit.ROOTDIR, 'doc', 'source', 'policy_mapping.rst')
- with open(doc_path) as doc_file:
- for line in doc_file:
- if line.startswith('Target'):
- break
- for line in doc_file:
- # Skip === line
- if line.startswith('==='):
- break
- for line in doc_file:
- line = line.rstrip()
- if not line or line.startswith(' '):
- continue
- if line.startswith('=='):
- break
- target, dummy, dummy = line.partition(' ')
- yield six.text_type(target)
-
- doc_targets = list(read_doc_targets())
- self.assertItemsEqual(policy_keys, doc_targets + policy_rule_keys)