4f36fba996
Rather than refuse to start, it's nicer to use a sane set of default policies when no policy file is found. Fixes bug 1043482 Change-Id: I849737c61c0266952d931395fbc2ad3745c46f6e
80 lines
3.0 KiB
Python
80 lines
3.0 KiB
Python
# Copyright 2012 OpenStack, LLC
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the 'License'); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an 'AS IS' BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import os.path
|
|
|
|
import glance.api.policy
|
|
from glance.common import exception
|
|
import glance.context
|
|
from glance.tests import utils as test_utils
|
|
from glance.tests.unit import base
|
|
|
|
|
|
class TestPolicyEnforcer(base.IsolatedUnitTest):
|
|
def test_policy_file_default_rules_default_location(self):
|
|
enforcer = glance.api.policy.Enforcer()
|
|
|
|
context = glance.context.RequestContext(roles=[])
|
|
enforcer.enforce(context, 'get_image', {})
|
|
|
|
def test_policy_file_custom_rules_default_location(self):
|
|
rules = {"get_image": [["false:false"]]}
|
|
self.set_policy_rules(rules)
|
|
|
|
enforcer = glance.api.policy.Enforcer()
|
|
|
|
context = glance.context.RequestContext(roles=[])
|
|
self.assertRaises(exception.Forbidden,
|
|
enforcer.enforce, context, 'get_image', {})
|
|
|
|
def test_policy_file_custom_location(self):
|
|
self.config(policy_file=os.path.join(self.test_dir, 'gobble.gobble'))
|
|
|
|
rules = {"get_image": [["false:false"]]}
|
|
self.set_policy_rules(rules)
|
|
|
|
enforcer = glance.api.policy.Enforcer()
|
|
|
|
context = glance.context.RequestContext(roles=[])
|
|
self.assertRaises(exception.Forbidden,
|
|
enforcer.enforce, context, 'get_image', {})
|
|
|
|
|
|
class TestPolicyEnforcerNoFile(test_utils.BaseTestCase):
|
|
def test_policy_file_specified_but_not_found(self):
|
|
"""Missing defined policy file should result in a default ruleset"""
|
|
self.config(policy_file='gobble.gobble')
|
|
enforcer = glance.api.policy.Enforcer()
|
|
|
|
context = glance.context.RequestContext(roles=[])
|
|
enforcer.enforce(context, 'get_image', {})
|
|
self.assertRaises(exception.Forbidden,
|
|
enforcer.enforce, context, 'manage_image_cache', {})
|
|
|
|
admin_context = glance.context.RequestContext(roles=['admin'])
|
|
enforcer.enforce(admin_context, 'manage_image_cache', {})
|
|
|
|
def test_policy_file_default_not_found(self):
|
|
"""Missing default policy file should result in a default ruleset"""
|
|
enforcer = glance.api.policy.Enforcer()
|
|
|
|
context = glance.context.RequestContext(roles=[])
|
|
enforcer.enforce(context, 'get_image', {})
|
|
self.assertRaises(exception.Forbidden,
|
|
enforcer.enforce, context, 'manage_image_cache', {})
|
|
|
|
admin_context = glance.context.RequestContext(roles=['admin'])
|
|
enforcer.enforce(admin_context, 'manage_image_cache', {})
|