af464c9afc
Change-Id: I2e1a809cfca8e88693551d58d33e747f54ee5eb1
121 lines
4.2 KiB
Python
121 lines
4.2 KiB
Python
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import mock
|
|
|
|
from webob import exc
|
|
|
|
from heat.api.openstack.v1 import util
|
|
from heat.common import context
|
|
from heat.common import policy
|
|
from heat.common.wsgi import Request
|
|
from heat.tests.common import HeatTestCase
|
|
|
|
|
|
class TestGetAllowedParams(HeatTestCase):
|
|
def setUp(self):
|
|
super(TestGetAllowedParams, self).setUp()
|
|
req = Request({})
|
|
self.params = req.params.copy()
|
|
self.params.add('foo', 'foo value')
|
|
self.whitelist = {'foo': 'single'}
|
|
|
|
def test_returns_empty_dict(self):
|
|
self.whitelist = {}
|
|
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertEqual({}, result)
|
|
|
|
def test_only_adds_whitelisted_params_if_param_exists(self):
|
|
self.whitelist = {'foo': 'single'}
|
|
self.params.clear()
|
|
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertNotIn('foo', result)
|
|
|
|
def test_returns_only_whitelisted_params(self):
|
|
self.params.add('bar', 'bar value')
|
|
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertIn('foo', result)
|
|
self.assertNotIn('bar', result)
|
|
|
|
def test_handles_single_value_params(self):
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertEqual('foo value', result['foo'])
|
|
|
|
def test_handles_multiple_value_params(self):
|
|
self.whitelist = {'foo': 'multi'}
|
|
self.params.add('foo', 'foo value 2')
|
|
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertEqual(2, len(result['foo']))
|
|
self.assertIn('foo value', result['foo'])
|
|
self.assertIn('foo value 2', result['foo'])
|
|
|
|
def test_handles_mixed_value_param_with_multiple_entries(self):
|
|
self.whitelist = {'foo': 'mixed'}
|
|
self.params.add('foo', 'foo value 2')
|
|
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertEqual(2, len(result['foo']))
|
|
self.assertIn('foo value', result['foo'])
|
|
self.assertIn('foo value 2', result['foo'])
|
|
|
|
def test_handles_mixed_value_param_with_single_entry(self):
|
|
self.whitelist = {'foo': 'mixed'}
|
|
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertEqual('foo value', result['foo'])
|
|
|
|
def test_ignores_bogus_whitelist_items(self):
|
|
self.whitelist = {'foo': 'blah'}
|
|
result = util.get_allowed_params(self.params, self.whitelist)
|
|
self.assertNotIn('foo', result)
|
|
|
|
|
|
class TestPolicyEnforce(HeatTestCase):
|
|
def setUp(self):
|
|
super(TestPolicyEnforce, self).setUp()
|
|
self.req = Request({})
|
|
self.req.context = context.RequestContext(tenant_id='foo',
|
|
is_admin=False)
|
|
|
|
class DummyController(object):
|
|
REQUEST_SCOPE = 'test'
|
|
|
|
@util.policy_enforce
|
|
def an_action(self, req):
|
|
return 'woot'
|
|
|
|
self.controller = DummyController()
|
|
|
|
@mock.patch.object(policy.Enforcer, 'enforce')
|
|
def test_policy_enforce_tenant_mismatch(self, mock_enforce):
|
|
mock_enforce.return_value = True
|
|
|
|
self.assertEqual('woot',
|
|
self.controller.an_action(self.req, 'foo'))
|
|
|
|
self.assertRaises(exc.HTTPForbidden,
|
|
self.controller.an_action,
|
|
self.req, tenant_id='bar')
|
|
|
|
@mock.patch.object(policy.Enforcer, 'enforce')
|
|
def test_policy_enforce_policy_deny(self, mock_enforce):
|
|
mock_enforce.return_value = False
|
|
|
|
self.assertRaises(exc.HTTPForbidden,
|
|
self.controller.an_action,
|
|
self.req, tenant_id='foo')
|