OpenStack Image Management (Glance)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

test_policy.py 25KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627
  1. # Copyright 2012 OpenStack Foundation
  2. # Copyright 2013 IBM Corp.
  3. # All Rights Reserved.
  4. #
  5. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  6. # not use this file except in compliance with the License. You may obtain
  7. # a copy of the License at
  8. #
  9. # http://www.apache.org/licenses/LICENSE-2.0
  10. #
  11. # Unless required by applicable law or agreed to in writing, software
  12. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  13. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  14. # License for the specific language governing permissions and limitations
  15. # under the License.
  16. import collections
  17. import hashlib
  18. import os.path
  19. import mock
  20. import oslo_config.cfg
  21. import glance.api.policy
  22. from glance.common import exception
  23. import glance.context
  24. from glance.tests.unit import base
  25. import glance.tests.unit.utils as unit_test_utils
  26. from glance.tests import utils as test_utils
  27. UUID1 = 'c80a1a6c-bd1f-41c5-90ee-81afedb1d58d'
  28. class IterableMock(mock.Mock, collections.Iterable):
  29. def __iter__(self):
  30. while False:
  31. yield None
  32. class ImageRepoStub(object):
  33. def get(self, *args, **kwargs):
  34. return 'image_from_get'
  35. def save(self, *args, **kwargs):
  36. return 'image_from_save'
  37. def add(self, *args, **kwargs):
  38. return 'image_from_add'
  39. def list(self, *args, **kwargs):
  40. return ['image_from_list_0', 'image_from_list_1']
  41. class ImageStub(object):
  42. def __init__(self, image_id=None, visibility='private',
  43. container_format='bear', disk_format='raw',
  44. status='active', extra_properties=None,
  45. os_hidden=False):
  46. if extra_properties is None:
  47. extra_properties = {}
  48. self.image_id = image_id
  49. self.visibility = visibility
  50. self.container_format = container_format
  51. self.disk_format = disk_format
  52. self.status = status
  53. self.extra_properties = extra_properties
  54. self.checksum = 'c2e5db72bd7fd153f53ede5da5a06de3'
  55. self.os_hash_algo = 'sha512'
  56. self.os_hash_value = hashlib.sha512(b'glance').hexdigest()
  57. self.created_at = '2013-09-28T15:27:36Z'
  58. self.updated_at = '2013-09-28T15:27:37Z'
  59. self.locations = []
  60. self.min_disk = 0
  61. self.min_ram = 0
  62. self.name = 'image_name'
  63. self.owner = 'tenant1'
  64. self.protected = False
  65. self.size = 0
  66. self.virtual_size = 0
  67. self.tags = []
  68. self.os_hidden = os_hidden
  69. def delete(self):
  70. self.status = 'deleted'
  71. class ImageFactoryStub(object):
  72. def new_image(self, image_id=None, name=None, visibility='private',
  73. min_disk=0, min_ram=0, protected=False, owner=None,
  74. disk_format=None, container_format=None,
  75. extra_properties=None, hidden=False, tags=None,
  76. **other_args):
  77. self.visibility = visibility
  78. self.hidden = hidden
  79. return 'new_image'
  80. class MemberRepoStub(object):
  81. image = None
  82. def add(self, image_member):
  83. image_member.output = 'member_repo_add'
  84. def get(self, *args, **kwargs):
  85. return 'member_repo_get'
  86. def save(self, image_member, from_state=None):
  87. image_member.output = 'member_repo_save'
  88. def list(self, *args, **kwargs):
  89. return 'member_repo_list'
  90. def remove(self, image_member):
  91. image_member.output = 'member_repo_remove'
  92. class ImageMembershipStub(object):
  93. def __init__(self, output=None):
  94. self.output = output
  95. class TaskRepoStub(object):
  96. def get(self, *args, **kwargs):
  97. return 'task_from_get'
  98. def add(self, *args, **kwargs):
  99. return 'task_from_add'
  100. def list(self, *args, **kwargs):
  101. return ['task_from_list_0', 'task_from_list_1']
  102. class TaskStub(object):
  103. def __init__(self, task_id):
  104. self.task_id = task_id
  105. self.status = 'pending'
  106. def run(self, executor):
  107. self.status = 'processing'
  108. class TaskFactoryStub(object):
  109. def new_task(self, *args):
  110. return 'new_task'
  111. class TestPolicyEnforcer(base.IsolatedUnitTest):
  112. def test_policy_file_default_rules_default_location(self):
  113. enforcer = glance.api.policy.Enforcer()
  114. context = glance.context.RequestContext(roles=[])
  115. enforcer.enforce(context, 'get_image', {})
  116. def test_policy_file_custom_rules_default_location(self):
  117. rules = {"get_image": '!'}
  118. self.set_policy_rules(rules)
  119. enforcer = glance.api.policy.Enforcer()
  120. context = glance.context.RequestContext(roles=[])
  121. self.assertRaises(exception.Forbidden,
  122. enforcer.enforce, context, 'get_image', {})
  123. def test_policy_file_custom_location(self):
  124. self.config(policy_file=os.path.join(self.test_dir, 'gobble.gobble'),
  125. group='oslo_policy')
  126. rules = {"get_image": '!'}
  127. self.set_policy_rules(rules)
  128. enforcer = glance.api.policy.Enforcer()
  129. context = glance.context.RequestContext(roles=[])
  130. self.assertRaises(exception.Forbidden,
  131. enforcer.enforce, context, 'get_image', {})
  132. def test_policy_file_check(self):
  133. self.config(policy_file=os.path.join(self.test_dir, 'gobble.gobble'),
  134. group='oslo_policy')
  135. rules = {"get_image": '!'}
  136. self.set_policy_rules(rules)
  137. enforcer = glance.api.policy.Enforcer()
  138. context = glance.context.RequestContext(roles=[])
  139. self.assertEqual(False, enforcer.check(context, 'get_image', {}))
  140. def test_policy_file_get_image_default_everybody(self):
  141. rules = {"default": ''}
  142. self.set_policy_rules(rules)
  143. enforcer = glance.api.policy.Enforcer()
  144. context = glance.context.RequestContext(roles=[])
  145. self.assertEqual(True, enforcer.check(context, 'get_image', {}))
  146. def test_policy_file_get_image_default_nobody(self):
  147. rules = {"default": '!'}
  148. self.set_policy_rules(rules)
  149. enforcer = glance.api.policy.Enforcer()
  150. context = glance.context.RequestContext(roles=[])
  151. self.assertRaises(exception.Forbidden,
  152. enforcer.enforce, context, 'get_image', {})
  153. class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):
  154. def test_policy_file_specified_but_not_found(self):
  155. """Missing defined policy file should result in a default ruleset"""
  156. self.config(policy_file='gobble.gobble', group='oslo_policy')
  157. enforcer = glance.api.policy.Enforcer()
  158. context = glance.context.RequestContext(roles=[])
  159. self.assertRaises(exception.Forbidden,
  160. enforcer.enforce, context, 'manage_image_cache', {})
  161. admin_context = glance.context.RequestContext(roles=['admin'])
  162. enforcer.enforce(admin_context, 'manage_image_cache', {})
  163. def test_policy_file_default_not_found(self):
  164. """Missing default policy file should result in a default ruleset"""
  165. def fake_find_file(self, name):
  166. return None
  167. self.mock_object(oslo_config.cfg.ConfigOpts, 'find_file',
  168. fake_find_file)
  169. enforcer = glance.api.policy.Enforcer()
  170. context = glance.context.RequestContext(roles=[])
  171. self.assertRaises(exception.Forbidden,
  172. enforcer.enforce, context, 'manage_image_cache', {})
  173. admin_context = glance.context.RequestContext(roles=['admin'])
  174. enforcer.enforce(admin_context, 'manage_image_cache', {})
  175. class TestImagePolicy(test_utils.BaseTestCase):
  176. def setUp(self):
  177. self.image_stub = ImageStub(UUID1)
  178. self.image_repo_stub = ImageRepoStub()
  179. self.image_factory_stub = ImageFactoryStub()
  180. self.policy = mock.Mock()
  181. self.policy.enforce = mock.Mock()
  182. super(TestImagePolicy, self).setUp()
  183. def test_publicize_image_not_allowed(self):
  184. self.policy.enforce.side_effect = exception.Forbidden
  185. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  186. self.assertRaises(exception.Forbidden,
  187. setattr, image, 'visibility', 'public')
  188. self.assertEqual('private', image.visibility)
  189. self.policy.enforce.assert_called_once_with({}, "publicize_image",
  190. image.target)
  191. def test_publicize_image_allowed(self):
  192. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  193. image.visibility = 'public'
  194. self.assertEqual('public', image.visibility)
  195. self.policy.enforce.assert_called_once_with({}, "publicize_image",
  196. image.target)
  197. def test_communitize_image_not_allowed(self):
  198. self.policy.enforce.side_effect = exception.Forbidden
  199. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  200. self.assertRaises(exception.Forbidden,
  201. setattr, image, 'visibility', 'community')
  202. self.assertEqual('private', image.visibility)
  203. self.policy.enforce.assert_called_once_with({}, "communitize_image",
  204. image.target)
  205. def test_communitize_image_allowed(self):
  206. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  207. image.visibility = 'community'
  208. self.assertEqual('community', image.visibility)
  209. self.policy.enforce.assert_called_once_with({}, "communitize_image",
  210. image.target)
  211. def test_delete_image_not_allowed(self):
  212. self.policy.enforce.side_effect = exception.Forbidden
  213. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  214. self.assertRaises(exception.Forbidden, image.delete)
  215. self.assertEqual('active', image.status)
  216. self.policy.enforce.assert_called_once_with({}, "delete_image",
  217. image.target)
  218. def test_delete_image_allowed(self):
  219. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  220. args = dict(image.target)
  221. image.delete()
  222. self.assertEqual('deleted', image.status)
  223. self.policy.enforce.assert_called_once_with({}, "delete_image", args)
  224. def test_get_image_not_allowed(self):
  225. self.policy.enforce.side_effect = exception.Forbidden
  226. image_target = IterableMock()
  227. with mock.patch.object(glance.api.policy, 'ImageTarget') as target:
  228. target.return_value = image_target
  229. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  230. {}, self.policy)
  231. self.assertRaises(exception.Forbidden, image_repo.get, UUID1)
  232. self.policy.enforce.assert_called_once_with({}, "get_image",
  233. dict(image_target))
  234. def test_get_image_allowed(self):
  235. image_target = IterableMock()
  236. with mock.patch.object(glance.api.policy, 'ImageTarget') as target:
  237. target.return_value = image_target
  238. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  239. {}, self.policy)
  240. output = image_repo.get(UUID1)
  241. self.assertIsInstance(output, glance.api.policy.ImageProxy)
  242. self.assertEqual('image_from_get', output.image)
  243. self.policy.enforce.assert_called_once_with({}, "get_image",
  244. dict(image_target))
  245. def test_get_images_not_allowed(self):
  246. self.policy.enforce.side_effect = exception.Forbidden
  247. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  248. {}, self.policy)
  249. self.assertRaises(exception.Forbidden, image_repo.list)
  250. self.policy.enforce.assert_called_once_with({}, "get_images", {})
  251. def test_get_images_allowed(self):
  252. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  253. {}, self.policy)
  254. images = image_repo.list()
  255. for i, image in enumerate(images):
  256. self.assertIsInstance(image, glance.api.policy.ImageProxy)
  257. self.assertEqual('image_from_list_%d' % i, image.image)
  258. self.policy.enforce.assert_called_once_with({}, "get_images", {})
  259. def test_modify_image_not_allowed(self):
  260. self.policy.enforce.side_effect = exception.Forbidden
  261. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  262. {}, self.policy)
  263. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  264. self.assertRaises(exception.Forbidden, image_repo.save, image)
  265. self.policy.enforce.assert_called_once_with({}, "modify_image",
  266. image.target)
  267. def test_modify_image_allowed(self):
  268. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  269. {}, self.policy)
  270. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  271. image_repo.save(image)
  272. self.policy.enforce.assert_called_once_with({}, "modify_image",
  273. image.target)
  274. def test_add_image_not_allowed(self):
  275. self.policy.enforce.side_effect = exception.Forbidden
  276. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  277. {}, self.policy)
  278. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  279. self.assertRaises(exception.Forbidden, image_repo.add, image)
  280. self.policy.enforce.assert_called_once_with({}, "add_image",
  281. image.target)
  282. def test_add_image_allowed(self):
  283. image_repo = glance.api.policy.ImageRepoProxy(self.image_repo_stub,
  284. {}, self.policy)
  285. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  286. image_repo.add(image)
  287. self.policy.enforce.assert_called_once_with({}, "add_image",
  288. image.target)
  289. def test_new_image_visibility_public_not_allowed(self):
  290. self.policy.enforce.side_effect = exception.Forbidden
  291. image_factory = glance.api.policy.ImageFactoryProxy(
  292. self.image_factory_stub, {}, self.policy)
  293. self.assertRaises(exception.Forbidden, image_factory.new_image,
  294. visibility='public')
  295. self.policy.enforce.assert_called_once_with({}, "publicize_image", {})
  296. def test_new_image_visibility_public_allowed(self):
  297. image_factory = glance.api.policy.ImageFactoryProxy(
  298. self.image_factory_stub, {}, self.policy)
  299. image_factory.new_image(visibility='public')
  300. self.policy.enforce.assert_called_once_with({}, "publicize_image", {})
  301. def test_new_image_visibility_community_not_allowed(self):
  302. self.policy.enforce.side_effect = exception.Forbidden
  303. image_factory = glance.api.policy.ImageFactoryProxy(
  304. self.image_factory_stub, {}, self.policy)
  305. self.assertRaises(exception.Forbidden, image_factory.new_image,
  306. visibility='community')
  307. self.policy.enforce.assert_called_once_with({},
  308. "communitize_image",
  309. {})
  310. def test_new_image_visibility_community_allowed(self):
  311. image_factory = glance.api.policy.ImageFactoryProxy(
  312. self.image_factory_stub, {}, self.policy)
  313. image_factory.new_image(visibility='community')
  314. self.policy.enforce.assert_called_once_with({},
  315. "communitize_image",
  316. {})
  317. def test_image_get_data_policy_enforced_with_target(self):
  318. extra_properties = {
  319. 'test_key': 'test_4321'
  320. }
  321. image_stub = ImageStub(UUID1, extra_properties=extra_properties)
  322. with mock.patch('glance.api.policy.ImageTarget'):
  323. image = glance.api.policy.ImageProxy(image_stub, {}, self.policy)
  324. target = image.target
  325. self.policy.enforce.side_effect = exception.Forbidden
  326. self.assertRaises(exception.Forbidden, image.get_data)
  327. self.policy.enforce.assert_called_once_with({}, "download_image",
  328. target)
  329. class TestMemberPolicy(test_utils.BaseTestCase):
  330. def setUp(self):
  331. self.policy = mock.Mock()
  332. self.policy.enforce = mock.Mock()
  333. self.image_stub = ImageStub(UUID1)
  334. image = glance.api.policy.ImageProxy(self.image_stub, {}, self.policy)
  335. self.member_repo = glance.api.policy.ImageMemberRepoProxy(
  336. MemberRepoStub(), image, {}, self.policy)
  337. self.target = self.member_repo.target
  338. super(TestMemberPolicy, self).setUp()
  339. def test_add_member_not_allowed(self):
  340. self.policy.enforce.side_effect = exception.Forbidden
  341. self.assertRaises(exception.Forbidden, self.member_repo.add, '')
  342. self.policy.enforce.assert_called_once_with({}, "add_member",
  343. self.target)
  344. def test_add_member_allowed(self):
  345. image_member = ImageMembershipStub()
  346. self.member_repo.add(image_member)
  347. self.assertEqual('member_repo_add', image_member.output)
  348. self.policy.enforce.assert_called_once_with({}, "add_member",
  349. self.target)
  350. def test_get_member_not_allowed(self):
  351. self.policy.enforce.side_effect = exception.Forbidden
  352. self.assertRaises(exception.Forbidden, self.member_repo.get, '')
  353. self.policy.enforce.assert_called_once_with({}, "get_member",
  354. self.target)
  355. def test_get_member_allowed(self):
  356. output = self.member_repo.get('')
  357. self.assertEqual('member_repo_get', output)
  358. self.policy.enforce.assert_called_once_with({}, "get_member",
  359. self.target)
  360. def test_modify_member_not_allowed(self):
  361. self.policy.enforce.side_effect = exception.Forbidden
  362. self.assertRaises(exception.Forbidden, self.member_repo.save, '')
  363. self.policy.enforce.assert_called_once_with({}, "modify_member",
  364. self.target)
  365. def test_modify_member_allowed(self):
  366. image_member = ImageMembershipStub()
  367. self.member_repo.save(image_member)
  368. self.assertEqual('member_repo_save', image_member.output)
  369. self.policy.enforce.assert_called_once_with({}, "modify_member",
  370. self.target)
  371. def test_get_members_not_allowed(self):
  372. self.policy.enforce.side_effect = exception.Forbidden
  373. self.assertRaises(exception.Forbidden, self.member_repo.list, '')
  374. self.policy.enforce.assert_called_once_with({}, "get_members",
  375. self.target)
  376. def test_get_members_allowed(self):
  377. output = self.member_repo.list('')
  378. self.assertEqual('member_repo_list', output)
  379. self.policy.enforce.assert_called_once_with({}, "get_members",
  380. self.target)
  381. def test_delete_member_not_allowed(self):
  382. self.policy.enforce.side_effect = exception.Forbidden
  383. self.assertRaises(exception.Forbidden, self.member_repo.remove, '')
  384. self.policy.enforce.assert_called_once_with({}, "delete_member",
  385. self.target)
  386. def test_delete_member_allowed(self):
  387. image_member = ImageMembershipStub()
  388. self.member_repo.remove(image_member)
  389. self.assertEqual('member_repo_remove', image_member.output)
  390. self.policy.enforce.assert_called_once_with({}, "delete_member",
  391. self.target)
  392. class TestTaskPolicy(test_utils.BaseTestCase):
  393. def setUp(self):
  394. self.task_stub = TaskStub(UUID1)
  395. self.task_repo_stub = TaskRepoStub()
  396. self.task_factory_stub = TaskFactoryStub()
  397. self.policy = unit_test_utils.FakePolicyEnforcer()
  398. super(TestTaskPolicy, self).setUp()
  399. def test_get_task_not_allowed(self):
  400. rules = {"get_task": False}
  401. self.policy.set_rules(rules)
  402. task_repo = glance.api.policy.TaskRepoProxy(
  403. self.task_repo_stub,
  404. {},
  405. self.policy
  406. )
  407. self.assertRaises(exception.Forbidden,
  408. task_repo.get,
  409. UUID1)
  410. def test_get_task_allowed(self):
  411. rules = {"get_task": True}
  412. self.policy.set_rules(rules)
  413. task_repo = glance.api.policy.TaskRepoProxy(
  414. self.task_repo_stub,
  415. {},
  416. self.policy
  417. )
  418. task = task_repo.get(UUID1)
  419. self.assertIsInstance(task, glance.api.policy.TaskProxy)
  420. self.assertEqual('task_from_get', task.task)
  421. def test_get_tasks_not_allowed(self):
  422. rules = {"get_tasks": False}
  423. self.policy.set_rules(rules)
  424. task_repo = glance.api.policy.TaskStubRepoProxy(
  425. self.task_repo_stub,
  426. {},
  427. self.policy
  428. )
  429. self.assertRaises(exception.Forbidden, task_repo.list)
  430. def test_get_tasks_allowed(self):
  431. rules = {"get_task": True}
  432. self.policy.set_rules(rules)
  433. task_repo = glance.api.policy.TaskStubRepoProxy(
  434. self.task_repo_stub,
  435. {},
  436. self.policy
  437. )
  438. tasks = task_repo.list()
  439. for i, task in enumerate(tasks):
  440. self.assertIsInstance(task, glance.api.policy.TaskStubProxy)
  441. self.assertEqual('task_from_list_%d' % i, task.task_stub)
  442. def test_add_task_not_allowed(self):
  443. rules = {"add_task": False}
  444. self.policy.set_rules(rules)
  445. task_repo = glance.api.policy.TaskRepoProxy(
  446. self.task_repo_stub,
  447. {},
  448. self.policy
  449. )
  450. task = glance.api.policy.TaskProxy(self.task_stub, {}, self.policy)
  451. self.assertRaises(exception.Forbidden, task_repo.add, task)
  452. def test_add_task_allowed(self):
  453. rules = {"add_task": True}
  454. self.policy.set_rules(rules)
  455. task_repo = glance.api.policy.TaskRepoProxy(
  456. self.task_repo_stub,
  457. {},
  458. self.policy
  459. )
  460. task = glance.api.policy.TaskProxy(self.task_stub, {}, self.policy)
  461. task_repo.add(task)
  462. class TestContextPolicyEnforcer(base.IsolatedUnitTest):
  463. def _do_test_policy_influence_context_admin(self,
  464. policy_admin_role,
  465. context_role,
  466. context_is_admin,
  467. admin_expected):
  468. self.config(policy_file=os.path.join(self.test_dir, 'gobble.gobble'),
  469. group='oslo_policy')
  470. rules = {'context_is_admin': 'role:%s' % policy_admin_role}
  471. self.set_policy_rules(rules)
  472. enforcer = glance.api.policy.Enforcer()
  473. context = glance.context.RequestContext(roles=[context_role],
  474. is_admin=context_is_admin,
  475. policy_enforcer=enforcer)
  476. self.assertEqual(admin_expected, context.is_admin)
  477. def test_context_admin_policy_admin(self):
  478. self._do_test_policy_influence_context_admin('test_admin',
  479. 'test_admin',
  480. True,
  481. True)
  482. def test_context_nonadmin_policy_admin(self):
  483. self._do_test_policy_influence_context_admin('test_admin',
  484. 'test_admin',
  485. False,
  486. True)
  487. def test_context_admin_policy_nonadmin(self):
  488. self._do_test_policy_influence_context_admin('test_admin',
  489. 'demo',
  490. True,
  491. True)
  492. def test_context_nonadmin_policy_nonadmin(self):
  493. self._do_test_policy_influence_context_admin('test_admin',
  494. 'demo',
  495. False,
  496. False)