2013-11-05 13:08:06 -05:00
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
|
# not use this file except in compliance with the License. You may obtain
|
|
|
|
|
# a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
|
|
|
# License for the specific language governing permissions and limitations
|
|
|
|
|
# under the License.
|
|
|
|
|
|
2012-04-11 14:04:08 -07:00
|
|
|
import os
|
Using /tmp for SECRET_KEY in tests
While using openstack_dashboard/test for the path of SECRET_KEY works
perfectly for building Horizon, including when building the pacakge for
Debian, this is a no-go for Horizon plugins in the Debian context. Indeed,
ironic-ui, manila-ui and sahara-dashboard are all doing:
from openstack_dashboard.test.settings import
While this works in devstack, as it is using a clone of the Horizon git
repository which is writable, it doesn't work in the context of Debian
(or other distro) packaging. Indeed, in this case, the folder becomes
/usr/lib/python2.7/dist-packages/openstack_dashboard/test. This folder,
in all reasonableness, is owned by root, and read only by the user who
is building the package. So at import time, doing this:
SECRET_KEY = secret_key.generate_or_read_from_file(
os.path.join(TEST_DIR, '.secret_key_store'))
just fails miserably when the horizon plugin packages are building.
Simply using /tmp instead of TEST_DIR fixes the issue. This patch makes
it in a portable way using tempfile.gettempdir() to find /tmp. Though
it isn't completely safe, as the file in /tmp is predictable (and then
there can be a symlink attack), though for unit testing we probably
don't care.
Please allow this patch to go through, so we don't have to carry it
at the distribution level.
Change-Id: Iadf0c2bffe19e2c33083a257102e846886d7680f
2016-09-29 13:04:34 +02:00
|
|
|
import tempfile
|
2012-04-11 14:04:08 -07:00
|
|
|
|
2017-05-04 06:59:27 +00:00
|
|
|
import six
|
|
|
|
|
|
Pre-populate the Angular template cache and allow template overrides
This patch populates the Angular template cache from Django.
This eliminates the need for Angular to do an http get for every HTML
fragment.
In addition, now that we are filling the template cache, this patch
introduces the logic needed to override any Angular template HTML from
the current theme.
How it works:
A new template tag is created called "template_cache_preloads". This
tag is used in _scripts.html to generate a list of text/javascript
script tags, each one containing an Angular "run" method that loads
a template contents into the Angular template cache. The first time
any Horizon page is loaded after server start, the template cache
preloads are computed for the current theme.
The output of this tag is cached for 30 days in Django using the
"cache" tag. Further, that cached result is wrapped in a "compress js"
tag to collapse the individual <script> tags into 1 block of
javascript, and compress like all other javascript Horizon serves to
the client.
Finally, when using offline compression, the compressor evaluates the
nodelist (HTML content) of _scripts.html, notices the compress tag
and builds the template cache preloads for each possible theme. Later,
at runtime, when the preloads are generated for the current theme, the
compressor gets the result from the Django cache, and hashes the
contents to determine which manifest file to serve to the client.
Since the preloads generated at run-time are identical to those
generated off-line, the compressor hash matches an existing manifest
which is served to the client.
Notice that even though the template cache pre-loads are generated
off-line...the template_cache_preloads tag will be executed once
every 30 days anyway. However, since the result matches the off-line
compression, the existing manifest continues to be served to the client.
Finally, this patch ALSO watches for 'post_compress' signals. If it
detects that the angular template preloads have been re-compressed, it
clears the old version from the Django cache.
To test the template caching:
- Run horizon
- View page source
- Notice the new <script type="text/javascript"> tags contained in
the body (only visible if COMPRESS_ENABLED=False
- Open the javascript inspector
- Load launch instance
- Notice there are no longer http calls to load each HTML fragment
used by the Angular launch instance
To test the override:
- Set the DEFAULT_THEME='material'
- Create /horizon/openstack_dashboard/themes/material/\
static/templates/framework/widgets/help-panel/help-panel.html
- Set the content to <h1>TEST</h1>
- Run Horizon and open launch instance.
- The help content should contain "TEST"
To test the new template tag:
- set a breakpoint or print in angular.py:template_cache_preloads
and observe when it is called during off-line or run-time use
Co-Authored-By: Diana Whitten <hurgleburgler@gmail.com>
Implements: blueprint angular-template-overrides
Change-Id: I0e4e2623be58abbc68c6e02b2e9c5d7cdaba8e4d
2016-05-31 12:52:14 -06:00
|
|
|
from django.utils.translation import pgettext_lazy
|
2017-05-24 03:01:11 +00:00
|
|
|
from horizon.test.settings import * # noqa: F403,H303
|
2013-08-23 17:26:48 +04:00
|
|
|
from horizon.utils import secret_key
|
2015-04-06 16:45:55 -05:00
|
|
|
from openstack_dashboard import exceptions
|
2012-10-04 15:43:40 -07:00
|
|
|
|
2016-05-03 15:51:49 +10:00
|
|
|
from horizon.utils.escape import monkeypatch_escape
|
|
|
|
|
|
|
|
|
|
# this is used to protect from client XSS attacks, but it's worth
|
|
|
|
|
# enabling in our test setup to find any issues it might cause
|
|
|
|
|
monkeypatch_escape()
|
|
|
|
|
|
2015-07-22 11:15:45 -06:00
|
|
|
from openstack_dashboard.utils import settings as settings_utils
|
2012-10-04 15:43:40 -07:00
|
|
|
|
2012-04-11 14:04:08 -07:00
|
|
|
TEST_DIR = os.path.dirname(os.path.abspath(__file__))
|
|
|
|
|
ROOT_PATH = os.path.abspath(os.path.join(TEST_DIR, ".."))
|
2015-09-29 21:24:11 -07:00
|
|
|
MEDIA_ROOT = os.path.abspath(os.path.join(ROOT_PATH, '..', 'media'))
|
|
|
|
|
MEDIA_URL = '/media/'
|
2014-09-22 10:50:12 -05:00
|
|
|
STATIC_ROOT = os.path.abspath(os.path.join(ROOT_PATH, '..', 'static'))
|
2015-08-17 23:54:29 -06:00
|
|
|
STATIC_URL = '/static/'
|
|
|
|
|
WEBROOT = '/'
|
2012-04-11 14:04:08 -07:00
|
|
|
|
2013-08-23 17:26:48 +04:00
|
|
|
SECRET_KEY = secret_key.generate_or_read_from_file(
|
Using /tmp for SECRET_KEY in tests
While using openstack_dashboard/test for the path of SECRET_KEY works
perfectly for building Horizon, including when building the pacakge for
Debian, this is a no-go for Horizon plugins in the Debian context. Indeed,
ironic-ui, manila-ui and sahara-dashboard are all doing:
from openstack_dashboard.test.settings import
While this works in devstack, as it is using a clone of the Horizon git
repository which is writable, it doesn't work in the context of Debian
(or other distro) packaging. Indeed, in this case, the folder becomes
/usr/lib/python2.7/dist-packages/openstack_dashboard/test. This folder,
in all reasonableness, is owned by root, and read only by the user who
is building the package. So at import time, doing this:
SECRET_KEY = secret_key.generate_or_read_from_file(
os.path.join(TEST_DIR, '.secret_key_store'))
just fails miserably when the horizon plugin packages are building.
Simply using /tmp instead of TEST_DIR fixes the issue. This patch makes
it in a portable way using tempfile.gettempdir() to find /tmp. Though
it isn't completely safe, as the file in /tmp is predictable (and then
there can be a symlink attack), though for unit testing we probably
don't care.
Please allow this patch to go through, so we don't have to carry it
at the distribution level.
Change-Id: Iadf0c2bffe19e2c33083a257102e846886d7680f
2016-09-29 13:04:34 +02:00
|
|
|
os.path.join(tempfile.gettempdir(), '.secret_key_store'))
|
2015-02-18 13:03:02 -07:00
|
|
|
ROOT_URLCONF = 'openstack_dashboard.test.urls'
|
2016-08-04 20:41:46 +01:00
|
|
|
|
|
|
|
|
TEMPLATES[0]['DIRS'] = [
|
|
|
|
|
os.path.join(TEST_DIR, 'templates')
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
TEMPLATES[0]['OPTIONS']['context_processors'].append(
|
|
|
|
|
'openstack_dashboard.context_processors.openstack'
|
2012-10-04 15:43:40 -07:00
|
|
|
)
|
|
|
|
|
|
Pre-populate the Angular template cache and allow template overrides
This patch populates the Angular template cache from Django.
This eliminates the need for Angular to do an http get for every HTML
fragment.
In addition, now that we are filling the template cache, this patch
introduces the logic needed to override any Angular template HTML from
the current theme.
How it works:
A new template tag is created called "template_cache_preloads". This
tag is used in _scripts.html to generate a list of text/javascript
script tags, each one containing an Angular "run" method that loads
a template contents into the Angular template cache. The first time
any Horizon page is loaded after server start, the template cache
preloads are computed for the current theme.
The output of this tag is cached for 30 days in Django using the
"cache" tag. Further, that cached result is wrapped in a "compress js"
tag to collapse the individual <script> tags into 1 block of
javascript, and compress like all other javascript Horizon serves to
the client.
Finally, when using offline compression, the compressor evaluates the
nodelist (HTML content) of _scripts.html, notices the compress tag
and builds the template cache preloads for each possible theme. Later,
at runtime, when the preloads are generated for the current theme, the
compressor gets the result from the Django cache, and hashes the
contents to determine which manifest file to serve to the client.
Since the preloads generated at run-time are identical to those
generated off-line, the compressor hash matches an existing manifest
which is served to the client.
Notice that even though the template cache pre-loads are generated
off-line...the template_cache_preloads tag will be executed once
every 30 days anyway. However, since the result matches the off-line
compression, the existing manifest continues to be served to the client.
Finally, this patch ALSO watches for 'post_compress' signals. If it
detects that the angular template preloads have been re-compressed, it
clears the old version from the Django cache.
To test the template caching:
- Run horizon
- View page source
- Notice the new <script type="text/javascript"> tags contained in
the body (only visible if COMPRESS_ENABLED=False
- Open the javascript inspector
- Load launch instance
- Notice there are no longer http calls to load each HTML fragment
used by the Angular launch instance
To test the override:
- Set the DEFAULT_THEME='material'
- Create /horizon/openstack_dashboard/themes/material/\
static/templates/framework/widgets/help-panel/help-panel.html
- Set the content to <h1>TEST</h1>
- Run Horizon and open launch instance.
- The help content should contain "TEST"
To test the new template tag:
- set a breakpoint or print in angular.py:template_cache_preloads
and observe when it is called during off-line or run-time use
Co-Authored-By: Diana Whitten <hurgleburgler@gmail.com>
Implements: blueprint angular-template-overrides
Change-Id: I0e4e2623be58abbc68c6e02b2e9c5d7cdaba8e4d
2016-05-31 12:52:14 -06:00
|
|
|
# 'key', 'label', 'path'
|
|
|
|
|
AVAILABLE_THEMES = [
|
|
|
|
|
(
|
|
|
|
|
'default',
|
|
|
|
|
pgettext_lazy('Default style theme', 'Default'),
|
|
|
|
|
'themes/default'
|
|
|
|
|
), (
|
|
|
|
|
'material',
|
|
|
|
|
pgettext_lazy("Google's Material Design style theme", "Material"),
|
|
|
|
|
'themes/material'
|
|
|
|
|
),
|
|
|
|
|
]
|
|
|
|
|
|
2016-05-17 15:06:05 -07:00
|
|
|
SELECTABLE_THEMES = [
|
|
|
|
|
(
|
|
|
|
|
'default',
|
|
|
|
|
pgettext_lazy('Default style theme', 'Default'),
|
|
|
|
|
'themes/default'
|
|
|
|
|
),
|
|
|
|
|
]
|
|
|
|
|
|
Pre-populate the Angular template cache and allow template overrides
This patch populates the Angular template cache from Django.
This eliminates the need for Angular to do an http get for every HTML
fragment.
In addition, now that we are filling the template cache, this patch
introduces the logic needed to override any Angular template HTML from
the current theme.
How it works:
A new template tag is created called "template_cache_preloads". This
tag is used in _scripts.html to generate a list of text/javascript
script tags, each one containing an Angular "run" method that loads
a template contents into the Angular template cache. The first time
any Horizon page is loaded after server start, the template cache
preloads are computed for the current theme.
The output of this tag is cached for 30 days in Django using the
"cache" tag. Further, that cached result is wrapped in a "compress js"
tag to collapse the individual <script> tags into 1 block of
javascript, and compress like all other javascript Horizon serves to
the client.
Finally, when using offline compression, the compressor evaluates the
nodelist (HTML content) of _scripts.html, notices the compress tag
and builds the template cache preloads for each possible theme. Later,
at runtime, when the preloads are generated for the current theme, the
compressor gets the result from the Django cache, and hashes the
contents to determine which manifest file to serve to the client.
Since the preloads generated at run-time are identical to those
generated off-line, the compressor hash matches an existing manifest
which is served to the client.
Notice that even though the template cache pre-loads are generated
off-line...the template_cache_preloads tag will be executed once
every 30 days anyway. However, since the result matches the off-line
compression, the existing manifest continues to be served to the client.
Finally, this patch ALSO watches for 'post_compress' signals. If it
detects that the angular template preloads have been re-compressed, it
clears the old version from the Django cache.
To test the template caching:
- Run horizon
- View page source
- Notice the new <script type="text/javascript"> tags contained in
the body (only visible if COMPRESS_ENABLED=False
- Open the javascript inspector
- Load launch instance
- Notice there are no longer http calls to load each HTML fragment
used by the Angular launch instance
To test the override:
- Set the DEFAULT_THEME='material'
- Create /horizon/openstack_dashboard/themes/material/\
static/templates/framework/widgets/help-panel/help-panel.html
- Set the content to <h1>TEST</h1>
- Run Horizon and open launch instance.
- The help content should contain "TEST"
To test the new template tag:
- set a breakpoint or print in angular.py:template_cache_preloads
and observe when it is called during off-line or run-time use
Co-Authored-By: Diana Whitten <hurgleburgler@gmail.com>
Implements: blueprint angular-template-overrides
Change-Id: I0e4e2623be58abbc68c6e02b2e9c5d7cdaba8e4d
2016-05-31 12:52:14 -06:00
|
|
|
# Theme Static Directory
|
|
|
|
|
THEME_COLLECTION_DIR = 'themes'
|
|
|
|
|
|
2015-06-26 13:03:38 -07:00
|
|
|
COMPRESS_OFFLINE = False
|
|
|
|
|
|
2012-10-04 15:43:40 -07:00
|
|
|
INSTALLED_APPS = (
|
2013-03-27 17:16:13 -07:00
|
|
|
'django.contrib.contenttypes',
|
|
|
|
|
'django.contrib.auth',
|
2012-10-04 15:43:40 -07:00
|
|
|
'django.contrib.sessions',
|
|
|
|
|
'django.contrib.staticfiles',
|
|
|
|
|
'django.contrib.messages',
|
|
|
|
|
'django.contrib.humanize',
|
|
|
|
|
'django_nose',
|
|
|
|
|
'openstack_auth',
|
|
|
|
|
'compressor',
|
|
|
|
|
'horizon',
|
|
|
|
|
'openstack_dashboard',
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
AUTHENTICATION_BACKENDS = ('openstack_auth.backend.KeystoneBackend',)
|
|
|
|
|
|
|
|
|
|
SITE_BRANDING = 'OpenStack'
|
|
|
|
|
|
|
|
|
|
HORIZON_CONFIG = {
|
|
|
|
|
"password_validator": {
|
|
|
|
|
"regex": '^.{8,18}$',
|
2013-09-06 14:13:37 +09:00
|
|
|
"help_text": "Password must be between 8 and 18 characters."
|
2012-10-04 15:43:40 -07:00
|
|
|
},
|
|
|
|
|
'user_home': None,
|
2018-03-20 16:19:57 +09:00
|
|
|
'help_url': "https://docs.openstack.org/",
|
2015-04-06 16:45:55 -05:00
|
|
|
'exceptions': {'recoverable': exceptions.RECOVERABLE,
|
|
|
|
|
'not_found': exceptions.NOT_FOUND,
|
|
|
|
|
'unauthorized': exceptions.UNAUTHORIZED},
|
2014-05-08 12:34:21 -06:00
|
|
|
'angular_modules': [],
|
|
|
|
|
'js_files': [],
|
2016-08-10 11:30:20 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ANGULAR_FEATURES = {
|
2016-07-18 13:50:00 -06:00
|
|
|
'images_panel': False, # Use the legacy panel so unit tests are still run
|
|
|
|
|
'flavors_panel': False,
|
2016-07-22 11:32:09 +08:00
|
|
|
'roles_panel': False,
|
2012-10-04 15:43:40 -07:00
|
|
|
}
|
|
|
|
|
|
2015-07-22 11:15:45 -06:00
|
|
|
STATICFILES_DIRS = settings_utils.get_xstatic_dirs(
|
|
|
|
|
settings_utils.BASE_XSTATIC_MODULES, HORIZON_CONFIG
|
|
|
|
|
)
|
|
|
|
|
|
2015-06-30 13:23:41 -06:00
|
|
|
# Load the pluggable dashboard settings
|
|
|
|
|
import openstack_dashboard.enabled
|
|
|
|
|
|
|
|
|
|
INSTALLED_APPS = list(INSTALLED_APPS) # Make sure it's mutable
|
2015-07-22 11:15:45 -06:00
|
|
|
settings_utils.update_dashboards(
|
2015-06-30 13:23:41 -06:00
|
|
|
[
|
|
|
|
|
openstack_dashboard.enabled,
|
|
|
|
|
],
|
|
|
|
|
HORIZON_CONFIG,
|
|
|
|
|
INSTALLED_APPS,
|
|
|
|
|
)
|
|
|
|
|
|
2016-08-30 21:30:57 +03:00
|
|
|
OPENSTACK_PROFILER = {'enabled': False}
|
|
|
|
|
|
2015-07-22 11:15:45 -06:00
|
|
|
settings_utils.find_static_files(HORIZON_CONFIG, AVAILABLE_THEMES,
|
|
|
|
|
THEME_COLLECTION_DIR, ROOT_PATH)
|
2015-08-17 23:54:29 -06:00
|
|
|
|
2016-05-19 18:15:24 +03:00
|
|
|
# Set to 'legacy' or 'direct' to allow users to upload images to glance via
|
|
|
|
|
# Horizon server. When enabled, a file form field will appear on the create
|
|
|
|
|
# image form. If set to 'off', there will be no file form field on the create
|
|
|
|
|
# image form. See documentation for deployment considerations.
|
|
|
|
|
HORIZON_IMAGES_UPLOAD_MODE = 'legacy'
|
2013-01-29 04:35:18 -05:00
|
|
|
|
2012-10-04 15:43:40 -07:00
|
|
|
AVAILABLE_REGIONS = [
|
2017-12-21 02:48:35 +09:00
|
|
|
('http://localhost:5000/v3', 'local'),
|
|
|
|
|
('http://remote:5000/v3', 'remote'),
|
2012-10-04 15:43:40 -07:00
|
|
|
]
|
|
|
|
|
|
2013-10-01 14:58:30 +02:00
|
|
|
OPENSTACK_API_VERSIONS = {
|
2015-01-26 15:12:27 +00:00
|
|
|
"identity": 3,
|
|
|
|
|
"image": 2
|
2013-10-01 14:58:30 +02:00
|
|
|
}
|
|
|
|
|
|
2017-12-21 02:48:35 +09:00
|
|
|
OPENSTACK_KEYSTONE_URL = "http://localhost:5000/v3"
|
2013-12-26 15:37:14 +08:00
|
|
|
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
|
2012-10-04 15:43:40 -07:00
|
|
|
|
2013-05-15 14:43:49 -07:00
|
|
|
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
|
|
|
|
|
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'test_domain'
|
2015-11-12 21:19:45 -08:00
|
|
|
OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT = True
|
2013-05-15 14:43:49 -07:00
|
|
|
|
2012-10-04 15:43:40 -07:00
|
|
|
OPENSTACK_KEYSTONE_BACKEND = {
|
|
|
|
|
'name': 'native',
|
2013-02-09 15:29:56 -08:00
|
|
|
'can_edit_user': True,
|
2013-05-23 23:09:34 -07:00
|
|
|
'can_edit_group': True,
|
2013-05-15 14:43:49 -07:00
|
|
|
'can_edit_project': True,
|
2013-05-15 14:45:03 -06:00
|
|
|
'can_edit_domain': True,
|
|
|
|
|
'can_edit_role': True
|
2012-10-04 15:43:40 -07:00
|
|
|
}
|
|
|
|
|
|
2014-03-28 10:50:01 -05:00
|
|
|
OPENSTACK_CINDER_FEATURES = {
|
|
|
|
|
'enable_backup': True,
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-02 23:37:35 -04:00
|
|
|
OPENSTACK_NEUTRON_NETWORK = {
|
2014-08-09 09:45:56 +09:00
|
|
|
'enable_router': True,
|
2013-05-29 12:15:12 +04:00
|
|
|
'enable_quotas': False, # Enabled in specific tests only
|
2014-08-07 01:00:18 -07:00
|
|
|
'enable_distributed_router': False,
|
2013-02-07 18:15:16 -08:00
|
|
|
}
|
|
|
|
|
|
2012-10-04 15:43:40 -07:00
|
|
|
OPENSTACK_HYPERVISOR_FEATURES = {
|
2013-12-04 09:45:56 +08:00
|
|
|
'can_set_mount_point': False,
|
2013-11-13 15:01:43 +11:00
|
|
|
'can_set_password': True,
|
2012-10-04 15:43:40 -07:00
|
|
|
}
|
|
|
|
|
|
2013-09-03 11:54:58 -07:00
|
|
|
OPENSTACK_IMAGE_BACKEND = {
|
|
|
|
|
'image_formats': [
|
2014-05-15 12:29:27 -04:00
|
|
|
('', 'Select format'),
|
2013-09-06 14:13:37 +09:00
|
|
|
('aki', 'AKI - Amazon Kernel Image'),
|
|
|
|
|
('ami', 'AMI - Amazon Machine Image'),
|
|
|
|
|
('ari', 'ARI - Amazon Ramdisk Image'),
|
|
|
|
|
('iso', 'ISO - Optical Disk Image'),
|
2016-07-11 22:47:46 +03:00
|
|
|
('ploop', 'PLOOP - Virtuozzo/Parallels Loopback Disk'),
|
2013-09-06 14:13:37 +09:00
|
|
|
('qcow2', 'QCOW2 - QEMU Emulator'),
|
|
|
|
|
('raw', 'Raw'),
|
|
|
|
|
('vdi', 'VDI'),
|
|
|
|
|
('vhd', 'VHD'),
|
|
|
|
|
('vmdk', 'VMDK')
|
2013-09-03 11:54:58 -07:00
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-13 04:14:13 +09:00
|
|
|
LOGGING['loggers'].update(
|
|
|
|
|
{
|
|
|
|
|
'openstack_dashboard': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
2014-04-04 09:40:07 +01:00
|
|
|
'openstack_auth': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
2013-11-13 04:14:13 +09:00
|
|
|
'novaclient': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
|
|
|
|
'keystoneclient': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
|
|
|
|
'glanceclient': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
|
|
|
|
'neutronclient': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
2017-12-16 23:17:34 +09:00
|
|
|
'oslo_policy': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
|
|
|
|
'stevedore': {
|
|
|
|
|
'handlers': ['test'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
2013-11-13 04:14:13 +09:00
|
|
|
'iso8601': {
|
|
|
|
|
'handlers': ['null'],
|
|
|
|
|
'propagate': False,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
)
|
2012-10-04 15:43:40 -07:00
|
|
|
|
2013-05-02 17:28:10 +08:00
|
|
|
SECURITY_GROUP_RULES = {
|
|
|
|
|
'all_tcp': {
|
|
|
|
|
'name': 'ALL TCP',
|
|
|
|
|
'ip_protocol': 'tcp',
|
|
|
|
|
'from_port': '1',
|
|
|
|
|
'to_port': '65535',
|
|
|
|
|
},
|
|
|
|
|
'http': {
|
|
|
|
|
'name': 'HTTP',
|
|
|
|
|
'ip_protocol': 'tcp',
|
|
|
|
|
'from_port': '80',
|
|
|
|
|
'to_port': '80',
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-04 15:43:40 -07:00
|
|
|
NOSE_ARGS = ['--nocapture',
|
|
|
|
|
'--nologcapture',
|
|
|
|
|
'--cover-package=openstack_dashboard',
|
|
|
|
|
'--cover-inclusive',
|
|
|
|
|
'--all-modules']
|
2017-05-04 06:59:27 +00:00
|
|
|
# TODO(amotoki): Need to investigate why --with-html-output
|
|
|
|
|
# is unavailable in python3.
|
2017-06-13 16:31:41 +00:00
|
|
|
# NOTE(amotoki): Most horizon plugins import this module in their test
|
|
|
|
|
# settings and they do not necessarily have nosehtmloutput in test-reqs.
|
|
|
|
|
# Assuming nosehtmloutput potentially breaks plugins tests,
|
|
|
|
|
# we check the availability of htmloutput module (from nosehtmloutput).
|
|
|
|
|
try:
|
|
|
|
|
import htmloutput # noqa: F401
|
|
|
|
|
has_html_output = True
|
|
|
|
|
except ImportError:
|
|
|
|
|
has_html_output = False
|
|
|
|
|
if six.PY2 and has_html_output:
|
2017-05-04 06:59:27 +00:00
|
|
|
NOSE_ARGS += ['--with-html-output',
|
|
|
|
|
'--html-out-file=ut_openstack_dashboard_nose_results.html']
|
Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 17:28:46 -06:00
|
|
|
|
|
|
|
|
POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf")
|
|
|
|
|
POLICY_FILES = {
|
|
|
|
|
'identity': 'keystone_policy.json',
|
|
|
|
|
'compute': 'nova_policy.json'
|
|
|
|
|
}
|
2013-12-06 15:12:55 +08:00
|
|
|
|
2013-12-04 16:03:56 +08:00
|
|
|
# The openstack_auth.user.Token object isn't JSON-serializable ATM
|
|
|
|
|
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
|
2015-04-02 23:49:29 -06:00
|
|
|
|
|
|
|
|
REST_API_SETTING_1 = 'foo'
|
|
|
|
|
REST_API_SETTING_2 = 'bar'
|
|
|
|
|
REST_API_SECURITY = 'SECURITY'
|
|
|
|
|
REST_API_REQUIRED_SETTINGS = ['REST_API_SETTING_1']
|
|
|
|
|
REST_API_ADDITIONAL_SETTINGS = ['REST_API_SETTING_2']
|
2014-11-20 14:53:48 +08:00
|
|
|
|
|
|
|
|
ALLOWED_PRIVATE_SUBNET_CIDR = {'ipv4': [], 'ipv6': []}
|
2017-04-29 11:26:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
# --------------------
|
|
|
|
|
# Test-only settings
|
|
|
|
|
# --------------------
|
|
|
|
|
# TEST_GLOBAL_MOCKS_ON_PANELS: defines what and how methods should be
|
|
|
|
|
# mocked globally for unit tests and Selenium tests.
|
|
|
|
|
# 'method' is required. 'return_value' and 'side_effect'
|
|
|
|
|
# are optional and passed to mock.patch().
|
|
|
|
|
TEST_GLOBAL_MOCKS_ON_PANELS = {
|
|
|
|
|
'aggregates': {
|
|
|
|
|
'method': ('openstack_dashboard.dashboards.admin'
|
|
|
|
|
'.aggregates.panel.Aggregates.can_access'),
|
|
|
|
|
'return_value': True,
|
|
|
|
|
},
|
2018-01-03 14:25:46 +01:00
|
|
|
'domains': {
|
|
|
|
|
'method': ('openstack_dashboard.dashboards.identity'
|
|
|
|
|
'.domains.panel.Domains.can_access'),
|
|
|
|
|
'return_value': True,
|
|
|
|
|
},
|
2017-11-04 14:29:14 +08:00
|
|
|
'server_groups': {
|
|
|
|
|
'method': ('openstack_dashboard.dashboards.project'
|
|
|
|
|
'.server_groups.panel.ServerGroups.can_access'),
|
|
|
|
|
'return_value': True,
|
|
|
|
|
},
|
2018-01-25 07:54:17 +01:00
|
|
|
'trunk-project': {
|
2017-03-14 08:31:28 +01:00
|
|
|
'method': ('openstack_dashboard.dashboards.project'
|
|
|
|
|
'.trunks.panel.Trunks.can_access'),
|
|
|
|
|
'return_value': True,
|
|
|
|
|
},
|
2018-01-25 07:54:17 +01:00
|
|
|
'trunk-admin': {
|
|
|
|
|
'method': ('openstack_dashboard.dashboards.admin'
|
|
|
|
|
'.trunks.panel.Trunks.can_access'),
|
|
|
|
|
'return_value': True,
|
|
|
|
|
},
|
2017-01-11 10:34:51 +00:00
|
|
|
'qos': {
|
|
|
|
|
'method': ('openstack_dashboard.dashboards.project'
|
|
|
|
|
'.network_qos.panel.NetworkQoS.can_access'),
|
|
|
|
|
'return_value': True,
|
|
|
|
|
},
|
2017-04-29 11:26:45 +00:00
|
|
|
}
|