Use common code within manila.policy module
Rewrote the 'init' and 'reset' functions to use the equivalent functionality from the common policy enforcer code. Changed the path to the test policy file, because the policy enforcer uses the oslo.config 'find_file' method, which was not used before and does not know about the test policy file. Partially-implements blueprint use-common-code Change-Id: I26ed170d39ed183899ee4420dc04d512cf3172e2
parent
c8112434eb
commit
284936f43b
@ -16,48 +16,27 @@
|
||||
"""Policy Engine For Manila"""
|
||||
|
||||
import functools
|
||||
import os.path
|
||||
|
||||
from oslo.config import cfg
|
||||
|
||||
from manila import exception
|
||||
from manila.openstack.common import policy
|
||||
from manila import utils
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
_ENFORCER = None
|
||||
_POLICY_PATH = None
|
||||
_POLICY_CACHE = {}
|
||||
|
||||
|
||||
def reset():
|
||||
global _POLICY_PATH
|
||||
global _POLICY_CACHE
|
||||
global _ENFORCER
|
||||
_POLICY_PATH = None
|
||||
_POLICY_CACHE = {}
|
||||
_ENFORCER = None
|
||||
if _ENFORCER:
|
||||
_ENFORCER.clear()
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
def init():
|
||||
global _POLICY_PATH
|
||||
global _POLICY_CACHE
|
||||
def init(policy_path=None):
|
||||
global _ENFORCER
|
||||
if not _POLICY_PATH:
|
||||
_POLICY_PATH = CONF.policy_file
|
||||
if not os.path.exists(_POLICY_PATH):
|
||||
_POLICY_PATH = utils.find_config(_POLICY_PATH)
|
||||
if not _ENFORCER:
|
||||
_ENFORCER = policy.Enforcer(policy_file=_POLICY_PATH)
|
||||
utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE, reload_func=_set_rules)
|
||||
|
||||
|
||||
def _set_rules(data):
|
||||
global _ENFORCER
|
||||
default_rule = CONF.policy_default_rule
|
||||
_ENFORCER.set_rules(policy.Rules.load_json(
|
||||
data, default_rule))
|
||||
_ENFORCER = policy.Enforcer()
|
||||
if policy_path:
|
||||
_ENFORCER.policy_path = policy_path
|
||||
_ENFORCER.load_rules()
|
||||
|
||||
|
||||
def enforce(context, action, target, do_raise=True):
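Review bot: In the rewritten `init(policy_path=None)`, `policy_path` is applied only inside the `if not _ENFORCER:` branch, so a call made while an enforcer already exists silently keeps the previously loaded file and authorization continues to be decided by those rules. A short docstring would make that contract visible, for example `"""Create the shared Enforcer on first use and load its rules; policy_path is honoured only on the first call after reset()."""`. Separately, the old `_set_rules` passed `CONF.policy_default_rule` to `Rules.load_json`, while the new `policy.Enforcer()` call passes no default rule; the common Enforcer is not shown on this page, so confirm it still picks that option up, because the default rule decides every action the policy file does not list. The page has lost its `+`/`-` markers, so which lines are new is inferred from the text, and `enforce` continues outside the hunk.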
|
||||
|
@ -14,9 +14,13 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo.config import cfg
|
||||
import os
|
||||
|
||||
CONF = cfg.CONF
|
||||
from manila.common import config
|
||||
|
||||
CONF = config.CONF
|
||||
_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path,
|
||||
'manila/tests/policy.json'))
|
||||
|
||||
|
||||
def set_defaults(conf):
|
||||
@ -24,7 +28,7 @@ def set_defaults(conf):
|
||||
conf.set_default('verbose', True)
|
||||
conf.set_default('connection', "sqlite://", group='database')
|
||||
conf.set_default('sqlite_synchronous', False)
|
||||
conf.set_default('policy_file', 'manila/tests/policy.json')
|
||||
conf.set_default('policy_file', _POLICY_PATH)
|
||||
conf.set_default('share_export_ip', '0.0.0.0')
|
||||
conf.set_default('service_instance_user', 'fake_user')
|
||||
conf.set_default('share_driver',
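Review bot: `_POLICY_PATH` is computed once at import time from `CONF.state_path`, so the test policy file is only found when `state_path` already points at the source tree root at that moment; a run with a different `state_path` would presumably fail to load any policy. If this fixture sits in the same directory as the policy file (the page does not show the file's path), deriving it from the module location is independent of configuration: `_POLICY_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'policy.json')`. Otherwise a one-line comment above the assignment, such as `# absolute path: the common Enforcer resolves policy_file via find_file`, would record why the relative default was dropped. The `set_defaults` body continues past the end of the hunk.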
|
||||
|
@ -33,6 +33,7 @@ CONF = cfg.CONF
|
||||
|
||||
|
||||
class PolicyFileTestCase(test.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(PolicyFileTestCase, self).setUp()
|
||||
# since is_admin is defined by policy, create context before reset
|
||||
@ -40,26 +41,27 @@ class PolicyFileTestCase(test.TestCase):
|
||||
policy.reset()
|
||||
self.target = {}
|
||||
|
||||
def tearDown(self):
|
||||
super(PolicyFileTestCase, self).tearDown()
|
||||
policy.reset()
|
||||
|
||||
def test_modified_policy_reloads(self):
|
||||
with utils.tempdir() as tmpdir:
|
||||
tmpfilename = os.path.join(tmpdir, 'policy')
|
||||
self.flags(policy_file=tmpfilename)
|
||||
|
||||
action = "example:test"
|
||||
with open(tmpfilename, "w") as policyfile:
|
||||
policyfile.write("""{"example:test": []}""")
|
||||
policy.init(tmpfilename)
|
||||
policy.enforce(self.context, action, self.target)
|
||||
with open(tmpfilename, "w") as policyfile:
|
||||
policyfile.write("""{"example:test": ["false:false"]}""")
|
||||
# NOTE(vish): reset stored policy cache so we don't have to
|
||||
# sleep(1)
|
||||
policy._POLICY_CACHE = {}
|
||||
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, action, self.target)
|
||||
policy._ENFORCER.load_rules(True)
|
||||
self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
policy.enforce,
|
||||
self.context,
|
||||
action,
|
||||
self.target,
|
||||
)
|
||||
|
||||
|
||||
class PolicyTestCase(test.TestCase):
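Review bot: In `test_modified_policy_reloads` the deny assertion now only passes after the test itself calls `policy._ENFORCER.load_rules(True)`, so it checks a forced reload through a private module global rather than that `policy.enforce` notices a tightened policy file on its own. Since that is the path by which a revoked permission takes effect, it would be worth a comment stating the limitation, e.g. `# force reload; automatic reload of a modified file is not covered here`, or a second assertion that goes through the public API only. Whether `enforce` reloads by itself is not visible on this page, so this is about test coverage rather than a confirmed defect. `self.flags(policy_file=tmpfilename)` and `policy.init(tmpfilename)` also set the same path twice; one of them is probably enough.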
|
||||
|