#!/usr/bin/python # Unix SMB/CIFS implementation. # Copyright (C) Jelmer Vernooij 2007 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # import os from samba.provision import setup_secretsdb import samba.tests from ldb import Dn setup_dir = "setup" def setup_path(file): return os.path.join(setup_dir, file) class ProvisionTestCase(samba.tests.TestCaseInTempDir): def test_setup_secretsdb(self): path = os.path.join(self.tempdir, "secrets.ldb") ldb = setup_secretsdb(path, setup_path, None, None, None) try: self.assertEquals("LSA Secrets", ldb.searchone(Dn(ldb, "CN=LSA Secrets"), "CN")) finally: del ldb os.unlink(path) class Disabled: def test_setup_templatesdb(self): raise NotImplementedError(self.test_setup_templatesdb) def test_setup_registry(self): raise NotImplementedError(self.test_setup_registry) def test_setup_samdb_rootdse(self): raise NotImplementedError(self.test_setup_samdb_rootdse) def test_setup_samdb_partitions(self): raise NotImplementedError(self.test_setup_samdb_partitions) def test_create_phpldapadmin_config(self): raise NotImplementedError(self.test_create_phpldapadmin_config) def test_provision_dns(self): raise NotImplementedError(self.test_provision_dns) def test_provision_ldapbase(self): raise NotImplementedError(self.test_provision_ldapbase) def test_provision_guess(self): raise NotImplementedError(self.test_provision_guess) def test_join_domain(self): raise NotImplementedError(self.test_join_domain) def test_vampire(self): raise NotImplementedError(self.test_vampire) def test_erase_partitions(self): raise NotImplementedError(self.test_erase_partitions) or
path: root/nova/policy.py
blob: 68f44969641ea5bd4fc86d4f4be3d038a1700dad (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright (c) 2011 OpenStack Foundation
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

"""Policy Engine For Nova."""

import os.path

from oslo.config import cfg

from nova import exception
from nova.openstack.common import policy
from nova import utils


policy_opts = [
    cfg.StrOpt('policy_file',
               default='policy.json',
               help=_('JSON file representing policy')),
    cfg.StrOpt('policy_default_rule',
               default='default',
               help=_('Rule checked when requested rule is not found')),
    ]

CONF = cfg.CONF
CONF.register_opts(policy_opts)

_POLICY_PATH = None
_POLICY_CACHE = {}


def reset():
    global _POLICY_PATH
    global _POLICY_CACHE
    _POLICY_PATH = None
    _POLICY_CACHE = {}
    policy.reset()


def init():
    global _POLICY_PATH
    global _POLICY_CACHE
    if not _POLICY_PATH:
        _POLICY_PATH = CONF.policy_file
        if not os.path.exists(_POLICY_PATH):
            _POLICY_PATH = CONF.find_file(_POLICY_PATH)
        if not _POLICY_PATH:
            raise exception.ConfigNotFound(path=CONF.policy_file)
    utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE,
                           reload_func=_set_rules)


def _set_rules(data):
    default_rule = CONF.policy_default_rule
    policy.set_rules(policy.Rules.load_json(data, default_rule))


def enforce(context, action, target, do_raise=True):
    """Verifies that the action is valid on the target in this context.

       :param context: nova context
       :param action: string representing the action to be checked
           this should be colon separated for clarity.
           i.e. ``compute:create_instance``,
           ``compute:attach_volume``,
           ``volume:attach_volume``
       :param target: dictionary representing the object of the action
           for object creation this should be a dictionary representing the
           location of the object e.g. ``{'project_id': context.project_id}``
       :param do_raise: if True (the default), raises PolicyNotAuthorized;
           if False, returns False

       :raises nova.exception.PolicyNotAuthorized: if verification fails
           and do_raise is True.

       :return: returns a non-False value (not necessarily "True") if
           authorized, and the exact value False if not authorized and
           do_raise is False.
    """
    init()

    credentials = context.to_dict()

    # Add the exception arguments if asked to do a raise
    extra = {}
    if do_raise:
        extra.update(exc=exception.PolicyNotAuthorized, action=action)

    return policy.check(action, target, credentials, **extra)


def check_is_admin(context):
    """Whether or not roles contains 'admin' role according to policy setting.

    """
    init()

    #the target is user-self
    credentials = context.to_dict()
    target = credentials

    return policy.check('context_is_admin', target, credentials)


@policy.register('is_admin')
class IsAdminCheck(policy.Check):
    """An explicit check for is_admin."""

    def __init__(self, kind, match):
        """Initialize the check."""

        self.expected = (match.lower() == 'true')

        super(IsAdminCheck, self).__init__(kind, str(self.expected))

    def __call__(self, target, creds):
        """Determine whether is_admin matches the requested value."""

        return creds['is_admin'] == self.expected
generated by cgit (git 2.34.1) at 2025-06-20 08:57:01 +0000