diff options
| author | guohliu <guohliu@cn.ibm.com> | 2013-07-19 10:10:19 +0800 |
|---|---|---|
| committer | guohliu <guohliu@cn.ibm.com> | 2013-07-29 10:41:43 +0800 |
| commit | 3626b6db91ce1e897d1993fb4e13ac4237d04b7f (patch) | |
| tree | 9edd26c6c0cac7b070792ce15e4dd39806518838 /tests/unit | |
| parent | b4148c2b88069f50eb0b215daf71d798fd0d892c (diff) | |
| download | oslo-3626b6db91ce1e897d1993fb4e13ac4237d04b7f.tar.gz oslo-3626b6db91ce1e897d1993fb4e13ac4237d04b7f.tar.xz oslo-3626b6db91ce1e897d1993fb4e13ac4237d04b7f.zip | |
Fix policy default_rule issue
This patch fixed the following issue in policy:
1. Default_rule wasn't set correctly when using enforcer.
2. When overwrite=True set_rule method doesn't work.
3. Add type check in __missing__ of dict and return
the correct value of default_rule.
4. Partially refactor the test_policy code based on the
related change.
Fixed #bug 1202771
Change-Id: I9be1ac8bdc995adae201e9b45ee124dd525e4822
Diffstat (limited to 'tests/unit')
| -rw-r--r-- | tests/unit/test_policy.py | 47 |
1 files changed, 38 insertions, 9 deletions
diff --git a/tests/unit/test_policy.py b/tests/unit/test_policy.py index b7d38a3..2ccf71e 100644 --- a/tests/unit/test_policy.py +++ b/tests/unit/test_policy.py @@ -170,6 +170,44 @@ class EnforcerTest(PolicyBaseTestCase): creds = {'roles': ''} self.assertEqual(self.enforcer.enforce(action, {}, creds), True) + def test_enforcer_with_default_rule(self): + rules_json = """{ + "deny_stack_user": "not role:stack_user", + "cloudwatch:PutMetricData": "" + }""" + rules = policy.Rules.load_json(rules_json) + default_rule = policy.TrueCheck() + enforcer = policy.Enforcer(default_rule=default_rule) + enforcer.set_rules(rules) + action = "cloudwatch:PutMetricData" + creds = {'roles': ''} + self.assertEqual(enforcer.enforce(action, {}, creds), True) + + def test_enforcer_force_reload_true(self): + self.enforcer.set_rules({'test': 'test'}) + self.enforcer.load_rules(force_reload=True) + self.assertNotIn({'test': 'test'}, self.enforcer.rules) + self.assertIn('default', self.enforcer.rules) + self.assertIn('admin', self.enforcer.rules) + + def test_enforcer_force_reload_false(self): + self.enforcer.set_rules({'test': 'test'}) + self.enforcer.load_rules(force_reload=False) + self.assertIn('test', self.enforcer.rules) + self.assertNotIn('default', self.enforcer.rules) + self.assertNotIn('admin', self.enforcer.rules) + + def test_enforcer_overwrite_rules(self): + self.enforcer.set_rules({'test': 'test'}) + self.enforcer.set_rules({'test': 'test1'}, overwrite=True) + self.assertEquals(self.enforcer.rules, {'test': 'test1'}) + + def test_enforcer_update_rules(self): + self.enforcer.set_rules({'test': 'test'}) + self.enforcer.set_rules({'test1': 'test1'}, overwrite=False) + self.assertEquals(self.enforcer.rules, {'test': 'test', + 'test1': 'test1'}) + class FakeCheck(policy.BaseCheck): def __init__(self, result=None): @@ -187,24 +225,15 @@ class FakeCheck(policy.BaseCheck): class CheckFunctionTestCase(PolicyBaseTestCase): def test_check_explicit(self): - self.enforcer.load_rules() - self.enforcer.rules = None rule = FakeCheck() result = self.enforcer.enforce(rule, "target", "creds") - self.assertEqual(result, ("target", "creds", self.enforcer)) - self.assertEqual(self.enforcer.rules, None) def test_check_no_rules(self): - self.enforcer.load_rules() - self.enforcer.rules = None result = self.enforcer.enforce('rule', "target", "creds") - self.assertEqual(result, False) - self.assertEqual(self.enforcer.rules, None) def test_check_missing_rule(self): - self.enforcer.rules = {} result = self.enforcer.enforce('rule', 'target', 'creds') self.assertEqual(result, False) |