Merge "Adding Keycloak authorization support."
commit
1d4ff0ab40
|
@ -21,7 +21,6 @@ from oslo_policy import policy
|
|||
from mistral import exceptions as exc
|
||||
from mistral import policies
|
||||
|
||||
|
||||
_ENFORCER = None
|
||||
|
||||
|
||||
|
@ -62,11 +61,6 @@ def enforce(action, context, target=None, do_raise=True,
|
|||
do_raise is False.
|
||||
"""
|
||||
|
||||
if cfg.CONF.auth_type != 'keystone':
|
||||
# Policy enforcement is supported now only with Keystone
|
||||
# authentication.
|
||||
return
|
||||
|
||||
target_obj = {
|
||||
'project_id': context.project_id,
|
||||
'user_id': context.user_id,
|
||||
|
@ -81,7 +75,7 @@ def enforce(action, context, target=None, do_raise=True,
|
|||
|
||||
_ensure_enforcer_initialization()
|
||||
|
||||
return _ENFORCER.enforce(
|
||||
return _ENFORCER.authorize(
|
||||
action,
|
||||
target_obj,
|
||||
policy_context,
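Review bot: With the `if cfg.CONF.auth_type != 'keystone':` early return gone, `enforce()` now evaluates policy for every authentication backend, so `context.project_id`, `context.user_id` and whatever `policy_context` is built from (outside these hunks) must be populated by the non-Keystone path as well. If both the target and the credential side can be unset, an owner-style rule may end up comparing two empty values, so a check or test that rejects a context without `project_id`/`user_id` is worth adding. Separately, `_ENFORCER.authorize(` raises `PolicyNotRegistered` for an action with no registered default regardless of `do_raise`, which callers passing `do_raise=False` may not expect. The docstring ending in `do_raise is False.` should gain a line such as `:raises oslo_policy.policy.PolicyNotRegistered: if action has no registered default`. The body of `enforce` starts and ends outside the visible hunks.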
|
||||
|
|
|
@ -19,7 +19,7 @@ from mistral.tests.unit.mstrlfixtures import policy_fixtures
|
|||
|
||||
|
||||
class PolicyTestCase(base.BaseTest):
|
||||
"""Tests whether the configuration of the policy engine is corect."""
|
||||
"""Tests whether the configuration of the policy engine is correct."""
|
||||
def setUp(self):
|
||||
super(PolicyTestCase, self).setUp()
|
||||
|
||||
|
@ -30,7 +30,7 @@ class PolicyTestCase(base.BaseTest):
|
|||
"example:admin_or_owner": "rule:admin_or_owner"
|
||||
}
|
||||
|
||||
self.policy.set_rules(rules)
|
||||
self.policy.register_rules(rules)
|
||||
|
||||
def test_admin_api_allowed(self):
|
||||
auth_ctx = base.get_context(default=True, admin=True)
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
# Copyright 2016 NEC Corporation. All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
import datetime
|
||||
|
||||
import mock
|
||||
|
||||
from mistral.db.v2 import api as db_api
|
||||
from mistral.db.v2.sqlalchemy import models
|
||||
from mistral.tests.unit.api import base
|
||||
from mistral.tests.unit.mstrlfixtures import policy_fixtures
|
||||
|
||||
WF_DEFINITION = """
|
||||
---
|
||||
version: '2.0'
|
||||
|
||||
flow:
|
||||
type: direct
|
||||
input:
|
||||
- param1
|
||||
|
||||
tasks:
|
||||
task1:
|
||||
action: std.echo output="Hi"
|
||||
"""
|
||||
|
||||
WF_DB = models.WorkflowDefinition(
|
||||
id='123e4567-e89b-12d3-a456-426655440000',
|
||||
name='flow',
|
||||
definition=WF_DEFINITION,
|
||||
created_at=datetime.datetime(1970, 1, 1),
|
||||
updated_at=datetime.datetime(1970, 1, 1),
|
||||
spec={'input': ['param1']}
|
||||
)
|
||||
|
||||
WF = {
|
||||
'id': '123e4567-e89b-12d3-a456-426655440000',
|
||||
'name': 'flow',
|
||||
'definition': WF_DEFINITION,
|
||||
'created_at': '1970-01-01 00:00:00',
|
||||
'updated_at': '1970-01-01 00:00:00',
|
||||
'input': 'param1'
|
||||
}
|
||||
|
||||
MOCK_WF = mock.MagicMock(return_value=WF_DB)
|
||||
|
||||
|
||||
class TestPolicies(base.APITest):
|
||||
@mock.patch.object(db_api, "get_workflow_definition", MOCK_WF)
|
||||
def get(self):
|
||||
resp = self.app.get('/v2/workflows/123', expect_errors=True)
|
||||
return resp.status_int
|
||||
|
||||
def test_disable_workflow_api(self):
|
||||
self.policy = self.useFixture(policy_fixtures.PolicyFixture())
|
||||
rules = {"workflows:get": "role:FAKE"}
|
||||
self.policy.change_policy_definition(rules)
|
||||
response_value = self.get()
|
||||
self.assertEqual(403, response_value)
|
||||
|
||||
def test_enable_workflow_api(self):
|
||||
self.policy = self.useFixture(policy_fixtures.PolicyFixture())
|
||||
rules = {"workflows:get": "role:FAKE or rule:admin_or_owner"}
|
||||
self.policy.change_policy_definition(rules)
|
||||
response_value = self.get()
|
||||
self.assertEqual(200, response_value)
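Review bot: Neither `test_disable_workflow_api` nor `test_enable_workflow_api` sets `auth_type`, so as far as this file shows they run under whatever `base.APITest` configures, and the behaviour the commit actually changes (policy no longer being skipped for non-Keystone authentication) is not exercised. A third case that overrides `auth_type` to a non-Keystone value and asserts the same 403 for `{"workflows:get": "role:FAKE"}` would pin that down. The module-level `WF` dict is never referenced in this file and can be dropped. The helper `get` would read better as `_get_workflow_status` with a one-line docstring saying it returns the HTTP status of `GET /v2/workflows/123`.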
|
|
@ -13,16 +13,15 @@
|
|||
# under the License.
|
||||
|
||||
import fixtures
|
||||
|
||||
from mistral.api import access_control as acl
|
||||
from mistral import policies
|
||||
from oslo_config import cfg
|
||||
from oslo_policy import opts as policy_opts
|
||||
from oslo_policy import policy as oslo_policy
|
||||
|
||||
from mistral.api import access_control as acl
|
||||
from mistral import policies
|
||||
|
||||
|
||||
class PolicyFixture(fixtures.Fixture):
|
||||
|
||||
def setUp(self):
|
||||
super(PolicyFixture, self).setUp()
|
||||
|
||||
|
@ -34,7 +33,14 @@ class PolicyFixture(fixtures.Fixture):
|
|||
|
||||
self.addCleanup(acl._ENFORCER.clear)
|
||||
|
||||
def set_rules(self, rules, overwrite=False):
|
||||
policy = acl._ENFORCER
|
||||
def register_rules(self, rules):
|
||||
enf = acl._ENFORCER
|
||||
for rule_name, rule_check_str in rules.items():
|
||||
enf.register_default(oslo_policy.RuleDefault(rule_name,
|
||||
rule_check_str))
|
||||
|
||||
policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite)
|
||||
def change_policy_definition(self, rules):
|
||||
enf = acl._ENFORCER
|
||||
for rule_name, rule_check_str in rules.items():
|
||||
enf.rules[rule_name] = oslo_policy.RuleDefault(
|
||||
rule_name, rule_check_str).check
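Review bot: `change_policy_definition` writes the parsed check straight into `enf.rules[rule_name]` without checking that the name is a registered policy, so a misspelled rule name in a test adds an entry that is never looked up and the test can pass or fail for the wrong reason. A guard such as `if rule_name not in enf.registered_rules: raise KeyError(rule_name)` at the top of the loop would make that visible. Both new methods also lack docstrings: `register_rules` could say `"""Register each rule as a new default on the shared enforcer."""` and `change_policy_definition` could say `"""Override the check of an already-registered rule for this test."""`. Both mutate the module-global `acl._ENFORCER`, and only the `clear` cleanup is visible here, so whether registered defaults are reset between tests depends on `setUp`, whose body is outside the hunk.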
|
||||
|
|