# Copyright 2021 Red Hat, Inc # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from unittest import mock import webob.exc from glance.api.v2 import policy from glance.common import exception from glance.tests import utils class APIPolicyBase(utils.BaseTestCase): def setUp(self): super(APIPolicyBase, self).setUp() self.enforcer = mock.MagicMock() self.context = mock.MagicMock() self.policy = policy.APIPolicyBase(self.context, enforcer=self.enforcer) def test_enforce(self): # Enforce passes self.policy._enforce('fake_rule') self.enforcer.enforce.assert_called_once_with( self.context, 'fake_rule', mock.ANY) # Make sure that Forbidden gets caught and translated self.enforcer.enforce.side_effect = exception.Forbidden self.assertRaises(webob.exc.HTTPForbidden, self.policy._enforce, 'fake_rule') # Any other exception comes straight through self.enforcer.enforce.side_effect = exception.ImageNotFound self.assertRaises(exception.ImageNotFound, self.policy._enforce, 'fake_rule') def test_check(self): # Check passes self.assertTrue(self.policy.check('_enforce', 'fake_rule')) # Check fails self.enforcer.enforce.side_effect = exception.Forbidden self.assertFalse(self.policy.check('_enforce', 'fake_rule')) class APIImagePolicy(APIPolicyBase): def setUp(self): super(APIImagePolicy, self).setUp() self.image = mock.MagicMock() self.policy = policy.ImageAPIPolicy(self.context, self.image, enforcer=self.enforcer) def test_enforce(self): self.assertRaises(webob.exc.HTTPNotFound, super(APIImagePolicy, self).test_enforce) @mock.patch('glance.api.policy._enforce_image_visibility') def test_enforce_visibility(self, mock_enf): # Visibility passes self.policy._enforce_visibility('something') mock_enf.assert_called_once_with(self.enforcer, self.context, 'something', mock.ANY) # Make sure that Forbidden gets caught and translated mock_enf.side_effect = exception.Forbidden self.assertRaises(webob.exc.HTTPForbidden, self.policy._enforce_visibility, 'something') # Any other exception comes straight through mock_enf.side_effect = exception.ImageNotFound self.assertRaises(exception.ImageNotFound, self.policy._enforce_visibility, 'something') def test_update_property(self): with mock.patch.object(self.policy, '_enforce') as mock_enf: self.policy.update_property('foo', None) mock_enf.assert_called_once_with('modify_image') with mock.patch.object(self.policy, '_enforce_visibility') as mock_enf: self.policy.update_property('visibility', 'foo') mock_enf.assert_called_once_with('foo') def test_update_locations(self): self.policy.update_locations() self.enforcer.enforce.assert_called_once_with(self.context, 'set_image_location', mock.ANY) def test_delete_locations(self): self.policy.delete_locations() self.enforcer.enforce.assert_called_once_with(self.context, 'delete_image_location', mock.ANY) def test_enforce_exception_behavior(self): with mock.patch.object(self.policy.enforcer, 'enforce') as mock_enf: # First make sure we can update if allowed self.policy.update_property('foo', None) self.assertTrue(mock_enf.called) # Make sure that if modify_image and get_image both return # Forbidden then we should get NotFound. This is because # we are not allowed to delete the image, nor see that it # even exists. mock_enf.reset_mock() mock_enf.side_effect = exception.Forbidden self.assertRaises(webob.exc.HTTPNotFound, self.policy.update_property, 'foo', None) # Make sure we checked modify_image, and then get_image. mock_enf.assert_has_calls([ mock.call(mock.ANY, 'modify_image', mock.ANY), mock.call(mock.ANY, 'get_image', mock.ANY)]) # Make sure that if modify_image is disallowed, but # get_image is allowed, that we get Forbidden. This is # because we are allowed to see the image, but not modify # it, so 403 indicates that without confusing the user and # returning "not found" for an image they are able to GET. mock_enf.reset_mock() mock_enf.side_effect = [exception.Forbidden, lambda *a: None] self.assertRaises(webob.exc.HTTPForbidden, self.policy.update_property, 'foo', None) # Make sure we checked modify_image, and then get_image. mock_enf.assert_has_calls([ mock.call(mock.ANY, 'modify_image', mock.ANY), mock.call(mock.ANY, 'get_image', mock.ANY)]) def test_get_image(self): self.policy.get_image() self.enforcer.enforce.assert_called_once_with(self.context, 'get_image', mock.ANY) def test_get_images(self): self.policy.get_images() self.enforcer.enforce.assert_called_once_with(self.context, 'get_images', mock.ANY)