diff --git a/manila/policy.py b/manila/policy.py index 13879f1954..7f9a6a68a5 100644 --- a/manila/policy.py +++ b/manila/policy.py @@ -16,48 +16,27 @@ """Policy Engine For Manila""" import functools -import os.path - -from oslo.config import cfg from manila import exception from manila.openstack.common import policy -from manila import utils - -CONF = cfg.CONF _ENFORCER = None -_POLICY_PATH = None -_POLICY_CACHE = {} def reset(): - global _POLICY_PATH - global _POLICY_CACHE global _ENFORCER - _POLICY_PATH = None - _POLICY_CACHE = {} - _ENFORCER = None + if _ENFORCER: + _ENFORCER.clear() + _ENFORCER = None -def init(): - global _POLICY_PATH - global _POLICY_CACHE +def init(policy_path=None): global _ENFORCER - if not _POLICY_PATH: - _POLICY_PATH = CONF.policy_file - if not os.path.exists(_POLICY_PATH): - _POLICY_PATH = utils.find_config(_POLICY_PATH) if not _ENFORCER: - _ENFORCER = policy.Enforcer(policy_file=_POLICY_PATH) - utils.read_cached_file(_POLICY_PATH, _POLICY_CACHE, reload_func=_set_rules) - - -def _set_rules(data): - global _ENFORCER - default_rule = CONF.policy_default_rule - _ENFORCER.set_rules(policy.Rules.load_json( - data, default_rule)) + _ENFORCER = policy.Enforcer() + if policy_path: + _ENFORCER.policy_path = policy_path + _ENFORCER.load_rules() def enforce(context, action, target, do_raise=True): diff --git a/manila/tests/conf_fixture.py b/manila/tests/conf_fixture.py index a376a3f882..447afea18e 100644 --- a/manila/tests/conf_fixture.py +++ b/manila/tests/conf_fixture.py @@ -14,9 +14,13 @@ # License for the specific language governing permissions and limitations # under the License. -from oslo.config import cfg +import os -CONF = cfg.CONF +from manila.common import config + +CONF = config.CONF +_POLICY_PATH = os.path.abspath(os.path.join(CONF.state_path, + 'manila/tests/policy.json')) def set_defaults(conf): 
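Review bot: The added `policy.Enforcer()` call in `init()` passes neither a policy file nor a default rule, whereas the removed `_set_rules` applied `CONF.policy_default_rule` explicitly, so the fallback for actions missing from the policy file now rests on the Enforcer's own defaults, which this hunk does not show. Because that fallback decides whether an unlisted action is allowed or denied, it should be confirmed that the Enforcer reads the same options, and a comment such as `# Enforcer() reads policy_file and policy_default_rule from CONF` would record the assumption. Indentation is lost in this rendering, but if `if policy_path:` sits inside `if not _ENFORCER:`, a `policy_path` passed on a later call is silently ignored and the previously loaded rules stay in force. A docstring on `init` should say so, for example `"""Create the global enforcer on first use; policy_path is honoured only then."""`.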
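Review bot: `_POLICY_PATH` in conf_fixture.py is computed at import time from `CONF.state_path`, so it captures whatever value that option holds before any config file, command-line argument or test override is applied, and it only resolves if that value happens to be the source tree root. Deriving the path from the fixture's own location removes both dependencies, e.g. `_POLICY_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'policy.json')`, assuming policy.json sits next to conf_fixture.py as the 'manila/tests/policy.json' suffix suggests. The `conf.set_default('policy_file', _POLICY_PATH)` line in the following hunk would then need no change.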
@@ -24,7 +28,7 @@ def set_defaults(conf): conf.set_default('verbose', True) conf.set_default('connection', "sqlite://", group='database') conf.set_default('sqlite_synchronous', False) - conf.set_default('policy_file', 'manila/tests/policy.json') + conf.set_default('policy_file', _POLICY_PATH) conf.set_default('share_export_ip', '0.0.0.0') conf.set_default('service_instance_user', 'fake_user') conf.set_default('share_driver', diff --git a/manila/tests/test_policy.py b/manila/tests/test_policy.py index 66a98c5644..55daccb13e 100644 --- a/manila/tests/test_policy.py +++ b/manila/tests/test_policy.py @@ -33,6 +33,7 @@ CONF = cfg.CONF class PolicyFileTestCase(test.TestCase): + def setUp(self): super(PolicyFileTestCase, self).setUp() # since is_admin is defined by policy, create context before reset @@ -40,26 +41,27 @@ class PolicyFileTestCase(test.TestCase): policy.reset() self.target = {} - def tearDown(self): - super(PolicyFileTestCase, self).tearDown() - policy.reset() - def test_modified_policy_reloads(self): with utils.tempdir() as tmpdir: tmpfilename = os.path.join(tmpdir, 'policy') self.flags(policy_file=tmpfilename) - action = "example:test" with open(tmpfilename, "w") as policyfile: policyfile.write("""{"example:test": []}""") + policy.init(tmpfilename) policy.enforce(self.context, action, self.target) with open(tmpfilename, "w") as policyfile: policyfile.write("""{"example:test": ["false:false"]}""") # NOTE(vish): reset stored policy cache so we don't have to # sleep(1) - policy._POLICY_CACHE = {} - self.assertRaises(exception.PolicyNotAuthorized, policy.enforce, - self.context, action, self.target) + policy._ENFORCER.load_rules(True) + self.assertRaises( + exception.PolicyNotAuthorized, + policy.enforce, + self.context, + action, + self.target, + ) class PolicyTestCase(test.TestCase):
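Review bot: Removing `tearDown` from `PolicyFileTestCase` drops the only visible `policy.reset()` after the test, while `test_modified_policy_reloads` now calls `policy.init(tmpfilename)` and so leaves the module-global enforcer holding rules loaded from a temp directory that is deleted when the `with` block exits. Unless the base `test.TestCase` resets policy (not visible here), later tests may be evaluated against the `example:test` rules rather than the real policy file; adding `self.addCleanup(policy.reset)` in `setUp`, whose first lines are outside this hunk, would keep the isolation. The `NOTE(vish)` comment still describes resetting the stored policy cache, but the line under it is now `policy._ENFORCER.load_rules(True)`, so it should read something like `# NOTE(vish): force a rule reload so we don't have to sleep(1)`.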