diff --git a/mistral/api/access_control.py b/mistral/api/access_control.py
index 004a827d5..692f3b1f3 100644
--- a/mistral/api/access_control.py
+++ b/mistral/api/access_control.py
@@ -21,7 +21,6 @@ from oslo_policy import policy
 
 from mistral import exceptions as exc
 from mistral import policies
 
-
 _ENFORCER = None
 
@@ -62,11 +61,6 @@ def enforce(action, context, target=None, do_raise=True,
         do_raise is False.
     """
 
-    if cfg.CONF.auth_type != 'keystone':
-        # Policy enforcement is supported now only with Keystone
-        # authentication.
-        return
-
     target_obj = {
         'project_id': context.project_id,
         'user_id': context.user_id,
@@ -81,7 +75,7 @@ def enforce(action, context, target=None, do_raise=True,
 
     _ensure_enforcer_initialization()
 
-    return _ENFORCER.enforce(
+    return _ENFORCER.authorize(
         action,
         target_obj,
         policy_context,
diff --git a/mistral/tests/unit/api/test_access_control.py b/mistral/tests/unit/api/test_access_control.py
index dee8b8a96..83e463bcc 100644
--- a/mistral/tests/unit/api/test_access_control.py
+++ b/mistral/tests/unit/api/test_access_control.py
@@ -19,7 +19,7 @@ from mistral.tests.unit.mstrlfixtures import policy_fixtures
 
 
 class PolicyTestCase(base.BaseTest):
-    """Tests whether the configuration of the policy engine is corect."""
+    """Tests whether the configuration of the policy engine is correct."""
 
     def setUp(self):
         super(PolicyTestCase, self).setUp()
@@ -30,7 +30,7 @@ class PolicyTestCase(base.BaseTest):
             "example:admin_or_owner": "rule:admin_or_owner"
         }
 
-        self.policy.set_rules(rules)
+        self.policy.register_rules(rules)
 
     def test_admin_api_allowed(self):
         auth_ctx = base.get_context(default=True, admin=True)
diff --git a/mistral/tests/unit/api/test_policies.py b/mistral/tests/unit/api/test_policies.py
new file mode 100644
index 000000000..db8211496
--- /dev/null
+++ b/mistral/tests/unit/api/test_policies.py
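Review bot: With the `auth_type != 'keystone'` early return removed from `enforce`, the `cfg` name that block used no longer appears in any hunk of this file; if nothing else in `access_control.py` reads it, `from oslo_config import cfg` is now a dead import and should be dropped in the same change. The docstring (only its tail `do_raise is False.` is in the hunk) should also state that enforcement now runs for every auth backend, since a non-Keystone context may carry `project_id`/`user_id` of None and will be judged by the same rules — a deliberate fail-closed change that callers will otherwise discover by surprise. `enforce` starts and ends outside this hunk.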
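Review bot: `_ENFORCER.authorize` differs from `enforce` in a way the docstring should record: oslo.policy's `authorize` raises `PolicyNotRegistered` when *action* has no registered default, and it does so regardless of `do_raise`, so a caller passing `do_raise=False` and expecting a bool can now get an exception — and one that is not `exc.NotAllowedException`, so it is presumably not mapped to a 403 by the API layer (that mapping is not in this diff). I would add to the docstring `:raises PolicyNotRegistered: if *action* has no default registered via mistral.policies; not suppressed by do_raise=False.` Failing closed on unknown actions is the right behaviour; it only needs to be visible to callers. `enforce` starts and ends outside this hunk.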
@@ -0,0 +1,78 @@
+# Copyright 2016 NEC Corporation. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+import datetime
+
+import mock
+
+from mistral.db.v2 import api as db_api
+from mistral.db.v2.sqlalchemy import models
+from mistral.tests.unit.api import base
+from mistral.tests.unit.mstrlfixtures import policy_fixtures
+
+WF_DEFINITION = """
+---
+version: '2.0'
+
+flow:
+  type: direct
+  input:
+    - param1
+
+  tasks:
+    task1:
+      action: std.echo output="Hi"
+"""
+
+WF_DB = models.WorkflowDefinition(
+    id='123e4567-e89b-12d3-a456-426655440000',
+    name='flow',
+    definition=WF_DEFINITION,
+    created_at=datetime.datetime(1970, 1, 1),
+    updated_at=datetime.datetime(1970, 1, 1),
+    spec={'input': ['param1']}
+)
+
+WF = {
+    'id': '123e4567-e89b-12d3-a456-426655440000',
+    'name': 'flow',
+    'definition': WF_DEFINITION,
+    'created_at': '1970-01-01 00:00:00',
+    'updated_at': '1970-01-01 00:00:00',
+    'input': 'param1'
+}
+
+MOCK_WF = mock.MagicMock(return_value=WF_DB)
+
+
+class TestPolicies(base.APITest):
+    @mock.patch.object(db_api, "get_workflow_definition", MOCK_WF)
+    def get(self):
+        resp = self.app.get('/v2/workflows/123', expect_errors=True)
+        return resp.status_int
+
+    def test_disable_workflow_api(self):
+        self.policy = self.useFixture(policy_fixtures.PolicyFixture())
+        rules = {"workflows:get": "role:FAKE"}
+        self.policy.change_policy_definition(rules)
+        response_value = self.get()
+        self.assertEqual(403, response_value)
+
+    def test_enable_workflow_api(self):
+        self.policy = self.useFixture(policy_fixtures.PolicyFixture())
+        rules = {"workflows:get": "role:FAKE or rule:admin_or_owner"}
+        self.policy.change_policy_definition(rules)
+        response_value = self.get()
+        self.assertEqual(200, response_value)
diff --git a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
index 885589246..801514e68 100644
--- a/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
+++ b/mistral/tests/unit/mstrlfixtures/policy_fixtures.py
@@ -13,16 +13,15 @@
 # under the License.
 
 import fixtures
+
+from mistral.api import access_control as acl
+from mistral import policies
 from oslo_config import cfg
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy as oslo_policy
 
-from mistral.api import access_control as acl
-from mistral import policies
-
 
 class PolicyFixture(fixtures.Fixture):
-
     def setUp(self):
         super(PolicyFixture, self).setUp()
 
@@ -34,7 +33,14 @@ class PolicyFixture(fixtures.Fixture):
 
         self.addCleanup(acl._ENFORCER.clear)
 
-    def set_rules(self, rules, overwrite=False):
-        policy = acl._ENFORCER
+    def register_rules(self, rules):
+        enf = acl._ENFORCER
+        for rule_name, rule_check_str in rules.items():
+            enf.register_default(oslo_policy.RuleDefault(rule_name,
+                                                         rule_check_str))
 
-        policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite)
+    def change_policy_definition(self, rules):
+        enf = acl._ENFORCER
+        for rule_name, rule_check_str in rules.items():
+            enf.rules[rule_name] = oslo_policy.RuleDefault(
+                rule_name, rule_check_str).check
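Review bot: `WF` at module level of the new test file is never read — `get()` patches `db_api.get_workflow_definition` with `MOCK_WF`, which returns `WF_DB`, and both tests compare only status codes — so it is dead fixture data and should either be removed or used in an assertion on the 200 response body. Both tests also repeat `self.policy = self.useFixture(policy_fixtures.PolicyFixture())`; moving that line into a `setUp` override that calls the base `setUp` first leaves each test with just the rule it overrides and the expected status. A one-line class docstring such as `"""Checks that a denying workflows:get rule yields 403 and an allowing one 200."""` would state what the two assertions encode.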
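Review bot: `change_policy_definition` builds a `RuleDefault` only to take its `.check`, which is what `oslo_policy.Rules.from_dict` (used by the removed `set_rules`) already computes for a whole mapping, so the loop collapses to `enf.rules.update(oslo_policy.Rules.from_dict(rules))`. Neither new method has a docstring, and the difference matters to test authors: `register_rules` goes through `register_default`, which raises `DuplicatePolicyError` for a name that is already registered (including anything `mistral.policies` registers during `setUp`), whereas `change_policy_definition` overrides whatever is currently loaded in `enf.rules` without registering anything; I would state each as a one-line docstring, e.g. `"""Register new default rules; raises DuplicatePolicyError for names already registered."""` and `"""Override already-loaded rules in place; does not register defaults."""`. Whether a rule written straight into `enf.rules` survives the enforcer's next `load_rules` depends on the policy file having been loaded in `setUp`, whose body is outside this hunk — worth confirming before relying on it beyond these two tests.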