diff --git a/keystone/common/policies/policy.py b/keystone/common/policies/policy.py index 49a53723b6..e3dffbc50f 100644 --- a/keystone/common/policies/policy.py +++ b/keystone/common/policies/policy.py @@ -10,27 +10,54 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy from keystone.common.policies import base +deprecated_get_policy = policy.DeprecatedRule( + name=base.IDENTITY % 'get_policy', + check_str=base.RULE_ADMIN_REQUIRED, +) + +deprecated_list_policies = policy.DeprecatedRule( + name=base.IDENTITY % 'list_policies', + check_str=base.RULE_ADMIN_REQUIRED, +) + + +DEPRECATED_REASON = """ +As of the Train release, the policy API now understands default roles and +system-scoped tokens, making the API more granular by default without +compromising security. The new policy defaults account for these changes +automatically. Be sure to take these new defaults into consideration if you are +relying on overrides in your deployment for the policy API. +""" + + policy_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_policy', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, # This API isn't really exposed to usable, it's actually deprecated. # More-or-less adding scope_types to be consistent with other policies. scope_types=['system'], description='Show policy details.', - operations=[{'path': '/v3/policy/{policy_id}', - 'method': 'GET'}]), + operations=[{'path': '/v3/policies/{policy_id}', + 'method': 'GET'}], + deprecated_rule=deprecated_get_policy, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_policies', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='List policies.', operations=[{'path': '/v3/policies', - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_list_policies, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_policy', check_str=base.RULE_ADMIN_REQUIRED, diff --git a/keystone/tests/unit/protection/v3/test_policy.py b/keystone/tests/unit/protection/v3/test_policy.py new file mode 100644 index 0000000000..da3620f6e4 --- /dev/null +++ b/keystone/tests/unit/protection/v3/test_policy.py @@ -0,0 +1,161 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import json +import uuid + +from six.moves import http_client + +from keystone.common import provider_api +import keystone.conf +from keystone.tests.common import auth as common_auth +from keystone.tests import unit +from keystone.tests.unit import base_classes +from keystone.tests.unit import ksfixtures + +CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs + + +class _SystemUserPoliciesTests(object): + """Common default functionality for all system users.""" + + def test_user_can_list_policies(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + + with self.test_client() as c: + r = c.get('/v3/policies', headers=self.headers) + policies = [] + for policy in r.json['policies']: + policies.append(policy['id']) + + self.assertIn(policy['id'], policies) + + def test_user_can_get_policy(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + + with self.test_client() as c: + c.get('/v3/policies/%s' % policy['id'], + headers=self.headers) + + +class _SystemReaderAndMemberPoliciesTests(object): + """Common default functionality for system readers and system members.""" + + def test_user_cannot_create_policy(self): + create = { + 'id': uuid.uuid4().hex, + 'name': uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'enabled': True, + # Store serialized JSON data as the blob to mimic real world usage. + 'blob': json.dumps({'data': uuid.uuid4().hex, }), + 'type': uuid.uuid4().hex, + } + with self.test_client() as c: + c.post( + '/v3/policies', json=create, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_update_policy(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + + update = {'policy': {'name': uuid.uuid4().hex}} + + with self.test_client() as c: + c.patch( + '/v3/policies/%s' % policy['id'], json=update, + headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_delete_policy(self): + policy = unit.new_policy_ref() + policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) + + with self.test_client() as c: + c.delete( + '/v3/policies/%s' % policy['id'], headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + +class SystemReaderTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserPoliciesTests, + _SystemReaderAndMemberPoliciesTests): + + def setUp(self): + super(SystemReaderTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + system_reader = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + self.user_id = PROVIDERS.identity_api.create_user( + system_reader + )['id'] + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user_id, self.bootstrapper.reader_role_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, password=system_reader['password'], + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + +class SystemMemberTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserPoliciesTests, + _SystemReaderAndMemberPoliciesTests): + + def setUp(self): + super(SystemMemberTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + system_member = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + self.user_id = PROVIDERS.identity_api.create_user( + system_member + )['id'] + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user_id, self.bootstrapper.member_role_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, password=system_member['password'], + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id}