Python oslo_policy.policy.DocumentedRuleDefault() Examples

def test_with_operations(self):
        results = '\n'.join(list(sphinxext._format_policy_section(
            'foo', [policy.DocumentedRuleDefault(
                'rule_a', '@', 'My sample rule', [
                    {'method': 'GET', 'path': '/foo'},
                    {'method': 'POST', 'path': '/some'}])]
        )))

        self.assertEqual(textwrap.dedent("""
        foo
        ===

        ``rule_a``
            :Default: ``@``
            :Operations:
                - **GET** ``/foo``
                - **POST** ``/some``

            My sample rule
        """).lstrip(), results) 

def test_deprecated_policy_must_include_deprecated_since(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:bar',
            check_str='rule:baz'
        )

        self.assertRaises(
            ValueError,
            policy.DocumentedRuleDefault,
            name='foo:bar',
            check_str='rule:baz',
            description='Create a foo.',
            operations=[{'path': '/v1/foos/', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='Some reason.'
        ) 

def test_suppress_default_change_warnings_flag_not_log_warning(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:create_bar',
            check_str='role:fizz'
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"role:bang" is a better default',
            deprecated_since='N'
        )]
        enforcer = policy.Enforcer(self.conf)
        enforcer.suppress_default_change_warnings = True
        enforcer.register_defaults(rule_list)
        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_not_called() 

def test_deprecate_name_suppress_does_not_log_warning(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:bar',
            check_str='role:baz'
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:baz',
            description='Create a bar.',
            operations=[{'path': '/v1/bars/', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"foo:bar" is not granular enough.',
            deprecated_since='N'
        )]

        rules = jsonutils.dumps({'foo:bar': 'role:bang'})
        self.create_config_file('policy.json', rules)
        enforcer = policy.Enforcer(self.conf)
        enforcer.suppress_deprecation_warnings = True
        enforcer.register_defaults(rule_list)

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_not_called() 

def test_deprecate_check_str_suppress_does_not_log_warning(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:create_bar',
            check_str='role:fizz'
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"role:bang" is a better default',
            deprecated_since='N'
        )]
        enforcer = policy.Enforcer(self.conf)
        enforcer.suppress_deprecation_warnings = True
        enforcer.register_defaults(rule_list)
        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_not_called() 

def test_deprecate_a_policy_for_removal_does_not_log_warning(self):
        # We should only log a warning for operators if they are supplying an
        # override for a policy that is deprecated for removal.
        rule_list = [policy.DocumentedRuleDefault(
            name='foo:bar',
            check_str='role:baz',
            description='Create a foo.',
            operations=[{'path': '/v1/foos/', 'method': 'POST'}],
            deprecated_for_removal=True,
            deprecated_reason=(
                '"foo:bar" is no longer a policy used by the service'
            ),
            deprecated_since='N'
        )]
        enforcer = policy.Enforcer(self.conf)
        enforcer.register_defaults(rule_list)

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_not_called() 

def test_deprecate_a_policy_for_removal_logs_warning_when_overridden(self):
        rule_list = [policy.DocumentedRuleDefault(
            name='foo:bar',
            check_str='role:baz',
            description='Create a foo.',
            operations=[{'path': '/v1/foos/', 'method': 'POST'}],
            deprecated_for_removal=True,
            deprecated_reason=(
                '"foo:bar" is no longer a policy used by the service'
            ),
            deprecated_since='N'
        )]
        expected_msg = (
            'Policy "foo:bar":"role:baz" was deprecated for removal in N. '
            'Reason: "foo:bar" is no longer a policy used by the service. Its '
            'value may be silently ignored in the future.'
        )
        rules = jsonutils.dumps({'foo:bar': 'role:bang'})
        self.create_config_file('policy.json', rules)
        enforcer = policy.Enforcer(self.conf)
        enforcer.register_defaults(rule_list)

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_called_once_with(expected_msg) 

def test_operation_must_have_path(self):
        invalid_op = [{'method': 'POST'}]
        self.assertRaises(policy.InvalidRuleDefault,
                          policy.DocumentedRuleDefault,
                          name='foo',
                          check_str='rule:foo',
                          description='foo_api',
                          operations=invalid_op) 

def test_operation_must_contain_method_and_path_only(self):
        invalid_op = [{'path': '/some/path/',
                       'method': 'GET',
                       'break': 'me'}]
        self.assertRaises(policy.InvalidRuleDefault,
                          policy.DocumentedRuleDefault,
                          name='foo',
                          check_str='rule:foo',
                          description='foo_api',
                          operations=invalid_op) 

def setUp(self):
        super(UpgradePolicyTestCase, self).setUp()
        policy_json_contents = jsonutils.dumps({
            "deprecated_name": "rule:admin"
        })
        self.create_config_file('policy.json', policy_json_contents)
        deprecated_policy = policy.DeprecatedRule(
            name='deprecated_name',
            check_str='rule:admin'
        )
        self.new_policy = policy.DocumentedRuleDefault(
            name='new_policy_name',
            check_str='rule:admin',
            description='test_policy',
            operations=[{'path': '/test', 'method': 'GET'}],
            deprecated_rule=deprecated_policy,
            deprecated_reason='test',
            deprecated_since='Stein'
        )
        self.extensions = []
        ext = stevedore.extension.Extension(name='test_upgrade',
                                            entry_point=None,
                                            plugin=None,
                                            obj=[self.new_policy])
        self.extensions.append(ext)
        # Just used for cli opt parsing
        self.local_conf = cfg.ConfigOpts() 

def __init__(self, name, check_str, description, operations,
                 deprecated_rule=None, deprecated_for_removal=False,
                 deprecated_reason=None, deprecated_since=None,
                 scope_types=None):
        super(DocumentedRuleDefault, self).__init__(
            name, check_str, description,
            deprecated_rule=deprecated_rule,
            deprecated_for_removal=deprecated_for_removal,
            deprecated_reason=deprecated_reason,
            deprecated_since=deprecated_since,
            scope_types=scope_types
        )
        self.operations = operations 

def test_operation_must_be_list_of_dicts(self):
        invalid_op = ['invalid_op']
        self.assertRaises(policy.InvalidRuleDefault,
                          policy.DocumentedRuleDefault,
                          name='foo',
                          check_str='rule:foo',
                          description='foo_api',
                          operations=invalid_op) 

def _format_rule_default_json(default):
    """Create a json node from policy.RuleDefault or policy.DocumentedRuleDefault.

    :param default: A policy.RuleDefault or policy.DocumentedRuleDefault object
    :returns: A string containing a json representation of the RuleDefault
    """
    return ('"%(name)s": "%(check_str)s"' %
            {'name': default.name,
             'check_str': default.check_str}) 

def test_operation_must_be_list(self):
        invalid_op = 'invalid_op'
        self.assertRaises(policy.InvalidRuleDefault,
                          policy.DocumentedRuleDefault,
                          name='foo',
                          check_str='rule:foo',
                          description='foo_api',
                          operations=invalid_op) 

def test_operation_not_empty_list(self):
        invalid_op = []
        self.assertRaises(policy.InvalidRuleDefault,
                          policy.DocumentedRuleDefault,
                          name='foo',
                          check_str='rule:foo',
                          description='foo_api',
                          operations=invalid_op) 

def test_description_not_empty(self):
        invalid_desc = ''
        self.assertRaises(policy.InvalidRuleDefault,
                          policy.DocumentedRuleDefault,
                          name='foo',
                          check_str='rule:foo',
                          description=invalid_desc,
                          operations=[{'path': '/foo/', 'method': 'GET'}]) 

def test_contain_operations(self):
        opt = policy.DocumentedRuleDefault(
            name='foo', check_str='rule:foo', description='foo_api',
            operations=[{'path': '/foo/', 'method': 'GET'}])

        self.assertEqual(1, len(opt.operations)) 

def test_enforce_new_defaults_no_old_check_string(self):
        self.conf.set_override('enforce_new_defaults', True,
                               group='oslo_policy')
        deprecated_rule = policy.DeprecatedRule(
            name='foo:create_bar',
            check_str='role:fizz'
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"role:bang" is a better default',
            deprecated_since='N'
        )]
        enforcer = policy.Enforcer(self.conf)
        enforcer.register_defaults(rule_list)

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_not_called()
        self.assertTrue(
            enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']})
        )
        self.assertFalse(
            enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})
        )
        self.assertFalse(
            enforcer.enforce('foo:create_bar', {}, {'roles': ['baz']})
        ) 

def test_override_deprecated_policy_with_new_rule(self):
        # Simulate an operator overriding a deprecated policy with a reference
        # to the new policy, as done by the sample policy generator.
        rules = jsonutils.dumps({'old_rule': 'rule:new_rule'})
        self.create_config_file('policy.json', rules)

        # Deprecate the policy name in favor of something better.
        deprecated_rule = policy.DeprecatedRule(
            name='old_rule',
            check_str='role:bang'
        )
        rule_list = [policy.DocumentedRuleDefault(
            name='new_rule',
            check_str='role:bang',
            description='Replacement for old_rule.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"old_rule" is a bad name',
            deprecated_since='N'
        )]
        self.enforcer.register_defaults(rule_list)

        # Make sure the override supplied by the operator using the old policy
        # name is used in favor of the old or new default.
        self.assertFalse(
            self.enforcer.enforce('new_rule', {}, {'roles': ['fizz']})
        )
        self.assertTrue(
            self.enforcer.enforce('new_rule', {}, {'roles': ['bang']})
        )
        # Verify that we didn't overwrite the new rule.
        self.assertEqual('bang', self.enforcer.rules['new_rule'].match) 

def test_override_deprecated_policy_with_new_name(self):
        # Simulate an operator overriding a policy using the new policy name
        rules = jsonutils.dumps({'foo:create_bar': 'role:bazz'})
        self.create_config_file('policy.json', rules)

        # Deprecate the policy name and check string in favor of something
        # better.
        deprecated_rule = policy.DeprecatedRule(
            name='foo:bar',
            check_str='role:fizz'
        )
        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"role:bang" is a better default',
            deprecated_since='N'
        )]
        self.enforcer.register_defaults(rule_list)

        # Make sure the override supplied by the operator is being used in
        # place of either default value.
        self.assertFalse(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})
        )
        self.assertFalse(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']})
        )
        self.assertTrue(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['bazz']})
        ) 

def test_deprecated_policy_must_include_deprecated_reason(self):
        self.assertRaises(
            ValueError,
            policy.DocumentedRuleDefault,
            name='foo:bar',
            check_str='rule:baz',
            description='Create a foo.',
            operations=[{'path': '/v1/foos/', 'method': 'POST'}],
            deprecated_for_removal=True,
            deprecated_since='N'
        ) 

def test_deprecated_rule_requires_deprecated_rule_object(self):
        self.assertRaises(
            ValueError,
            policy.DocumentedRuleDefault,
            name='foo:bar',
            check_str='rule:baz',
            description='Create a foo.',
            operations=[{'path': '/v1/foos/', 'method': 'POST'}],
            deprecated_rule='foo:bar',
            deprecated_reason='Some reason.'
        ) 

def test_deprecated_policy_for_removal_must_include_deprecated_since(self):
        self.assertRaises(
            ValueError,
            policy.DocumentedRuleDefault,
            name='foo:bar',
            check_str='rule:baz',
            description='Create a foo.',
            operations=[{'path': '/v1/foos/', 'method': 'POST'}],
            deprecated_for_removal=True,
            deprecated_reason='Some reason.'
        ) 

def test_deprecate_an_empty_policy_check_string(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:create_bar',
            check_str=''
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='because of reasons',
            deprecated_since='N'
        )]
        enforcer = policy.Enforcer(self.conf)
        enforcer.register_defaults(rule_list)

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_called_once()

        enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']},
                         do_raise=True)
        enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']},
                         do_raise=True) 

def test_deprecate_a_policy_check_string(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:create_bar',
            check_str='role:fizz'
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"role:bang" is a better default',
            deprecated_since='N'
        )]
        enforcer = policy.Enforcer(self.conf)
        enforcer.register_defaults(rule_list)
        expected_msg = (
            'Policy "foo:create_bar":"role:fizz" was deprecated in N in favor '
            'of "foo:create_bar":"role:bang". Reason: "role:bang" is a better '
            'default. Either ensure your deployment is ready for the new '
            'default or copy/paste the deprecated policy into your policy '
            'file and maintain it manually.'
        )

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules()
            mock_warn.assert_called_once_with(expected_msg)

        self.assertTrue(
            enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']})
        )
        self.assertTrue(
            enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})
        )
        self.assertFalse(
            enforcer.enforce('foo:create_bar', {}, {'roles': ['baz']})
        ) 

def test_with_scope_types(self):
        operations = [
            {'method': 'GET', 'path': '/foo'},
            {'method': 'POST', 'path': '/some'}
        ]
        scope_types = ['bar']
        rule = policy.DocumentedRuleDefault(
            'rule_a', '@', 'My sample rule', operations,
            scope_types=scope_types
        )

        results = '\n'.join(list(sphinxext._format_policy_section(
            'foo', [rule]
        )))

        self.assertEqual(textwrap.dedent("""
        foo
        ===

        ``rule_a``
            :Default: ``@``
            :Operations:
                - **GET** ``/foo``
                - **POST** ``/some``
            :Scope Types:
                - **bar**

            My sample rule
        """).lstrip(), results) 

def test_override_both_new_and_old_policy(self):
        # Simulate an operator overriding a policy using both the the new and
        # old policy names. The following doesn't make a whole lot of sense
        # because the overrides are conflicting, but we want to make sure that
        # oslo.policy uses foo:create_bar instead of foo:bar.
        rules_dict = {
            'foo:create_bar': 'role:bazz',
            'foo:bar': 'role:wee'
        }
        rules = jsonutils.dumps(rules_dict)
        self.create_config_file('policy.json', rules)

        # Deprecate the policy name and check string in favor of something
        # better.
        deprecated_rule = policy.DeprecatedRule(
            name='foo:bar',
            check_str='role:fizz'
        )
        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:bang',
            description='Create a bar.',
            operations=[{'path': '/v1/bars', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason='"role:bang" is a better default',
            deprecated_since='N'
        )]
        self.enforcer.register_defaults(rule_list)

        # The default check string for the old policy name foo:bar should fail
        self.assertFalse(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['fizz']})
        )

        # The default check string for the new policy name foo:create_bar
        # should fail
        self.assertFalse(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['bang']})
        )

        # The override for the old policy name foo:bar should fail
        self.assertFalse(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['wee']})
        )

        # The override for foo:create_bar should pass
        self.assertTrue(
            self.enforcer.enforce('foo:create_bar', {}, {'roles': ['bazz']})
        ) 

def test_deprecate_a_policy_name(self):
        deprecated_rule = policy.DeprecatedRule(
            name='foo:bar',
            check_str='role:baz'
        )

        rule_list = [policy.DocumentedRuleDefault(
            name='foo:create_bar',
            check_str='role:baz',
            description='Create a bar.',
            operations=[{'path': '/v1/bars/', 'method': 'POST'}],
            deprecated_rule=deprecated_rule,
            deprecated_reason=(
                '"foo:bar" is not granular enough. If your deployment has '
                'overridden "foo:bar", ensure you override the new policies '
                'with same role or rule. Not doing this will require the '
                'service to assume the new defaults for "foo:bar:create", '
                '"foo:bar:update", "foo:bar:list", and "foo:bar:delete", '
                'which might be backwards incompatible for your deployment'
            ),
            deprecated_since='N'
        )]
        expected_msg = (
            'Policy "foo:bar":"role:baz" was deprecated in N in favor of '
            '"foo:create_bar":"role:baz". Reason: "foo:bar" is not granular '
            'enough. If your deployment has overridden "foo:bar", ensure you '
            'override the new policies with same role or rule. Not doing this '
            'will require the service to assume the new defaults for '
            '"foo:bar:create", "foo:bar:update", "foo:bar:list", and '
            '"foo:bar:delete", which might be backwards incompatible for your '
            'deployment. Either ensure your deployment is ready for the new '
            'default or copy/paste the deprecated policy into your policy '
            'file and maintain it manually.'
        )

        rules = jsonutils.dumps({'foo:bar': 'role:bang'})
        self.create_config_file('policy.json', rules)
        enforcer = policy.Enforcer(self.conf)
        enforcer.register_defaults(rule_list)

        with mock.patch('warnings.warn') as mock_warn:
            enforcer.load_rules(True)
            mock_warn.assert_called_once_with(expected_msg)