Improve is_admin support in Patrole converter framework.
Right now is_admin rules are still causing issues. Fixes those
issues by checking for context_is_admin in the policy file under
test and whether the current role is_admin according to the rule
context_is_admin. This ensures that is_admin is reliably
passed to oslo policy's check.
Also adds support for services like nova that do not auto-generate a
policy.json file; in this case oslo_policy.generator is used instead.
Change-Id: I91b567fd13130ebd9e3a9c49c46488c76d99d7a8
diff --git a/tests/test_rbac_role_converter.py b/tests/test_rbac_role_converter.py
index 04eb626..f3a97ab 100644
--- a/tests/test_rbac_role_converter.py
+++ b/tests/test_rbac_role_converter.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import mock
import os
from tempest import config
@@ -35,8 +36,12 @@
self.admin_policy_file = os.path.join(current_directory,
'resources',
'admin_rbac_policy.json')
+ self.alt_admin_policy_file = os.path.join(current_directory,
+ 'resources',
+ 'alt_admin_rbac_policy.json')
- def test_custom_policy(self):
+ @mock.patch.object(rbac_role_converter, 'LOG', autospec=True)
+ def test_custom_policy(self, m_log):
default_roles = ['zero', 'one', 'two', 'three', 'four',
'five', 'six', 'seven', 'eight', 'nine']
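Review bot: The new `self.alt_admin_policy_file` fixture points at `resources/alt_admin_rbac_policy.json`, but no such file is added anywhere in the diff as shown; unless it arrives in another part of the change, the new test that reads it will fail in setup on a missing resource rather than on the behaviour under test. Worth confirming that the resource file is committed with this test and that its `context_is_admin` rule names the role the new test expects, since the tests only assert outcomes and never state that dependency. The enclosing setUp starts outside the hunk.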
@@ -56,7 +61,10 @@
fake_rule = 'fake_rule'
for role in default_roles:
- self.assertRaises(KeyError, converter.allowed, fake_rule, role)
+ self.assertFalse(converter.allowed(fake_rule, role))
+ m_log.debug.assert_called_once_with(
+ "{0} not found in policy file.".format('fake_rule'))
+ m_log.debug.reset_mock()
for rule, role_list in expected.items():
for role in role_list:
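Review bot: The replaced assertion on the `self.assertFalse(converter.allowed(fake_rule, role))` line pins a fail-silent contract: an unknown rule name is now reported as disallowed with only a debug-level log, so a misspelled action name in a test would pass as a "correctly denied" check without anyone noticing. If the converter is meant to return False for unknown rules, consider having it log at warning level and asserting `m_log.warning.assert_called_once_with(...)` here so such typos surface in test output; otherwise the old KeyError was the safer oracle. The expected message also interpolates the literal `'fake_rule'` instead of the `fake_rule` variable defined two lines above, `"{0} not found in policy file.".format(fake_rule)`. The enclosing test_custom_policy starts outside the hunk.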
@@ -70,10 +78,9 @@
role = 'admin'
allowed_rules = [
- 'admin_rule'
+ 'admin_rule', 'is_admin_rule', 'alt_admin_rule'
]
- disallowed_rules = [
- 'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
+ disallowed_rules = ['non_admin_rule']
for rule in allowed_rules:
allowed = converter.allowed(rule, role)
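Review bot: The new allowed list on the `'admin_rule', 'is_admin_rule', 'alt_admin_rule'` line reverses the previous expectation for two rules without a comment saying why, so a reader of this test cannot tell that is_admin_rule and alt_admin_rule are now expected to pass because `admin` satisfies context_is_admin, as the commit message describes. Add a comment above the list such as `# 'admin' presumably satisfies context_is_admin in admin_rbac_policy.json, so is_admin-based rules resolve to allowed -- confirm against the resource file`. The enclosing test method starts outside the hunk.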
@@ -101,3 +108,31 @@
for rule in disallowed_rules:
allowed = converter.allowed(rule, role)
self.assertFalse(allowed)
+
+ def test_admin_policy_file_with_context_is_admin(self):
+ converter = rbac_role_converter.RbacPolicyConverter(
+ None, "test", self.alt_admin_policy_file)
+
+ role = 'fake_admin'
+ allowed_rules = ['non_admin_rule']
+ disallowed_rules = ['admin_rule']
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertTrue(allowed)
+
+ for rule in disallowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertFalse(allowed)
+
+ role = 'super_admin'
+ allowed_rules = ['admin_rule']
+ disallowed_rules = ['non_admin_rule']
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertTrue(allowed)
+
+ for rule in disallowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertFalse(allowed)
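Review bot: test_admin_policy_file_with_context_is_admin hard-codes the roles `fake_admin` and `super_admin` and four rule outcomes that only make sense against the contents of alt_admin_rbac_policy.json, which is not shown in this diff, and carries no docstring stating that relationship. Add a docstring saying which role the resource file's context_is_admin rule names and why each role is expected to be allowed or denied each rule, so a later edit to the JSON does not silently invert the test's meaning. The two copies of the allowed/disallowed loop pair could also be collapsed into one table-driven loop, and passing `rule` as the assertion message would identify the failing rule instead of a bare AssertionError.
```python
    def test_admin_policy_file_with_context_is_admin(self):
        """Check role outcomes against alt_admin_rbac_policy.json.

        The expected outcomes below depend on the context_is_admin rule in
        that resource file; see the resource before changing these tables.
        """
        converter = rbac_role_converter.RbacPolicyConverter(
            None, "test", self.alt_admin_policy_file)

        # (role, rules expected allowed, rules expected denied)
        expectations = [
            ('fake_admin', ['non_admin_rule'], ['admin_rule']),
            ('super_admin', ['admin_rule'], ['non_admin_rule']),
        ]
        for role, allowed_rules, disallowed_rules in expectations:
            for rule in allowed_rules:
                self.assertTrue(converter.allowed(rule, role), rule)
            for rule in disallowed_rules:
                self.assertFalse(converter.allowed(rule, role), rule)
```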