# Copyright 2013 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from glance.api import policy
from glance.api import property_protections
from glance.common import exception
from glance.common import property_utils
import glance.domain
from glance.tests import utils
TENANT1 = '6838eb7b-6ded-434a-882c-b344c77fe8df'
TENANT2 = '2c014f32-55eb-467d-8fcb-4bd706012f81'
[docs]class TestProtectedImageRepoProxy(utils.BaseTestCase):
[docs] class ImageRepoStub(object):
def __init__(self, fixtures):
self.fixtures = fixtures
[docs] def get(self, image_id):
for f in self.fixtures:
if f.image_id == image_id:
return f
else:
raise ValueError(image_id)
[docs] def setUp(self):
super(TestProtectedImageRepoProxy, self).setUp()
self.set_property_protections()
self.policy = policy.Enforcer()
self.property_rules = property_utils.PropertyRules(self.policy)
self.image_factory = glance.domain.ImageFactory()
extra_props = {'spl_create_prop': 'c',
'spl_read_prop': 'r',
'spl_update_prop': 'u',
'spl_delete_prop': 'd',
'forbidden': 'prop'}
extra_props_2 = {'spl_read_prop': 'r', 'forbidden': 'prop'}
self.fixtures = [
self.image_factory.new_image(image_id='1', owner=TENANT1,
extra_properties=extra_props),
self.image_factory.new_image(owner=TENANT2, visibility='public'),
self.image_factory.new_image(image_id='3', owner=TENANT1,
extra_properties=extra_props_2),
]
self.context = glance.context.RequestContext(roles=['spl_role'])
image_repo = self.ImageRepoStub(self.fixtures)
self.image_repo = property_protections.ProtectedImageRepoProxy(
image_repo, self.context, self.property_rules)
[docs] def test_get_image(self):
image_id = '1'
result_image = self.image_repo.get(image_id)
result_extra_props = result_image.extra_properties
self.assertEqual('c', result_extra_props['spl_create_prop'])
self.assertEqual('r', result_extra_props['spl_read_prop'])
self.assertEqual('u', result_extra_props['spl_update_prop'])
self.assertEqual('d', result_extra_props['spl_delete_prop'])
self.assertNotIn('forbidden', result_extra_props.keys())
[docs] def test_list_image(self):
result_images = self.image_repo.list()
self.assertEqual(3, len(result_images))
result_extra_props = result_images[0].extra_properties
self.assertEqual('c', result_extra_props['spl_create_prop'])
self.assertEqual('r', result_extra_props['spl_read_prop'])
self.assertEqual('u', result_extra_props['spl_update_prop'])
self.assertEqual('d', result_extra_props['spl_delete_prop'])
self.assertNotIn('forbidden', result_extra_props.keys())
result_extra_props = result_images[1].extra_properties
self.assertEqual({}, result_extra_props)
result_extra_props = result_images[2].extra_properties
self.assertEqual('r', result_extra_props['spl_read_prop'])
self.assertNotIn('forbidden', result_extra_props.keys())
[docs]class TestProtectedImageProxy(utils.BaseTestCase):
[docs] def setUp(self):
super(TestProtectedImageProxy, self).setUp()
self.set_property_protections()
self.policy = policy.Enforcer()
self.property_rules = property_utils.PropertyRules(self.policy)
[docs] def test_read_image_with_extra_prop(self):
context = glance.context.RequestContext(roles=['spl_role'])
extra_prop = {'spl_read_prop': 'read', 'spl_fake_prop': 'prop'}
image = self.ImageStub(extra_prop)
result_image = property_protections.ProtectedImageProxy(
image, context, self.property_rules)
result_extra_props = result_image.extra_properties
self.assertEqual('read', result_extra_props['spl_read_prop'])
self.assertNotIn('spl_fake_prop', result_extra_props.keys())
[docs]class TestExtraPropertiesProxy(utils.BaseTestCase):
[docs] def setUp(self):
super(TestExtraPropertiesProxy, self).setUp()
self.set_property_protections()
self.policy = policy.Enforcer()
self.property_rules = property_utils.PropertyRules(self.policy)
[docs] def test_read_extra_property_as_admin_role(self):
extra_properties = {'foo': 'bar', 'ping': 'pong'}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
test_result = extra_prop_proxy['foo']
self.assertEqual('bar', test_result)
[docs] def test_read_extra_property_as_unpermitted_role(self):
extra_properties = {'foo': 'bar', 'ping': 'pong'}
context = glance.context.RequestContext(roles=['unpermitted_role'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
self.assertRaises(KeyError, extra_prop_proxy.__getitem__, 'foo')
[docs] def test_update_extra_property_as_permitted_role_after_read(self):
extra_properties = {'foo': 'bar', 'ping': 'pong'}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
extra_prop_proxy['foo'] = 'par'
self.assertEqual('par', extra_prop_proxy['foo'])
[docs] def test_update_extra_property_as_unpermitted_role_after_read(self):
extra_properties = {'spl_read_prop': 'bar'}
context = glance.context.RequestContext(roles=['spl_role'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
self.assertRaises(exception.ReservedProperty,
extra_prop_proxy.__setitem__,
'spl_read_prop', 'par')
[docs] def test_update_reserved_extra_property(self):
extra_properties = {'spl_create_prop': 'bar'}
context = glance.context.RequestContext(roles=['spl_role'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
self.assertRaises(exception.ReservedProperty,
extra_prop_proxy.__setitem__, 'spl_create_prop',
'par')
[docs] def test_update_empty_extra_property(self):
extra_properties = {'foo': ''}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
extra_prop_proxy['foo'] = 'bar'
self.assertEqual('bar', extra_prop_proxy['foo'])
[docs] def test_create_extra_property_admin(self):
extra_properties = {}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
extra_prop_proxy['boo'] = 'doo'
self.assertEqual('doo', extra_prop_proxy['boo'])
[docs] def test_create_reserved_extra_property(self):
extra_properties = {}
context = glance.context.RequestContext(roles=['spl_role'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
self.assertRaises(exception.ReservedProperty,
extra_prop_proxy.__setitem__, 'boo',
'doo')
[docs] def test_delete_extra_property_as_admin_role(self):
extra_properties = {'foo': 'bar'}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
del extra_prop_proxy['foo']
self.assertRaises(KeyError, extra_prop_proxy.__getitem__, 'foo')
[docs] def test_delete_nonexistant_extra_property_as_admin_role(self):
extra_properties = {}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
self.assertRaises(KeyError, extra_prop_proxy.__delitem__, 'foo')
[docs] def test_delete_reserved_extra_property(self):
extra_properties = {'spl_read_prop': 'r'}
context = glance.context.RequestContext(roles=['spl_role'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
# Ensure property has been created and can be read
self.assertEqual('r', extra_prop_proxy['spl_read_prop'])
self.assertRaises(exception.ReservedProperty,
extra_prop_proxy.__delitem__, 'spl_read_prop')
[docs] def test_delete_nonexistant_extra_property(self):
extra_properties = {}
roles = ['spl_role']
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
roles, extra_properties, self.property_rules)
self.assertRaises(KeyError,
extra_prop_proxy.__delitem__, 'spl_read_prop')
[docs] def test_delete_empty_extra_property(self):
extra_properties = {'foo': ''}
context = glance.context.RequestContext(roles=['admin'])
extra_prop_proxy = property_protections.ExtraPropertiesProxy(
context, extra_properties, self.property_rules)
del extra_prop_proxy['foo']
self.assertNotIn('foo', extra_prop_proxy)
[docs]class TestProtectedImageFactoryProxy(utils.BaseTestCase):
[docs] def setUp(self):
super(TestProtectedImageFactoryProxy, self).setUp()
self.set_property_protections()
self.policy = policy.Enforcer()
self.property_rules = property_utils.PropertyRules(self.policy)
self.factory = glance.domain.ImageFactory()
[docs] def test_create_image_no_extra_prop(self):
self.context = glance.context.RequestContext(tenant=TENANT1,
roles=['spl_role'])
self.image_factory = property_protections.ProtectedImageFactoryProxy(
self.factory, self.context,
self.property_rules)
extra_props = {}
image = self.image_factory.new_image(extra_properties=extra_props)
expected_extra_props = {}
self.assertEqual(expected_extra_props, image.extra_properties)
[docs] def test_create_image_extra_prop(self):
self.context = glance.context.RequestContext(tenant=TENANT1,
roles=['spl_role'])
self.image_factory = property_protections.ProtectedImageFactoryProxy(
self.factory, self.context,
self.property_rules)
extra_props = {'spl_create_prop': 'c'}
image = self.image_factory.new_image(extra_properties=extra_props)
expected_extra_props = {'spl_create_prop': 'c'}
self.assertEqual(expected_extra_props, image.extra_properties)
[docs] def test_create_image_extra_prop_reserved_property(self):
self.context = glance.context.RequestContext(tenant=TENANT1,
roles=['spl_role'])
self.image_factory = property_protections.ProtectedImageFactoryProxy(
self.factory, self.context,
self.property_rules)
extra_props = {'foo': 'bar', 'spl_create_prop': 'c'}
# no reg ex for property 'foo' is mentioned for spl_role in config
self.assertRaises(exception.ReservedProperty,
self.image_factory.new_image,
extra_properties=extra_props)
[docs] def test_create_image_extra_prop_admin(self):
self.context = glance.context.RequestContext(tenant=TENANT1,
roles=['admin'])
self.image_factory = property_protections.ProtectedImageFactoryProxy(
self.factory, self.context,
self.property_rules)
extra_props = {'foo': 'bar', 'spl_create_prop': 'c'}
image = self.image_factory.new_image(extra_properties=extra_props)
expected_extra_props = {'foo': 'bar', 'spl_create_prop': 'c'}
self.assertEqual(expected_extra_props, image.extra_properties)
[docs] def test_create_image_extra_prop_invalid_role(self):
self.context = glance.context.RequestContext(tenant=TENANT1,
roles=['imaginary-role'])
self.image_factory = property_protections.ProtectedImageFactoryProxy(
self.factory, self.context,
self.property_rules)
extra_props = {'foo': 'bar', 'spl_create_prop': 'c'}
self.assertRaises(exception.ReservedProperty,
self.image_factory.new_image,
extra_properties=extra_props)