mirror of
https://github.com/OpenKMIP/PyKMIP.git
synced 2025-05-31 04:00:07 +02:00
008f86cfa9
This change tweaks the format of operation policy files, renaming the 'default' section of each policy to 'preset'. This reinforces the idea that this section of the policy is used only when group- based access control is disabled. It also removes any ambiguity between this section of the policy and the actual 'default' policy built into the server.
289 lines
8.4 KiB
Python
289 lines
8.4 KiB
Python
# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import shutil
|
|
import tempfile
|
|
import testtools
|
|
|
|
from kmip.core import enums
|
|
from kmip.core import policy
|
|
|
|
|
|
class TestPolicy(testtools.TestCase):
|
|
|
|
def setUp(self):
|
|
super(TestPolicy, self).setUp()
|
|
|
|
self.temp_dir = tempfile.mkdtemp()
|
|
self.addCleanup(shutil.rmtree, self.temp_dir)
|
|
|
|
def tearDown(self):
|
|
super(TestPolicy, self).tearDown()
|
|
|
|
def test_parse_policy(self):
|
|
"""
|
|
Test that parsing a text-based policy works correctly.
|
|
"""
|
|
object_policy = {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}
|
|
observed = policy.parse_policy(object_policy)
|
|
|
|
expected = {
|
|
enums.ObjectType.CERTIFICATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
|
|
self.assertEqual(expected, observed)
|
|
|
|
def test_parse_policy_with_bad_object_type(self):
|
|
"""
|
|
Test that policy parsing correctly handles an invalid object type
|
|
string.
|
|
"""
|
|
object_policy = {"INVALID": {"LOCATE": "ALLOW_ALL"}}
|
|
|
|
args = (object_policy, )
|
|
regex = "'INVALID' is not a valid ObjectType value."
|
|
self.assertRaisesRegexp(
|
|
ValueError,
|
|
regex,
|
|
policy.parse_policy,
|
|
*args
|
|
)
|
|
|
|
def test_parse_policy_with_bad_operation(self):
|
|
"""
|
|
Test that policy parsing correctly handles an invalid operation string.
|
|
"""
|
|
object_policy = {"CERTIFICATE": {"INVALID": "ALLOW_ALL"}}
|
|
|
|
args = (object_policy, )
|
|
regex = "'INVALID' is not a valid Operation value."
|
|
self.assertRaisesRegexp(
|
|
ValueError,
|
|
regex,
|
|
policy.parse_policy,
|
|
*args
|
|
)
|
|
|
|
def test_parse_policy_with_bad_permission(self):
|
|
"""
|
|
Test that policy parsing correctly handles an invalid permission
|
|
string.
|
|
"""
|
|
object_policy = {"CERTIFICATE": {"LOCATE": "INVALID"}}
|
|
|
|
args = (object_policy, )
|
|
regex = "'INVALID' is not a valid Policy value."
|
|
self.assertRaisesRegexp(
|
|
ValueError,
|
|
regex,
|
|
policy.parse_policy,
|
|
*args
|
|
)
|
|
|
|
def test_read_policy_from_file(self):
|
|
"""
|
|
Test that reading a policy file works correctly.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {'
|
|
'"groups": {"group_A": {"SPLIT_KEY": {"GET": "ALLOW_ALL"}}}, '
|
|
'"preset": {"SPLIT_KEY": {"GET": "ALLOW_ALL"}}}'
|
|
'}'
|
|
)
|
|
|
|
policies = policy.read_policy_from_file(policy_file.name)
|
|
|
|
self.assertEqual(1, len(policies))
|
|
self.assertIn('test', policies.keys())
|
|
|
|
expected = {
|
|
'groups': {
|
|
'group_A': {
|
|
enums.ObjectType.SPLIT_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
},
|
|
'preset': {
|
|
enums.ObjectType.SPLIT_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
|
|
self.assertEqual(expected, policies.get('test'))
|
|
|
|
def test_read_policy_from_file_groups_only(self):
|
|
"""
|
|
Test that reading a policy file with only a groups section works
|
|
correctly.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": '
|
|
'{"groups": {"group_A": {"SPLIT_KEY": {"GET": "ALLOW_ALL"}}}}}'
|
|
)
|
|
|
|
policies = policy.read_policy_from_file(policy_file.name)
|
|
|
|
self.assertEqual(1, len(policies))
|
|
self.assertIn('test', policies.keys())
|
|
|
|
expected = {
|
|
'groups': {
|
|
'group_A': {
|
|
enums.ObjectType.SPLIT_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
self.assertEqual(expected, policies.get('test'))
|
|
|
|
def test_read_policy_from_file_default_only(self):
|
|
"""
|
|
Test that reading a policy file with only a preset section works
|
|
correctly.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": '
|
|
'{"preset": {"SPLIT_KEY": {"GET": "ALLOW_ALL"}}}}'
|
|
)
|
|
|
|
policies = policy.read_policy_from_file(policy_file.name)
|
|
|
|
self.assertEqual(1, len(policies))
|
|
self.assertIn('test', policies.keys())
|
|
|
|
expected = {
|
|
'preset': {
|
|
enums.ObjectType.SPLIT_KEY: {
|
|
enums.Operation.GET: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
|
|
self.assertEqual(expected, policies.get('test'))
|
|
|
|
def test_read_policy_from_file_invalid_section(self):
|
|
"""
|
|
Test that reading a policy file with an invalid section generates
|
|
the right error.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {'
|
|
'"invalid": {"group_A": {"SPLIT_KEY": {"GET": "ALLOW_ALL"}}}}}'
|
|
)
|
|
|
|
args = (policy_file.name, )
|
|
regex = "Policy 'test' contains an invalid section named: invalid"
|
|
self.assertRaisesRegexp(
|
|
ValueError,
|
|
regex,
|
|
policy.read_policy_from_file,
|
|
*args
|
|
)
|
|
|
|
def test_read_policy_from_file_legacy(self):
|
|
"""
|
|
Test that reading a legacy policy file works correctly.
|
|
|
|
Note: legacy policy file support may be removed in the future.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {"CERTIFICATE": {"LOCATE": "ALLOW_ALL"}}}'
|
|
)
|
|
|
|
policies = policy.read_policy_from_file(policy_file.name)
|
|
|
|
self.assertEqual(1, len(policies))
|
|
self.assertIn('test', policies.keys())
|
|
|
|
expected = {
|
|
'preset': {
|
|
enums.ObjectType.CERTIFICATE: {
|
|
enums.Operation.LOCATE: enums.Policy.ALLOW_ALL
|
|
}
|
|
}
|
|
}
|
|
|
|
self.assertEqual(expected, policies.get('test'))
|
|
|
|
def test_read_policy_from_file_empty(self):
|
|
"""
|
|
Test that reading an empty policy file generates the right error.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write('')
|
|
|
|
args = (policy_file.name, )
|
|
regex = "Loading the policy file '{}' generated a JSON error:".format(
|
|
policy_file.name
|
|
)
|
|
self.assertRaisesRegexp(
|
|
ValueError,
|
|
regex,
|
|
policy.read_policy_from_file,
|
|
*args
|
|
)
|
|
|
|
def test_read_policy_from_file_empty_policy(self):
|
|
"""
|
|
Test that reading a file with an empty policy is handled correctly.
|
|
"""
|
|
policy_file = tempfile.NamedTemporaryFile(
|
|
dir=self.temp_dir,
|
|
delete=False
|
|
)
|
|
with open(policy_file.name, 'w') as f:
|
|
f.write(
|
|
'{"test": {}}'
|
|
)
|
|
|
|
policies = policy.read_policy_from_file(policy_file.name)
|
|
|
|
self.assertEqual(0, len(policies))
|