author | Steven Hardy <shardy@redhat.com> | 2013-11-29 14:50:07 +0000 |
---|---|---|
committer | Steven Hardy <shardy@redhat.com> | 2013-11-29 17:29:11 +0000 |
commit | 3a1e7838ff6da9b3c59408068d7ec6721b1dc957 (patch) | |
tree | b9089ff29b87ea8d61f3dcc5ae7e2378c9b0f6eb /heat/tests/test_common_context.py | |
parent | 1aa3ce7460fd8db9bff39def14d7ae36c69b6d7d (diff) | |
Derive context is_admin from policy
Use a rule in the policy.json to correctly derive a user's admin-ness
based on their roles, when it is not explicitly specified in the
RequestContext constructor.
Keystone auth_token tests X-Roles based on the user role membership
for the tenant the token is scoped to, so this will allow us to define
per-tenant admins (the admin everywhere issue described in keystone
bug #968696 won't apply here, that is specific to keystone).
Remove the admin_role config option, which doesn't do anything; the
admin role should now be specified via policy.json.
Change-Id: I1921a2b515ecc8ca5d37205e3cdb6b7b8695b1ac
bluprint: request-scoping-policy
Diffstat (limited to 'heat/tests/test_common_context.py')
-rw-r--r-- | heat/tests/test_common_context.py | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/heat/tests/test_common_context.py b/heat/tests/test_common_context.py
index a3a2d8eac..41bdfef45 100644
--- a/heat/tests/test_common_context.py
+++ b/heat/tests/test_common_context.py
@@ -12,9 +12,14 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import mock
+import os
+
 from heat.common import context
 from heat.tests.common import HeatTestCase
+policy_path = os.path.dirname(os.path.realpath(__file__)) + "/policy/"
+
 class TestRequestContext(HeatTestCase):
@@ -22,11 +27,11 @@ class TestRequestContext(HeatTestCase):
 self.ctx = {'username': 'mick',
 'trustor_user_id': None,
 'auth_token': '123',
- 'is_admin': True,
+ 'is_admin': False,
 'user': 'mick',
 'password': 'foo',
 'trust_id': None,
- 'roles': ['arole', 'admin'],
+ 'roles': ['arole', 'notadmin'],
 'tenant_id': '456tenant',
 'tenant': 'atenant',
 'auth_url': 'http://xyz',
@@ -62,3 +67,21 @@ class TestRequestContext(HeatTestCase):
 override = '%s_override' % k
 setattr(ctx, k, override)
 self.assertEqual(ctx.to_dict().get(k), override)
+
+ def test_get_admin_context(self):
+ ctx = context.get_admin_context()
+ self.assertTrue(ctx.is_admin)
+
+ def test_admin_context_policy_true(self):
+ policy_check = 'heat.common.policy.Enforcer.check_is_admin'
+ with mock.patch(policy_check) as pc:
+ pc.return_value = True
+ ctx = context.RequestContext(roles=['admin'])
+ self.assertTrue(ctx.is_admin)
+
+ def test_admin_context_policy_false(self):
+ policy_check = 'heat.common.policy.Enforcer.check_is_admin'
+ with mock.patch(policy_check) as pc:
+ pc.return_value = False
+ ctx = context.RequestContext(roles=['notadmin'])
+ self.assertFalse(ctx.is_admin) |
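Review bot: `policy_path` is assigned at module level in the first hunk, but nothing in the visible hunks of this file reads it, and `import os` is there only to build it. Either drop both until a test actually loads a policy file from that directory, or use the path in a test that runs the real enforcer against a fixture policy.json rather than a mock. If it stays, a short comment such as `# Directory holding the policy.json fixtures used by these tests` would say what it is for.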
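Review bot: Both policy tests in the last hunk replace `Enforcer.check_is_admin` with a mock, so the `roles=['admin']` and `roles=['notadmin']` arguments have no influence on the result. The tests would still pass if RequestContext never handed its roles to the enforcer, or if the admin rule in policy.json were wrong. Since this is the code path that decides privilege, it also needs a case for the precedence the commit message describes: an explicit `is_admin` passed to the constructor should win and the policy should not be consulted. That assumes `is_admin=False` counts as "explicitly specified", which the constructor (not visible here) would confirm. A further test that runs the unmocked enforcer against a fixture policy file would cover the rule itself.

```python
    # … unchanged: test_admin_context_policy_true / test_admin_context_policy_false …

    def test_admin_context_explicit_is_admin_wins(self):
        policy_check = 'heat.common.policy.Enforcer.check_is_admin'
        with mock.patch(policy_check) as pc:
            # Policy would grant admin, but the caller said otherwise.
            pc.return_value = True
            ctx = context.RequestContext(roles=['admin'], is_admin=False)
            self.assertFalse(ctx.is_admin)
            self.assertFalse(pc.called)
```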