Diffstat (limited to 'nova/tests/unit/policies/test_aggregates.py')
-rw-r--r-- | nova/tests/unit/policies/test_aggregates.py | 157 |
1 files changed, 65 insertions, 92 deletions
diff --git a/nova/tests/unit/policies/test_aggregates.py b/nova/tests/unit/policies/test_aggregates.py
index ce3c00f30b..6ac7b6e010 100644
--- a/nova/tests/unit/policies/test_aggregates.py
+++ b/nova/tests/unit/policies/test_aggregates.py
@@ -10,7 +10,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import mock
+from unittest import mock
+
 from oslo_utils.fixture import uuidsentinel as uuids
 
 from nova.api.openstack.compute import aggregates
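Review bot: Swapping `import mock` for `from unittest import mock` removes a third-party test-only dependency from this module, which is a welcome supply-chain reduction, but the diff does not show the matching removal from the test requirements or constraints files; if the `mock` package stays pinned there it is still installed and importable for no reason. It is worth confirming in the same change that no other module under nova/tests still does `import mock`, since the package can only be dropped once every user is converted.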
@@ -31,39 +32,19 @@ class AggregatesPolicyTest(base.BasePolicyTest):
         super(AggregatesPolicyTest, self).setUp()
         self.controller = aggregates.AggregateController()
         self.req = fakes.HTTPRequest.blank('')
-        # Check that admin is able to perform Aggregate Operations
-        self.admin_authorized_contexts = [
+        # With legacy rule and scope check disabled by default, system admin,
+        # legacy admin, and project admin will be able to perform Aggregate
+        # Operations.
+        self.project_admin_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
             self.project_admin_context]
-        # Check that non-admin is not able to perform Aggregate Operations
-        self.admin_unauthorized_contexts = [
-            self.system_member_context, self.system_reader_context,
-            self.system_foo_context, self.project_member_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-            self.project_foo_context, self.project_reader_context
-        ]
-
-        # Check that system reader is able to get Aggregate
-        self.system_reader_authorized_contexts = [
-            self.legacy_admin_context, self.system_admin_context,
-            self.project_admin_context, self.system_member_context,
-            self.system_reader_context]
-        # Check that non-admin is not able to get Aggregate
-        self.system_reader_unauthorized_contexts = [
-            self.system_foo_context, self.project_member_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-            self.project_foo_context, self.project_reader_context
-        ]
 
     @mock.patch('nova.compute.api.AggregateAPI.get_aggregate_list')
     def test_list_aggregate_policy(self, mock_list):
         rule_name = "os_compute_api:os-aggregates:index"
-        self.common_policy_check(self.system_reader_authorized_contexts,
-                                 self.system_reader_unauthorized_contexts,
-                                 rule_name, self.controller.index,
-                                 self.req)
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name, self.controller.index,
+                                self.req)
 
     @mock.patch('nova.compute.api.AggregateAPI.create_aggregate')
     def test_create_aggregate_policy(self, mock_create):
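Review bot: The explicit list of denied contexts is removed from setUp and from `test_list_aggregate_policy`, so the negative half of every policy test here — that `system_reader`, `system_member`, `project_member`, the `other_project_*` and the `*_foo` contexts are rejected — now rests entirely on `common_policy_auth` deriving the complement from the base class's full context set, which is not visible in this diff. Please confirm that helper iterates every context the base test defines and fails on any unexpected allow; otherwise this conversion silently drops the check that non-admins cannot touch host aggregates. Note also that `index` and `show` now use the same admin-only list, so the system-reader read access the old `system_reader_authorized_contexts` asserted is gone; that appears intentional given the new setUp comment, but it deserves a line there, e.g. `# The same list gates index/show: reading aggregates is admin-only.` The body of `test_create_aggregate_policy` continues past the end of this hunk.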
@@ -74,66 +55,59 @@ class AggregatesPolicyTest(base.BasePolicyTest):
             "hosts": ["host1", "host2"]})
         body = {"aggregate": {"name": "test",
                               "availability_zone": "nova1"}}
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name,
-                                 self.controller.create,
-                                 self.req, body=body)
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name,
+                                self.controller.create,
+                                self.req, body=body)
 
     @mock.patch('nova.compute.api.AggregateAPI.update_aggregate')
     def test_update_aggregate_policy(self, mock_update):
         rule_name = "os_compute_api:os-aggregates:update"
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name, self.controller.update,
-                                 self.req, 1,
-                                 body={"aggregate": {"name": "new_name"}})
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name, self.controller.update,
+                                self.req, 1,
+                                body={"aggregate": {"name": "new_name"}})
 
     @mock.patch('nova.compute.api.AggregateAPI.delete_aggregate')
     def test_delete_aggregate_policy(self, mock_delete):
         rule_name = "os_compute_api:os-aggregates:delete"
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name,
-                                 self.controller.delete,
-                                 self.req, 1)
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name,
+                                self.controller.delete,
+                                self.req, 1)
 
     @mock.patch('nova.compute.api.AggregateAPI.get_aggregate')
     def test_show_aggregate_policy(self, mock_show):
         rule_name = "os_compute_api:os-aggregates:show"
-        self.common_policy_check(self.system_reader_authorized_contexts,
-                                 self.system_reader_unauthorized_contexts,
-                                 rule_name, self.controller.show,
-                                 self.req, 1)
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name, self.controller.show,
+                                self.req, 1)
 
     @mock.patch('nova.compute.api.AggregateAPI.update_aggregate_metadata')
     def test_set_metadata_aggregate_policy(self, mock_metadata):
         rule_name = "os_compute_api:os-aggregates:set_metadata"
         body = {"set_metadata": {"metadata": {"foo": "bar"}}}
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name,
-                                 self.controller._set_metadata,
-                                 self.req, 1, body=body)
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name,
+                                self.controller._set_metadata,
+                                self.req, 1, body=body)
 
     @mock.patch('nova.compute.api.AggregateAPI.add_host_to_aggregate')
     def test_add_host_aggregate_policy(self, mock_add):
         rule_name = "os_compute_api:os-aggregates:add_host"
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name, self.controller._add_host,
-                                 self.req, 1,
-                                 body={"add_host": {"host": "host1"}})
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name, self.controller._add_host,
+                                self.req, 1,
+                                body={"add_host": {"host": "host1"}})
 
     @mock.patch('nova.compute.api.AggregateAPI.remove_host_from_aggregate')
     def test_remove_host_aggregate_policy(self, mock_remove):
         rule_name = "os_compute_api:os-aggregates:remove_host"
-        self.common_policy_check(self.admin_authorized_contexts,
-                                 self.admin_unauthorized_contexts,
-                                 rule_name,
-                                 self.controller._remove_host,
-                                 self.req, 1,
-                                 body={"remove_host": {"host": "host1"}})
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name,
+                                self.controller._remove_host,
+                                self.req, 1,
+                                body={"remove_host": {"host": "host1"}})
 
     @mock.patch('nova.compute.api.AggregateAPI.get_aggregate')
     def test_images_aggregate_policy(self, mock_get):
@@ -144,10 +118,21 @@ class AggregatesPolicyTest(base.BasePolicyTest):
         body = {'cache': [{'id': uuids.fake_id}]}
         req = fakes.HTTPRequest.blank('', version='2.81')
         with mock.patch('nova.conductor.api.ComputeTaskAPI.cache_images'):
-            self.common_policy_check(self.admin_authorized_contexts,
-                                     self.admin_unauthorized_contexts,
-                                     rule_name, self.controller.images,
-                                     req, 1, body=body)
+            self.common_policy_auth(self.project_admin_authorized_contexts,
+                                    rule_name, self.controller.images,
+                                    req, 1, body=body)
+
+
+class AggregatesNoLegacyNoScopePolicyTest(AggregatesPolicyTest):
+    """Test Aggregates APIs policies with no legacy deprecated rules
+    and no scope checks which means new defaults only. In this case
+    system admin, legacy admin, and project admin will be able to
+    perform Aggregate Operations. Legacy admin will be allowed as policy
+    is just admin if no scope checks.
+
+    """
+
+    without_deprecated_rules = True
 
 
 class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
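Review bot: `AggregatesNoLegacyNoScopePolicyTest` overrides nothing but `without_deprecated_rules = True`, so what it actually asserts is that removing the deprecated rules leaves the inherited `project_admin_authorized_contexts` unchanged; the docstring restates the set instead of saying that, which is the property a future reader needs when the base list changes. Suggested wording: `Same authorized set as AggregatesPolicyTest; verifies dropping the deprecated rules changes nothing when scope checks are off.` The blank line left inside that docstring before the closing `"""` is a style nit. The `test_images_aggregate_policy` method begins before this hunk.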
@@ -164,28 +149,16 @@ class AggregatesScopeTypePolicyTest(AggregatesPolicyTest):
         super(AggregatesScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
 
-        # Check that system admin is able to perform Aggregate Operations.
-        self.admin_authorized_contexts = [
-            self.system_admin_context]
-        # Check that non-system or non-admin is not able to perform
-        # Aggregate Operations.
-        self.admin_unauthorized_contexts = [
-            self.legacy_admin_context, self.system_member_context,
-            self.system_reader_context, self.system_foo_context,
-            self.project_admin_context, self.project_member_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-            self.project_foo_context, self.project_reader_context
-        ]
-        # Check that system reader is able to get Aggregate
-        self.system_reader_authorized_contexts = [
-            self.system_admin_context, self.system_member_context,
-            self.system_reader_context]
-        # Check that non-admin is not able to get Aggregate
-        self.system_reader_unauthorized_contexts = [
-            self.legacy_admin_context, self.project_admin_context,
-            self.system_foo_context, self.project_member_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-            self.project_foo_context, self.project_reader_context
-        ]
+        # With scope checks enabled, only project-scoped admins are
+        # able to perform Aggregate Operations.
+        self.project_admin_authorized_contexts = [self.legacy_admin_context,
+                                                  self.project_admin_context]
+
+
+class AggregatesScopeTypeNoLegacyPolicyTest(AggregatesScopeTypePolicyTest):
+    """Test Aggregates APIs policies with no legacy deprecated rules
+    and scope checks enabled which means scope + new defaults so
+    only system admin is able to perform aggregates Operations.
+    """
+
+    without_deprecated_rules = True
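Review bot: The docstring of `AggregatesScopeTypeNoLegacyPolicyTest` says "only system admin is able to perform aggregates Operations", but the class overrides no setUp, so it inherits `project_admin_authorized_contexts = [self.legacy_admin_context, self.project_admin_context]` from the new `AggregatesScopeTypePolicyTest.setUp` just above, which excludes `system_admin_context`; the test will therefore assert the opposite of what its docstring claims. Given the new comment "only project-scoped admins are able to perform Aggregate Operations", the docstring looks like a stale copy of the removed system-admin wording and should read `only legacy admin and project admin are able to perform Aggregate Operations.` If system-admin-only really is intended with scope enforced, the class needs its own setUp that sets the list to `[self.system_admin_context]`, otherwise the inherited set (presumably checked as the complement by `common_policy_auth`, which is not visible here) would treat a system-admin allow as a failure. Either way the docstring and the authorized set must agree before this merges.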