Diffstat (limited to 'nova/tests/unit/policies/test_availability_zone.py')
-rw-r--r-- | nova/tests/unit/policies/test_availability_zone.py | 85 |
1 files changed, 38 insertions, 47 deletions
diff --git a/nova/tests/unit/policies/test_availability_zone.py b/nova/tests/unit/policies/test_availability_zone.py
index 454692fde8..1852f8444c 100644
--- a/nova/tests/unit/policies/test_availability_zone.py
+++ b/nova/tests/unit/policies/test_availability_zone.py
@@ -10,7 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-import mock
+from unittest import mock
 
 from nova.api.openstack.compute import availability_zone
 from nova.tests.unit.api.openstack import fakes
@@ -31,49 +31,38 @@ class AvailabilityZonePolicyTest(base.BasePolicyTest):
         self.controller = availability_zone.AvailabilityZoneController()
         self.req = fakes.HTTPRequest.blank('')
 
-        # Check that everyone is able to list the AZ
-        self.everyone_authorized_contexts = [
+        # With legacy rule and scope check disabled by default, system admin,
+        # legacy admin, and project admin will be able to get AZ with host
+        # information.
+        self.project_admin_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
-            self.project_admin_context, self.system_member_context,
-            self.system_reader_context, self.system_foo_context,
-            self.project_member_context, self.other_project_member_context,
-            self.project_foo_context, self.project_reader_context,
-            self.other_project_reader_context,
-        ]
-        self.everyone_unauthorized_contexts = []
-
-        # Check that system reader is able to list the AZ Detail
-        # NOTE(gmann): Until old default rule which is admin_api is
-        # deprecated and not removed, project admin and legacy admin
-        # will be able to list the AZ. This make sure that existing
-        # tokens will keep working even we have changed this policy defaults
-        # to reader role.
-        self.reader_authorized_contexts = [
-            self.system_admin_context, self.system_member_context,
-            self.system_reader_context, self.legacy_admin_context,
             self.project_admin_context]
-        # Check that non-system-reader are not able to list the AZ.
-        self.reader_unauthorized_contexts = [
-            self.system_foo_context, self.other_project_member_context,
-            self.project_foo_context, self.project_member_context,
-            self.project_reader_context,
-            self.other_project_reader_context,
-        ]
+        self.project_authorized_contexts = self.all_contexts
 
     @mock.patch('nova.objects.Instance.save')
     def test_availability_zone_list_policy(self, mock_save):
         rule_name = "os_compute_api:os-availability-zone:list"
-        self.common_policy_check(self.everyone_authorized_contexts,
-                                 self.everyone_unauthorized_contexts,
-                                 rule_name, self.controller.index,
-                                 self.req)
+        self.common_policy_auth(self.project_authorized_contexts,
+                                rule_name, self.controller.index,
+                                self.req)
 
     def test_availability_zone_detail_policy(self):
         rule_name = "os_compute_api:os-availability-zone:detail"
-        self.common_policy_check(self.reader_authorized_contexts,
-                                 self.reader_unauthorized_contexts,
-                                 rule_name, self.controller.detail,
-                                 self.req)
+        self.common_policy_auth(self.project_admin_authorized_contexts,
+                                rule_name, self.controller.detail,
+                                self.req)
+
+
+class AvailabilityZoneNoLegacyNoScopePolicyTest(AvailabilityZonePolicyTest):
+    """Test Availability Zones APIs policies with no legacy deprecated rules
+    and no scope checks which means new defaults only. In this case
+    system admin, legacy admin, and project admin will be able to get
+    AZ with host information. Legacy admin will be allowed as policy
+    is just admin if no scope checks.
+
+    """
+
+    without_deprecated_rules = True
 
 
 class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
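Review bot: The denied side of the detail check is now implicit: `common_policy_auth(self.project_admin_authorized_contexts, ...)` receives only the allowed list, so whether `project_member`, `project_reader` and the other-project contexts are still asserted to be refused the host-bearing `detail` response depends on the helper complementing against `self.all_contexts`, which is defined outside this hunk. Since that refusal is the property the old explicit `reader_unauthorized_contexts` pinned, a comment above the `detail` call such as `# common_policy_auth also asserts every context not listed is denied` would make the intent visible, assuming the helper does behave that way. The new `AvailabilityZoneNoLegacyNoScopePolicyTest` docstring also ends with a stray blank line before the closing `"""`, unlike its sibling in the next hunk. `setUp` begins outside this hunk.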
@@ -91,15 +80,17 @@ class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
         super(AvailabilityZoneScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
 
-        # Check that system reader is able to list the AZ.
-        self.reader_authorized_contexts = [
-            self.system_admin_context, self.system_member_context,
-            self.system_reader_context]
-        # Check that non-system-reader is not able to list AZ.
-        self.reader_unauthorized_contexts = [
-            self.system_foo_context, self.legacy_admin_context,
-            self.project_admin_context, self.project_member_context,
-            self.other_project_member_context,
-            self.project_foo_context, self.project_reader_context,
-            self.other_project_reader_context,
-        ]
+        # With scope checks enable, only project-scoped admins are
+        # able to get AZ with host information.
+        self.project_admin_authorized_contexts = [self.legacy_admin_context,
+                                                  self.project_admin_context]
+        self.project_authorized_contexts = self.all_project_contexts
+
+
+class AZScopeTypeNoLegacyPolicyTest(AvailabilityZoneScopeTypePolicyTest):
+    """Test Availability Zones APIs policies with no legacy deprecated rules
+    and scope checks enabled which means scope + new defaults so
+    only system admin is able to get AZ with host information.
+    """
+
+    without_deprecated_rules = True |
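Review bot: The `AZScopeTypeNoLegacyPolicyTest` docstring says only system admin can get AZ with host information, but the class inherits `project_admin_authorized_contexts = [self.legacy_admin_context, self.project_admin_context]` from the `AvailabilityZoneScopeTypePolicyTest.setUp` rewritten in this same hunk, whose comment says only project-scoped admins are allowed; the two contradict each other and the docstring looks like the stale one. Suggest `only project-scoped admins are able to get AZ with host information.` in place of the system-admin sentence, unless the subclass is meant to override the contexts. Keeping `legacy_admin_context` authorized under `enforce_scope=True` presumably relies on the legacy admin fixture being a project-scoped token, which is worth confirming since that fixture is not visible here. The comment `# With scope checks enable, only` should read `# With scope checks enabled, only`. The `setUp` signature is outside this hunk.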