Diffstat (limited to 'nova/tests/unit/policies/test_availability_zone.py')
-rw-r--r--nova/tests/unit/policies/test_availability_zone.py85
1 files changed, 38 insertions, 47 deletions
diff --git a/nova/tests/unit/policies/test_availability_zone.py b/nova/tests/unit/policies/test_availability_zone.py
index 454692fde8..1852f8444c 100644
--- a/nova/tests/unit/policies/test_availability_zone.py
+++ b/nova/tests/unit/policies/test_availability_zone.py
@@ -10,7 +10,7 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+from unittest import mock
from nova.api.openstack.compute import availability_zone
from nova.tests.unit.api.openstack import fakes
@@ -31,49 +31,38 @@ class AvailabilityZonePolicyTest(base.BasePolicyTest):
self.controller = availability_zone.AvailabilityZoneController()
self.req = fakes.HTTPRequest.blank('')
- # Check that everyone is able to list the AZ
- self.everyone_authorized_contexts = [
+ # With legacy rule and scope check disabled by default, system admin,
+ # legacy admin, and project admin will be able to get AZ with host
+ # information.
+ self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
- self.project_member_context, self.other_project_member_context,
- self.project_foo_context, self.project_reader_context,
- self.other_project_reader_context,
- ]
- self.everyone_unauthorized_contexts = []
-
- # Check that system reader is able to list the AZ Detail
- # NOTE(gmann): Until old default rule which is admin_api is
- # deprecated and not removed, project admin and legacy admin
- # will be able to list the AZ. This make sure that existing
- # tokens will keep working even we have changed this policy defaults
- # to reader role.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context, self.legacy_admin_context,
self.project_admin_context]
- # Check that non-system-reader are not able to list the AZ.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.other_project_member_context,
- self.project_foo_context, self.project_member_context,
- self.project_reader_context,
- self.other_project_reader_context,
- ]
+ self.project_authorized_contexts = self.all_contexts
@mock.patch('nova.objects.Instance.save')
def test_availability_zone_list_policy(self, mock_save):
rule_name = "os_compute_api:os-availability-zone:list"
- self.common_policy_check(self.everyone_authorized_contexts,
- self.everyone_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.project_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
def test_availability_zone_detail_policy(self):
rule_name = "os_compute_api:os-availability-zone:detail"
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.detail,
- self.req)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ rule_name, self.controller.detail,
+ self.req)
+
+
+class AvailabilityZoneNoLegacyNoScopePolicyTest(AvailabilityZonePolicyTest):
+ """Test Availability Zones APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only. In this case
+ system admin, legacy admin, and project admin will be able to get
+ AZ with host information. Legacy admin will be allowed as policy
+ is just admin if no scope checks.
+
+ """
+
+ without_deprecated_rules = True
class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
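Review bot: The new assignment `self.project_authorized_contexts = self.all_contexts` has no comment, while the admin list just above it explains which contexts may fetch AZ detail, so a reader has to infer that the list API is intended to stay open to every context (including the system_foo and project_foo ones); a one-liner such as `# Listing AZs stays allowed for every context; only detail (host information) is admin-only.` would make the intended default explicit. The docstring of the added AvailabilityZoneNoLegacyNoScopePolicyTest ends with an empty line before the closing quotes; dropping it keeps it in the same shape as the other docstrings in this file. The setUp this hunk edits begins before the hunk.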
@@ -91,15 +80,17 @@ class AvailabilityZoneScopeTypePolicyTest(AvailabilityZonePolicyTest):
super(AvailabilityZoneScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system reader is able to list the AZ.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system-reader is not able to list AZ.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.legacy_admin_context,
- self.project_admin_context, self.project_member_context,
- self.other_project_member_context,
- self.project_foo_context, self.project_reader_context,
- self.other_project_reader_context,
- ]
+ # With scope checks enable, only project-scoped admins are
+ # able to get AZ with host information.
+ self.project_admin_authorized_contexts = [self.legacy_admin_context,
+ self.project_admin_context]
+ self.project_authorized_contexts = self.all_project_contexts
+
+
+class AZScopeTypeNoLegacyPolicyTest(AvailabilityZoneScopeTypePolicyTest):
+ """Test Availability Zones APIs policies with no legacy deprecated rules
+ and scope checks enabled which means scope + new defaults so
+ only system admin is able to get AZ with host information.
+ """
+
+ without_deprecated_rules = True
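Review bot: The docstring of AZScopeTypeNoLegacyPolicyTest says only system admin is able to get AZ with host information, but the class overrides nothing, so it inherits `self.project_admin_authorized_contexts = [self.legacy_admin_context, self.project_admin_context]` from the setUp above, whose own comment says only project-scoped admins are allowed; the test therefore asserts something other than what its docstring claims. Either the docstring should read `only project-scoped admins (legacy admin and project admin) are able to get AZ with host information`, or, if system admin is really the intent, the class needs its own setUp that resets the contexts. The class name also breaks the file's naming pattern; `AvailabilityZoneScopeTypeNoLegacyPolicyTest` would match the sibling AvailabilityZoneNoLegacyNoScopePolicyTest added in the previous hunk. The enclosing setUp starts outside this hunk.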