Diffstat (limited to 'nova/tests/unit/policies/test_evacuate.py')
-rw-r--r--nova/tests/unit/policies/test_evacuate.py63
1 files changed, 26 insertions, 37 deletions
diff --git a/nova/tests/unit/policies/test_evacuate.py b/nova/tests/unit/policies/test_evacuate.py
index 203cc136e9..b9e4c29dba 100644
--- a/nova/tests/unit/policies/test_evacuate.py
+++ b/nova/tests/unit/policies/test_evacuate.py
@@ -10,8 +10,9 @@
# License for the specific language governing permissions and limitations
# under the License.
+from unittest import mock
+
import fixtures
-import mock
from oslo_utils.fixture import uuidsentinel as uuids
from oslo_utils import timeutils
@@ -55,18 +56,12 @@ class EvacuatePolicyTest(base.BasePolicyTest):
id=1, uuid=uuid, user_id=user_id, vm_state=vm_states.ACTIVE,
task_state=None, launched_at=timeutils.utcnow())
self.mock_get.return_value = self.instance
- # Check that admin is able to evacuate the server
- self.admin_authorized_contexts = [
+ # By default, legacy rule are enable and scope check is disabled.
+ # system admin, legacy admin, and project admin is able to evacuate
+ # the server.
+ self.project_action_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
self.project_admin_context]
- # Check that non-admin is not able to evacuate the server
- self.admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
@mock.patch('nova.compute.api.API.evacuate')
def test_evacuate_policy(self, mock_evacuate):
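Review bot: With `admin_unauthorized_contexts` removed from `setUp`, nothing in this file states which contexts must be denied evacuate any more; the negative coverage for member, reader, foo and other-project contexts now rests on how `common_policy_auth` (called in the next hunk, defined outside this page) treats contexts missing from the authorized list. If the helper derives the deny set as the complement of the authorized list, say so next to the assignment, e.g. `# Every context not listed here is expected to be rejected by common_policy_auth.` The new comment would also read better as `# By default, legacy rules are enabled and the scope check is disabled.` followed by `# System admin, legacy admin and project admin are able to evacuate the server.` The body of `setUp` starts outside the hunk.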
@@ -75,11 +70,10 @@ class EvacuatePolicyTest(base.BasePolicyTest):
'onSharedStorage': 'False',
'adminPass': 'admin_pass'}
}
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name, self.controller._evacuate,
- self.req, uuids.fake_id,
- body=body)
+ self.common_policy_auth(self.project_action_authorized_contexts,
+ rule_name, self.controller._evacuate,
+ self.req, uuids.fake_id,
+ body=body)
def test_evacuate_policy_failed_with_other_user(self):
rule_name = "os_compute_api:os-evacuate"
@@ -109,7 +103,16 @@ class EvacuatePolicyTest(base.BasePolicyTest):
evacuate_mock.assert_called_once_with(
self.user_req.environ['nova.context'],
mock.ANY, 'my-host', False,
- 'MyNewPass', None)
+ 'MyNewPass', None, None)
+
+
+class EvacuateNoLegacyNoScopePolicyTest(EvacuatePolicyTest):
+ """Test Evacuate APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only.
+
+ """
+
+ without_deprecated_rules = True
class EvacuateScopeTypePolicyTest(EvacuatePolicyTest):
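Review bot: `EvacuateNoLegacyNoScopePolicyTest` sets only `without_deprecated_rules = True`, so it inherits the three-admin authorized list from `EvacuatePolicyTest.setUp` without saying that this is the intended result for the new defaults. A short comment above the flag would make the expectation explicit, e.g. `# New defaults, no scope check: legacy, system and project admin stay authorized (list inherited from the parent setUp).` In the same hunk, the extra positional `None` added to `assert_called_once_with` has no visible meaning; a trailing comment naming the parameter it stands for would help, and that name has to come from the `evacuate` signature, which is not shown here.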
@@ -126,28 +129,14 @@ class EvacuateScopeTypePolicyTest(EvacuatePolicyTest):
def setUp(self):
super(EvacuateScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
+ # With scope enable, system admin will not be able to
+ # evacuate the server.
+ self.project_action_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context]
-class EvacuateNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
+class EvacuateScopeTypeNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
"""Test Evacuate APIs policies with system scope enabled,
- and no more deprecated rules that allow the legacy admin API to
- access system APIs.
+ and no more deprecated rules which means scope + new defaults.
"""
without_deprecated_rules = True
-
- def setUp(self):
- super(EvacuateNoLegacyPolicyTest, self).setUp()
-
- # Check that system admin is able to evacuate server.
- self.admin_authorized_contexts = [
- self.system_admin_context]
- # Check that non-system or non-admin is not able to evacuate
- # server.
- self.admin_unauthorized_contexts = [
- self.legacy_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
- self.project_admin_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]