Diffstat (limited to 'nova/tests/unit/policies/test_evacuate.py')
-rw-r--r-- | nova/tests/unit/policies/test_evacuate.py | 63 |
1 files changed, 26 insertions, 37 deletions
diff --git a/nova/tests/unit/policies/test_evacuate.py b/nova/tests/unit/policies/test_evacuate.py
index 203cc136e9..b9e4c29dba 100644
--- a/nova/tests/unit/policies/test_evacuate.py
+++ b/nova/tests/unit/policies/test_evacuate.py
@@ -10,8 +10,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from unittest import mock
+
 import fixtures
-import mock
 from oslo_utils.fixture import uuidsentinel as uuids
 from oslo_utils import timeutils
 
@@ -55,18 +56,12 @@ class EvacuatePolicyTest(base.BasePolicyTest):
 id=1, uuid=uuid, user_id=user_id, vm_state=vm_states.ACTIVE,
 task_state=None, launched_at=timeutils.utcnow())
 self.mock_get.return_value = self.instance
- # Check that admin is able to evacuate the server
- self.admin_authorized_contexts = [
+ # By default, legacy rule are enable and scope check is disabled.
+ # system admin, legacy admin, and project admin is able to evacuate
+ # the server.
+ self.project_action_authorized_contexts = [
 self.legacy_admin_context, self.system_admin_context,
 self.project_admin_context]
- # Check that non-admin is not able to evacuate the server
- self.admin_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
 
 @mock.patch('nova.compute.api.API.evacuate')
 def test_evacuate_policy(self, mock_evacuate):
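Review bot: The comment added above `self.project_action_authorized_contexts` in setUp reads awkwardly and, now that the explicit `admin_unauthorized_contexts` list is gone, no longer says where the denial half of this authorization test lives; suggest `# By default, legacy rules are enabled and scope checks are disabled, so the legacy admin, system admin and project admin contexts can evacuate the server; every other test context is expected to be denied by common_policy_auth.` That the helper asserts the complement is inferred from the rename to `common_policy_auth` at the call site in the next hunk (its definition is outside this diff), so confirm it before wording the comment that way. setUp starts before this hunk.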
@@ -75,11 +70,10 @@ class EvacuatePolicyTest(base.BasePolicyTest):
 'onSharedStorage': 'False',
 'adminPass': 'admin_pass'}
 }
- self.common_policy_check(self.admin_authorized_contexts,
- self.admin_unauthorized_contexts,
- rule_name, self.controller._evacuate,
- self.req, uuids.fake_id,
- body=body)
+ self.common_policy_auth(self.project_action_authorized_contexts,
+ rule_name, self.controller._evacuate,
+ self.req, uuids.fake_id,
+ body=body)
 
 def test_evacuate_policy_failed_with_other_user(self):
 rule_name = "os_compute_api:os-evacuate"
@@ -109,7 +103,16 @@ class EvacuatePolicyTest(base.BasePolicyTest):
 evacuate_mock.assert_called_once_with(
 self.user_req.environ['nova.context'], mock.ANY, 'my-host',
 False,
- 'MyNewPass', None)
+ 'MyNewPass', None, None)
+
+
+class EvacuateNoLegacyNoScopePolicyTest(EvacuatePolicyTest):
+ """Test Evacuate APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only.
+
+ """
+
+ without_deprecated_rules = True
 
 
 class EvacuateScopeTypePolicyTest(EvacuatePolicyTest):
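Review bot: The new `EvacuateNoLegacyNoScopePolicyTest` class sets `without_deprecated_rules = True` but does not override `project_action_authorized_contexts`, so it silently inherits the parent's legacy/system/project admin set; that looks intentional for new defaults without scope checks, but it is the expectation under test and deserves one sentence, e.g. `The authorized set is inherited unchanged: with scope checks off, the new admin-role default still admits all three admin contexts.` Its docstring also carries a stray blank line before the closing quotes; `"""Test Evacuate API policies with no legacy deprecated rules and no scope checks, i.e. new defaults only."""` is tighter. In the `assert_called_once_with` change above it, the added trailing positional `None` is anonymous; passing it by keyword would document which new `API.evacuate` argument it stands for, though the parameter name is not visible in this diff.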
@@ -126,28 +129,14 @@ class EvacuateScopeTypePolicyTest(EvacuatePolicyTest):
 def setUp(self):
 super(EvacuateScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
+ # With scope enable, system admin will not be able to
+ # evacuate the server.
+ self.project_action_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context]
 
 
-class EvacuateNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
+class EvacuateScopeTypeNoLegacyPolicyTest(EvacuateScopeTypePolicyTest):
 """Test Evacuate APIs policies with system scope enabled,
- and no more deprecated rules that allow the legacy admin API to
- access system APIs.
+ and no more deprecated rules which means scope + new defaults.
 """
 without_deprecated_rules = True
-
- def setUp(self):
- super(EvacuateNoLegacyPolicyTest, self).setUp()
-
- # Check that system admin is able to evacuate server.
- self.admin_authorized_contexts = [
- self.system_admin_context]
- # Check that non-system or non-admin is not able to evacuate
- # server.
- self.admin_unauthorized_contexts = [
- self.legacy_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
- self.project_admin_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
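Review bot: The comment added in `EvacuateScopeTypePolicyTest.setUp` states that the system admin is denied once scope is enforced but not why, and since the renamed `EvacuateScopeTypeNoLegacyPolicyTest` drops its own setUp and inherits this list, this comment is now the only explanation for both classes; suggest `# With scope enforced, a system-scoped admin token is rejected because the evacuate policy is project-scoped; only the legacy admin and project admin contexts can evacuate the server.` The project-scoped rationale is inferred from which contexts remain in the list, not from the policy definition (outside this diff), so confirm it against the policy before wording it that way. Removing the subclass override also means the legacy admin context stays authorized even with deprecated rules disabled; that appears intentional but is worth a sentence in the subclass docstring so the behaviour change from the deleted setUp is explicit.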