Diffstat (limited to 'nova/tests/unit/policies/test_flavor_manage.py')
-rw-r--r-- | nova/tests/unit/policies/test_flavor_manage.py | 70 |
1 files changed, 31 insertions, 39 deletions
diff --git a/nova/tests/unit/policies/test_flavor_manage.py b/nova/tests/unit/policies/test_flavor_manage.py index 8a890a85af..0663a689cb 100644 --- a/nova/tests/unit/policies/test_flavor_manage.py +++ b/nova/tests/unit/policies/test_flavor_manage.py @@ -10,7 +10,8 @@ # License for the specific language governing permissions and limitations # under the License. -import mock +from unittest import mock + from oslo_utils.fixture import uuidsentinel as uuids from nova.api.openstack.compute import flavor_manage @@ -31,18 +32,11 @@ class FlavorManagePolicyTest(base.BasePolicyTest): super(FlavorManagePolicyTest, self).setUp() self.controller = flavor_manage.FlavorManageController() self.req = fakes.HTTPRequest.blank('') - # Check that admin is able to manage the flavors. + # With legacy rule and no scope checks, all admin can manage + # the flavors. self.admin_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context] - # Check that non-admin is not able to manage the flavors. - self.admin_unauthorized_contexts = [ - self.system_member_context, self.system_reader_context, - self.system_foo_context, self.project_member_context, - self.other_project_member_context, - self.other_project_reader_context, - self.project_foo_context, self.project_reader_context - ] def test_create_flavor_policy(self): rule_name = fm_policies.POLICY_ROOT % 'create' 
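Review bot: With `admin_unauthorized_contexts` removed from setUp in the second hunk, this file no longer names the contexts that must be refused, so the deny side of the flavor-manage policy rests on how `common_policy_auth` treats every context left out of `admin_authorized_contexts`. That helper is outside this diff, so it should be confirmed that it asserts rejection for all remaining contexts; the same applies to the three call sites in the next hunk and to the scoped setUp in the last one. A comment above the list would make the expectation explicit, for example `# Any context not listed here is expected to be rejected by common_policy_auth.` setUp itself starts above the hunk.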
@@ -67,29 +61,34 @@ class FlavorManagePolicyTest(base.BasePolicyTest): "disk": 1, } } - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, - rule_name, self.controller._create, - self.req, body=body) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, self.controller._create, + self.req, body=body) @mock.patch('nova.objects.Flavor.get_by_flavor_id') @mock.patch('nova.objects.Flavor.save') def test_update_flavor_policy(self, mock_save, mock_get): rule_name = fm_policies.POLICY_ROOT % 'update' req = fakes.HTTPRequest.blank('', version='2.55') - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, - rule_name, self.controller._update, - req, uuids.fake_id, - body={'flavor': {'description': None}}) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, self.controller._update, + req, uuids.fake_id, + body={'flavor': {'description': None}}) @mock.patch('nova.objects.Flavor.destroy') def test_delete_flavor_policy(self, mock_delete): rule_name = fm_policies.POLICY_ROOT % 'delete' - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, - rule_name, self.controller._delete, - self.req, uuids.fake_id) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, self.controller._delete, + self.req, uuids.fake_id) + + +class FlavorManageNoLegacyNoScopeTest(FlavorManagePolicyTest): + """Test Flavor Access API policies with deprecated rules + disabled, but scope checking still disabled. + """ + + without_deprecated_rules = True class FlavorManageScopeTypePolicyTest(FlavorManagePolicyTest): 
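Review bot: The docstring of the new `FlavorManageNoLegacyNoScopeTest` says "Flavor Access API", but the class subclasses `FlavorManagePolicyTest` and exercises the flavor manage controller, so the wording looks copied from another policy test. Suggested first line: `"""Test Flavor Manage API policies with deprecated rules`. The class only sets `without_deprecated_rules = True` and inherits the parent's setUp, so a comment such as `# Same three admin contexts as the legacy case are expected to pass.` would state the intended result of disabling the deprecated rules.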
@@ -106,23 +105,16 @@ class FlavorManageScopeTypePolicyTest(FlavorManagePolicyTest): super(FlavorManageScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # Check that system admin is able to manage the flavors. + # With scope enabled, only project admin is able to manage + # the flavors. self.admin_authorized_contexts = [ - self.system_admin_context] - # Check that non-system-admin is not able to manage the flavors. - self.admin_unauthorized_contexts = [ - self.legacy_admin_context, self.system_member_context, - self.system_reader_context, self.project_admin_context, - self.system_foo_context, self.project_member_context, - self.other_project_member_context, - self.other_project_reader_context, - self.project_foo_context, self.project_reader_context - ] - - -class FlavorManageNoLegacyPolicyTest(FlavorManageScopeTypePolicyTest): + self.legacy_admin_context, + self.project_admin_context] + + +class FlavorManageScopeTypeNoLegacyPolicyTest( + FlavorManageScopeTypePolicyTest): """Test Flavor Manage APIs policies with system scope enabled, - and no more deprecated rules that allow the legacy admin API to - access system_admin_or_owner APIs. + and no more deprecated rules. """ without_deprecated_rules = True |
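Review bot: The new comment in the scoped setUp says only project admin can manage the flavors, yet the list below it also contains `self.legacy_admin_context`, so the comment and the list should agree, e.g. `# With scope enabled, legacy admin and project admin can manage the flavors.` `system_admin_context` moves from being the only allowed context to one that is no longer listed, which is the security-relevant change in this hunk, and nothing here states that it is now expected to be rejected. `FlavorManageScopeTypeNoLegacyPolicyTest` inherits this list unchanged, and its docstring still says "system scope enabled"; if legacy admin is meant to pass with deprecated rules off, the docstring is the place to say so. setUp starts above the hunk.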