Diffstat (limited to 'nova/tests/unit/policies/test_keypairs.py')
-rw-r--r-- | nova/tests/unit/policies/test_keypairs.py | 159 |
1 files changed, 56 insertions, 103 deletions
diff --git a/nova/tests/unit/policies/test_keypairs.py b/nova/tests/unit/policies/test_keypairs.py index 4faefea2ef..ee39133b7a 100644 --- a/nova/tests/unit/policies/test_keypairs.py +++ b/nova/tests/unit/policies/test_keypairs.py @@ -10,7 +10,8 @@ # License for the specific language governing permissions and limitations # under the License. -import mock +from unittest import mock + from nova.policies import keypairs as policies from nova.api.openstack.compute import keypairs @@ -34,7 +35,7 @@ class KeypairsPolicyTest(base.BasePolicyTest): # Check that everyone is able to create, delete and get # their keypairs. - self.everyone_authorized_contexts = [ + self.everyone_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.system_member_context, self.system_reader_context, 
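Review bot: `set([ ... ])` in the new `self.everyone_authorized_contexts` assignment builds a throwaway list only to convert it; a set display, `self.everyone_authorized_contexts = {` ... `}`, produces the same set directly and is what the usual C405 lint expects. Since this hunk drops the explicit `everyone_unauthorized_contexts` list, the comment above the set now only says who is allowed; a line such as `# Every context not listed here is expected to be denied.` would record the new contract, assuming `common_policy_auth` derives the rejected contexts from the full context list, which is not visible in this hunk. The `setUp` method this sits in starts before the hunk and continues past it.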
@@ -42,88 +43,58 @@ class KeypairsPolicyTest(base.BasePolicyTest): self.project_reader_context, self.project_foo_context, self.other_project_member_context, self.other_project_reader_context, - ] - self.everyone_unauthorized_contexts = [] + ]) # Check that admin is able to create, delete and get # other users keypairs. - self.admin_authorized_contexts = [ + self.admin_authorized_contexts = set([ self.legacy_admin_context, self.system_admin_context, - self.project_admin_context] - # Check that non-admin is not able to create, delete and get - # other users keypairs. - self.admin_unauthorized_contexts = [ - self.system_member_context, self.system_reader_context, - self.system_foo_context, self.project_member_context, - self.project_reader_context, self.project_foo_context, - self.other_project_member_context, - self.other_project_reader_context, - ] - - # Check that system reader is able to get - # other users keypairs. - self.system_reader_authorized_contexts = [ - self.legacy_admin_context, self.system_admin_context, - self.project_admin_context, self.system_member_context, - self.system_reader_context] - # Check that non-system reader is not able to get - # other users keypairs. 
- self.system_reader_unauthorized_contexts = [ - self.system_foo_context, self.project_member_context, - self.project_reader_context, self.project_foo_context, - self.other_project_member_context, - self.other_project_reader_context, - ] + self.project_admin_context]) @mock.patch('nova.compute.api.KeypairAPI.get_key_pairs') def test_index_keypairs_policy(self, mock_get): rule_name = policies.POLICY_ROOT % 'index' - self.common_policy_check(self.everyone_authorized_contexts, - self.everyone_unauthorized_contexts, - rule_name, - self.controller.index, - self.req) + self.common_policy_auth(self.everyone_authorized_contexts, + rule_name, + self.controller.index, + self.req) @mock.patch('nova.compute.api.KeypairAPI.get_key_pairs') def test_index_others_keypairs_policy(self, mock_get): req = fakes.HTTPRequest.blank('?user_id=user2', version='2.10') rule_name = policies.POLICY_ROOT % 'index' - self.common_policy_check(self.system_reader_authorized_contexts, - self.system_reader_unauthorized_contexts, - rule_name, - self.controller.index, - req) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, + self.controller.index, + req) @mock.patch('nova.compute.api.KeypairAPI.get_key_pair') def test_show_keypairs_policy(self, mock_get): rule_name = policies.POLICY_ROOT % 'show' - self.common_policy_check(self.everyone_authorized_contexts, - self.everyone_unauthorized_contexts, - rule_name, - self.controller.show, - self.req, fakes.FAKE_UUID) + self.common_policy_auth(self.everyone_authorized_contexts, + rule_name, + self.controller.show, + self.req, fakes.FAKE_UUID) @mock.patch('nova.compute.api.KeypairAPI.get_key_pair') def test_show_others_keypairs_policy(self, mock_get): # Change the user_id in request context. 
req = fakes.HTTPRequest.blank('?user_id=user2', version='2.10') rule_name = policies.POLICY_ROOT % 'show' - self.common_policy_check(self.system_reader_authorized_contexts, - self.system_reader_unauthorized_contexts, - rule_name, - self.controller.show, - req, fakes.FAKE_UUID) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, + self.controller.show, + req, fakes.FAKE_UUID) @mock.patch('nova.compute.api.KeypairAPI.create_key_pair') def test_create_keypairs_policy(self, mock_create): rule_name = policies.POLICY_ROOT % 'create' mock_create.return_value = (test_keypair.fake_keypair, 'FAKE_KEY') - self.common_policy_check(self.everyone_authorized_contexts, - self.everyone_unauthorized_contexts, - rule_name, - self.controller.create, - self.req, - body={'keypair': {'name': 'create_test'}}) + self.common_policy_auth(self.everyone_authorized_contexts, + rule_name, + self.controller.create, + self.req, + body={'keypair': {'name': 'create_test'}}) @mock.patch('nova.compute.api.KeypairAPI.create_key_pair') def test_create_others_keypairs_policy(self, mock_create): 
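Review bot: The own-user case with an explicit target is never exercised: every non-admin test in this hunk omits `user_id` from the query, so a policy that keyed on the parameter merely being present, rather than on its value matching the caller, would still pass all of these tests; a test that passes the calling context's own user id in `?user_id=` and runs `common_policy_auth(self.everyone_authorized_contexts, ...)` against `index` and `show` would pin that. `test_index_others_keypairs_policy` and `test_show_others_keypairs_policy` now expect only `admin_authorized_contexts` to read another user's keypairs, removing the former system-reader allowance, but nothing says this is deliberate; a comment like `# Listing or showing another user's keypairs is admin-only; no reader-level access.` would stop a later edit from quietly reopening it. Note also that with `common_policy_auth` the rejected contexts are no longer spelled out, so these tests only catch an over-permissive rule if the base helper really treats every context outside the passed set as forbidden, which is presumably the case but cannot be confirmed from this hunk. The `# Change the user_id in request context.` comments are inaccurate as well: the request context is untouched and only the query string names the target user, so `# Target another user's keypair via the user_id query parameter.` would be correct. The hunk starts inside `setUp` and ends inside `test_create_others_keypairs_policy`.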
@@ -132,31 +103,39 @@ class KeypairsPolicyTest(base.BasePolicyTest): rule_name = policies.POLICY_ROOT % 'create' mock_create.return_value = (test_keypair.fake_keypair, 'FAKE_KEY') body = {'keypair': {'name': 'test2', 'user_id': 'user2'}} - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, - rule_name, - self.controller.create, - req, body=body) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, + self.controller.create, + req, body=body) @mock.patch('nova.compute.api.KeypairAPI.delete_key_pair') def test_delete_keypairs_policy(self, mock_delete): rule_name = policies.POLICY_ROOT % 'delete' - self.common_policy_check(self.everyone_authorized_contexts, - self.everyone_unauthorized_contexts, - rule_name, - self.controller.delete, - self.req, fakes.FAKE_UUID) + self.common_policy_auth(self.everyone_authorized_contexts, + rule_name, + self.controller.delete, + self.req, fakes.FAKE_UUID) @mock.patch('nova.compute.api.KeypairAPI.delete_key_pair') def test_delete_others_keypairs_policy(self, mock_delete): # Change the user_id in request context. req = fakes.HTTPRequest.blank('?user_id=user2', version='2.10') rule_name = policies.POLICY_ROOT % 'delete' - self.common_policy_check(self.admin_authorized_contexts, - self.admin_unauthorized_contexts, - rule_name, - self.controller.delete, - req, fakes.FAKE_UUID) + self.common_policy_auth(self.admin_authorized_contexts, + rule_name, + self.controller.delete, + req, fakes.FAKE_UUID) + + +class KeypairsNoLegacyNoScopeTest(KeypairsPolicyTest): + """Test Keypairs API policies with deprecated rules + disabled, but scope checking still disabled. + """ + + without_deprecated_rules = True + + def setUp(self): + super(KeypairsNoLegacyNoScopeTest, self).setUp() class KeypairsScopeTypePolicyTest(KeypairsPolicyTest): 
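Review bot: `KeypairsNoLegacyNoScopeTest.setUp` only calls `super().setUp()` and adds nothing, so the override is dead weight; either drop it or, if it is a placeholder for later overrides, say so in a comment. More useful would be one sentence in the class docstring recording why no expectations change when the deprecated rules are disabled, for example `No expectations change here: the keypair rules grant access on user_id (or admin), not on any deprecated role-based rule.` — that reasoning is inferred from the test layout rather than visible in this hunk, so confirm it against the policy definitions before writing it down. The hunk begins inside `test_create_others_keypairs_policy` and ends on the `KeypairsScopeTypePolicyTest` class line, whose body is outside it.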
@@ -173,6 +152,12 @@ class KeypairsScopeTypePolicyTest(KeypairsPolicyTest): super(KeypairsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + # With scope checking, only project-scoped users are allowed + self.reduce_set('everyone_authorized', self.all_project_contexts) + self.admin_authorized_contexts = [ + self.legacy_admin_context, + self.project_admin_context] + class KeypairsNoLegacyPolicyTest(KeypairsScopeTypePolicyTest): """Test Keypairs APIs policies with system scope enabled, @@ -180,35 +165,3 @@ class KeypairsNoLegacyPolicyTest(KeypairsScopeTypePolicyTest): access system APIs. """ without_deprecated_rules = True - - def setUp(self): - super(KeypairsNoLegacyPolicyTest, self).setUp() - - # Check that system admin is able to create, delete and get - # other users keypairs. - self.admin_authorized_contexts = [ - self.system_admin_context] - # Check that system non-admin is not able to create, delete and get - # other users keypairs. - self.admin_unauthorized_contexts = [ - self.legacy_admin_context, self.system_member_context, - self.system_reader_context, self.system_foo_context, - self.project_admin_context, self.project_member_context, - self.other_project_member_context, - self.other_project_reader_context, - self.project_foo_context, self.project_reader_context - ] - # Check that system reader is able to get - # other users keypairs. - self.system_reader_authorized_contexts = [ - self.system_admin_context, self.system_member_context, - self.system_reader_context] - # Check that non-system reader is not able to get - # other users keypairs. - self.system_reader_unauthorized_contexts = [ - self.legacy_admin_context, self.project_admin_context, - self.system_foo_context, self.project_member_context, - self.project_reader_context, self.project_foo_context, - self.other_project_member_context, - self.other_project_reader_context, - ] |
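Review bot: `self.admin_authorized_contexts` is reassigned as a list in `KeypairsScopeTypePolicyTest.setUp`, while the base `setUp` now defines it as a set and `everyone_authorized` is narrowed with `reduce_set`; if `common_policy_auth` derives the denied contexts by set subtraction, a list either fails outright or is coerced differently from the sets, and either way the two attributes should have the same shape. Writing `self.admin_authorized_contexts = {self.legacy_admin_context, self.project_admin_context}` (or `self.reduce_set('admin_authorized', self.all_project_contexts)` if `legacy_admin_context` is among the project contexts) keeps them consistent; which subtraction the helper uses is not visible in this hunk. The comment above it could also state the security consequence being asserted: `# Under enforce_scope, system-scoped tokens (including system admin) lose access to other users' keypairs.` The enclosing `setUp` starts before the hunk.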