Diffstat (limited to 'nova/tests/unit/policies/test_limits.py')
-rw-r--r-- | nova/tests/unit/policies/test_limits.py | 113 |
1 files changed, 65 insertions, 48 deletions
diff --git a/nova/tests/unit/policies/test_limits.py b/nova/tests/unit/policies/test_limits.py
index cab2b5f679..aba647caec 100644
--- a/nova/tests/unit/policies/test_limits.py
+++ b/nova/tests/unit/policies/test_limits.py
@@ -10,15 +10,19 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-import mock
+import functools
+from unittest import mock
 from nova.api.openstack.compute import limits
+import nova.conf
 from nova.policies import base as base_policy
 from nova.policies import limits as limits_policies
 from nova import quota
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit.policies import base
+CONF = nova.conf.CONF
+
 class LimitsPolicyTest(base.BasePolicyTest):
 """Test Limits APIs policies with all possible context.
@@ -55,48 +59,52 @@ class LimitsPolicyTest(base.BasePolicyTest):
 mock_get_project_quotas.start()
 # Check that everyone is able to get their limits
- self.everyone_authorized_contexts = [
- self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
- self.project_member_context, self.other_project_member_context,
- self.project_foo_context, self.project_reader_context,
- self.other_project_reader_context,
- ]
- self.everyone_unauthorized_contexts = []
-
- # Check that system reader is able to get other projects limit.
- # NOTE(gmann): Until old default rule which is admin_api is
- # deprecated and not removed, project admin and legacy admin
- # will be able to get limit. This make sure that existing
- # tokens will keep working even we have changed this policy defaults
- # to reader role.
- self.reader_authorized_contexts = [
+ self.everyone_authorized_contexts = self.all_contexts
+
+ # With legacy rule, any admin is able to get other projects limit.
+ self.project_admin_authorized_contexts = [
 self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-admin is not able to get other projects limit.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
+ self.project_admin_context]
 def test_get_limits_policy(self):
 rule_name = limits_policies.BASE_POLICY_NAME
- self.common_policy_check(self.everyone_authorized_contexts,
- self.everyone_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.everyone_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
 def test_get_other_limits_policy(self):
+ rule = limits_policies.BASE_POLICY_NAME
+ self.policy.set_rules({rule: "@"}, overwrite=False)
 req = fakes.HTTPRequest.blank('/?tenant_id=faketenant')
 rule_name = limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.index,
- req)
+ if not CONF.oslo_policy.enforce_scope:
+ check_rule = rule_name
+ else:
+ check_rule = functools.partial(base.rule_if_system,
+ rule, rule_name)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ check_rule, self.controller.index,
+ req)
+
+
+class LimitsNoLegacyNoScopeTest(LimitsPolicyTest):
+ """Test Flavor Access API policies with deprecated rules
+ disabled, but scope checking still disabled.
+ """
+
+ without_deprecated_rules = True
+ rules_without_deprecation = {
+ limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
+ base_policy.ADMIN}
+
+ def setUp(self):
+ super(LimitsNoLegacyNoScopeTest, self).setUp()
+
+ # Even with no legacy rule, any admin can get other project
+ # limits.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.system_admin_context,
+ self.project_admin_context]
 class LimitsScopeTypePolicyTest(LimitsPolicyTest):
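Review bot: The docstring of the new LimitsNoLegacyNoScopeTest class says "Test Flavor Access API policies", which looks copied from another policy test module; this class exercises the limits API, so it should read `"""Test Limits API policies with deprecated rules disabled, but scope checking still disabled."""`. The added `self.policy.set_rules({rule: "@"}, overwrite=False)` in test_get_other_limits_policy opens the base limits rule to every caller so that only the other-project rule is under test, and that intent deserves a comment such as `# Allow the base limits rule for all callers so only the other-project rule is exercised.` since a reader may otherwise take it for a weakened check. The test now passes only the authorized list to common_policy_auth; presumably that helper derives the denied set from all_contexts, but that is not visible here, so it is worth confirming that the non-admin contexts are still asserted to be rejected for another project's limits. The enclosing setUp starts before this hunk.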
@@ -114,22 +122,18 @@ class LimitsScopeTypePolicyTest(LimitsPolicyTest):
 super(LimitsScopeTypePolicyTest, self).setUp()
 self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system reader is able to get other projects limit.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system reader is not able toget other
- # projects limit.
- self.reader_unauthorized_contexts = [
- self.legacy_admin_context, self.system_foo_context,
- self.project_admin_context, self.project_member_context,
+ # With Scope enable, system users no longer allowed.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context]
+ self.everyone_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.project_member_context, self.project_reader_context,
 self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
+ self.project_foo_context, self.other_project_reader_context
 ]
-class LimitsNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
+class LimitsScopeTypeNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
 """Test Limits APIs policies with system scope enabled, and no more deprecated rules that allow the legacy admin API to access system APIs.
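Review bot: The comment `# With Scope enable, system users no longer allowed.` above the two new lists is ungrammatical and does not say which checks it covers; suggest `# With enforce_scope=True, system-scoped contexts are no longer authorized for either limits rule.`. legacy_admin_context stays in both lists even with scope enforcement on; if that is intended because the legacy admin token is project-scoped, a short comment saying so would keep the next reader from treating it as an oversight. The setUp method's signature is above this hunk.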
@@ -137,4 +141,17 @@ class LimitsNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
 without_deprecated_rules = True
 rules_without_deprecation = {
 limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
- base_policy.SYSTEM_READER}
+ base_policy.ADMIN}
+
+ def setUp(self):
+ super(LimitsScopeTypeNoLegacyPolicyTest, self).setUp()
+ # With no legacy and scope enable, only project level admin
+ # will get other projects limit.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context]
+ self.everyone_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.project_member_context, self.project_reader_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.other_project_reader_context
+ ] |
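Review bot: The new setUp of LimitsScopeTypeNoLegacyPolicyTest reassigns project_admin_authorized_contexts and everyone_authorized_contexts to exactly the lists the parent LimitsScopeTypePolicyTest.setUp already sets in the previous hunk, so the override changes nothing; either drop the two assignments and keep only the comment, or say in the comment that the no-legacy expectations are deliberately identical to the scope-only ones. The comment `# With no legacy and scope enable, only project level admin` also sits oddly next to a list that still contains legacy_admin_context; suggest `# With scope enforced and no legacy rule, only project-scoped admins (legacy admin included) may read other projects' limits.`. The default for OTHER_PROJECT_LIMIT_POLICY_NAME moving from SYSTEM_READER to ADMIN is the behaviour this class pins, so a one-line comment on rules_without_deprecation naming that would help. The enclosing class starts before this hunk.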