Diffstat (limited to 'nova/tests/unit/policies/test_limits.py')
-rw-r--r--nova/tests/unit/policies/test_limits.py113
1 files changed, 65 insertions, 48 deletions
diff --git a/nova/tests/unit/policies/test_limits.py b/nova/tests/unit/policies/test_limits.py
index cab2b5f679..aba647caec 100644
--- a/nova/tests/unit/policies/test_limits.py
+++ b/nova/tests/unit/policies/test_limits.py
@@ -10,15 +10,19 @@
# License for the specific language governing permissions and limitations
# under the License.
-import mock
+import functools
+from unittest import mock
from nova.api.openstack.compute import limits
+import nova.conf
from nova.policies import base as base_policy
from nova.policies import limits as limits_policies
from nova import quota
from nova.tests.unit.api.openstack import fakes
from nova.tests.unit.policies import base
+CONF = nova.conf.CONF
+
class LimitsPolicyTest(base.BasePolicyTest):
"""Test Limits APIs policies with all possible context.
@@ -55,48 +59,52 @@ class LimitsPolicyTest(base.BasePolicyTest):
mock_get_project_quotas.start()
# Check that everyone is able to get their limits
- self.everyone_authorized_contexts = [
- self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context, self.system_foo_context,
- self.project_member_context, self.other_project_member_context,
- self.project_foo_context, self.project_reader_context,
- self.other_project_reader_context,
- ]
- self.everyone_unauthorized_contexts = []
-
- # Check that system reader is able to get other projects limit.
- # NOTE(gmann): Until old default rule which is admin_api is
- # deprecated and not removed, project admin and legacy admin
- # will be able to get limit. This make sure that existing
- # tokens will keep working even we have changed this policy defaults
- # to reader role.
- self.reader_authorized_contexts = [
+ self.everyone_authorized_contexts = self.all_contexts
+
+ # With legacy rule, any admin is able to get other projects limit.
+ self.project_admin_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-admin is not able to get other projects limit.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.project_member_context,
- self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
- ]
+ self.project_admin_context]
def test_get_limits_policy(self):
rule_name = limits_policies.BASE_POLICY_NAME
- self.common_policy_check(self.everyone_authorized_contexts,
- self.everyone_unauthorized_contexts,
- rule_name, self.controller.index,
- self.req)
+ self.common_policy_auth(self.everyone_authorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
def test_get_other_limits_policy(self):
+ rule = limits_policies.BASE_POLICY_NAME
+ self.policy.set_rules({rule: "@"}, overwrite=False)
req = fakes.HTTPRequest.blank('/?tenant_id=faketenant')
rule_name = limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name, self.controller.index,
- req)
+ if not CONF.oslo_policy.enforce_scope:
+ check_rule = rule_name
+ else:
+ check_rule = functools.partial(base.rule_if_system,
+ rule, rule_name)
+ self.common_policy_auth(self.project_admin_authorized_contexts,
+ check_rule, self.controller.index,
+ req)
+
+
+class LimitsNoLegacyNoScopeTest(LimitsPolicyTest):
+ """Test Flavor Access API policies with deprecated rules
+ disabled, but scope checking still disabled.
+ """
+
+ without_deprecated_rules = True
+ rules_without_deprecation = {
+ limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
+ base_policy.ADMIN}
+
+ def setUp(self):
+ super(LimitsNoLegacyNoScopeTest, self).setUp()
+
+ # Even with no legacy rule, any admin can get other project
+ # limits.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.system_admin_context,
+ self.project_admin_context]
class LimitsScopeTypePolicyTest(LimitsPolicyTest):
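Review bot: The docstring of the new LimitsNoLegacyNoScopeTest class reads `Test Flavor Access API policies with deprecated rules disabled, but scope checking still disabled.`, which looks copied from another policy test module; this class exercises the limits policies, so it should say `Test Limits API policies with deprecated rules disabled, but scope checking still disabled.`. In test_get_other_limits_policy the new line `self.policy.set_rules({rule: "@"}, overwrite=False)` opens the base limits rule to every caller without saying why; a comment such as `# Grant the base limits rule to everyone so that only OTHER_PROJECT_LIMIT_POLICY_NAME is exercised by this test` would make the intent clear. The setUp override in LimitsNoLegacyNoScopeTest assigns the same three contexts that LimitsPolicyTest.setUp already sets, so it adds nothing but its comment; presumably it is kept for symmetry with the other subclasses, which the comment could state. The setUp of LimitsPolicyTest begins above this hunk.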
@@ -114,22 +122,18 @@ class LimitsScopeTypePolicyTest(LimitsPolicyTest):
super(LimitsScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
- # Check that system reader is able to get other projects limit.
- self.reader_authorized_contexts = [
- self.system_admin_context, self.system_member_context,
- self.system_reader_context]
- # Check that non-system reader is not able toget other
- # projects limit.
- self.reader_unauthorized_contexts = [
- self.legacy_admin_context, self.system_foo_context,
- self.project_admin_context, self.project_member_context,
+ # With Scope enable, system users no longer allowed.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context]
+ self.everyone_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.project_member_context, self.project_reader_context,
self.other_project_member_context,
- self.other_project_reader_context,
- self.project_foo_context, self.project_reader_context
+ self.project_foo_context, self.other_project_reader_context
]
-class LimitsNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
+class LimitsScopeTypeNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
"""Test Limits APIs policies with system scope enabled,
and no more deprecated rules that allow the legacy admin API to
access system APIs.
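Review bot: The new comment `# With Scope enable, system users no longer allowed.` is hard to read; `# With scope enforcement enabled, system-scoped users are no longer allowed.` states the same thing clearly and matches the lists below it, which drop every system_* context from both authorized sets. The enclosing setUp of LimitsScopeTypePolicyTest starts above the hunk, so only the tail of the method is visible here.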
@@ -137,4 +141,17 @@ class LimitsNoLegacyPolicyTest(LimitsScopeTypePolicyTest):
without_deprecated_rules = True
rules_without_deprecation = {
limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME:
- base_policy.SYSTEM_READER}
+ base_policy.ADMIN}
+
+ def setUp(self):
+ super(LimitsScopeTypeNoLegacyPolicyTest, self).setUp()
+ # With no legacy and scope enable, only project level admin
+ # will get other projects limit.
+ self.project_admin_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context]
+ self.everyone_authorized_contexts = [
+ self.legacy_admin_context, self.project_admin_context,
+ self.project_member_context, self.project_reader_context,
+ self.other_project_member_context,
+ self.project_foo_context, self.other_project_reader_context
+ ]
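Review bot: The new setUp in LimitsScopeTypeNoLegacyPolicyTest assigns project_admin_authorized_contexts and everyone_authorized_contexts to exactly the lists that LimitsScopeTypePolicyTest.setUp already sets in the previous hunk, so after `super(...).setUp()` the override only restates the inherited values. Either drop the override, or keep a comment on the class such as `# Inherited context lists already match: with no legacy rule and scope enforced, only project-level admins may read other projects' limits.` so a reader does not look for a difference that is not there. The change of rules_without_deprecation from SYSTEM_READER to ADMIN is consistent with the narrowed lists. The class header is outside this hunk.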