diff options
Diffstat (limited to 'nova/tests/unit/policies/test_pause_server.py')
-rw-r--r-- | nova/tests/unit/policies/test_pause_server.py | 86 |
1 files changed, 43 insertions, 43 deletions
diff --git a/nova/tests/unit/policies/test_pause_server.py b/nova/tests/unit/policies/test_pause_server.py index 73e78bd55d..86a3e616dd 100644 --- a/nova/tests/unit/policies/test_pause_server.py +++ b/nova/tests/unit/policies/test_pause_server.py @@ -10,8 +10,9 @@ # License for the specific language governing permissions and limitations # under the License. +from unittest import mock + import fixtures -import mock from oslo_utils.fixture import uuidsentinel as uuids from oslo_utils import timeutils @@ -46,41 +47,32 @@ class PauseServerPolicyTest(base.BasePolicyTest): user_id=user_id, vm_state=vm_states.ACTIVE, task_state=None, launched_at=timeutils.utcnow()) self.mock_get.return_value = self.instance - - # Check that admin or and server owner is able to pause/unpause - # the server - self.admin_or_owner_authorized_contexts = [ + # With legacy rule and no scope checks, all admin, project members + # project reader or other project role(because legacy rule allow server + # owner- having same project id and no role check) is able to pause, + # unpause the server. + self.project_action_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.project_member_context, self.project_reader_context, self.project_foo_context] - # Check that non-admin/owner is not able to pause/unpause - # the server - self.admin_or_owner_unauthorized_contexts = [ - self.system_member_context, self.system_reader_context, - self.system_foo_context, - self.other_project_member_context, - self.other_project_reader_context, - ] @mock.patch('nova.compute.api.API.pause') def test_pause_server_policy(self, mock_pause): rule_name = ps_policies.POLICY_ROOT % 'pause' - self.common_policy_check(self.admin_or_owner_authorized_contexts, - self.admin_or_owner_unauthorized_contexts, - rule_name, - self.controller._pause, - self.req, self.instance.uuid, - body={'pause': {}}) + self.common_policy_auth(self.project_action_authorized_contexts, + rule_name, + self.controller._pause, + self.req, self.instance.uuid, + body={'pause': {}}) @mock.patch('nova.compute.api.API.unpause') def test_unpause_server_policy(self, mock_unpause): rule_name = ps_policies.POLICY_ROOT % 'unpause' - self.common_policy_check(self.admin_or_owner_authorized_contexts, - self.admin_or_owner_unauthorized_contexts, - rule_name, - self.controller._unpause, - self.req, self.instance.uuid, - body={'unpause': {}}) + self.common_policy_auth(self.project_action_authorized_contexts, + rule_name, + self.controller._unpause, + self.req, self.instance.uuid, + body={'unpause': {}}) def test_pause_server_policy_failed_with_other_user(self): # Change the user_id in request context. @@ -105,6 +97,22 @@ class PauseServerPolicyTest(base.BasePolicyTest): body={'pause': {}}) +class PauseServerNoLegacyNoScopePolicyTest(PauseServerPolicyTest): + """Test Pause/unpause server APIs policies with no legacy deprecated rules + and no scope checks which means new defaults only. + + """ + + without_deprecated_rules = True + + def setUp(self): + super(PauseServerNoLegacyNoScopePolicyTest, self).setUp() + # With no legacy rule, only project admin or member will be + # able to pause/unpause the server. + self.project_action_authorized_contexts = ( + self.project_member_or_admin_with_no_scope_no_legacy) + + class PauseServerScopeTypePolicyTest(PauseServerPolicyTest): """Test Pause Server APIs policies with system scope enabled. This class set the nova.conf [oslo_policy] enforce_scope to True @@ -118,28 +126,20 @@ class PauseServerScopeTypePolicyTest(PauseServerPolicyTest): def setUp(self): super(PauseServerScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + # Scope enable will not allow system admin to pause/unpause the server. + self.project_action_authorized_contexts = ( + self.project_m_r_or_admin_with_scope_and_legacy) -class PauseServerNoLegacyPolicyTest(PauseServerScopeTypePolicyTest): +class PauseServerScopeTypeNoLegacyPolicyTest(PauseServerScopeTypePolicyTest): """Test Pause Server APIs policies with system scope enabled, - and no more deprecated rules that allow the legacy admin API to - access system APIs. + and no more deprecated rules. """ without_deprecated_rules = True def setUp(self): - super(PauseServerNoLegacyPolicyTest, self).setUp() - # Check that system admin or server owner is able to pause/unpause - # the server - self.admin_or_owner_authorized_contexts = [ - self.system_admin_context, - self.project_admin_context, self.project_member_context] - # Check that non-system/admin/owner is not able to pause/unpause - # the server - self.admin_or_owner_unauthorized_contexts = [ - self.legacy_admin_context, self.system_member_context, - self.system_reader_context, self.system_foo_context, - self.other_project_member_context, self.project_reader_context, - self.project_foo_context, - self.other_project_reader_context, - ] + super(PauseServerScopeTypeNoLegacyPolicyTest, self).setUp() + # With scope enable and no legacy rule, only project admin/member + # will be able to pause/unpause the server. + self.project_action_authorized_contexts = ( + self.project_member_or_admin_with_scope_no_legacy) |