diff options
Diffstat (limited to 'nova/tests/unit/policies/test_remote_consoles.py')
-rw-r--r-- | nova/tests/unit/policies/test_remote_consoles.py | 73 |
1 files changed, 38 insertions, 35 deletions
diff --git a/nova/tests/unit/policies/test_remote_consoles.py b/nova/tests/unit/policies/test_remote_consoles.py index 825f78a938..a441d1c550 100644 --- a/nova/tests/unit/policies/test_remote_consoles.py +++ b/nova/tests/unit/policies/test_remote_consoles.py @@ -10,8 +10,9 @@ # License for the specific language governing permissions and limitations # under the License. +from unittest import mock + import fixtures -import mock from nova.policies import remote_consoles as rc_policies from oslo_utils.fixture import uuidsentinel as uuids from oslo_utils import timeutils @@ -48,31 +49,38 @@ class RemoteConsolesPolicyTest(base.BasePolicyTest): user_id=user_id, vm_state=vm_states.ACTIVE, task_state=None, launched_at=timeutils.utcnow()) self.mock_get.return_value = self.instance - - # Check that admin or and server owner is able to get server - # remote consoles. - self.admin_or_owner_authorized_contexts = [ + # With legacy rule and no scope checks, all admin, project members + # project reader or other project role(because legacy rule allow server + # owner- having same project id and no role check) is able to get + # server remote consoles. + self.project_action_authorized_contexts = [ self.legacy_admin_context, self.system_admin_context, self.project_admin_context, self.project_member_context, self.project_reader_context, self.project_foo_context] - # Check that non-admin/owner is not able to get server - # remote consoles. - self.admin_or_owner_unauthorized_contexts = [ - self.system_member_context, self.system_reader_context, - self.system_foo_context, - self.other_project_member_context, - self.other_project_reader_context, - ] def test_create_console_policy(self): rule_name = rc_policies.BASE_POLICY_NAME body = {'remote_console': {'protocol': 'vnc', 'type': 'novnc'}} - self.common_policy_check(self.admin_or_owner_authorized_contexts, - self.admin_or_owner_unauthorized_contexts, - rule_name, - self.controller.create, - self.req, self.instance.uuid, - body=body) + self.common_policy_auth(self.project_action_authorized_contexts, + rule_name, + self.controller.create, + self.req, self.instance.uuid, + body=body) + + +class RemoteConsolesNoLegacyNoScopePolicyTest(RemoteConsolesPolicyTest): + """Test Remote Consoles APIs policies with no legacy deprecated rules + and no scope checks which means new defaults only. + + """ + without_deprecated_rules = True + + def setUp(self): + super(RemoteConsolesNoLegacyNoScopePolicyTest, self).setUp() + # With no legacy rule, only project admin or member will be + # able get server remote consoles. + self.project_action_authorized_contexts = ( + self.project_member_or_admin_with_no_scope_no_legacy) class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest): @@ -88,9 +96,14 @@ class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest): def setUp(self): super(RemoteConsolesScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + # Scope enable will not allow system admin to get server + # remote console. + self.project_action_authorized_contexts = ( + self.project_m_r_or_admin_with_scope_and_legacy) -class RemoteConsolesNoLegacyPolicyTest(RemoteConsolesScopeTypePolicyTest): +class RemoteConsolesScopeTypeNoLegacyPolicyTest( + RemoteConsolesScopeTypePolicyTest): """Test Remote Consoles APIs policies with system scope enabled, and no more deprecated rules that allow the legacy admin API to access system APIs. @@ -98,18 +111,8 @@ class RemoteConsolesNoLegacyPolicyTest(RemoteConsolesScopeTypePolicyTest): without_deprecated_rules = True def setUp(self): - super(RemoteConsolesNoLegacyPolicyTest, self).setUp() - # Check that system admin or and server owner is able to get server - # remote consoles. - self.admin_or_owner_authorized_contexts = [ - self.system_admin_context, - self.project_admin_context, self.project_member_context] - # Check that non-system/admin/owner is not able to get server - # remote consoles. - self.admin_or_owner_unauthorized_contexts = [ - self.legacy_admin_context, self.system_member_context, - self.system_reader_context, self.system_foo_context, - self.other_project_member_context, self.project_reader_context, - self.project_foo_context, - self.other_project_reader_context, - ] + super(RemoteConsolesScopeTypeNoLegacyPolicyTest, self).setUp() + # With scope enable and no legacy rule, only project admin/member + # will be able to get server remote console. + self.project_action_authorized_contexts = ( + self.project_member_or_admin_with_scope_no_legacy) |