1 files changed, 38 insertions, 35 deletions

diff --git a/nova/tests/unit/policies/test_remote_consoles.py b/nova/tests/unit/policies/test_remote_consoles.py
index 825f78a938..a441d1c550 100644
--- a/nova/tests/unit/policies/test_remote_consoles.py
+++ b/nova/tests/unit/policies/test_remote_consoles.py
@@ -10,8 +10,9 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from unittest import mock
+
 import fixtures
-import mock
 from nova.policies import remote_consoles as rc_policies
 from oslo_utils.fixture import uuidsentinel as uuids
 from oslo_utils import timeutils
@@ -48,31 +49,38 @@ class RemoteConsolesPolicyTest(base.BasePolicyTest):
                 user_id=user_id, vm_state=vm_states.ACTIVE,
                 task_state=None, launched_at=timeutils.utcnow())
         self.mock_get.return_value = self.instance
-
-        # Check that admin or and server owner is able to get server
-        # remote consoles.
-        self.admin_or_owner_authorized_contexts = [
+        # With legacy rule and no scope checks, all admin, project members
+        # project reader or other project role(because legacy rule allow server
+        # owner- having same project id and no role check) is able to get
+        # server remote consoles.
+        self.project_action_authorized_contexts = [
             self.legacy_admin_context, self.system_admin_context,
             self.project_admin_context, self.project_member_context,
             self.project_reader_context, self.project_foo_context]
-        # Check that non-admin/owner is not able to get server
-        # remote consoles.
-        self.admin_or_owner_unauthorized_contexts = [
-            self.system_member_context, self.system_reader_context,
-            self.system_foo_context,
-            self.other_project_member_context,
-            self.other_project_reader_context,
-        ]
 
     def test_create_console_policy(self):
         rule_name = rc_policies.BASE_POLICY_NAME
         body = {'remote_console': {'protocol': 'vnc', 'type': 'novnc'}}
-        self.common_policy_check(self.admin_or_owner_authorized_contexts,
-                                 self.admin_or_owner_unauthorized_contexts,
-                                 rule_name,
-                                 self.controller.create,
-                                 self.req, self.instance.uuid,
-                                 body=body)
+        self.common_policy_auth(self.project_action_authorized_contexts,
+                                rule_name,
+                                self.controller.create,
+                                self.req, self.instance.uuid,
+                                body=body)
+
+
+class RemoteConsolesNoLegacyNoScopePolicyTest(RemoteConsolesPolicyTest):
+    """Test Remote Consoles APIs policies with no legacy deprecated rules
+    and no scope checks which means new defaults only.
+
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(RemoteConsolesNoLegacyNoScopePolicyTest, self).setUp()
+        # With no legacy rule, only project admin or member will be
+        # able get server remote consoles.
+        self.project_action_authorized_contexts = (
+            self.project_member_or_admin_with_no_scope_no_legacy)
 
 
 class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
@@ -88,9 +96,14 @@ class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
     def setUp(self):
         super(RemoteConsolesScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+        # Scope enable will not allow system admin to get server
+        # remote console.
+        self.project_action_authorized_contexts = (
+            self.project_m_r_or_admin_with_scope_and_legacy)
 
 
-class RemoteConsolesNoLegacyPolicyTest(RemoteConsolesScopeTypePolicyTest):
+class RemoteConsolesScopeTypeNoLegacyPolicyTest(
+        RemoteConsolesScopeTypePolicyTest):
     """Test Remote Consoles APIs policies with system scope enabled,
     and no more deprecated rules that allow the legacy admin API to
     access system APIs.
@@ -98,18 +111,8 @@ class RemoteConsolesNoLegacyPolicyTest(RemoteConsolesScopeTypePolicyTest):
     without_deprecated_rules = True
 
     def setUp(self):
-        super(RemoteConsolesNoLegacyPolicyTest, self).setUp()
-        # Check that system admin or and server owner is able to get server
-        # remote consoles.
-        self.admin_or_owner_authorized_contexts = [
-            self.system_admin_context,
-            self.project_admin_context, self.project_member_context]
-        # Check that non-system/admin/owner is not able to get server
-        # remote consoles.
-        self.admin_or_owner_unauthorized_contexts = [
-            self.legacy_admin_context, self.system_member_context,
-            self.system_reader_context, self.system_foo_context,
-            self.other_project_member_context, self.project_reader_context,
-            self.project_foo_context,
-            self.other_project_reader_context,
-        ]
+        super(RemoteConsolesScopeTypeNoLegacyPolicyTest, self).setUp()
+        # With scope enable and no legacy rule, only project admin/member
+        # will be able to get server remote console.
+        self.project_action_authorized_contexts = (
+            self.project_member_or_admin_with_scope_no_legacy)