Diffstat (limited to 'nova/tests/unit/policies/test_server_metadata.py')
-rw-r--r--nova/tests/unit/policies/test_server_metadata.py155
1 files changed, 68 insertions, 87 deletions
diff --git a/nova/tests/unit/policies/test_server_metadata.py b/nova/tests/unit/policies/test_server_metadata.py
index 89c6480adc..cf4fb19e7b 100644
--- a/nova/tests/unit/policies/test_server_metadata.py
+++ b/nova/tests/unit/policies/test_server_metadata.py
@@ -10,8 +10,9 @@
# License for the specific language governing permissions and limitations
# under the License.
+from unittest import mock
+
import fixtures
-import mock
from oslo_utils.fixture import uuidsentinel as uuids
from nova.api.openstack.compute import server_metadata
@@ -40,92 +41,88 @@ class ServerMetadataPolicyTest(base.BasePolicyTest):
id=1, uuid=uuids.fake_id, project_id=self.project_id)
self.mock_get.return_value = self.instance
- # Check that admin or and server owner is able to CRUD
- # the server metadata.
- self.admin_or_owner_authorized_contexts = [
- self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.project_member_context,
- self.project_reader_context, self.project_foo_context]
- # Check that non-admin/owner is not able to CRUD
- # the server metadata
- self.admin_or_owner_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.other_project_member_context,
- self.other_project_reader_context
- ]
- # Check that admin or and server owner is able to get
- # the server metadata.
- self.reader_authorized_contexts = [
+ # With legacy rule and no scope checks, all admin, project members
+ # project reader or other project role(because legacy rule allow server
+ # owner- having same project id and no role check) is able to create,
+ # update, and delete the server metadata.
+ self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
- self.system_member_context, self.system_reader_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
- # Check that non-admin/owner is not able to get
- # the server metadata.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.other_project_member_context,
- self.other_project_reader_context
- ]
+ # and they can get their own server metadata.
+ self.project_reader_authorized_contexts = (
+ self.project_member_authorized_contexts)
@mock.patch('nova.compute.api.API.get_instance_metadata')
def test_index_server_Metadata_policy(self, mock_get):
rule_name = policies.POLICY_ROOT % 'index'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name,
- self.controller.index,
- self.req, self.instance.uuid)
+ self.common_policy_auth(self.project_reader_authorized_contexts,
+ rule_name,
+ self.controller.index,
+ self.req, self.instance.uuid)
@mock.patch('nova.compute.api.API.get_instance_metadata')
def test_show_server_Metadata_policy(self, mock_get):
rule_name = policies.POLICY_ROOT % 'show'
mock_get.return_value = {'key9': 'value'}
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name,
- self.controller.show,
- self.req, self.instance.uuid, 'key9')
+ self.common_policy_auth(self.project_reader_authorized_contexts,
+ rule_name,
+ self.controller.show,
+ self.req, self.instance.uuid, 'key9')
@mock.patch('nova.compute.api.API.update_instance_metadata')
def test_create_server_Metadata_policy(self, mock_quota):
rule_name = policies.POLICY_ROOT % 'create'
- self.common_policy_check(self.admin_or_owner_authorized_contexts,
- self.admin_or_owner_unauthorized_contexts,
- rule_name,
- self.controller.create,
- self.req, self.instance.uuid,
- body={"metadata": {"key9": "value9"}})
+ self.common_policy_auth(self.project_member_authorized_contexts,
+ rule_name,
+ self.controller.create,
+ self.req, self.instance.uuid,
+ body={"metadata": {"key9": "value9"}})
@mock.patch('nova.compute.api.API.update_instance_metadata')
def test_update_server_Metadata_policy(self, mock_quota):
rule_name = policies.POLICY_ROOT % 'update'
- self.common_policy_check(self.admin_or_owner_authorized_contexts,
- self.admin_or_owner_unauthorized_contexts,
- rule_name,
- self.controller.update,
- self.req, self.instance.uuid, 'key9',
- body={"meta": {"key9": "value9"}})
+ self.common_policy_auth(self.project_member_authorized_contexts,
+ rule_name,
+ self.controller.update,
+ self.req, self.instance.uuid, 'key9',
+ body={"meta": {"key9": "value9"}})
@mock.patch('nova.compute.api.API.update_instance_metadata')
def test_update_all_server_Metadata_policy(self, mock_quota):
rule_name = policies.POLICY_ROOT % 'update_all'
- self.common_policy_check(self.admin_or_owner_authorized_contexts,
- self.admin_or_owner_unauthorized_contexts,
- rule_name,
- self.controller.update_all,
- self.req, self.instance.uuid,
- body={"metadata": {"key9": "value9"}})
+ self.common_policy_auth(self.project_member_authorized_contexts,
+ rule_name,
+ self.controller.update_all,
+ self.req, self.instance.uuid,
+ body={"metadata": {"key9": "value9"}})
@mock.patch('nova.compute.api.API.get_instance_metadata')
@mock.patch('nova.compute.api.API.delete_instance_metadata')
def test_delete_server_Metadata_policy(self, mock_delete, mock_get):
rule_name = policies.POLICY_ROOT % 'delete'
mock_get.return_value = {'key9': 'value'}
- self.common_policy_check(self.admin_or_owner_authorized_contexts,
- self.admin_or_owner_unauthorized_contexts,
- rule_name,
- self.controller.delete,
- self.req, self.instance.uuid, 'key9')
+ self.common_policy_auth(self.project_member_authorized_contexts,
+ rule_name,
+ self.controller.delete,
+ self.req, self.instance.uuid, 'key9')
+
+
+class ServerMetadataNoLegacyNoScopePolicyTest(ServerMetadataPolicyTest):
+ """Test Server Metadata APIs policies with no legacy deprecated rules
+ and no scope checks which means new defaults only.
+
+ """
+
+ without_deprecated_rules = True
+
+ def setUp(self):
+ super(ServerMetadataNoLegacyNoScopePolicyTest, self).setUp()
+ # With no legacy rule, legacy admin loose power.
+ self.project_member_authorized_contexts = (
+ self.project_member_or_admin_with_no_scope_no_legacy)
+ self.project_reader_authorized_contexts = (
+ self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
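Review bot: The negative half of every check in this hunk is now implicit: the explicit `*_unauthorized_contexts` lists are dropped and each `common_policy_auth` call passes only the authorized set, so whether `other_project_*` and `system_*` contexts are still asserted as denied depends on how the base helper derives the complement, which is not visible here. A one-line comment in setUp should make that dependency explicit, e.g. `# Contexts not listed here are checked as denied by common_policy_auth.`, worded to match what base.BasePolicyTest actually does. The comment introducing the new list also reads awkwardly; a cleaner form is `# With the legacy rule and no scope checks, admins and every role in the owning project (member, reader, or no role at all, since the legacy owner rule only compares project_id) can create, update and delete server metadata.` The `ServerMetadataNoLegacyNoScopePolicyTest` docstring carries a stray blank line before its closing quotes.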
@@ -141,9 +138,15 @@ class ServerMetadataScopeTypePolicyTest(ServerMetadataPolicyTest):
def setUp(self):
super(ServerMetadataScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
+ # With Scope enable, system users no longer allowed.
+ self.project_member_authorized_contexts = (
+ self.project_m_r_or_admin_with_scope_and_legacy)
+ self.project_reader_authorized_contexts = (
+ self.project_m_r_or_admin_with_scope_and_legacy)
-class ServerMetadataNoLegacyPolicyTest(ServerMetadataScopeTypePolicyTest):
+class ServerMetadataScopeTypeNoLegacyPolicyTest(
+ ServerMetadataScopeTypePolicyTest):
"""Test Server Metadata APIs policies with system scope enabled,
and no more deprecated rules that allow the legacy admin API to
access system APIs.
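Review bot: Both `project_member_authorized_contexts` and `project_reader_authorized_contexts` are assigned the same `project_m_r_or_admin_with_scope_and_legacy` list, but the comment only explains the system-user exclusion, not why the reader set no longer differs from the member set; from the legacy-rule comment earlier in the file this appears to be because the deprecated owner rule does not distinguish project roles. Suggest `# With scope enforced, system users are no longer allowed; the legacy owner rule still does not distinguish project roles, so the member and reader sets are identical.` The renamed class's docstring in this hunk's trailing context still says the deprecated rules "allow the legacy admin API to access system APIs", while server metadata is a project-owned resource; it may be worth rewording to say what is actually being removed for this API. The enclosing setUp starts inside the hunk but its class begins before it.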
@@ -151,32 +154,10 @@ class ServerMetadataNoLegacyPolicyTest(ServerMetadataScopeTypePolicyTest):
without_deprecated_rules = True
def setUp(self):
- super(ServerMetadataNoLegacyPolicyTest, self).setUp()
- # Check that system admin or project member is able to create, update
- # and delete the server metadata.
- self.admin_or_owner_authorized_contexts = [
- self.system_admin_context, self.project_admin_context,
- self.project_member_context]
- # Check that non-system/admin/member is not able to create, update
- # and delete the server metadata.
- self.admin_or_owner_unauthorized_contexts = [
- self.legacy_admin_context, self.system_reader_context,
- self.system_foo_context, self.system_member_context,
- self.project_reader_context, self.project_foo_context,
- self.other_project_member_context,
- self.other_project_reader_context
- ]
- # Check that system admin or project member is able to
- # get the server metadata.
- self.reader_authorized_contexts = [
- self.system_admin_context,
- self.system_member_context, self.system_reader_context,
- self.project_admin_context, self.project_member_context,
- self.project_reader_context]
- # Check that non-system/admin/member is not able to
- # get the server metadata.
- self.reader_unauthorized_contexts = [
- self.legacy_admin_context, self.system_foo_context,
- self.project_foo_context, self.other_project_member_context,
- self.other_project_reader_context
- ]
+ super(ServerMetadataScopeTypeNoLegacyPolicyTest, self).setUp()
+ # With no legacy and scope enable, only project admin, member,
+ # and reader will be able to allowed operation on server metadata.
+ self.project_member_authorized_contexts = (
+ self.project_member_or_admin_with_scope_no_legacy)
+ self.project_reader_authorized_contexts = (
+ self.project_reader_or_admin_with_scope_no_legacy)
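Review bot: The comment at the top of the rewritten setUp is ungrammatical ("will be able to allowed operation") and, unlike the lists it replaces, no longer states that the legacy admin context is now denied, which was the security-relevant outcome the old explicit unauthorized list documented. Suggest `# With scope enforced and no legacy rule, only project admin, member and reader contexts may operate on server metadata; the legacy admin context is no longer accepted.` The last clause is inferred from the removed lists and from `without_deprecated_rules = True`, so confirm it against the `*_with_scope_no_legacy` helper lists before adding it.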