Diffstat (limited to 'nova/tests/unit/policies/test_server_password.py')
-rw-r--r--nova/tests/unit/policies/test_server_password.py129
1 files changed, 57 insertions, 72 deletions
diff --git a/nova/tests/unit/policies/test_server_password.py b/nova/tests/unit/policies/test_server_password.py
index 1a28cf9f20..b163c6c562 100644
--- a/nova/tests/unit/policies/test_server_password.py
+++ b/nova/tests/unit/policies/test_server_password.py
@@ -10,8 +10,9 @@
# License for the specific language governing permissions and limitations
# under the License.
+from unittest import mock
+
import fixtures
-import mock
from oslo_utils.fixture import uuidsentinel as uuids
from nova.api.openstack.compute import server_password
@@ -41,51 +42,55 @@ class ServerPasswordPolicyTest(base.BasePolicyTest):
id=1, uuid=uuids.fake_id, project_id=self.project_id,
system_metadata={}, expected_attrs=['system_metadata'])
self.mock_get.return_value = self.instance
-
- # Check that admin or and server owner is able to
- # delete the server password.
- self.admin_or_owner_authorized_contexts = [
- self.legacy_admin_context, self.system_admin_context,
- self.project_admin_context, self.project_member_context,
- self.project_reader_context, self.project_foo_context]
- # Check that non-admin/owner is not able to delete
- # the server password.
- self.admin_or_owner_unauthorized_contexts = [
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.other_project_member_context,
- self.other_project_reader_context
- ]
- # Check that admin or and server owner is able to get
- # the server password.
- self.reader_authorized_contexts = [
+ # With legacy rule and no scope checks, all admin, project members
+ # project reader or other project role(because legacy rule allow server
+ # owner- having same project id and no role check) is able to delete,
+ # the server Password.
+ self.project_member_authorized_contexts = [
self.legacy_admin_context, self.system_admin_context,
- self.system_member_context, self.system_reader_context,
self.project_admin_context, self.project_member_context,
self.project_reader_context, self.project_foo_context]
- # Check that non-admin/owner is not able to get
- # the server password.
- self.reader_unauthorized_contexts = [
- self.system_foo_context, self.other_project_member_context,
- self.other_project_reader_context
- ]
+ # and they can get their own server password.
+ self.project_reader_authorized_contexts = (
+ self.project_member_authorized_contexts)
@mock.patch('nova.api.metadata.password.extract_password')
def test_index_server_password_policy(self, mock_pass):
rule_name = policies.BASE_POLICY_NAME % 'show'
- self.common_policy_check(self.reader_authorized_contexts,
- self.reader_unauthorized_contexts,
- rule_name,
- self.controller.index,
- self.req, self.instance.uuid)
+ self.common_policy_auth(self.project_reader_authorized_contexts,
+ rule_name,
+ self.controller.index,
+ self.req, self.instance.uuid)
@mock.patch('nova.api.metadata.password.convert_password')
def test_clear_server_password_policy(self, mock_pass):
rule_name = policies.BASE_POLICY_NAME % 'clear'
- self.common_policy_check(self.admin_or_owner_authorized_contexts,
- self.admin_or_owner_unauthorized_contexts,
- rule_name,
- self.controller.clear,
- self.req, self.instance.uuid)
+ self.common_policy_auth(self.project_member_authorized_contexts,
+ rule_name,
+ self.controller.clear,
+ self.req, self.instance.uuid)
+
+
+class ServerPasswordNoLegacyNoScopePolicyTest(ServerPasswordPolicyTest):
+ """Test Server Password APIs policies with no legacy deprecated rules
+ and no scope checks.
+
+ """
+
+ without_deprecated_rules = True
+ rules_without_deprecation = {
+ policies.BASE_POLICY_NAME % 'show':
+ base_policy.PROJECT_READER_OR_ADMIN,
+ policies.BASE_POLICY_NAME % 'clear':
+ base_policy.PROJECT_MEMBER_OR_ADMIN}
+
+ def setUp(self):
+ super(ServerPasswordNoLegacyNoScopePolicyTest, self).setUp()
+ # With no legacy rule, legacy admin loose power.
+ self.project_member_authorized_contexts = (
+ self.project_member_or_admin_with_no_scope_no_legacy)
+ self.project_reader_authorized_contexts = (
+ self.project_reader_or_admin_with_no_scope_no_legacy)
class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
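Review bot: The comment introducing `self.project_member_authorized_contexts` (the added lines right after `self.mock_get.return_value = self.instance`) is hard to parse, yet it is the only place recording why reader and foo contexts are allowed to clear a password; suggest `# With the legacy rule and no scope checks, every project-scoped role (admin, member, reader, foo) can clear the password, because the legacy rule checks project ownership only and not the role; legacy admin and system admin are allowed as well.` Replacing `common_policy_check` with `common_policy_auth` in `test_index_server_password_policy` and `test_clear_server_password_policy` drops the explicit unauthorized-context lists, so the denied side is presumably derived from the full context set inside the base helper, which is outside this hunk; it is worth confirming that `system_member_context`, `system_reader_context`, `system_foo_context` and the other-project contexts are still exercised for denial on both `index` and `clear`, since that negative coverage is what these tests exist for. The setUp comment in the new `ServerPasswordNoLegacyNoScopePolicyTest` reads `legacy admin loose power`; `# With no legacy rule, the legacy admin loses its access.` The `setUp` of `ServerPasswordPolicyTest` begins before this hunk.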
@@ -101,50 +106,30 @@ class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
def setUp(self):
super(ServerPasswordScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
+ # With Scope enable, system users no longer allowed.
+ self.project_member_authorized_contexts = (
+ self.project_m_r_or_admin_with_scope_and_legacy)
+ self.project_reader_authorized_contexts = (
+ self.project_m_r_or_admin_with_scope_and_legacy)
-class ServerPasswordNoLegacyPolicyTest(ServerPasswordScopeTypePolicyTest):
+class ServerPasswordScopeTypeNoLegacyPolicyTest(
+ ServerPasswordScopeTypePolicyTest):
"""Test Server Password APIs policies with system scope enabled,
- and no more deprecated rules that allow the legacy admin API to
- access system_admin_or_owner APIs.
+ and no more deprecated rules.
"""
without_deprecated_rules = True
rules_without_deprecation = {
policies.BASE_POLICY_NAME % 'show':
- base_policy.PROJECT_READER_OR_SYSTEM_READER,
+ base_policy.PROJECT_READER_OR_ADMIN,
policies.BASE_POLICY_NAME % 'clear':
- base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN}
+ base_policy.PROJECT_MEMBER_OR_ADMIN}
def setUp(self):
- super(ServerPasswordNoLegacyPolicyTest, self).setUp()
-
- # Check that system or projct admin or owner is able to clear
- # server password.
- self.admin_or_owner_authorized_contexts = [
- self.system_admin_context,
- self.project_admin_context, self.project_member_context]
- # Check that non-system and non-admin/owner is not able to clear
- # server password.
- self.admin_or_owner_unauthorized_contexts = [
- self.legacy_admin_context, self.project_reader_context,
- self.project_foo_context,
- self.system_member_context, self.system_reader_context,
- self.system_foo_context, self.other_project_member_context,
- self.other_project_reader_context]
-
- # Check that system reader or projct owner is able to get
- # server password.
- self.reader_authorized_contexts = [
- self.system_admin_context,
- self.project_admin_context, self.system_member_context,
- self.system_reader_context, self.project_reader_context,
- self.project_member_context,
- ]
-
- # Check that non-system reader nd non-admin/owner is not able to get
- # server password.
- self.reader_unauthorized_contexts = [
- self.legacy_admin_context, self.project_foo_context,
- self.system_foo_context, self.other_project_member_context,
- self.other_project_reader_context
- ]
+ super(ServerPasswordScopeTypeNoLegacyPolicyTest, self).setUp()
+ # With no legacy and scope enable, only project admin, member,
+ # and reader will be able to allowed operation on server password.
+ self.project_member_authorized_contexts = (
+ self.project_member_or_admin_with_scope_no_legacy)
+ self.project_reader_authorized_contexts = (
+ self.project_reader_or_admin_with_scope_no_legacy)
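Review bot: `rules_without_deprecation` on `ServerPasswordScopeTypeNoLegacyPolicyTest` is an exact duplicate of the mapping added on `ServerPasswordNoLegacyNoScopePolicyTest` earlier in the file (same two keys, same `PROJECT_READER_OR_ADMIN` / `PROJECT_MEMBER_OR_ADMIN` values); hoisting it into one module-level constant would keep the two no-legacy variants from drifting apart when a rule is changed. The two new setUp comments also need rewording: `# With scope enforcement enabled, system-scoped users are no longer allowed.` for `ServerPasswordScopeTypePolicyTest`, and `# With scope enforcement and no legacy rule, only project admin, member and reader contexts may operate on the server password.` for the no-legacy subclass. The pairing of the member variant with `clear` and the reader variant with `show` matches the rule mapping above it.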