Diffstat (limited to 'nova/tests/unit/policies/test_hosts.py')
-rw-r--r-- | nova/tests/unit/policies/test_hosts.py | 160 |
1 files changed, 53 insertions, 107 deletions
diff --git a/nova/tests/unit/policies/test_hosts.py b/nova/tests/unit/policies/test_hosts.py
index cdce7d2b1c..e07c907cf8 100644
--- a/nova/tests/unit/policies/test_hosts.py
+++ b/nova/tests/unit/policies/test_hosts.py
@@ -10,7 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-import mock
+from unittest import mock
 from nova.api.openstack.compute import hosts
 from nova.policies import base as base_policy
@@ -32,37 +32,19 @@ class HostsPolicyTest(base.BasePolicyTest): self.controller = hosts.HostController() self.req = fakes.HTTPRequest.blank('') - # Check that admin is able to perform operations on hosts. - self.system_admin_authorized_contexts = [ - self.system_admin_context, self.legacy_admin_context, + # With legacy rule and scope check disabled by default, system admin, + # legacy admin, and project admin will be able to perform hosts + # Operations. + self.project_admin_authorized_contexts = [ + self.legacy_admin_context, self.system_admin_context, self.project_admin_context] - # Check that non-admin is not able to perform operations - # on hosts. - self.system_admin_unauthorized_contexts = [ - self.system_member_context, self.system_reader_context, - self.system_foo_context, self.other_project_member_context, - self.project_foo_context, self.project_member_context, - self.project_reader_context, self.other_project_reader_context - ] - self.system_reader_authorized_contexts = [ - self.system_admin_context, self.system_member_context, - self.system_reader_context, self.legacy_admin_context, - self.project_admin_context - ] - self.system_reader_unauthorized_contexts = [ - self.project_foo_context, self.system_foo_context, - self.project_member_context, self.project_reader_context, - self.other_project_member_context, - self.other_project_reader_context - ] @mock.patch('nova.compute.api.HostAPI.service_get_all') def test_list_hosts_policy(self, mock_get): rule_name = policies.POLICY_NAME % 'list' - self.common_policy_check(self.system_reader_authorized_contexts, - self.system_reader_unauthorized_contexts, - rule_name, self.controller.index, - self.req) + self.common_policy_auth(self.project_admin_authorized_contexts, + rule_name, self.controller.index, + self.req) @mock.patch('nova.context.set_target_cell') @mock.patch('nova.objects.HostMapping.get_by_host') 
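Review bot: The negative half of each authorization check becomes implicit in this hunk: test_list_hosts_policy now passes only `self.project_admin_authorized_contexts` to `common_policy_auth`, whereas the removed `common_policy_check` call asserted the unauthorized contexts (members, readers, foo roles, other-project users) explicitly. If base.BasePolicyTest derives the denied set as every known context minus the authorized list, the test still proves non-admins are rejected; if it does not, the regression that matters most for a host listing/power/update API (a non-admin getting through) is no longer covered, so this is worth confirming against the base class. A one-line comment above the list would make that contract visible to the next reader, e.g. `# common_policy_auth treats every context not listed here as unauthorized.` The setUp this list belongs to starts outside the hunk.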
@@ -71,41 +53,48 @@ class HostsPolicyTest(base.BasePolicyTest): @mock.patch('nova.compute.api.HostAPI.instance_get_all_by_host') def test_show_host_policy(self, mock_get, mock_node, mock_map, mock_set): rule_name = policies.POLICY_NAME % 'show' - self.common_policy_check(self.system_reader_authorized_contexts, - self.system_reader_unauthorized_contexts, - rule_name, self.controller.show, - self.req, 11111) + self.common_policy_auth(self.project_admin_authorized_contexts, + rule_name, self.controller.show, + self.req, 11111) def test_update_host_policy(self): rule_name = policies.POLICY_NAME % 'update' - self.common_policy_check(self.system_admin_authorized_contexts, - self.system_admin_unauthorized_contexts, - rule_name, self.controller.update, - self.req, 11111, body={}) + self.common_policy_auth(self.project_admin_authorized_contexts, + rule_name, self.controller.update, + self.req, 11111, body={}) @mock.patch('nova.compute.api.HostAPI.host_power_action') def test_reboot_host_policy(self, mock_action): rule_name = policies.POLICY_NAME % 'reboot' - self.common_policy_check(self.system_admin_authorized_contexts, - self.system_admin_unauthorized_contexts, - rule_name, self.controller.reboot, - self.req, 11111) + self.common_policy_auth(self.project_admin_authorized_contexts, + rule_name, self.controller.reboot, + self.req, 11111) @mock.patch('nova.compute.api.HostAPI.host_power_action') def test_shutdown_host_policy(self, mock_action): rule_name = policies.POLICY_NAME % 'shutdown' - self.common_policy_check(self.system_admin_authorized_contexts, - self.system_admin_unauthorized_contexts, - rule_name, self.controller.shutdown, - self.req, 11111) + self.common_policy_auth(self.project_admin_authorized_contexts, + rule_name, self.controller.shutdown, + self.req, 11111) @mock.patch('nova.compute.api.HostAPI.host_power_action') def test_startup_host_policy(self, mock_action): rule_name = policies.POLICY_NAME % 'start' - 
self.common_policy_check(self.system_admin_authorized_contexts, - self.system_admin_unauthorized_contexts, - rule_name, self.controller.startup, - self.req, 11111) + self.common_policy_auth(self.project_admin_authorized_contexts, + rule_name, self.controller.startup, + self.req, 11111) + + +class HostsNoLegacyNoScopePolicyTest(HostsPolicyTest): + """Test Hosts APIs policies with no legacy deprecated rules + and no scope checks which means new defaults only. In this case + system admin, legacy admin, and project admin will be able to perform + hosts Operations. Legacy admin will be allowed as policy is just admin + if no scope checks. + + """ + + without_deprecated_rules = True class HostsScopeTypePolicyTest(HostsPolicyTest): 
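Review bot: The new HostsNoLegacyNoScopePolicyTest sets `without_deprecated_rules = True` but, unlike HostsScopeTypeNoLegacyPolicyTest later in the file, defines no `rules_without_deprecation`. If the base class only swaps in the rules listed in that mapping, this subclass still runs with the deprecated defaults in place and never exercises the "new defaults only" behaviour its docstring promises; because its expected contexts are identical to the parent's, the test would pass either way and the gap would go unnoticed. Giving it the same mapping as the scope variant (keyed with `'start'`, the name test_startup_host_policy actually formats) makes the class test what it claims; if the base strips deprecated rules on the flag alone, a comment saying so would spare the next reader the trip. The `class HostsScopeTypePolicyTest(HostsPolicyTest):` line at the end of the hunk opens a body that continues outside it.

```python
class HostsNoLegacyNoScopePolicyTest(HostsPolicyTest):
    # … unchanged: docstring …

    without_deprecated_rules = True
    rules_without_deprecation = {
        policies.POLICY_NAME % 'list': base_policy.ADMIN,
        policies.POLICY_NAME % 'show': base_policy.ADMIN,
        policies.POLICY_NAME % 'update': base_policy.ADMIN,
        policies.POLICY_NAME % 'reboot': base_policy.ADMIN,
        policies.POLICY_NAME % 'shutdown': base_policy.ADMIN,
        policies.POLICY_NAME % 'start': base_policy.ADMIN,
    }
```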
@@ -122,72 +111,29 @@ class HostsScopeTypePolicyTest(HostsPolicyTest): super(HostsScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") - # Check that system admin is able to perform operations on hosts. - self.system_admin_authorized_contexts = [ - self.system_admin_context] - # Check that system non-admin is not able to perform operations - # on hosts. - self.system_admin_unauthorized_contexts = [ - self.legacy_admin_context, self.project_admin_context, - self.system_member_context, self.system_reader_context, - self.system_foo_context, self.other_project_member_context, - self.project_foo_context, self.project_member_context, - self.project_reader_context, self.other_project_reader_context - ] - self.system_reader_authorized_contexts = [ - self.system_admin_context, self.system_member_context, - self.system_reader_context - ] - self.system_reader_unauthorized_contexts = [ - self.legacy_admin_context, self.project_foo_context, - self.system_foo_context, self.project_admin_context, - self.project_member_context, self.project_reader_context, - self.other_project_member_context, - self.other_project_reader_context - ] - - -class HostsNoLegacyPolicyTest(HostsScopeTypePolicyTest): - """Test Hosts APIs policies with system scope enabled, - and no more deprecated rules that allow the legacy admin API to - access system_admin_or_owner APIs. + # With scope checks enable, only system admin is able to perform + # hosts Operations. + self.project_admin_authorized_contexts = [self.legacy_admin_context, + self.project_admin_context] + + +class HostsScopeTypeNoLegacyPolicyTest(HostsScopeTypePolicyTest): + """Test Hosts APIs policies with with no legacy deprecated rules + and scope checks enabled which means scope + new defaults. So + only system admin is able to perform hosts Operations. 
""" + without_deprecated_rules = True rules_without_deprecation = { policies.POLICY_NAME % 'list': - base_policy.SYSTEM_READER, + base_policy.ADMIN, policies.POLICY_NAME % 'show': - base_policy.SYSTEM_READER, + base_policy.ADMIN, policies.POLICY_NAME % 'update': - base_policy.SYSTEM_ADMIN, + base_policy.ADMIN, policies.POLICY_NAME % 'reboot': - base_policy.SYSTEM_ADMIN, + base_policy.ADMIN, policies.POLICY_NAME % 'shutdown': - base_policy.SYSTEM_ADMIN, + base_policy.ADMIN, policies.POLICY_NAME % 'startup': - base_policy.SYSTEM_ADMIN} - - def setUp(self): - super(HostsNoLegacyPolicyTest, self).setUp() - - self.system_reader_authorized_contexts = [ - self.system_admin_context, self.system_member_context, - self.system_reader_context - ] - self.system_reader_unauthorized_contexts = [ - self.legacy_admin_context, self.project_foo_context, - self.system_foo_context, self.project_admin_context, - self.project_member_context, self.project_reader_context, - self.other_project_member_context, - self.other_project_reader_context - ] - self.system_admin_authorized_contexts = [ - self.system_admin_context - ] - self.system_admin_unauthorized_contexts = [ - self.system_member_context, self.system_reader_context, - self.project_admin_context, self.project_member_context, - self.legacy_admin_context, self.other_project_member_context, - self.project_reader_context, self.project_foo_context, - self.system_foo_context, self.other_project_reader_context - ] + base_policy.ADMIN} |
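Review bot: The comment added in HostsScopeTypePolicyTest.setUp says `only system admin is able to perform hosts Operations`, but the list directly under it is `[self.legacy_admin_context, self.project_admin_context]` and omits system_admin_context; the HostsScopeTypeNoLegacyPolicyTest docstring repeats the same claim (and has a doubled "with with"). With scope enforcement on and every rule re-pointed at `base_policy.ADMIN`, the list reads as the intended behaviour, so the comment should say `# With scope checks enabled, only project-scoped admins (legacy admin and project admin) can perform hosts operations.` and the docstring should be corrected the same way. Separately, `rules_without_deprecation` keys its last entry as `policies.POLICY_NAME % 'startup'` while test_startup_host_policy formats `policies.POLICY_NAME % 'start'`; if both use the same template, the override never reaches the rule that test checks, and the start test then runs against the unmodified default rather than the ADMIN rule this class exists to pin. The commit only re-values that entry, so the mismatch is inherited rather than introduced, but `policies.POLICY_NAME % 'start': base_policy.ADMIN}` is the line to fix here.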