Merge "Add test coverage of existing shelve policies"

2020-04-09 23:29:28 +00:00 · 2020-04-09 23:29:28 +00:00 · 06f43d5fde
parent d695b7dfbc 276775bcb2
commit 06f43d5fde
2 changed files with 137 additions and 125 deletions
--- a/nova/tests/unit/api/openstack/compute/test_shelve.py
+++ b/nova/tests/unit/api/openstack/compute/test_shelve.py
@ -13,7 +13,6 @@
 #    under the License.

 import mock
-from oslo_policy import policy as oslo_policy
 from oslo_serialization import jsonutils
 from oslo_utils.fixture import uuidsentinel
 import six
@ -24,7 +23,6 @@ from nova.api.openstack.compute import shelve as shelve_v21
 from nova.compute import task_states
 from nova.compute import vm_states
 from nova import exception
-from nova import policy
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@ -83,129 +81,6 @@ class ShelvePolicyTestV21(test.NoDBTestCase):
                          self.req, uuidsentinel.fake, {})


-class ShelvePolicyEnforcementV21(test.NoDBTestCase):
-
-    def setUp(self):
-        super(ShelvePolicyEnforcementV21, self).setUp()
-        self.controller = shelve_v21.ShelveController()
-        self.req = fakes.HTTPRequest.blank('')
-
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_shelve_restricted_by_role(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
-        rules = {'os_compute_api:os-shelve:shelve': 'role:admin'}
-        policy.set_rules(oslo_policy.Rules.from_dict(rules))
-
-        self.assertRaises(exception.Forbidden, self.controller._shelve,
-                self.req, uuidsentinel.fake, {})
-
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_shelve_policy_failed_with_other_project(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
-        rule_name = "os_compute_api:os-shelve:shelve"
-        self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
-        # Change the project_id in request context.
-        self.req.environ['nova.context'].project_id = 'other-project'
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller._shelve, self.req, fakes.FAKE_UUID,
-            body={'shelve': {}})
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % rule_name,
-            exc.format_message())
-
-    @mock.patch('nova.compute.api.API.shelve')
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_shelve_overridden_policy_pass_with_same_project(self,
-                                                             get_instance_mock,
-                                                             shelve_mock):
-        instance = fake_instance.fake_instance_obj(
-            self.req.environ['nova.context'],
-            project_id=self.req.environ['nova.context'].project_id)
-        get_instance_mock.return_value = instance
-        rule_name = "os_compute_api:os-shelve:shelve"
-        self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
-        self.controller._shelve(self.req, fakes.FAKE_UUID, body={'shelve': {}})
-        shelve_mock.assert_called_once_with(self.req.environ['nova.context'],
-                                          instance)
-
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_shelve_overridden_policy_failed_with_other_user_in_same_project(
-        self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
-        rule_name = "os_compute_api:os-shelve:shelve"
-        self.policy.set_rules({rule_name: "user_id:%(user_id)s"})
-        # Change the user_id in request context.
-        self.req.environ['nova.context'].user_id = 'other-user'
-        exc = self.assertRaises(exception.PolicyNotAuthorized,
-                                self.controller._shelve, self.req,
-                                fakes.FAKE_UUID, body={'shelve': {}})
-        self.assertEqual(
-                      "Policy doesn't allow %s to be performed." % rule_name,
-                      exc.format_message())
-
-    @mock.patch('nova.compute.api.API.shelve')
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_shelve_overridden_policy_pass_with_same_user(self,
-                                                        get_instance_mock,
-                                                        shelve_mock):
-        instance = fake_instance.fake_instance_obj(
-            self.req.environ['nova.context'],
-            user_id=self.req.environ['nova.context'].user_id)
-        get_instance_mock.return_value = instance
-        rule_name = "os_compute_api:os-shelve:shelve"
-        self.policy.set_rules({rule_name: "user_id:%(user_id)s"})
-        self.controller._shelve(self.req, fakes.FAKE_UUID, body={'shelve': {}})
-        shelve_mock.assert_called_once_with(self.req.environ['nova.context'],
-                                          instance)
-
-    def test_shelve_offload_restricted_by_role(self):
-        rules = {'os_compute_api:os-shelve:shelve_offload': 'role:admin'}
-        policy.set_rules(oslo_policy.Rules.from_dict(rules))
-
-        self.assertRaises(exception.Forbidden,
-                self.controller._shelve_offload, self.req,
-                uuidsentinel.fake, {})
-
-    def test_shelve_offload_policy_failed(self):
-        rule_name = "os_compute_api:os-shelve:shelve_offload"
-        self.policy.set_rules({rule_name: "project:non_fake"})
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller._shelve_offload, self.req, fakes.FAKE_UUID,
-            body={'shelve_offload': {}})
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % rule_name,
-            exc.format_message())
-
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_unshelve_restricted_by_role(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
-        rules = {'os_compute_api:os-shelve:unshelve': 'role:admin'}
-        policy.set_rules(oslo_policy.Rules.from_dict(rules))
-
-        self.assertRaises(exception.Forbidden, self.controller._unshelve,
-                self.req, uuidsentinel.fake, body={'unshelve': {}})
-
-    @mock.patch('nova.api.openstack.common.get_instance')
-    def test_unshelve_policy_failed(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
-        rule_name = "os_compute_api:os-shelve:unshelve"
-        self.policy.set_rules({rule_name: "project:non_fake"})
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller._unshelve, self.req, fakes.FAKE_UUID,
-            body={'unshelve': {}})
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % rule_name,
-            exc.format_message())
-
-
 class UnshelveServerControllerTestV277(test.NoDBTestCase):
    """Server controller test for microversion 2.77

--- a/nova/tests/unit/policies/test_shelve.py
+++ b/nova/tests/unit/policies/test_shelve.py
@ -0,0 +1,137 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import fixtures
+import mock
+from oslo_utils.fixture import uuidsentinel as uuids
+
+from nova.api.openstack.compute import shelve
+from nova.compute import vm_states
+from nova import exception
+from nova.policies import shelve as policies
+from nova.tests.unit.api.openstack import fakes
+from nova.tests.unit import fake_instance
+from nova.tests.unit.policies import base
+
+
+class ShelveServerPolicyTest(base.BasePolicyTest):
+    """Test Shelve server APIs policies with all possible context.
+    This class defines the set of context with different roles
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will call the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(ShelveServerPolicyTest, self).setUp()
+        self.controller = shelve.ShelveController()
+        self.req = fakes.HTTPRequest.blank('')
+        user_id = self.req.environ['nova.context'].user_id
+        self.mock_get = self.useFixture(
+            fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
+        self.instance = fake_instance.fake_instance_obj(
+            self.project_member_context,
+            id=1, uuid=uuids.fake_id, project_id=self.project_id,
+            user_id=user_id, vm_state=vm_states.ACTIVE)
+        self.mock_get.return_value = self.instance
+
+        # Check that admin or and server owner is able to shelve/unshelve
+        # the server
+        self.admin_or_owner_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context]
+        # Check that non-admin/owner is not able to shelve/unshelve
+        # the server
+        self.admin_or_owner_unauthorized_contexts = [
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context
+        ]
+        # Check that admin is able to shelve offload the server.
+        self.admin_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context]
+        # Check that non-admin is not able to shelve offload the server.
+        self.admin_unauthorized_contexts = [
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_member_context
+        ]
+
+    @mock.patch('nova.compute.api.API.shelve')
+    def test_shelve_server_policy(self, mock_shelve):
+        rule_name = policies.POLICY_ROOT % 'shelve'
+        self.common_policy_check(self.admin_or_owner_authorized_contexts,
+                                 self.admin_or_owner_unauthorized_contexts,
+                                 rule_name,
+                                 self.controller._shelve,
+                                 self.req, self.instance.uuid,
+                                 body={'shelve': {}})
+
+    @mock.patch('nova.compute.api.API.unshelve')
+    def test_unshelve_server_policy(self, mock_unshelve):
+        rule_name = policies.POLICY_ROOT % 'unshelve'
+        self.common_policy_check(self.admin_or_owner_authorized_contexts,
+                                 self.admin_or_owner_unauthorized_contexts,
+                                 rule_name,
+                                 self.controller._unshelve,
+                                 self.req, self.instance.uuid,
+                                 body={'unshelve': {}})
+
+    @mock.patch('nova.compute.api.API.shelve_offload')
+    def test_shelve_offload_server_policy(self, mock_offload):
+        rule_name = policies.POLICY_ROOT % 'shelve_offload'
+        self.common_policy_check(self.admin_authorized_contexts,
+                                 self.admin_unauthorized_contexts,
+                                 rule_name,
+                                 self.controller._shelve_offload,
+                                 self.req, self.instance.uuid,
+                                 body={'shelveOffload': {}})
+
+    def test_shelve_server_policy_failed_with_other_user(self):
+        # Change the user_id in request context.
+        req = fakes.HTTPRequest.blank('')
+        req.environ['nova.context'].user_id = 'other-user'
+        rule_name = policies.POLICY_ROOT % 'shelve'
+        self.policy.set_rules({rule_name: "user_id:%(user_id)s"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized, self.controller._shelve,
+            req, fakes.FAKE_UUID, body={'shelve': {}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
+
+    @mock.patch('nova.compute.api.API.shelve')
+    def test_shelve_sevrer_overridden_policy_pass_with_same_user(
+        self, mock_shelve):
+        rule_name = policies.POLICY_ROOT % 'shelve'
+        self.policy.set_rules({rule_name: "user_id:%(user_id)s"})
+        self.controller._shelve(self.req,
+                                fakes.FAKE_UUID,
+                                body={'shelve': {}})
+
+
+class ShelveServerScopeTypePolicyTest(ShelveServerPolicyTest):
+    """Test Shelve Server APIs policies with system scope enabled.
+    This class set the nova.conf [oslo_policy] enforce_scope to True
+    so that we can switch on the scope checking on oslo policy side.
+    It defines the set of context with scoped token
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will run the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(ShelveServerScopeTypePolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")