Merge "Add test coverage of existing remote console policies"

2020-04-01 17:12:07 +00:00 · 2020-04-01 17:12:07 +00:00 · 67f278ab04
parent 493bf817dd fb1dd345a9
commit 67f278ab04
3 changed files with 113 additions and 70 deletions
--- a/nova/api/openstack/compute/remote_consoles.py
+++ b/nova/api/openstack/compute/remote_consoles.py
@ -155,8 +155,9 @@ class RemoteConsolesController(wsgi.Controller):
    @validation.schema(remote_consoles.create_v28, "2.8")
    def create(self, req, server_id, body):
        context = req.environ['nova.context']
-        context.can(rc_policies.BASE_POLICY_NAME)
        instance = common.get_instance(self.compute_api, context, server_id)
+        context.can(rc_policies.BASE_POLICY_NAME,
+                    target={'project_id': instance.project_id})
        protocol = body['remote_console']['protocol']
        console_type = body['remote_console']['type']
        try:
--- a/nova/tests/unit/api/openstack/compute/test_remote_consoles.py
+++ b/nova/tests/unit/api/openstack/compute/test_remote_consoles.py
@ -24,6 +24,7 @@ from nova import exception
 from nova import objects
 from nova import test
 from nova.tests.unit.api.openstack import fakes
+from nova.tests.unit import fake_instance


 class ConsolesExtensionTestV21(test.NoDBTestCase):
@ -366,10 +367,12 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.context = self.req.environ['nova.context']
        self.req.api_version_request = api_version_request.APIVersionRequest(
            '2.6')
+        self.instance = fake_instance.fake_instance_obj(self.context)
+        self.stub_out('nova.compute.api.API.get',
+                      lambda *a, **kw: self.instance)
        self.controller = console_v21.RemoteConsolesController()

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_vnc_console(self, mock_get):
+    def test_create_vnc_console(self):
        mock_handler = mock.MagicMock()
        mock_handler.return_value = {'url': "http://fake"}
        self.controller.handlers['vnc'] = mock_handler
@ -379,11 +382,10 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertEqual({'remote_console': {'protocol': 'vnc',
                                             'type': 'novnc',
                                             'url': 'http://fake'}}, output)
-        mock_handler.assert_called_once_with(self.context, 'fake_instance',
+        mock_handler.assert_called_once_with(self.context, self.instance,
                                             'novnc')

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_spice_console(self, mock_get):
+    def test_create_spice_console(self):
        mock_handler = mock.MagicMock()
        mock_handler.return_value = {'url': "http://fake"}
        self.controller.handlers['spice'] = mock_handler
@ -394,11 +396,10 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertEqual({'remote_console': {'protocol': 'spice',
                                             'type': 'spice-html5',
                                             'url': 'http://fake'}}, output)
-        mock_handler.assert_called_once_with(self.context, 'fake_instance',
+        mock_handler.assert_called_once_with(self.context, self.instance,
                                             'spice-html5')

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_rdp_console(self, mock_get):
+    def test_create_rdp_console(self):
        mock_handler = mock.MagicMock()
        mock_handler.return_value = {'url': "http://fake"}
        self.controller.handlers['rdp'] = mock_handler
@ -408,11 +409,10 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertEqual({'remote_console': {'protocol': 'rdp',
                                             'type': 'rdp-html5',
                                             'url': 'http://fake'}}, output)
-        mock_handler.assert_called_once_with(self.context, 'fake_instance',
+        mock_handler.assert_called_once_with(self.context, self.instance,
                                             'rdp-html5')

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_serial_console(self, mock_get):
+    def test_create_serial_console(self):
        mock_handler = mock.MagicMock()
        mock_handler.return_value = {'url': "ws://fake"}
        self.controller.handlers['serial'] = mock_handler
@ -422,11 +422,10 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertEqual({'remote_console': {'protocol': 'serial',
                                             'type': 'serial',
                                             'url': 'ws://fake'}}, output)
-        mock_handler.assert_called_once_with(self.context, 'fake_instance',
+        mock_handler.assert_called_once_with(self.context, self.instance,
                                             'serial')

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_instance_not_ready(self, mock_get):
+    def test_create_console_instance_not_ready(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = exception.InstanceNotReady(
            instance_id='xxx')
@ -436,8 +435,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPConflict, self.controller.create,
                          self.req, fakes.FAKE_UUID, body=body)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_unavailable(self, mock_get):
+    def test_create_console_unavailable(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = exception.ConsoleTypeUnavailable(
            console_type='vnc')
@ -448,8 +446,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
                          self.req, fakes.FAKE_UUID, body=body)
        self.assertTrue(mock_handler.called)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_not_found(self, mock_get):
+    def test_create_console_not_found(self,):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = exception.InstanceNotFound(
            instance_id='xxx')
@ -459,8 +456,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPNotFound, self.controller.create,
                          self.req, fakes.FAKE_UUID, body=body)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_not_implemented(self, mock_get):
+    def test_create_console_not_implemented(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = NotImplementedError()
        self.controller.handlers['vnc'] = mock_handler
@ -469,8 +465,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPNotImplemented, self.controller.create,
                          self.req, fakes.FAKE_UUID, body=body)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_nport_invalid(self, mock_get):
+    def test_create_console_nport_invalid(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = exception.ImageSerialPortNumberInvalid(
            num_ports='x', property="hw_serial_port_count")
@ -480,8 +475,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
                          self.req, fakes.FAKE_UUID, body=body)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_nport_exceed(self, mock_get):
+    def test_create_console_nport_exceed(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = (
            exception.ImageSerialPortNumberExceedFlavorValue())
@ -491,8 +485,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
                          self.req, fakes.FAKE_UUID, body=body)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_socket_exhausted(self, mock_get):
+    def test_create_console_socket_exhausted(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = (
            exception.SocketPortRangeExhaustedException(host='127.0.0.1'))
@ -502,8 +495,7 @@ class ConsolesExtensionTestV26(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
                          self.req, fakes.FAKE_UUID, body=body)

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_console_invalid_type(self, mock_get):
+    def test_create_console_invalid_type(self):
        mock_handler = mock.MagicMock()
        mock_handler.side_effect = (
            exception.ConsoleTypeInvalid(console_type='invalid_type'))
@ -522,8 +514,7 @@ class ConsolesExtensionTestV28(ConsolesExtensionTestV26):
            '2.8')
        self.controller = console_v21.RemoteConsolesController()

-    @mock.patch.object(compute_api.API, 'get', return_value='fake_instance')
-    def test_create_mks_console(self, mock_get):
+    def test_create_mks_console(self):
        mock_handler = mock.MagicMock()
        mock_handler.return_value = {'url': "http://fake"}
        self.controller.handlers['mks'] = mock_handler
@ -533,43 +524,5 @@ class ConsolesExtensionTestV28(ConsolesExtensionTestV26):
        self.assertEqual({'remote_console': {'protocol': 'mks',
                                             'type': 'webmks',
                                             'url': 'http://fake'}}, output)
-        mock_handler.assert_called_once_with(self.context, 'fake_instance',
+        mock_handler.assert_called_once_with(self.context, self.instance,
                                             'webmks')
-
-
-class TestRemoteConsolePolicyEnforcementV21(test.NoDBTestCase):
-
-    def setUp(self):
-        super(TestRemoteConsolePolicyEnforcementV21, self).setUp()
-        self.controller = console_v21.RemoteConsolesController()
-        self.req = fakes.HTTPRequest.blank('')
-
-    def _common_policy_check(self, func, *arg, **kwarg):
-        rule_name = "os_compute_api:os-remote-consoles"
-        rule = {rule_name: "project:non_fake"}
-        self.policy.set_rules(rule)
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized, func, *arg, **kwarg)
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % rule_name,
-            exc.format_message())
-
-    def test_remote_vnc_console_policy_failed(self):
-        body = {'os-getVNCConsole': {'type': 'novnc'}}
-        self._common_policy_check(self.controller.get_vnc_console, self.req,
-                                  fakes.FAKE_UUID, body=body)
-
-    def test_remote_splice_console_policy_failed(self):
-        body = {'os-getSPICEConsole': {'type': 'spice-html5'}}
-        self._common_policy_check(self.controller.get_spice_console, self.req,
-                                  fakes.FAKE_UUID, body=body)
-
-    def test_remote_rdp_console_policy_failed(self):
-        body = {'os-getRDPConsole': {'type': 'rdp-html5'}}
-        self._common_policy_check(self.controller.get_rdp_console, self.req,
-                                  fakes.FAKE_UUID, body=body)
-
-    def test_remote_serial_console_policy_failed(self):
-        body = {'os-getSerialConsole': {'type': 'serial'}}
-        self._common_policy_check(self.controller.get_serial_console, self.req,
-                                  fakes.FAKE_UUID, body=body)
--- a/nova/tests/unit/policies/test_remote_consoles.py
+++ b/nova/tests/unit/policies/test_remote_consoles.py
@ -0,0 +1,89 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import fixtures
+import mock
+from nova.policies import remote_consoles as rc_policies
+from oslo_utils.fixture import uuidsentinel as uuids
+from oslo_utils import timeutils
+
+from nova.api.openstack.compute import remote_consoles
+from nova.compute import vm_states
+from nova.tests.unit.api.openstack import fakes
+from nova.tests.unit import fake_instance
+from nova.tests.unit.policies import base
+
+
+class RemoteConsolesPolicyTest(base.BasePolicyTest):
+    """Test Remote Consoles APIs policies with all possible context.
+    This class defines the set of context with different roles
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will call the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(RemoteConsolesPolicyTest, self).setUp()
+        self.controller = remote_consoles.RemoteConsolesController()
+        mock_handler = mock.MagicMock()
+        mock_handler.return_value = {'url': "http://fake"}
+        self.controller.handlers['vnc'] = mock_handler
+        self.req = fakes.HTTPRequest.blank('', version='2.6')
+        user_id = self.req.environ['nova.context'].user_id
+        self.mock_get = self.useFixture(
+            fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
+        uuid = uuids.fake_id
+        self.instance = fake_instance.fake_instance_obj(
+                self.project_member_context,
+                id=1, uuid=uuid, project_id=self.project_id,
+                user_id=user_id, vm_state=vm_states.ACTIVE,
+                task_state=None, launched_at=timeutils.utcnow())
+        self.mock_get.return_value = self.instance
+
+        # Check that admin or and server owner is able to get server
+        # remote consoles.
+        self.admin_or_owner_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context]
+        # Check that non-admin/owner is not able to get server
+        # remote consoles.
+        self.admin_or_owner_unauthorized_contexts = [
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context
+        ]
+
+    def test_create_console_policy(self):
+        rule_name = rc_policies.BASE_POLICY_NAME
+        body = {'remote_console': {'protocol': 'vnc', 'type': 'novnc'}}
+        self.common_policy_check(self.admin_or_owner_authorized_contexts,
+                                 self.admin_or_owner_unauthorized_contexts,
+                                 rule_name,
+                                 self.controller.create,
+                                 self.req, self.instance.uuid,
+                                 body=body)
+
+
+class RemoteConsolesScopeTypePolicyTest(RemoteConsolesPolicyTest):
+    """Test Remote Consoles APIs policies with system scope enabled.
+    This class set the nova.conf [oslo_policy] enforce_scope to True
+    so that we can switch on the scope checking on oslo policy side.
+    It defines the set of context with scoped token
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will run the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(RemoteConsolesScopeTypePolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")