[placement] Add functional test to verify presence of policy

Add a test that traverses all available placement URLs at the latest microversion and tries to access them as non-admin. If something other than a 403 response is given a failed test with a message like method POST on route /resource_providers/{uuid}/inventories is open for user, status: 404 is produced. This works because we do authZ handling early in each handler, before data processing and path parameter handling. The method is pretty straightforward: traverse ROUTE_DECLARATIONS, visit every url with each the declared methods, except the root version document, and confirm a 403 response when the provided auth token is non-admin. This has been created to avoid situations where a route is added without policy like happened on https://review.openstack.org/#/c/576927/ . Until recently we had a failover where any route not defined to have policy would default to admin. That went away so now we need some test automation to catch our forgetful humanness. Change-Id: Id582886ec4b621b97d7cc7237b4670ad7bb12295
2018-08-23 10:27:53 +01:00 · 2018-08-23 10:27:53 +01:00 · 3a24000514
parent 5ffc7f3fb8
commit 3a24000514
1 changed files with 50 additions and 0 deletions
--- a/nova/tests/functional/api/openstack/placement/test_verify_policy.py
+++ b/nova/tests/functional/api/openstack/placement/test_verify_policy.py
@ -0,0 +1,50 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_config import cfg
+
+from nova.api.openstack.placement import direct
+from nova.api.openstack.placement import handler
+from nova.tests.functional.api.openstack.placement import base
+
+
+CONF = cfg.CONF
+
+
+class TestVerifyPolicy(base.TestCase):
+    """Verify that all defined placement routes have a policy."""
+
+    # Paths that don't need a policy check
+    EXCEPTIONS = ['/', '']
+
+    def _test_request_403(self, client, method, route):
+        headers = {
+            'x-auth-token': 'user',
+            'content-type': 'application/json'
+        }
+        request_method = getattr(client, method.lower())
+        # We send an empty request body on all requests. Because
+        # policy handling comes before other processing, the value
+        # of the body is irrelevant.
+        response = request_method(route, data='', headers=headers)
+        self.assertEqual(
+            403, response.status_code,
+            'method %s on route %s is open for user, status: %s' %
+            (method, route, response.status_code))
+
+    def test_verify_policy(self):
+        with direct.PlacementDirect(CONF, latest_microversion=True) as client:
+            for route, methods in handler.ROUTE_DECLARATIONS.items():
+                if route in self.EXCEPTIONS:
+                    continue
+                for method in methods:
+                    self._test_request_403(client, method, route)