[placement] Add functional test to verify presence of policy

Add a test that traverses all available placement URLs at the latest microversion and tries to access them as non-admin. If something other than a 403 response is given, a failed test with a message like

    method POST on route /resource_providers/{uuid}/inventories is open for user, status: 404

is produced. This works because we do authZ handling early in each handler, before data processing and path parameter handling.

The method is pretty straightforward: traverse ROUTE_DECLARATIONS, visit every URL with each of the declared methods, except the root version document, and confirm a 403 response when the provided auth token is non-admin.

This has been created to avoid situations where a route is added without policy, like happened on https://review.openstack.org/#/c/576927/ . Until recently we had a failover where any route not defined to have policy would default to admin. That went away so now we need some test automation to catch our forgetful humanness.

Change-Id: Id582886ec4b621b97d7cc7237b4670ad7bb12295
parent 5ffc7f3fb8
commit 3a24000514
|
@ -0,0 +1,50 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
from nova.api.openstack.placement import direct
|
||||
from nova.api.openstack.placement import handler
|
||||
from nova.tests.functional.api.openstack.placement import base
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
class TestVerifyPolicy(base.TestCase):
|
||||
"""Verify that all defined placement routes have a policy."""
|
||||
|
||||
# Paths that don't need a policy check
|
||||
EXCEPTIONS = ['/', '']
|
||||
|
||||
def _test_request_403(self, client, method, route):
|
||||
headers = {
|
||||
'x-auth-token': 'user',
|
||||
'content-type': 'application/json'
|
||||
}
|
||||
request_method = getattr(client, method.lower())
|
||||
# We send an empty request body on all requests. Because
|
||||
# policy handling comes before other processing, the value
|
||||
# of the body is irrelevant.
|
||||
response = request_method(route, data='', headers=headers)
|
||||
self.assertEqual(
|
||||
403, response.status_code,
|
||||
'method %s on route %s is open for user, status: %s' %
|
||||
(method, route, response.status_code))
|
||||
|
||||
def test_verify_policy(self):
|
||||
with direct.PlacementDirect(CONF, latest_microversion=True) as client:
|
||||
for route, methods in handler.ROUTE_DECLARATIONS.items():
|
||||
if route in self.EXCEPTIONS:
|
||||
continue
|
||||
for method in methods:
|
||||
self._test_request_403(client, method, route)
|
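Review bot: In test_verify_policy, the assertEqual inside _test_request_403 aborts the whole loop at the first route that does not return 403, so a run where several routes lack policy reports only one of them and the rest stay hidden until the next run. Consider collecting the (method, route, status) failures in a list and asserting once after the loops that the list is empty, so every open route shows up in a single failure message. Separately, the loop sends the keys of ROUTE_DECLARATIONS as literal paths, with placeholders such as {uuid} unexpanded; the comment in _test_request_403 explains why the empty body is safe, and a matching comment here saying the test depends on policy being enforced before path parameter handling would make it clearer why a 404 or 400 counts as a failure.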