From ef2a58238dd9404d3e3d02f15ee0b52a7be13d2c Mon Sep 17 00:00:00 2001
From: Yikun Jiang
Date: Wed, 31 Oct 2018 17:27:00 +0800
Subject: [PATCH] Add policy test for volume:force_delete
Add policy test for volume:force_delete, and remove it from test policy file. This is one of the serious patches of policy-in-code test, see more information on [1] and [2].
[1] 530fb9319ce21b7ff99e55f095c04f13f0785842
[2] f207bac80924ffaf6d4c2a500c295d0e2e71966e
Change-Id: I5a72e5ac05601cf084a9da00c4fe04b2752fed67
---
 .../unit/api/v3/test_volume_protection.py | 38 ++++++++++++++++++-
 cinder/tests/unit/policy.json | 1 -
 2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/cinder/tests/unit/api/v3/test_volume_protection.py b/cinder/tests/unit/api/v3/test_volume_protection.py
index 19c9f2330cb..c825431dd7f 100644
--- a/cinder/tests/unit/api/v3/test_volume_protection.py
+++ b/cinder/tests/unit/api/v3/test_volume_protection.py
@@ -15,6 +15,7 @@ import uuid
 import webob
 import mock
+from oslo_serialization import jsonutils
 from six.moves import http_client
 from cinder.api import microversions as mv
@@ -43,11 +44,14 @@ class VolumeProtectionTests(test.TestCase):
 user_id=uuid.uuid4().hex, project_id=self.other_project_id
 )
- def _get_request_response(self, context, path, method):
+ def _get_request_response(self, context, path, method, body=None):
 request = webob.Request.blank(path)
 request.content_type = 'application/json'
 request.headers = mv.get_mv_header(mv.BASE_VERSION)
 request.method = method
+ if body:
+ request.headers["content-type"] = "application/json"
+ request.body = jsonutils.dump_as_bytes(body)
 return request.get_response(
 fakes.wsgi_app(fake_auth_context=context)
 )
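Review bot: In `_get_request_response`, the new `if body:` guard skips serialization for an empty-dict body, so a caller passing `body={}` would send no payload without any error; `if body is not None:` matches the `body=None` default. The Content-Type is now set in two places, through `request.content_type` before the `request.headers = ...` assignment and again inside the new branch, which suggests the first assignment does not survive the headers replacement. If that is the case, moving `request.content_type = 'application/json'` below the headers assignment and dropping the duplicate would keep requests with and without a body consistent. A one-line docstring stating that `body` is JSON-encoded with `jsonutils.dump_as_bytes` would help the next policy test that reuses this helper.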
@@ -113,3 +117,35 @@ class VolumeProtectionTests(test.TestCase):
 # project. Does cinder return a 404 in cases like this? Or is a 403
 # expected?
 self.assertEqual(http_client.NOT_FOUND, response.status_int)
+
+ @mock.patch.object(volume_api.API, 'get_volume')
+ def test_admin_can_force_delete_volumes(self, mock_volume):
+ # Make sure administrators are authorized to force delete volumes
+ admin_context = self.admin_context
+
+ volume = self._create_fake_volume(admin_context)
+ mock_volume.return_value = volume
+ path = '/v3/%(project_id)s/volumes/%(volume_id)s/action' % {
+ 'project_id': admin_context.project_id, 'volume_id': volume.id
+ }
+ body = {"os-force_delete": {}}
+ response = self._get_request_response(admin_context, path, 'POST',
+ body=body)
+
+ self.assertEqual(http_client.ACCEPTED, response.status_int)
+
+ @mock.patch.object(volume_api.API, 'get_volume')
+ def test_nonadmin_cannot_force_delete_volumes(self, mock_volume):
+ # Make sure volumes only can be force deleted by admin
+ user_context = self.user_context
+
+ volume = self._create_fake_volume(user_context)
+ mock_volume.return_value = volume
+ path = '/v3/%(project_id)s/volumes/%(volume_id)s/action' % {
+ 'project_id': user_context.project_id, 'volume_id': volume.id
+ }
+ body = {"os-force_delete": {}}
+ response = self._get_request_response(user_context, path, 'POST',
+ body=body)
+
+ self.assertEqual(http_client.FORBIDDEN, response.status_int)
diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json
index 9c93a50a92b..657aefe0bb3 100644
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
@@ -11,7 +11,6 @@
 "volume:delete_volume_metadata": "",
 "volume:update_volume_metadata": "",
 "volume:delete": "",
- "volume:force_delete": "rule:admin_api",
 "volume:update": "",
 "volume:attach": "",
 "volume:detach": "",
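Review bot: `test_nonadmin_cannot_force_delete_volumes` in test_volume_protection.py asserts only the 403 status, not that no delete was attempted. Assuming the action ends in `volume_api.API.delete`, adding `@mock.patch.object(volume_api.API, 'delete')` and `mock_delete.assert_not_called()` would pin that the request is refused before any destructive call. The denial is also exercised only for a non-admin acting on a volume in their own project; the same request from the other-project context this class appears to build is not covered. With `"volume:force_delete"` removed from the test policy.json, these tests look like the only check on the in-code default, so that extra case is worth having. Both new tests state their intent in a `#` comment; a docstring would carry that into test runner output.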