Use default policies in our tests

Made changes to use default policies in our unit and functional tests rather than referring it from glance/tests/etc/policy.yaml file. Existing function 'set_policy_rules' can be used to test custom policy rules in functional testing. Improvements needed in followup patch: 1. Property protection related unit tests still reads the special policy from the policy.yaml file, need to make provision to override it instead. 2. Need to remove 'set_policy' function which actually responsible for above behavior. Related to blueprint policy-refactor Change-Id: I0de9b9f9a7de499574101e3366ced730b0cb5fd1
2021-06-28 19:49:13 +00:00 · 2021-06-28 19:49:13 +00:00 · 21257615e7
parent 7c1cd438a0
commit 21257615e7
5 changed files with 30 additions and 172 deletions
--- a/glance/tests/etc/policy.yaml
+++ b/glance/tests/etc/policy.yaml
@ -1,164 +1,4 @@
-# Defines the default rule used for policies that historically had an
-# empty policy in the supplied policy.yaml file.
-#"default": ""
-
-# Defines the rule for the is_admin:True check.
-#"context_is_admin": "role:admin"
-
-# Default for admin-only metadef rules
-"metadef_admin": "role:admin"
-
-# add_image
-"add_image": ""
-
-# delete_image
-"delete_image": ""
-
-# get_image
-"get_image": ""
-
-# get_images
-"get_images": ""
-
-# modify_image
-"modify_image": ""
-
-# publicize_image
-"publicize_image": ""
-
-# communitize_image
-"communitize_image": ""
-
-# download_image
-"download_image": ""
-
-# upload_image
-"upload_image": ""
-
-# delete_image_location
-"delete_image_location": ""
-
-# get_image_location
-"get_image_location": ""
-
-# set_image_location
-"set_image_location": ""
-
-# add_member
-"add_member": ""
-
-# delete_member
-"delete_member": ""
-
-# get_member
-"get_member": ""
-
-# get_members
-"get_members": ""
-
-# modify_member
-"modify_member": ""
-
-# manage_image_cache
-"manage_image_cache": ""
-
-# deactivate
-"deactivate": ""
-
-# reactivate
-"reactivate": ""
-
-# get_task
-"get_task": "role:admin"
-
-# get_tasks
-"get_tasks": "role:admin"
-
-# add_task
-"add_task": "role:admin"
-
-# modify_task
-"modify_task": "role:admin"
-
-# get_metadef_namespace
-"get_metadef_namespace": ""
-
-# get_metadef_namespaces
-"get_metadef_namespaces": ""
-
-# modify_metadef_namespace
-"modify_metadef_namespace": "rule:metadef_admin"
-
-# add_metadef_namespace
-"add_metadef_namespace": "rule:metadef_admin"
-
-# delete_metadef_namespace
-"delete_metadef_namespace": "rule:metadef_admin"
-
-# get_metadef_object
-"get_metadef_object": ""
-
-# get_metadef_objects
-"get_metadef_objects": ""
-
-# modify_metadef_object
-"modify_metadef_object": "rule:metadef_admin"
-
-# add_metadef_object
-"add_metadef_object": "rule:metadef_admin"
-
-# delete_metadef_object
-"delete_metadef_object": "rule:metadef_admin"
-
-# list_metadef_resource_types
-"list_metadef_resource_types": ""
-
-# get_metadef_resource_type
-"get_metadef_resource_type": ""
-
-# add_metadef_resource_type_association
-"add_metadef_resource_type_association": "rule:metadef_admin"
-
-# remove_metadef_resource_type_association
-"remove_metadef_resource_type_association": "rule:metadef_admin"
-
-# get_metadef_property
-"get_metadef_property": ""
-
-# get_metadef_properties
-"get_metadef_properties": ""
-
-# modify_metadef_property
-"modify_metadef_property": "rule:metadef_admin"
-
-# add_metadef_property
-"add_metadef_property": "rule:metadef_admin"
-
-# remove_metadef_property
-"remove_metadef_property": "rule:metadef_admin"
-
-# get_metadef_tag
-"get_metadef_tag": ""
-
-# get_metadef_tags
-"get_metadef_tags": ""
-
-# modify_metadef_tag
-"modify_metadef_tag": "rule:metadef_admin"
-
-# add_metadef_tag
-"add_metadef_tag": "rule:metadef_admin"
-
-# add_metadef_tags
-"add_metadef_tags": "rule:metadef_admin"
-
-# delete_metadef_tag
-"delete_metadef_tag": "rule:metadef_admin"
-
-# delete_metadef_tags
-"delete_metadef_tags": "rule:metadef_admin"
-
-# WARNING: Below rules are either deprecated rules
-# or extra rules in policy file, it is strongly
-# recommended to switch to new rules.
+# FIXME (abhishekk): This special rule is required in unit tests
+# to test property protection using policies. Need to make provision
+# to set such rules on the fly.
 "glance_creator": "role:admin or role:spl_role"
--- a/glance/tests/functional/init.py
+++ b/glance/tests/functional/init.py
@ -804,7 +804,6 @@ class FunctionalTest(test_utils.BaseTestCase):
        conf_dir = os.path.join(self.test_dir, 'etc')
        utils.safe_mkdirs(conf_dir)
        self.copy_data_file('schema-image.json', conf_dir)
-        self.copy_data_file('policy.yaml', conf_dir)
        self.copy_data_file('property-protections.conf', conf_dir)
        self.copy_data_file('property-protections-policies.conf', conf_dir)
        self.property_file_roles = os.path.join(conf_dir,
@ -1153,7 +1152,6 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
        conf_dir = os.path.join(self.test_dir, 'etc')
        utils.safe_mkdirs(conf_dir)
        self.copy_data_file('schema-image.json', conf_dir)
-        self.copy_data_file('policy.yaml', conf_dir)
        self.copy_data_file('property-protections.conf', conf_dir)
        self.copy_data_file('property-protections-policies.conf', conf_dir)
        self.property_file_roles = os.path.join(conf_dir,
--- a/glance/tests/functional/serial/test_scrubber.py
+++ b/glance/tests/functional/serial/test_scrubber.py
@ -57,7 +57,8 @@ class TestScrubber(functional.FunctionalTest):

    def _send_create_image_http_request(self, path, body=None):
        headers = {
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
+            "X-Roles": "admin",
        }
        body = body or {'container_format': 'ovf',
                        'disk_format': 'raw',
--- a/glance/tests/functional/test_cache_middleware.py
+++ b/glance/tests/functional/test_cache_middleware.py
@ -59,7 +59,8 @@ class BaseCacheMiddlewareTest(object):
        # Add an image and verify success
        path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
        http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
        image_entity = {
            'name': 'Image1',
            'visibility': 'public',
@ -121,7 +122,8 @@ class BaseCacheMiddlewareTest(object):
        # Add an image and verify success
        path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
        http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
        image_entity = {
            'name': 'Image1',
            'visibility': 'public',
@ -187,7 +189,8 @@ class BaseCacheMiddlewareTest(object):
        # Add an image and verify success
        path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
        http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
        image_entity = {
            'name': 'Image1',
            'visibility': 'public',
@ -269,7 +272,8 @@ class BaseCacheMiddlewareTest(object):
        # Add an image and verify success
        path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
        http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
        image_entity = {
            'name': 'Image1',
            'visibility': 'public',
--- a/glance/tests/functional/v2/test_images.py
+++ b/glance/tests/functional/v2/test_images.py
@ -783,7 +783,8 @@ class TestImages(functional.FunctionalTest):
        # Change the image to public so TENANT2 can see it
        path = self._url('/v2/images/%s' % image_id)
        media_type = 'application/openstack-images-v2.0-json-patch'
-        headers = self._headers({'content-type': media_type})
+        headers = self._headers({'content-type': media_type,
+                                 'X-Roles': 'admin'})
        data = jsonutils.dumps([{"replace": "/visibility", "value": "public"}])
        response = requests.patch(path, headers=headers, data=data)
        self.assertEqual(http.OK, response.status_code, response.text)
@ -2421,6 +2422,10 @@ class TestImages(functional.FunctionalTest):

    def test_property_protections_with_policies(self):
        # Enable property protection
+        rules = {
+            "glance_creator": "role:admin or role:spl_role"
+        }
+        self.set_policy_rules(rules)
        self.api_server.property_protection_file = self.property_file_policies
        self.api_server.property_protection_rule_format = 'policies'
        self.start_servers(**self.__dict__.copy())
@ -3787,7 +3792,8 @@ class TestImageDirectURLVisibility(functional.FunctionalTest):

        # Create an image
        path = self._url('/v2/images')
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
        data = jsonutils.dumps({'name': 'image-1', 'type': 'kernel',
                                'foo': 'bar', 'disk_format': 'aki',
                                'container_format': 'aki',
@ -4071,9 +4077,13 @@ class TestImageMembers(functional.FunctionalTest):
        for owner in owners:
            for visibility in visibilities:
                path = self._url('/v2/images')
+                role = 'member'
+                if visibility == 'public':
+                    role = 'admin'
                headers = self._headers({
                    'content-type': 'application/json',
                    'X-Auth-Token': 'createuser:%s:admin' % owner,
+                    'X-Roles': role,
                })
                data = jsonutils.dumps({
                    'name': '%s-%s' % (owner, visibility),
@ -6383,9 +6393,14 @@ class TestMultiStoreImageMembers(functional.MultipleBackendFunctionalTest):
            for owner in owners:
                for visibility in visibilities:
                    path = self._url('/v2/images')
+                    role = 'member'
+                    if visibility == 'public':
+                        role = 'admin'
+
                    headers = self._headers(custom_headers={
                        'content-type': 'application/json',
                        'X-Auth-Token': 'createuser:%s:admin' % owner,
+                        'X-Roles': role,
                    })
                    data = jsonutils.dumps({
                        'name': '%s-%s' % (owner, visibility),