diff --git a/nova/tests/unit/api/openstack/compute/test_limits.py b/nova/tests/unit/api/openstack/compute/test_limits.py index 9405f740645f..123de77d5b38 100644 --- a/nova/tests/unit/api/openstack/compute/test_limits.py +++ b/nova/tests/unit/api/openstack/compute/test_limits.py @@ -374,36 +374,6 @@ class LimitsViewBuilderTest(test.NoDBTestCase): self.assertThat(output, matchers.DictMatches(expected_limits)) -class LimitsPolicyEnforcementV21(test.NoDBTestCase): - - def setUp(self): - super(LimitsPolicyEnforcementV21, self).setUp() - self.controller = limits_v21.LimitsController() - - def test_limits_index_policy_failed(self): - rule_name = "os_compute_api:limits" - self.policy.set_rules({rule_name: "project:non_fake"}) - req = fakes.HTTPRequest.blank('') - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.index, req=req) - self.assertEqual( - "Policy doesn't allow %s to be performed." % rule_name, - exc.format_message()) - - def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self): - project_id = "123456" - user_id = "A1234" - tenant_id = "abcd" - req = fakes.HTTPRequest.blank('/?tenant_id=%s' % tenant_id) - context = nova.context.RequestContext(user_id, project_id) - req.environ["nova.context"] = context - - self.assertRaises(exception.PolicyNotAuthorized, - self.controller.index, - req) - - class LimitsControllerTestV236(BaseLimitTestSuite): def setUp(self): diff --git a/nova/tests/unit/policies/test_limits.py b/nova/tests/unit/policies/test_limits.py new file mode 100644 index 000000000000..8910483b6dd3 --- /dev/null +++ b/nova/tests/unit/policies/test_limits.py @@ -0,0 +1,106 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import mock + +from nova.api.openstack.compute import limits +from nova.policies import limits as limits_policies +from nova import quota +from nova.tests.unit.api.openstack import fakes +from nova.tests.unit.policies import base + + +class LimitsPolicyTest(base.BasePolicyTest): + """Test Limits APIs policies with all possible context. + + This class defines the set of context with different roles + which are allowed and not allowed to pass the policy checks. + With those set of context, it will call the API operation and + verify the expected behaviour. + """ + + def setUp(self): + super(LimitsPolicyTest, self).setUp() + self.controller = limits.LimitsController() + self.req = fakes.HTTPRequest.blank('') + + self.absolute_limits = { + 'ram': 512, + 'instances': 5, + 'cores': 21, + 'key_pairs': 10, + 'floating_ips': 10, + 'security_groups': 10, + 'security_group_rules': 20, + } + + def stub_get_project_quotas(context, project_id, usages=True): + return {k: dict(limit=v, in_use=v // 2) + for k, v in self.absolute_limits.items()} + + mock_get_project_quotas = mock.patch.object( + quota.QUOTAS, + "get_project_quotas", + side_effect = stub_get_project_quotas) + mock_get_project_quotas.start() + + # Check that everyone is able to get their limits + self.everyone_authorized_contexts = [ + self.legacy_admin_context, self.system_admin_context, + self.project_admin_context, self.system_member_context, + self.system_reader_context, self.system_foo_context, + self.project_member_context, self.other_project_member_context, + self.project_foo_context, self.project_reader_context] + self.everyone_unauthorized_contexts = [] + + # Check that admin is able to get other projects limit. + self.admin_authorized_contexts = [ + self.legacy_admin_context, self.system_admin_context, + self.project_admin_context] + # Check that non-admin is not able to get other projects limit. + self.admin_unauthorized_contexts = [ + self.system_member_context, self.system_reader_context, + self.system_foo_context, self.project_member_context, + self.other_project_member_context, + self.project_foo_context, self.project_reader_context + ] + + def test_get_limits_policy(self): + rule_name = limits_policies.BASE_POLICY_NAME + self.common_policy_check(self.everyone_authorized_contexts, + self.everyone_unauthorized_contexts, + rule_name, self.controller.index, + self.req) + + def test_get_other_limits_policy(self): + req = fakes.HTTPRequest.blank('/?tenant_id=faketenant') + rule_name = limits_policies.USED_LIMIT_POLICY_NAME + self.common_policy_check(self.admin_authorized_contexts, + self.admin_unauthorized_contexts, + rule_name, self.controller.index, + req) + + +class LimitsScopeTypePolicyTest(LimitsPolicyTest): + """Test Limits APIs policies with system scope enabled. + + This class set the nova.conf [oslo_policy] enforce_scope to True + so that we can switch on the scope checking on oslo policy side. + It defines the set of context with scoped token + which are allowed and not allowed to pass the policy checks. + With those set of context, it will run the API operation and + verify the expected behaviour. + """ + + def setUp(self): + super(LimitsScopeTypePolicyTest, self).setUp() + self.flags(enforce_scope=True, group="oslo_policy")