From 3a240005142da25aa49938a15d39ddf68dd7cead Mon Sep 17 00:00:00 2001
From: Chris Dent
Date: Thu, 23 Aug 2018 10:27:53 +0100
Subject: [PATCH] [placement] Add functional test to verify presence of policy

Add a test that traverses all available placement URLs at the latest microversion and tries to access them as non-admin. If something other than a 403 response is given a failed test with a message like method POST on route /resource_providers/{uuid}/inventories is open for user, status: 404 is produced. This works because we do authZ handling early in each handler, before data processing and path parameter handling. The method is pretty straightforward: traverse ROUTE_DECLARATIONS, visit every url with each the declared methods, except the root version document, and confirm a 403 response when the provided auth token is non-admin. This has been created to avoid situations where a route is added without policy like happened on https://review.openstack.org/#/c/576927/ . Until recently we had a failover where any route not defined to have policy would default to admin. That went away so now we need some test automation to catch our forgetful humanness.

Change-Id: Id582886ec4b621b97d7cc7237b4670ad7bb12295
---
 .../openstack/placement/test_verify_policy.py | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 nova/tests/functional/api/openstack/placement/test_verify_policy.py

diff --git a/nova/tests/functional/api/openstack/placement/test_verify_policy.py b/nova/tests/functional/api/openstack/placement/test_verify_policy.py
new file mode 100644
index 000000000000..a6fb602f72d1
--- /dev/null
+++ b/nova/tests/functional/api/openstack/placement/test_verify_policy.py
@@ -0,0 +1,50 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from nova.api.openstack.placement import direct
+from nova.api.openstack.placement import handler
+from nova.tests.functional.api.openstack.placement import base
+
+
+CONF = cfg.CONF
+
+
+class TestVerifyPolicy(base.TestCase):
+    """Verify that all defined placement routes have a policy."""
+
+    # Paths that don't need a policy check
+    EXCEPTIONS = ['/', '']
+
+    def _test_request_403(self, client, method, route):
+        headers = {
+            'x-auth-token': 'user',
+            'content-type': 'application/json'
+        }
+        request_method = getattr(client, method.lower())
+        # We send an empty request body on all requests. Because
+        # policy handling comes before other processing, the value
+        # of the body is irrelevant.
+        response = request_method(route, data='', headers=headers)
+        self.assertEqual(
+            403, response.status_code,
+            'method %s on route %s is open for user, status: %s' %
+            (method, route, response.status_code))
+
+    def test_verify_policy(self):
+        with direct.PlacementDirect(CONF, latest_microversion=True) as client:
+            for route, methods in handler.ROUTE_DECLARATIONS.items():
+                if route in self.EXCEPTIONS:
+                    continue
+                for method in methods:
+                    self._test_request_403(client, method, route)
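Review bot: `test_verify_policy` would pass vacuously if the fixture answered 403 for a reason unrelated to policy (for example a broken token-to-identity mapping or a microversion negotiation failure), because nothing in the test confirms that the fixture's admin identity is actually let through; a positive control before the loop — one request to a known route with the admin token, asserting the status is not 403 — would tie the observed 403s to policy decisions. The meaning of the literal `'user'` token in `_test_request_403` is presumably supplied by the base fixture's fake auth rather than stated here; a comment such as `# 'user' is mapped to a non-admin identity by the test fixture's fake auth` would make that dependency explicit for the next person adding a route. The `assertEqual` inside the loop also stops at the first open route, so collecting `(method, route, status_code)` for every non-403 response and failing once after the loop would report all unprotected routes in a single run rather than one per test invocation.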