Make API fixture pass roles

This makes our API fixture pass roles in line with the user that is being used. For admin_api, the admin role is included, and two other clients are added for "reader" and "other". Change-Id: I4aa985072103aeab50a1a3db4784081a492dcb7b
2021-11-30 11:12:02 -08:00 · 2021-11-30 11:12:02 -08:00 · a21c4678c5
parent 69b0d31d20
commit a21c4678c5
2 changed files with 23 additions and 4 deletions
--- a/nova/tests/fixtures/nova.py
+++ b/nova/tests/fixtures/nova.py
@ -1007,6 +1007,11 @@ class OSAPIFixture(fixtures.Fixture):
    - resp.content - the body of the response
    - resp.headers - dictionary of HTTP headers returned

+    This fixture also has the following clients with various differences:
+
+        self.admin_api - Project user with is_admin=True and the "admin" role
+        self.reader_api - Project user with only the "reader" role
+        self.other_api - Project user with only the "other" role
    """

    def __init__(
@ -1070,9 +1075,17 @@ class OSAPIFixture(fixtures.Fixture):
            base_url += '/' + self.project_id

        self.api = client.TestOpenStackClient(
-            'fake', base_url, project_id=self.project_id)
+            'fake', base_url, project_id=self.project_id,
+            roles=['reader', 'member'])
        self.admin_api = client.TestOpenStackClient(
-            'admin', base_url, project_id=self.project_id)
+            'admin', base_url, project_id=self.project_id,
+            roles=['reader', 'member', 'admin'])
+        self.reader_api = client.TestOpenStackClient(
+            'reader', base_url, project_id=self.project_id,
+            roles=['reader'])
+        self.other_api = client.TestOpenStackClient(
+            'other', base_url, project_id=self.project_id,
+            roles=['other'])
        # Provide a way to access the wsgi application to tests using
        # the fixture.
        self.app = app
@ -1089,8 +1102,9 @@ class OSAPIFixture(fixtures.Fixture):
            user_id = env['HTTP_X_AUTH_USER']
            project_id = env['HTTP_X_AUTH_PROJECT_ID']
            is_admin = user_id == 'admin'
+            roles = env['HTTP_X_ROLES'].split(',')
            return context.RequestContext(
-                user_id, project_id, is_admin=is_admin, **kwargs)
+                user_id, project_id, is_admin=is_admin, roles=roles, **kwargs)

        self.useFixture(fixtures.MonkeyPatch(
            'nova.api.auth.NovaKeystoneContext._create_context', fake_ctx))
--- a/nova/tests/functional/api/client.py
+++ b/nova/tests/functional/api/client.py
@ -123,9 +123,12 @@ class TestOpenStackClient(object):
    This is a really basic OpenStack API client that is under our control,
    so we can make changes / insert hooks for testing

+    By default, no roles are implied and must be passed like
+    roles=['reader', 'member'] in order for the user to have
+    privileges on the project, just like in a real deployment.
    """

-    def __init__(self, auth_user, base_url, project_id=None):
+    def __init__(self, auth_user, base_url, project_id=None, roles=None):
        super(TestOpenStackClient, self).__init__()
        self.auth_user = auth_user
        self.base_url = base_url
@ -134,6 +137,7 @@ class TestOpenStackClient(object):
        else:
            self.project_id = project_id
        self.microversion = None
+        self.roles = roles or []

    def request(self, url, method='GET', body=None, headers=None):
        _headers = {'Content-Type': 'application/json'}
@ -169,6 +173,7 @@ class TestOpenStackClient(object):
        headers.setdefault('X-Auth-User', self.auth_user)
        headers.setdefault('X-User-Id', self.auth_user)
        headers.setdefault('X-Auth-Project-Id', self.project_id)
+        headers.setdefault('X-Roles', ','.join(self.roles))

        response = self.request(full_uri, **kwargs)