From 3288743827a4bead16d945fac2e08a882c7e1cd2 Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: Tue, 12 Dec 2017 10:10:17 +0900 Subject: [PATCH] Convert policy.json into policy-in-code This commit converts the existing neutron-fwaas policy.json into policy-in-code. policy.json for testing is also removed. As a result, setup_config() in neutron_fwaas.tests.base.NeutronDbPluginV2TestCase is no longer required now (as the content of setup_config() is now same as that in neutron). Partially Implements: blueprint neutron-policy-in-code Change-Id: I67be3a21f19e3f793312d64d358452ee4531c080 --- devstack/plugin.sh | 4 - etc/neutron/policy.d/neutron-fwaas.json | 52 ------- etc/oslo-policy-generator/policy.conf | 3 + neutron_fwaas/policies/__init__.py | 27 ++++ neutron_fwaas/policies/base.py | 17 +++ neutron_fwaas/policies/firewall.py | 113 +++++++++++++++ neutron_fwaas/policies/firewall_group.py | 113 +++++++++++++++ neutron_fwaas/policies/firewall_policy.py | 113 +++++++++++++++ neutron_fwaas/policies/firewall_rule.py | 136 ++++++++++++++++++ neutron_fwaas/tests/base.py | 23 --- .../etc/neutron/policy.d/neutron-fwaas.json | 52 ------- .../unit/db/firewall/test_firewall_db.py | 4 +- .../services/firewall/test_fwaas_plugin_v2.py | 4 +- setup.cfg | 4 + tox.ini | 4 + 15 files changed, 534 insertions(+), 135 deletions(-) delete mode 100644 etc/neutron/policy.d/neutron-fwaas.json create mode 100644 etc/oslo-policy-generator/policy.conf create mode 100644 neutron_fwaas/policies/__init__.py create mode 100644 neutron_fwaas/policies/base.py create mode 100644 neutron_fwaas/policies/firewall.py create mode 100644 neutron_fwaas/policies/firewall_group.py create mode 100644 neutron_fwaas/policies/firewall_policy.py create mode 100644 neutron_fwaas/policies/firewall_rule.py delete mode 100644 neutron_fwaas/tests/etc/neutron/policy.d/neutron-fwaas.json diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 68077c0c7..727c78ecf 100755 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -72,10 +72,6 @@ function neutron_fwaas_generate_config_files { function init_fwaas() { # Initialize and start the service. : - if [ ! -d /etc/neutron/policy.d ]; then - mkdir /etc/neutron/policy.d - fi - cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json # Using sudo to gain the root privilege to be able to copy file to rootwrap.d sudo cp $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters } diff --git a/etc/neutron/policy.d/neutron-fwaas.json b/etc/neutron/policy.d/neutron-fwaas.json deleted file mode 100644 index 7a9a9e53f..000000000 --- a/etc/neutron/policy.d/neutron-fwaas.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "shared_firewalls": "field:firewalls:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall": "", - "update_firewall": "rule:admin_or_owner", - "delete_firewall": "rule:admin_or_owner", - - "create_firewall:shared": "rule:admin_only", - "update_firewall:shared": "rule:admin_only", - "delete_firewall:shared": "rule:admin_only", - - "get_firewall": "rule:admin_or_owner or rule:shared_firewalls", - - "shared_firewall_groups": "field:firewall_groups:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall_group": "", - "update_firewall_group": "rule:admin_or_owner", - "delete_firewall_group": "rule:admin_or_owner", - - "create_firewall_group:shared": "rule:admin_only", - "update_firewall_group:shared": "rule:admin_only", - "delete_firewall_group:shared": "rule:admin_only", - - "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups", - - "create_firewall_policy": "", - "update_firewall_policy": "rule:admin_or_owner", - "delete_firewall_policy": "rule:admin_or_owner", - - "create_firewall_policy:shared": "rule:admin_only", - "update_firewall_policy:shared": "rule:admin_only", - "delete_firewall_policy:shared": "rule:admin_only", - - "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies", - - "insert_rule": "rule:admin_or_owner", - "remove_rule": "rule:admin_or_owner", - - "create_firewall_rule": "", - "update_firewall_rule": "rule:admin_or_owner", - "delete_firewall_rule": "rule:admin_or_owner", - - "create_firewall_rule:shared": "rule:admin_only", - "update_firewall_rule:shared": "rule:admin_only", - "delete_firewall_rule:shared": "rule:admin_only", - - "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules" -} diff --git a/etc/oslo-policy-generator/policy.conf b/etc/oslo-policy-generator/policy.conf new file mode 100644 index 000000000..8e4aef649 --- /dev/null +++ b/etc/oslo-policy-generator/policy.conf @@ -0,0 +1,3 @@ +[DEFAULT] +output_file = etc/policy.yaml.sample +namespace = neutron-fwaas diff --git a/neutron_fwaas/policies/__init__.py b/neutron_fwaas/policies/__init__.py new file mode 100644 index 000000000..62edfe7b8 --- /dev/null +++ b/neutron_fwaas/policies/__init__.py @@ -0,0 +1,27 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import itertools + +from neutron_fwaas.policies import firewall +from neutron_fwaas.policies import firewall_group +from neutron_fwaas.policies import firewall_policy +from neutron_fwaas.policies import firewall_rule + + +def list_rules(): + return itertools.chain( + firewall.list_rules(), + firewall_group.list_rules(), + firewall_policy.list_rules(), + firewall_rule.list_rules(), + ) diff --git a/neutron_fwaas/policies/base.py b/neutron_fwaas/policies/base.py new file mode 100644 index 000000000..463ec829b --- /dev/null +++ b/neutron_fwaas/policies/base.py @@ -0,0 +1,17 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +# TODO(amotoki): Define these in neutron or neutron-lib +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +RULE_ADMIN_ONLY = 'rule:admin_only' +RULE_ANY = 'rule:regular_user' diff --git a/neutron_fwaas/policies/firewall.py b/neutron_fwaas/policies/firewall.py new file mode 100644 index 000000000..ac528a43b --- /dev/null +++ b/neutron_fwaas/policies/firewall.py @@ -0,0 +1,113 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_fwaas.policies import base + + +rules = [ + policy.RuleDefault( + 'shared_firewalls', + 'field:firewalls:shared=True', + '(FWaaS v1) Definition of shared firewalls' + ), + + policy.DocumentedRuleDefault( + 'create_firewall', + base.RULE_ANY, + '(FWaaS v1) Create a firewall', + [ + { + 'method': 'POST', + 'path': '/fw/firewalls', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall', + base.RULE_ADMIN_OR_OWNER, + '(FWaaS v1) Update a firewall', + [ + { + 'method': 'PUT', + 'path': '/fw/firewalls/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_firewall', + base.RULE_ADMIN_OR_OWNER, + '(FWaaS v1) Delete a firewall', + [ + { + 'method': 'DELETE', + 'path': '/fw/firewalls/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_firewall:shared', + base.RULE_ADMIN_ONLY, + '(FWaaS v1) Create a shared firewall', + [ + { + 'method': 'POST', + 'path': '/fw/firewalls', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall:shared', + base.RULE_ADMIN_ONLY, + '(FWaaS v1) Update ``shared`` attribute of a firewall', + [ + { + 'method': 'PUT', + 'path': '/fw/firewalls/{id}', + }, + ] + ), + # TODO(amotoki): Drop this rule as it has no effect. + policy.DocumentedRuleDefault( + 'delete_firewall:shared', + base.RULE_ADMIN_ONLY, + '(FWaaS v1) Delete a shared firewall', + [ + { + 'method': 'DELETE', + 'path': '/fw/firewalls/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'get_firewall', + 'rule:admin_or_owner or rule:shared_firewalls', + '(FWaaS v1) Get firewalls', + [ + { + 'method': 'GET', + 'path': '/fw/firewalls', + }, + { + 'method': 'GET', + 'path': '/fw/firewalls/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/neutron_fwaas/policies/firewall_group.py b/neutron_fwaas/policies/firewall_group.py new file mode 100644 index 000000000..6e3a42b9a --- /dev/null +++ b/neutron_fwaas/policies/firewall_group.py @@ -0,0 +1,113 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_fwaas.policies import base + + +rules = [ + policy.RuleDefault( + 'shared_firewall_groups', + 'field:firewall_groups:shared=True', + 'Definition of shared firewall groups' + ), + + policy.DocumentedRuleDefault( + 'create_firewall_group', + base.RULE_ANY, + 'Create a firewall group', + [ + { + 'method': 'POST', + 'path': '/fwaas/firewall_groups', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall_group', + base.RULE_ADMIN_OR_OWNER, + 'Update a firewall group', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_groups/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_firewall_group', + base.RULE_ADMIN_OR_OWNER, + 'Delete a firewall group', + [ + { + 'method': 'DELETE', + 'path': '/fwaas/firewall_groups/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_firewall_group:shared', + base.RULE_ADMIN_ONLY, + 'Create a shared firewall group', + [ + { + 'method': 'POST', + 'path': '/fwaas/firewall_groups', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall_group:shared', + base.RULE_ADMIN_ONLY, + 'Update ``shared`` attribute of a firewall group', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_groups/{id}', + }, + ] + ), + # TODO(amotoki): Drop this rule as it has no effect. + policy.DocumentedRuleDefault( + 'delete_firewall_group:shared', + base.RULE_ADMIN_ONLY, + 'Delete a shared firewall group', + [ + { + 'method': 'DELETE', + 'path': '/fwaas/firewall_groups/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'get_firewall_group', + 'rule:admin_or_owner or rule:shared_firewall_groups', + 'Get firewall groups', + [ + { + 'method': 'GET', + 'path': '/fwaas/firewall_groups', + }, + { + 'method': 'GET', + 'path': '/fwaas/firewall_groups/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/neutron_fwaas/policies/firewall_policy.py b/neutron_fwaas/policies/firewall_policy.py new file mode 100644 index 000000000..03e37952d --- /dev/null +++ b/neutron_fwaas/policies/firewall_policy.py @@ -0,0 +1,113 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_fwaas.policies import base + + +rules = [ + policy.RuleDefault( + 'shared_firewall_policies', + 'field:firewall_policies:shared=True', + 'Definition of shared firewall policies' + ), + + policy.DocumentedRuleDefault( + 'create_firewall_policy', + base.RULE_ANY, + 'Create a firewall policy', + [ + { + 'method': 'POST', + 'path': '/fwaas/firewall_policies', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall_policy', + base.RULE_ADMIN_OR_OWNER, + 'Update a firewall policy', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_policies/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_firewall_policy', + base.RULE_ADMIN_OR_OWNER, + 'Delete a firewall policy', + [ + { + 'method': 'DELETE', + 'path': '/fwaas/firewall_policies/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_firewall_policy:shared', + base.RULE_ADMIN_ONLY, + 'Create a shared firewall policy', + [ + { + 'method': 'POST', + 'path': '/fwaas/firewall_policies', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall_policy:shared', + base.RULE_ADMIN_ONLY, + 'Update ``shared`` attribute of a firewall policy', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_policies/{id}', + }, + ] + ), + # TODO(amotoki): Drop this rule as it has no effect. + policy.DocumentedRuleDefault( + 'delete_firewall_policy:shared', + base.RULE_ADMIN_ONLY, + 'Delete a shread firewall policy', + [ + { + 'method': 'DELETE', + 'path': '/fwaas/firewall_policies/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'get_firewall_policy', + 'rule:admin_or_owner or rule:shared_firewall_policies', + 'Get firewall policies', + [ + { + 'method': 'GET', + 'path': '/fwaas/firewall_policies', + }, + { + 'method': 'GET', + 'path': '/fwaas/firewall_policies/{id}', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/neutron_fwaas/policies/firewall_rule.py b/neutron_fwaas/policies/firewall_rule.py new file mode 100644 index 000000000..eb0ce950e --- /dev/null +++ b/neutron_fwaas/policies/firewall_rule.py @@ -0,0 +1,136 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from oslo_policy import policy + +from neutron_fwaas.policies import base + + +rules = [ + policy.RuleDefault( + 'shared_firewall_rules', + 'field:firewall_rules:shared=True', + 'Definition of shared firewall rules' + ), + + policy.DocumentedRuleDefault( + 'create_firewall_rule', + base.RULE_ANY, + 'Create a firewall rule', + [ + { + 'method': 'POST', + 'path': '/fwaas/firewall_rules', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall_rule', + base.RULE_ADMIN_OR_OWNER, + 'Update a firewall rule', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_rules/{id}', + }, + ] + ), + policy.DocumentedRuleDefault( + 'delete_firewall_rule', + base.RULE_ADMIN_OR_OWNER, + 'Delete a firewall rule', + [ + { + 'method': 'DELETE', + 'path': '/fwaas/firewall_rules/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'create_firewall_rule:shared', + base.RULE_ADMIN_ONLY, + 'Create a shared firewall rule', + [ + { + 'method': 'POST', + 'path': '/fwaas/firewall_rules', + }, + ] + ), + policy.DocumentedRuleDefault( + 'update_firewall_rule:shared', + base.RULE_ADMIN_ONLY, + 'Update ``shared`` attribute of a firewall rule', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_rules/{id}', + }, + ] + ), + # TODO(amotoki): Drop this rule as it has no effect. + policy.DocumentedRuleDefault( + 'delete_firewall_rule:shared', + base.RULE_ADMIN_ONLY, + 'Delete a shread firewall rule', + [ + { + 'method': 'DELETE', + 'path': '/fwaas/firewall_rules/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'get_firewall_rule', + 'rule:admin_or_owner or rule:shared_firewall_rules', + 'Get firewall rules', + [ + { + 'method': 'GET', + 'path': '/fwaas/firewall_rules', + }, + { + 'method': 'GET', + 'path': '/fwaas/firewall_rules/{id}', + }, + ] + ), + + policy.DocumentedRuleDefault( + 'insert_rule', + base.RULE_ADMIN_OR_OWNER, + 'Insert rule into a firewall policy', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_policies/{id}/insert_rule', + }, + ] + ), + policy.DocumentedRuleDefault( + 'remove_rule', + base.RULE_ADMIN_OR_OWNER, + 'Remove rule from a firewall policy', + [ + { + 'method': 'PUT', + 'path': '/fwaas/firewall_policies/{id}/remove_rule', + }, + ] + ), +] + + +def list_rules(): + return rules diff --git a/neutron_fwaas/tests/base.py b/neutron_fwaas/tests/base.py index a51e3ceed..10b2490b9 100644 --- a/neutron_fwaas/tests/base.py +++ b/neutron_fwaas/tests/base.py @@ -14,31 +14,8 @@ # under the License. # -import os - -from neutron.common import test_lib from neutron.tests import base as n_base -from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin class BaseTestCase(n_base.BaseTestCase): pass - - -class NeutronDbPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase): - - def setup_config(self): - # Copied from neutron's test_db_base_plugin_v2 because they - # don't allow to specify args - - # Create the default configurations - args = ['--config-file', n_base.etcdir('neutron.conf')] - # If test_config specifies some config-file, use it, as well - for config_file in test_lib.test_config.get('config_files', []): - args.extend(['--config-file', config_file]) - - # our own stuff - dirpath = os.path.join(os.path.dirname(__file__), - 'etc/neutron/policy.d') - args.extend(['--config-dir', dirpath]) - self.config_parse(args=args) diff --git a/neutron_fwaas/tests/etc/neutron/policy.d/neutron-fwaas.json b/neutron_fwaas/tests/etc/neutron/policy.d/neutron-fwaas.json deleted file mode 100644 index 7a9a9e53f..000000000 --- a/neutron_fwaas/tests/etc/neutron/policy.d/neutron-fwaas.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "shared_firewalls": "field:firewalls:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall": "", - "update_firewall": "rule:admin_or_owner", - "delete_firewall": "rule:admin_or_owner", - - "create_firewall:shared": "rule:admin_only", - "update_firewall:shared": "rule:admin_only", - "delete_firewall:shared": "rule:admin_only", - - "get_firewall": "rule:admin_or_owner or rule:shared_firewalls", - - "shared_firewall_groups": "field:firewall_groups:shared=True", - "shared_firewall_policies": "field:firewall_policies:shared=True", - "shared_firewall_rules": "field:firewall_rules:shared=True", - - "create_firewall_group": "", - "update_firewall_group": "rule:admin_or_owner", - "delete_firewall_group": "rule:admin_or_owner", - - "create_firewall_group:shared": "rule:admin_only", - "update_firewall_group:shared": "rule:admin_only", - "delete_firewall_group:shared": "rule:admin_only", - - "get_firewall_group": "rule:admin_or_owner or rule:shared_firewall_groups", - - "create_firewall_policy": "", - "update_firewall_policy": "rule:admin_or_owner", - "delete_firewall_policy": "rule:admin_or_owner", - - "create_firewall_policy:shared": "rule:admin_only", - "update_firewall_policy:shared": "rule:admin_only", - "delete_firewall_policy:shared": "rule:admin_only", - - "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies", - - "insert_rule": "rule:admin_or_owner", - "remove_rule": "rule:admin_or_owner", - - "create_firewall_rule": "", - "update_firewall_rule": "rule:admin_or_owner", - "delete_firewall_rule": "rule:admin_or_owner", - - "create_firewall_rule:shared": "rule:admin_only", - "update_firewall_rule:shared": "rule:admin_only", - "delete_firewall_rule:shared": "rule:admin_only", - - "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewall_rules" -} diff --git a/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py b/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py index e659805fa..31ab174d9 100644 --- a/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py +++ b/neutron_fwaas/tests/unit/db/firewall/test_firewall_db.py @@ -18,6 +18,7 @@ import contextlib import mock from neutron.api import extensions as api_ext from neutron.common import config +from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin from neutron_lib.api.definitions import firewall from neutron_lib import constants as nl_constants from neutron_lib import context @@ -33,7 +34,6 @@ import webob.exc from neutron_fwaas.db.firewall import firewall_db as fdb from neutron_fwaas import extensions from neutron_fwaas.services.firewall import fwaas_plugin -from neutron_fwaas.tests import base DB_FW_PLUGIN_KLASS = ( @@ -73,7 +73,7 @@ class FakeAgentApi(fwaas_plugin.FirewallCallbacks): self.firewall_deleted(context, firewall['id'], **kwargs) -class FirewallPluginDbTestCase(base.NeutronDbPluginV2TestCase): +class FirewallPluginDbTestCase(test_db_plugin.NeutronDbPluginV2TestCase): resource_prefix_map = dict( (k, firewall.API_PREFIX) for k in firewall.RESOURCE_ATTRIBUTE_MAP.keys() diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py index 3939c1090..2793f7795 100644 --- a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py +++ b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py @@ -21,6 +21,7 @@ import webob.exc from neutron.api import extensions as api_ext from neutron.db import servicetype_db as sdb +from neutron.tests.unit.db import test_db_base_plugin_v2 as test_db_plugin from neutron_lib.api.definitions import firewall_v2 from neutron_lib import constants as nl_constants from neutron_lib import context @@ -33,7 +34,6 @@ from neutron_fwaas import extensions from neutron_fwaas.services.firewall import fwaas_plugin_v2 from neutron_fwaas.services.firewall.service_drivers.driver_api import \ FirewallDriverDB -from neutron_fwaas.tests import base def http_client_error(req, res): @@ -51,7 +51,7 @@ class DummyDriverDB(FirewallDriverDB): return True -class FirewallPluginV2TestCase(base.NeutronDbPluginV2TestCase): +class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase): DESCRIPTION = 'default description' PROTOCOL = 'tcp' IP_VERSION = 4 diff --git a/setup.cfg b/setup.cfg index 4e563ada2..117adc07f 100644 --- a/setup.cfg +++ b/setup.cfg @@ -49,6 +49,10 @@ tempest.test_plugins = oslo.config.opts = neutron.fwaas = neutron_fwaas.opts:list_opts firewall.agent = neutron_fwaas.opts:list_agent_opts +oslo.policy.policies = + neutron-fwaas = neutron_fwaas.policies:list_rules +neutron.policies = + neutron-fwaas = neutron_fwaas.policies:list_rules neutron.agent.l2.extensions = fwaas_v2 = neutron_fwaas.services.firewall.service_drivers.agents.l2.fwaas_v2:FWaaSV2AgentExtension neutron.agent.l2.firewall_drivers = diff --git a/tox.ini b/tox.ini index 30144044a..beeea2e03 100644 --- a/tox.ini +++ b/tox.ini @@ -99,6 +99,7 @@ commands = {toxinidir}/tools/check_unit_test_structure.sh neutron-db-manage --subproject neutron-fwaas --database-connection sqlite:// check_migration {[testenv:genconfig]commands} + {[testenv:genpolicy]commands} whitelist_externals = sh [testenv:cover] @@ -158,6 +159,9 @@ local-check-factory = neutron_lib.hacking.checks.factory [testenv:genconfig] commands = {toxinidir}/tools/generate_config_file_samples.sh +[testenv:genpolicy] +commands = oslopolicy-sample-generator --config-file=etc/oslo-policy-generator/policy.conf + [testenv:lower-constraints] basepython = python3 deps =