From 428f7a8418447e75d6a9245dbaf7ccc165579ec4 Mon Sep 17 00:00:00 2001 
From: Slawek Kaplonski Date: Thu, 22 Jun 2023 09:34:26 +0200 Subject: [PATCH] [S-RBAC] Add service role in neutron policy RBAC community wide goal phase-2[1] is to add service role for the service APIs policy rule. This patch adds new "service_api" role in policies, deprecates old rule "context_is_advsvc" as this had basically same goal but for consistency reasons we want now to have it named "service_api" as in other policies for other projects. This patch also adds unit tests to ensure what is allowed and what is forbidden for the service role user. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2 Closes-Bug: #2026182 Change-Id: Iaa1a3a491d310c2304f6500c6e5d2b9c31a72fa8 --- neutron/conf/policies/base.py | 14 +- neutron/conf/policies/network.py | 1 + neutron/conf/policies/port.py | 61 ++-- neutron/conf/policies/port_bindings.py | 8 +- .../unit/conf/policies/test_address_group.py | 13 + .../unit/conf/policies/test_address_scope.py | 43 +++ .../tests/unit/conf/policies/test_agent.py | 73 +++++ .../policies/test_auto_allocated_topology.py | 21 ++ .../conf/policies/test_availability_zone.py | 13 + neutron/tests/unit/conf/policies/test_base.py | 7 + .../tests/unit/conf/policies/test_flavor.py | 63 ++++ .../unit/conf/policies/test_floatingip.py | 38 +++ .../conf/policies/test_floatingip_pools.py | 13 + .../test_floatingip_port_forwarding.py | 43 +++ .../conf/policies/test_l3_conntrack_helper.py | 31 ++ .../tests/unit/conf/policies/test_local_ip.py | 27 ++ .../policies/test_local_ip_association.py | 28 ++ .../tests/unit/conf/policies/test_logging.py | 32 ++ .../tests/unit/conf/policies/test_metering.py | 43 +++ .../unit/conf/policies/test_ndp_proxy.py | 31 ++ .../tests/unit/conf/policies/test_network.py | 154 +++++++++ .../policies/test_network_ip_availability.py | 13 + .../policies/test_network_segment_range.py | 31 ++ neutron/tests/unit/conf/policies/test_port.py | 199 ++++++++++++ 
.../unit/conf/policies/test_port_bindings.py | 61 ++-- neutron/tests/unit/conf/policies/test_qos.py | 304 ++++++++++++++++++ .../tests/unit/conf/policies/test_quotas.py | 25 ++ neutron/tests/unit/conf/policies/test_rbac.py | 39 +++ .../tests/unit/conf/policies/test_router.py | 137 ++++++++ .../unit/conf/policies/test_security_group.py | 56 ++++ .../tests/unit/conf/policies/test_segment.py | 31 ++ .../unit/conf/policies/test_service_type.py | 13 + .../tests/unit/conf/policies/test_subnet.py | 61 ++++ .../unit/conf/policies/test_subnetpool.py | 67 ++++ .../tests/unit/conf/policies/test_trunk.py | 49 +++ .../tests/unit/db/test_db_base_plugin_v2.py | 9 + .../unit/plugins/ml2/test_port_binding.py | 19 +- ...service-role-support-3e28b1bfcfc59c29.yaml | 10 + requirements.txt | 2 +- 39 files changed, 1812 insertions(+), 71 deletions(-) create mode 100644 releasenotes/notes/Add-service-role-support-3e28b1bfcfc59c29.yaml diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py index 6947a3fbcd1..52751f5d6c8 100644 --- a/neutron/conf/policies/base.py +++ b/neutron/conf/policies/base.py @@ -13,6 +13,9 @@ from neutron_lib import policy as neutron_policy from oslo_policy import policy +# This role is used only for communication between services, it shouldn't be +# used by human users +SERVICE = 'rule:service_api' # For completion of the phase 1 # https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1 @@ -33,6 +36,8 @@ PROJECT_READER = 'role:reader and project_id:%(project_id)s' # protecting APIs designed to operate with multiple scopes (e.g., # an administrator should be able to delete any router in the deployment, a # project member should only be able to delete routers in their project). +ADMIN_OR_SERVICE = ( + '(' + ADMIN + ') or (' + SERVICE + ')') ADMIN_OR_PROJECT_MEMBER = ( '(' + ADMIN + ') or (' + PROJECT_MEMBER + ')') ADMIN_OR_PROJECT_READER = ( 
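Review bot: `SERVICE = 'rule:service_api'` carries no `project_id:%(project_id)s` term, so a token holding the `service` role passes every check that ORs in `base.SERVICE` no matter which project owns the target; that is the intended service-to-service semantics, but the new comment only says the role "shouldn't be used by human users", which oslo.policy cannot enforce. I would state the operational requirement instead: `# Rule for service-to-service calls. Deliberately not bound to a project_id, so Keystone must grant the 'service' role only to service accounts; oslo.policy cannot tell a human from a service by role alone.` Separately, `ADMIN_OR_SERVICE` is inserted under the comment block that explains the multi-scope `ADMIN_OR_PROJECT_*` helpers ("an administrator should be able to delete any router ..."), which no longer describes it; a one-line comment of its own, `# Admin or a service account; neither side is scoped to the target project`, keeps that block readable.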
@@ -75,6 +80,10 @@ rules = [ 'context_is_admin', 'role:admin', description='Rule for cloud admin access'), + policy.RuleDefault( + "service_api", + "role:service", + description="Default rule for the service-to-service APIs."), policy.RuleDefault( 'owner', 'tenant_id:%(tenant_id)s', @@ -87,7 +96,10 @@ rules = [ policy.RuleDefault( 'context_is_advsvc', 'role:advsvc', - description='Rule for advsvc role access'), + description='Rule for advsvc role access', + deprecated_reason=('Neutron now supports service role for ' + 'service to service communication.'), + deprecated_since='2024.1'), policy.RuleDefault( 'admin_or_network_owner', neutron_policy.policy_or('rule:context_is_admin', diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py index 59955a71b85..79f324656e4 100644 --- a/neutron/conf/policies/network.py +++ b/neutron/conf/policies/network.py @@ -168,6 +168,7 @@ rules = [ name='get_network', check_str=neutron_policy.policy_or( base.ADMIN_OR_PROJECT_READER, + base.SERVICE, 'rule:shared', 'rule:external', neutron_policy.RULE_ADVSVC diff --git a/neutron/conf/policies/port.py b/neutron/conf/policies/port.py index f5ba1085ec9..582e41b369a 100644 --- a/neutron/conf/policies/port.py +++ b/neutron/conf/policies/port.py @@ -66,8 +66,8 @@ rules = [ name='create_port:device_owner', check_str=neutron_policy.policy_or( 'not rule:network_device', - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER ), scope_types=['project'], description='Specify ``device_owner`` attribute when creating a port', @@ -84,8 +84,8 @@ rules = [ policy.DocumentedRuleDefault( name='create_port:mac_address', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER), + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER), scope_types=['project'], description='Specify ``mac_address`` attribute when creating a port', operations=ACTION_POST, 
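Review bot: `context_is_advsvc` is only marked deprecated here, yet the port.py hunks in the same patch drop `neutron_policy.RULE_ADVSVC` from `create_port:*`, `get_port`, `update_port*` and `delete_port` outright, so a deployment whose service accounts carry only the `advsvc` role loses those rights on upgrade with no grace period; the `deprecated_reason`/`deprecated_since` on the rule warns about overriding `context_is_advsvc` in a policy file, not about this. Either keep `neutron_policy.RULE_ADVSVC` ORed in for one cycle (as `get_network` in network.py still does, which also leaves the two files inconsistent) or spell out the hard break in the release note, which this chunk does not show. `deprecated_since='2024.1'` should also be checked against the release the patch actually lands in, since the patch is dated June 2023. The `rules` list this hunk edits starts and ends outside the hunk.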
@@ -100,8 +100,8 @@ rules = [ policy.DocumentedRuleDefault( name='create_port:fixed_ips', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER, 'rule:shared'), scope_types=['project'], description='Specify ``fixed_ips`` information when creating a port', @@ -118,8 +118,8 @@ rules = [ policy.DocumentedRuleDefault( name='create_port:fixed_ips:ip_address', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER), + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER), scope_types=['project'], description='Specify IP address in ``fixed_ips`` when creating a port', operations=ACTION_POST, @@ -134,8 +134,8 @@ rules = [ policy.DocumentedRuleDefault( name='create_port:fixed_ips:subnet_id', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER, 'rule:shared'), scope_types=['project'], description='Specify subnet ID in ``fixed_ips`` when creating a port', @@ -152,8 +152,8 @@ rules = [ policy.DocumentedRuleDefault( name='create_port:port_security_enabled', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER), + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER), scope_types=['project'], description=( 'Specify ``port_security_enabled`` ' @@ -271,8 +271,8 @@ rules = [ policy.DocumentedRuleDefault( name='get_port', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_READER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_READER, base.PROJECT_READER ), scope_types=['project'], @@ -359,9 +359,8 @@ rules = [ policy.DocumentedRuleDefault( name='update_port', check_str=neutron_policy.policy_or( - base.ADMIN, + base.ADMIN_OR_SERVICE, base.PROJECT_MEMBER, - neutron_policy.RULE_ADVSVC ), scope_types=['project'], description='Update a port', 
@@ -378,8 +377,8 @@ rules = [ name='update_port:device_owner', check_str=neutron_policy.policy_or( 'not rule:network_device', - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER, ), scope_types=['project'], description='Update ``device_owner`` attribute of a port', @@ -396,8 +395,7 @@ rules = [ policy.DocumentedRuleDefault( name='update_port:mac_address', check_str=neutron_policy.policy_or( - base.ADMIN, - neutron_policy.RULE_ADVSVC + base.ADMIN_OR_SERVICE, ), scope_types=['project'], description='Update ``mac_address`` attribute of a port', @@ -413,8 +411,8 @@ rules = [ policy.DocumentedRuleDefault( name='update_port:fixed_ips', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER ), scope_types=['project'], description='Specify ``fixed_ips`` information when updating a port', @@ -430,8 +428,8 @@ rules = [ policy.DocumentedRuleDefault( name='update_port:fixed_ips:ip_address', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER ), scope_types=['project'], description=( @@ -450,8 +448,8 @@ rules = [ policy.DocumentedRuleDefault( name='update_port:fixed_ips:subnet_id', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER, 'rule:shared' ), scope_types=['project'], @@ -472,8 +470,8 @@ rules = [ policy.DocumentedRuleDefault( name='update_port:port_security_enabled', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, - base.ADMIN_OR_NET_OWNER_MEMBER, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER ), scope_types=['project'], description='Update ``port_security_enabled`` attribute of a port', 
@@ -513,9 +511,8 @@ rules = [ policy.DocumentedRuleDefault( name='update_port:binding:vnic_type', check_str=neutron_policy.policy_or( - base.ADMIN, + base.ADMIN_OR_SERVICE, base.PROJECT_MEMBER, - neutron_policy.RULE_ADVSVC ), scope_types=['project'], description='Update ``binding:vnic_type`` attribute of a port', @@ -595,9 +592,9 @@ rules = [ policy.DocumentedRuleDefault( name='delete_port', check_str=neutron_policy.policy_or( - neutron_policy.RULE_ADVSVC, + base.ADMIN_OR_SERVICE, + base.NET_OWNER_MEMBER, base.PROJECT_MEMBER, - base.ADMIN_OR_NET_OWNER_MEMBER ), scope_types=['project'], description='Delete a port', diff --git a/neutron/conf/policies/port_bindings.py b/neutron/conf/policies/port_bindings.py index 63a1f8d1f16..74ae80ea771 100644 --- a/neutron/conf/policies/port_bindings.py +++ b/neutron/conf/policies/port_bindings.py @@ -22,7 +22,7 @@ ACTIVATE_BINDING_PATH = '/ports/{port_id}/bindings/{host}' rules = [ policy.DocumentedRuleDefault( name='get_port_binding', - check_str=base.ADMIN, + check_str=base.ADMIN_OR_SERVICE, scope_types=['project'], description='Get port binding information', operations=[ @@ -34,7 +34,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='create_port_binding', - check_str=base.ADMIN, + check_str=base.SERVICE, scope_types=['project'], description='Create port binding on the host', operations=[ @@ -46,7 +46,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='delete_port_binding', - check_str=base.ADMIN, + check_str=base.SERVICE, scope_types=['project'], description='Delete port binding on the host', operations=[ @@ -58,7 +58,7 @@ rules = [ ), policy.DocumentedRuleDefault( name='activate', - check_str=base.ADMIN, + check_str=base.SERVICE, scope_types=['project'], description='Activate port binding on the host', operations=[ diff --git a/neutron/tests/unit/conf/policies/test_address_group.py b/neutron/tests/unit/conf/policies/test_address_group.py index ac9fc20b514..86fabb19b76 100644 
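Review bot: In the port_bindings.py hunks, `create_port_binding`, `delete_port_binding` and `activate` go from `check_str=base.ADMIN` to `check_str=base.SERVICE` alone, so a cloud admin without the `service` role can no longer use these endpoints (for example to clean up a stale binding by hand), while `get_port_binding` keeps admin via `base.ADMIN_OR_SERVICE`. If the restriction is intentional because only Nova is expected to drive these APIs, say so in each rule's `description` and in the release note; otherwise use `check_str=base.ADMIN_OR_SERVICE,` for all three so the file is consistent with the rest of the patch, which everywhere else adds the service role next to admin rather than in place of it. The diffstat lists test_port_bindings.py with changes, but that hunk is not in this chunk, so I cannot tell whether the admin-denied case is asserted there on purpose.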
--- a/neutron/tests/unit/conf/policies/test_address_group.py +++ b/neutron/tests/unit/conf/policies/test_address_group.py @@ -91,3 +91,16 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(AddressGroupAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_address_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_address_group", self.target) diff --git a/neutron/tests/unit/conf/policies/test_address_scope.py b/neutron/tests/unit/conf/policies/test_address_scope.py index 627a450b415..c0f9325bd3b 100644 --- a/neutron/tests/unit/conf/policies/test_address_scope.py +++ b/neutron/tests/unit/conf/policies/test_address_scope.py 
@@ -252,3 +252,46 @@ class ProjectReaderTests(ProjectMemberTests): base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'delete_address_scope', self.alt_target) + + +class ServiceRoleTests(AddressScopeAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_address_scope(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_address_scope', self.target) + + def test_create_address_scope_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_address_scope:shared', self.target) + + def test_get_address_scope(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_address_scope', self.target) + + def test_update_address_scope(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_address_scope', self.target) + + def test_update_address_scope_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_address_scope:shared', self.target) + + def test_delete_address_scope(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_address_scope', self.target) diff --git a/neutron/tests/unit/conf/policies/test_agent.py b/neutron/tests/unit/conf/policies/test_agent.py index e7ea3c22141..aa9f560a596 100644 --- a/neutron/tests/unit/conf/policies/test_agent.py +++ b/neutron/tests/unit/conf/policies/test_agent.py 
@@ -254,3 +254,76 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(AgentAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_agent", self.target) + + def test_update_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "update_agent", self.target) + + def test_delete_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "delete_agent", self.target) + + def test_add_network_to_dhcp_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_dhcp-network", self.target) + + def test_networks_on_dhcp_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_dhcp-networks", self.target) + + def test_delete_network_from_dhcp_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "delete_dhcp-network", self.target) + + def test_add_router_to_l3_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_l3-router", self.target) + + def test_get_routers_on_l3_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_l3-routers", self.target) + + def test_delete_router_from_l3_agent(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "delete_l3-router", self.target) + + def test_get_dhcp_agents_hosting_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_dhcp-agents", self.target) + + def test_get_l3_agents_hosting_router(self): + 
self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_l3-agents", self.target) diff --git a/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py b/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py index ced74dcc703..2eb1826375a 100644 --- a/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py +++ b/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py @@ -153,3 +153,24 @@ class ProjectReaderTests(ProjectMemberTests): policy.enforce, self.context, DELETE_POLICY, self.alt_target ) + + +class ServiceRoleTests(AutoAllocatedTopologyAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_topology(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, GET_POLICY, self.target + ) + + def test_delete_topology(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, DELETE_POLICY, self.target + ) diff --git a/neutron/tests/unit/conf/policies/test_availability_zone.py b/neutron/tests/unit/conf/policies/test_availability_zone.py index 85d96791214..bf6295c5dae 100644 --- a/neutron/tests/unit/conf/policies/test_availability_zone.py +++ b/neutron/tests/unit/conf/policies/test_availability_zone.py @@ -76,3 +76,16 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(AvailabilityZoneAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_availability_zone(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_availability_zone", self.target) diff --git a/neutron/tests/unit/conf/policies/test_base.py b/neutron/tests/unit/conf/policies/test_base.py index 7eece59cc80..f2d16cdd8c1 100644 
--- a/neutron/tests/unit/conf/policies/test_base.py +++ b/neutron/tests/unit/conf/policies/test_base.py @@ -68,6 +68,7 @@ class PolicyBaseTestCase(tests_base.BaseTestCase): self.user_id = uuidutils.generate_uuid() self._prepare_system_scope_personas() self._prepare_project_scope_personas() + self._prepare_service_persona() self.alt_project_id = uuidutils.generate_uuid() def _prepare_system_scope_personas(self): @@ -98,6 +99,12 @@ class PolicyBaseTestCase(tests_base.BaseTestCase): roles=['reader'], project_id=self.project_id) + def _prepare_service_persona(self): + self.service_ctx = context.Context( + user_id='service', + roles=['service'], + project_id='service') + class RuleScopesTestCase(PolicyBaseTestCase): diff --git a/neutron/tests/unit/conf/policies/test_flavor.py b/neutron/tests/unit/conf/policies/test_flavor.py index 1d7138af309..71a309045a5 100644 --- a/neutron/tests/unit/conf/policies/test_flavor.py +++ b/neutron/tests/unit/conf/policies/test_flavor.py 
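Review bot: `_prepare_service_persona` hard-codes `user_id='service'` and `project_id='service'` whereas the sibling personas take `self.user_id` from `uuidutils.generate_uuid()` and use `self.project_id`; the literal `'service'` project is what turns every `ServiceRoleTests.test_*` into a cross-project check, but nothing in the fixture says so. I would either record the intent, `# Deliberately not self.project_id: every service-role test then targets a foreign project, which rule:service_api must allow or deny without an owner match`, or add a second context `self.service_same_project_ctx = context.Context(user_id=self.user_id, roles=['service'], project_id=self.project_id)` so a regression that accidentally re-scopes `service_api` to the caller's project is caught. The enclosing class `PolicyBaseTestCase` begins before the hunk.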
@@ -220,3 +220,66 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(FlavorAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_flavor(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_flavor', self.target) + + def test_update_flavor(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_flavor', self.target) + + def test_delete_flavor(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_flavor', self.target) + + def test_create_service_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_service_profile', self.target) + + def test_get_service_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_service_profile', self.target) + + def test_update_service_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_service_profile', self.target) + + def test_delete_service_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_service_profile', self.target) + + def test_create_flavor_service_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_flavor_service_profile', + self.target) + + def test_delete_flavor_service_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_flavor_service_profile', + self.target) diff --git a/neutron/tests/unit/conf/policies/test_floatingip.py b/neutron/tests/unit/conf/policies/test_floatingip.py index 0adfc01f2d8..5d1b539a82f 100644 
--- a/neutron/tests/unit/conf/policies/test_floatingip.py +++ b/neutron/tests/unit/conf/policies/test_floatingip.py @@ -228,3 +228,41 @@ class ProjectReaderTests(ProjectMemberTests): base_policy.PolicyNotAuthorized, policy.enforce, self.context, "delete_floatingip", self.alt_target) + + +class ServiceRoleTests(FloatingIPAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_floatingip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_floatingip", self.target) + + def test_create_floatingip_with_ip_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_floatingip:floating_ip_address", + self.target) + + def test_get_floatingip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_floatingip", self.target) + + def test_update_floatingip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "update_floatingip", self.target) + + def test_delete_floatingip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "delete_floatingip", self.target) diff --git a/neutron/tests/unit/conf/policies/test_floatingip_pools.py b/neutron/tests/unit/conf/policies/test_floatingip_pools.py index 0f32df2a193..9f3e2986f35 100644 --- a/neutron/tests/unit/conf/policies/test_floatingip_pools.py +++ b/neutron/tests/unit/conf/policies/test_floatingip_pools.py 
@@ -90,3 +90,16 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(FloatingipPoolsAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_floatingip_pool(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_floatingip_pool', self.target) diff --git a/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py b/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py index ab1446e98de..325dad1eb89 100644 --- a/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py +++ b/neutron/tests/unit/conf/policies/test_floatingip_port_forwarding.py 
@@ -317,3 +317,46 @@ class ProjectReaderTests(ProjectMemberTests): policy.enforce, self.context, 'delete_floatingip_port_forwarding', self.alt_target) + + +class ServiceRoleTests(FloatingipPortForwardingAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_fip_pf(self): + with mock.patch.object(self.plugin_mock, 'get_floatingip', + return_value=self.fip): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_floatingip_port_forwarding', + self.target) + + def test_get_fip_pf(self): + with mock.patch.object(self.plugin_mock, 'get_floatingip', + return_value=self.fip): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_floatingip_port_forwarding', + self.target) + + def test_update_fip_pf(self): + with mock.patch.object(self.plugin_mock, 'get_floatingip', + return_value=self.fip): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_floatingip_port_forwarding', + self.target) + + def test_delete_fip_pf(self): + with mock.patch.object(self.plugin_mock, 'get_floatingip', + return_value=self.fip): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_floatingip_port_forwarding', + self.target) diff --git a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py index b28d7e54249..f3d78cec1eb 100644 --- a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py +++ b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py 
@@ -224,3 +224,34 @@ class ProjectReaderTests(ProjectMemberTests): base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'delete_router_conntrack_helper', self.alt_target) + + +class ServiceRoleTests(L3ConntrackHelperAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_router_conntrack_helper(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router_conntrack_helper', self.target) + + def test_get_router_conntrack_helper(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_router_conntrack_helper', self.target) + + def test_update_router_conntrack_helper(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router_conntrack_helper', self.target) + + def test_delete_router_conntrack_helper(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_router_conntrack_helper', self.target) diff --git a/neutron/tests/unit/conf/policies/test_local_ip.py b/neutron/tests/unit/conf/policies/test_local_ip.py index c349890f665..08e3ec34e7d 100644 --- a/neutron/tests/unit/conf/policies/test_local_ip.py +++ b/neutron/tests/unit/conf/policies/test_local_ip.py 
@@ -182,3 +182,30 @@ class ProjectReaderTests(LocalIPAPITestCase): self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, "delete_local_ip", self.alt_target) + + +class ServiceRoleTests(LocalIPAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_local_ip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, "create_local_ip", self.target) + + def test_get_local_ip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, "get_local_ip", self.target) + + def test_update_local_ip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, "update_local_ip", self.target) + + def test_delete_local_ip(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, "delete_local_ip", self.target) diff --git a/neutron/tests/unit/conf/policies/test_local_ip_association.py b/neutron/tests/unit/conf/policies/test_local_ip_association.py index ae4b4c0005d..e146c33615d 100644 --- a/neutron/tests/unit/conf/policies/test_local_ip_association.py +++ b/neutron/tests/unit/conf/policies/test_local_ip_association.py 
@@ -209,3 +209,31 @@ class ProjectReaderTests(ProjectMemberTests): policy.enforce, self.context, 'delete_local_ip_port_association', self.alt_target) + + +class ServiceRoleTests(LocalIPAssociationAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_local_ip_port_association(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_local_ip_port_association', + self.target) + + def test_get_local_ip_port_association(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_local_ip_port_association', + self.target) + + def test_delete_local_ip_port_association(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_local_ip_port_association', + self.target) diff --git a/neutron/tests/unit/conf/policies/test_logging.py b/neutron/tests/unit/conf/policies/test_logging.py index 5760a0c293e..facd6257e86 100644 --- a/neutron/tests/unit/conf/policies/test_logging.py +++ b/neutron/tests/unit/conf/policies/test_logging.py 
@@ -136,3 +136,35 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(LoggingAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_loggable_resource(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_loggable_resource', self.target) + + def test_create_log(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_log', self.target) + + def test_get_log(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_log', self.target) + + def test_update_log(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_log', self.target) + + def test_delete_log(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_log', self.target) diff --git a/neutron/tests/unit/conf/policies/test_metering.py b/neutron/tests/unit/conf/policies/test_metering.py index c7853aad13a..d43507e34b9 100644 --- a/neutron/tests/unit/conf/policies/test_metering.py +++ b/neutron/tests/unit/conf/policies/test_metering.py 
@@ -229,3 +229,46 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(MeteringAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_metering_label(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_metering_label', self.target) + + def test_get_metering_label(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_metering_label', self.target) + + def test_delete_metering_label(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_metering_label', self.target) + + def test_create_metering_label_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_metering_label_rule', self.target) + + def test_get_metering_label_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_metering_label_rule', self.target) + + def test_delete_metering_label_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_metering_label_rule', self.target) diff --git a/neutron/tests/unit/conf/policies/test_ndp_proxy.py b/neutron/tests/unit/conf/policies/test_ndp_proxy.py index e056d6539d3..528d3c185bc 100644 --- a/neutron/tests/unit/conf/policies/test_ndp_proxy.py +++ b/neutron/tests/unit/conf/policies/test_ndp_proxy.py 
@@ -190,3 +190,34 @@ class ProjectReaderTests(ProjectMemberTests): base_policy.PolicyNotAuthorized, policy.enforce, self.context, "delete_ndp_proxy", self.alt_target) + + +class ServiceRoleTests(NDPProxyAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_ndp_proxy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "create_ndp_proxy", self.target) + + def test_get_ndp_proxy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "get_ndp_proxy", self.target) + + def test_update_ndp_proxy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "update_ndp_proxy", self.target) + + def test_delete_ndp_proxy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, "delete_ndp_proxy", self.target) diff --git a/neutron/tests/unit/conf/policies/test_network.py b/neutron/tests/unit/conf/policies/test_network.py index caeb784c0d9..d7e79d34570 100644 --- a/neutron/tests/unit/conf/policies/test_network.py +++ b/neutron/tests/unit/conf/policies/test_network.py 
@@ -813,3 +813,157 @@ class ProjectReaderTests(ProjectMemberTests): self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'delete_network', self.alt_target) + + +class ServiceRoleTests(NetworkAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_network', self.target) + + def test_create_network_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:shared', self.target) + + def test_create_network_external(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:router:external', self.target) + + def test_create_network_default(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:is_default', self.target) + + def test_create_network_port_security_enabled(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:port_security_enabled', + self.target) + + def test_create_network_segments(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:segments', self.target) + + def test_create_network_provider_network_type(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:provider:network_type', self.target) + + def test_create_network_provider_physical_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:provider:physical_network', + self.target) + + def test_create_network_provider_segmentation_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_network:provider:segmentation_id', + 
self.target) + + def test_get_network(self): + self.assertTrue( + policy.enforce(self.context, 'get_network', self.target)) + + def test_get_network_segments(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_network:segments', self.target) + + def test_get_network_provider_network_type(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_network:provider:network_type', self.target) + + def test_get_network_provider_physical_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_network:provider:physical_network', + self.target) + + def test_get_network_provider_segmentation_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_network:provider:segmentation_id', + self.target) + + def test_update_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_network', self.target) + + def test_update_network_segments(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:segments', self.target) + + def test_update_network_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:shared', self.target) + + def test_update_network_provider_network_type(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:provider:network_type', self.target) + + def test_update_network_provider_physical_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:provider:physical_network', + self.target) + + def test_update_network_provider_segmentation_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:provider:segmentation_id', + 
self.target) + + def test_update_network_external(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:router:external', self.target) + + def test_update_network_default(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:is_default', self.target) + + def test_update_network_port_security_enabled(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_network:port_security_enabled', + self.target) + + def test_delete_network(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_network', self.target) diff --git a/neutron/tests/unit/conf/policies/test_network_ip_availability.py b/neutron/tests/unit/conf/policies/test_network_ip_availability.py index 7887050a98d..61a78afbc77 100644 --- a/neutron/tests/unit/conf/policies/test_network_ip_availability.py +++ b/neutron/tests/unit/conf/policies/test_network_ip_availability.py @@ -83,3 +83,16 @@ class ProjectReaderTests(ProjectMemberTests): def setUp(self): super(ProjectReaderTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleTests(NetworkIPAvailabilityAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_get_network_ip_availability(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_network_ip_availability', self.target) diff --git a/neutron/tests/unit/conf/policies/test_network_segment_range.py b/neutron/tests/unit/conf/policies/test_network_segment_range.py index 3fcc8016686..0ea391c0784 100644 --- a/neutron/tests/unit/conf/policies/test_network_segment_range.py +++ b/neutron/tests/unit/conf/policies/test_network_segment_range.py 
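Review bot: test_get_network is the only positive check in the new ServiceRoleTests of test_network.py and it enforces against self.target only; the ProjectReaderTests context at the top of the hunk pairs its checks with self.alt_target, and a service role that may read networks is presumably meant to do so across projects, so the cross-project outcome is left unpinned. Add a second assertion, `self.assertTrue(policy.enforce(self.context, 'get_network', self.alt_target))`, or an assertRaises of PolicyNotAuthorized if the rule in network.py is intended to stay project-scoped. Whichever the policy decides, asserting it here is what stops a later policy edit from silently widening or narrowing what the service role can read.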
@@ -134,3 +134,34 @@ class ProjectReaderTests(ProjectMemberTests):
     def setUp(self):
         super(ProjectReaderTests, self).setUp()
         self.context = self.project_reader_ctx
+
+
+class ServiceRoleTests(NetworkSegmentRangeAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_network_segment_range(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_network_segment_range', self.target)
+
+    def test_get_network_segment_range(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_network_segment_range', self.target)
+
+    def test_update_network_segment_range(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_network_segment_range', self.target)
+
+    def test_delete_network_segment_range(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_network_segment_range', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_port.py b/neutron/tests/unit/conf/policies/test_port.py
index 8248960abbf..5c232fe4b82 100644
--- a/neutron/tests/unit/conf/policies/test_port.py
+++ b/neutron/tests/unit/conf/policies/test_port.py
@@ -1170,3 +1170,202 @@ class ProjectReaderTests(ProjectMemberTests): self.assertRaises( base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'delete_port', self.alt_target) + + +class ServiceRoleTests(PortAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_port(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port', self.target) + + def test_create_port_with_device_owner(self): + self.assertTrue( + policy.enforce( + self.context, 'create_port:device_owner', self.target)) + + def test_create_port_with_mac_address(self): + self.assertTrue( + policy.enforce( + self.context, 'create_port:mac_address', self.target)) + + def test_create_port_with_fixed_ips(self): + self.assertTrue( + policy.enforce( + self.context, 'create_port:fixed_ips', self.target)) + + def test_create_port_with_fixed_ips_and_ip_address(self): + self.assertTrue( + policy.enforce( + self.context, 'create_port:fixed_ips:ip_address', self.target)) + + def test_create_port_with_fixed_ips_and_subnet_id(self): + self.assertTrue( + policy.enforce( + self.context, 'create_port:fixed_ips:subnet_id', self.target)) + + def test_create_port_with_port_security_enabled(self): + self.assertTrue( + policy.enforce( + self.context, 'create_port:port_security_enabled', + self.target)) + + def test_create_port_with_binding_host_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:binding:host_id', + self.target) + + def test_create_port_with_binding_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:binding:profile', + self.target) + + def test_create_port_with_binding_vnic_type(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_port:binding:vnic_type', + self.target) + + def 
test_create_port_with_allowed_address_pairs(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs', + self.target) + + def test_create_port_with_allowed_address_pairs_and_mac_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs:mac_address', + self.alt_target) + + def test_create_port_with_allowed_address_pairs_and_ip_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_port:allowed_address_pairs:ip_address', + self.target) + + def test_get_port(self): + self.assertTrue( + policy.enforce(self.context, 'get_port', self.target)) + + def test_get_port_binding_vif_type(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_port:binding:vif_type', + self.target) + + def test_get_port_binding_vif_details(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_port:binding:vif_details', + self.target) + + def test_get_port_binding_host_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_port:binding:host_id', + self.target) + + def test_get_port_binding_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_port:binding:profile', + self.target) + + def test_get_port_resource_request(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_port:resource_request', + self.target) + + def test_update_port(self): + self.assertTrue( + policy.enforce(self.context, 'update_port', self.target)) + + def test_update_port_with_device_owner(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:device_owner', self.target)) + + def test_update_port_with_mac_address(self): + self.assertTrue( + policy.enforce( + 
self.context, 'update_port:mac_address', self.target)) + + def test_update_port_with_fixed_ips(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:fixed_ips', self.target)) + + def test_update_port_with_fixed_ips_and_ip_address(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:fixed_ips:ip_address', self.target)) + + def test_update_port_with_fixed_ips_and_subnet_id(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:fixed_ips:subnet_id', self.target)) + + def test_update_port_with_port_security_enabled(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:port_security_enabled', + self.target)) + + def test_update_port_with_binding_host_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:host_id', + self.target) + + def test_update_port_with_binding_profile(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_port:binding:profile', + self.target) + + def test_update_port_with_binding_vnic_type(self): + self.assertTrue( + policy.enforce( + self.context, 'update_port:binding:vnic_type', self.target)) + + def test_update_port_with_allowed_address_pairs(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:allowed_address_pairs', + self.target) + + def test_update_port_with_allowed_address_pairs_and_mac_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:allowed_address_pairs:mac_address', + self.target) + + def test_update_port_with_allowed_address_pairs_and_ip_address(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_port:allowed_address_pairs:ip_address', + self.target) + + def test_update_port_data_plane_status(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + 
self.context, 'update_port:data_plane_status', self.target) + + def test_delete_port(self): + self.assertTrue( + policy.enforce(self.context, 'delete_port', self.target)) diff --git a/neutron/tests/unit/conf/policies/test_port_bindings.py b/neutron/tests/unit/conf/policies/test_port_bindings.py index c2ac336e102..722ebd5bdba 100644 --- a/neutron/tests/unit/conf/policies/test_port_bindings.py +++ b/neutron/tests/unit/conf/policies/test_port_bindings.py @@ -81,31 +81,6 @@ class AdminTests(PortBindingsAPITestCase): self.assertTrue( policy.enforce(self.context, "get_port_binding", self.target)) - def test_create_port_binding(self): - self.assertTrue( - policy.enforce(self.context, "create_port_binding", self.target)) - - def test_delete_port_binding(self): - self.assertTrue( - policy.enforce(self.context, "delete_port_binding", self.target)) - - def test_activate_port_binding(self): - self.assertTrue( - policy.enforce(self.context, "activate", self.target)) - - -class ProjectMemberTests(AdminTests): - - def setUp(self): - super(ProjectMemberTests, self).setUp() - self.context = self.project_member_ctx - - def test_get_port_binding(self): - self.assertRaises( - base_policy.PolicyNotAuthorized, - policy.enforce, - self.context, "get_port_binding", self.target) - def test_create_port_binding(self): self.assertRaises( base_policy.PolicyNotAuthorized, 
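Review bot: test_create_port_with_allowed_address_pairs_and_mac_address in test_port.py enforces against self.alt_target while every sibling in ServiceRoleTests, including the matching update test, uses self.target, so the own-project case for `create_port:allowed_address_pairs:mac_address` is never exercised for the service role; this reads as a copy-paste slip and the last argument should be `self.target`, with a separate alt_target assertion if cross-project denial is also wanted. Separately, the class asserts `create_port:binding:vnic_type` denied but `update_port:binding:vnic_type` allowed; if that asymmetry is what the port.py policy change intends, a one-line comment on test_update_port_with_binding_vnic_type saying so would keep a later reader from "fixing" it.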
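Review bot: Removing the assertTrue versions of test_create_port_binding, test_delete_port_binding and test_activate_port_binding from AdminTests together with the ProjectMemberTests class header leaves the assertRaises checks that follow (the context lines here and the start of the next hunk) inside AdminTests, so as far as these tests pin it, an admin is now denied create, delete and activate on port bindings and only the new ServiceRoleTests class is allowed them. That is a capability removal for operators rather than purely an addition of a service role, and the commit message does not say so; the description should state it, and a comment on AdminTests such as `# create/delete/activate port binding are service-role only; admin is denied on purpose` would record the intent in the test itself. I am inferring the admin outcome from the removed lines and the surrounding context; the AdminTests body continues outside this hunk.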
@@ -125,8 +100,44 @@ class ProjectMemberTests(AdminTests):
             self.context, "activate", self.target)
 
 
+class ProjectMemberTests(AdminTests):
+
+    def setUp(self):
+        super(ProjectMemberTests, self).setUp()
+        self.context = self.project_member_ctx
+
+    def test_get_port_binding(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, "get_port_binding", self.target)
+
+
 class ProjectReaderTests(ProjectMemberTests):
 
     def setUp(self):
         super(ProjectReaderTests, self).setUp()
         self.context = self.project_reader_ctx
+
+
+class ServiceRoleTests(PortBindingsAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_get_port_binding(self):
+        self.assertTrue(
+            policy.enforce(self.context, "get_port_binding", self.target))
+
+    def test_create_port_binding(self):
+        self.assertTrue(
+            policy.enforce(self.context, "create_port_binding", self.target))
+
+    def test_delete_port_binding(self):
+        self.assertTrue(
+            policy.enforce(self.context, "delete_port_binding", self.target))
+
+    def test_activate_port_binding(self):
+        self.assertTrue(
+            policy.enforce(self.context, "activate", self.target))
diff --git a/neutron/tests/unit/conf/policies/test_qos.py b/neutron/tests/unit/conf/policies/test_qos.py
index ff655b298e9..b5ee683c981 100644
--- a/neutron/tests/unit/conf/policies/test_qos.py
+++ b/neutron/tests/unit/conf/policies/test_qos.py
@@ -159,6 +159,33 @@ class ProjectReaderQosPolicyTests(ProjectMemberQosPolicyTests):
         self.context = self.project_reader_ctx
 
 
+class ServiceRoleQosPolicyTests(QosPolicyAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleQosPolicyTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_get_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'get_policy', self.target)
+
+    def test_create_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'create_policy', self.target)
+
+    def test_update_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'update_policy', self.target)
+
+    def test_delete_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce, self.context, 'delete_policy', self.target)
+
+
 class QosRuleTypeAPITestCase(base.PolicyBaseTestCase):
 
     def setUp(self):
@@ -218,6 +245,19 @@ class ProjectReaderQosRuleTypeTests(ProjectMemberQosRuleTypeTests):
         self.context = self.project_reader_ctx
 
 
+class ServiceRoleQosRuleTypeTests(QosRuleTypeAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleQosRuleTypeTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_get_rule_type(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_rule_type', self.target)
+
+
 class QosRulesAPITestCase(base.PolicyBaseTestCase):
 
     def setUp(self):
@@ -541,6 +581,63 @@ class ProjectReaderQosBandwidthLimitRuleTests( self.context = self.project_reader_ctx +class ServiceRoleQosBandwidthLimitRuleTests(QosRulesAPITestCase): + + def setUp(self): + super(ServiceRoleQosBandwidthLimitRuleTests, self).setUp() + self.context = self.service_ctx + + def test_get_policy_bandwidth_limit_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_policy_bandwidth_limit_rule', + self.target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_alias_bandwidth_limit_rule', + self.target) + + def test_create_policy_bandwidth_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_bandwidth_limit_rule', + self.target) + + def test_update_policy_bandwidth_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_bandwidth_limit_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_bandwidth_limit_rule', + self.target) + + def test_delete_policy_bandwidth_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_bandwidth_limit_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_bandwidth_limit_rule', + self.target) + + class SystemAdminQosPacketRateLimitRuleTests(QosRulesAPITestCase): def setUp(self): 
@@ -716,6 +813,41 @@ class ProjectReaderQosPacketRateLimitRuleTests( self.context = self.project_reader_ctx +class ServiceRoleQosPacketRateLimitRuleTests(QosRulesAPITestCase): + + def setUp(self): + super(ServiceRoleQosPacketRateLimitRuleTests, self).setUp() + self.context = self.service_ctx + + def test_get_policy_packet_rate_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_policy_packet_rate_limit_rule', + self.target) + + def test_create_policy_packet_rate_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_packet_rate_limit_rule', + self.target) + + def test_update_policy_packet_rate_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_packet_rate_limit_rule', + self.target) + + def test_delete_policy_packet_rate_limit_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_packet_rate_limit_rule', + self.target) + + class SystemAdminQosDSCPMarkingRuleTests(QosRulesAPITestCase): def setUp(self): 
@@ -1013,6 +1145,64 @@ class ProjectReaderQosDSCPMarkingRuleTests( self.context = self.project_reader_ctx +class ServiceRoleQosDSCPMarkingRuleTests(QosRulesAPITestCase): + + def setUp(self): + super(ServiceRoleQosDSCPMarkingRuleTests, self).setUp() + self.context = self.service_ctx + + def test_get_policy_dscp_marking_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_policy_dscp_marking_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_alias_dscp_marking_rule', + self.target) + + def test_create_policy_dscp_marking_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_dscp_marking_rule', + self.target) + + def test_update_policy_dscp_marking_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_dscp_marking_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_dscp_marking_rule', + self.target) + + def test_delete_policy_dscp_marking_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_dscp_marking_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_dscp_marking_rule', + self.target) + + class SystemAdminQosMinimumBandwidthRuleTests(QosRulesAPITestCase): def setUp(self): 
@@ -1310,6 +1500,63 @@ class ProjectReaderQosMinimumBandwidthRuleTests( self.context = self.project_reader_ctx +class ServiceRoleQosMinimumBandwidthRuleTests(QosRulesAPITestCase): + + def setUp(self): + super(ServiceRoleQosMinimumBandwidthRuleTests, self).setUp() + self.context = self.service_ctx + + def test_get_policy_minimum_bandwidth_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_policy_minimum_bandwidth_rule', + self.target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_alias_minimum_bandwidth_rule', + self.target) + + def test_create_policy_minimum_bandwidth_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_minimum_bandwidth_rule', + self.target) + + def test_update_policy_minimum_bandwidth_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_minimum_bandwidth_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_alias_minimum_bandwidth_rule', + self.target) + + def test_delete_policy_minimum_bandwidth_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_minimum_bandwidth_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_minimum_bandwidth_rule', + self.target) + + class SystemAdminQosMinimumPacketRateRuleTests(QosRulesAPITestCase): def setUp(self): 
@@ -1595,3 +1842,60 @@ class ProjectReaderQosMinimumPacketRateRuleTests( def setUp(self): super(ProjectReaderQosMinimumPacketRateRuleTests, self).setUp() self.context = self.project_reader_ctx + + +class ServiceRoleQosMinimumPacketRateRuleTests(QosRulesAPITestCase): + + def setUp(self): + super(ServiceRoleQosMinimumPacketRateRuleTests, self).setUp() + self.context = self.service_ctx + + def test_get_policy_minimum_packet_rate_rule(self): + with mock.patch.object(self.plugin_mock, "get_policy", + return_value=self.qos_policy): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_policy_minimum_packet_rate_rule', + self.target) + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_alias_minimum_packet_rate_rule', + self.target) + + def test_create_policy_minimum_packet_rate_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_policy_minimum_packet_rate_rule', + self.target) + + def test_update_policy_minimum_packet_rate_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_policy_minimum_packet_rate_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_alias_minimum_packet_rate_rule', + self.target) + + def test_delete_policy_minimum_packet_rate_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_policy_minimum_packet_rate_rule', + self.target) + + # And the same for aliases + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_alias_minimum_packet_rate_rule', + self.target) diff --git a/neutron/tests/unit/conf/policies/test_quotas.py b/neutron/tests/unit/conf/policies/test_quotas.py index ff34c303b80..4a1a8ddb499 100644 
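Review bot: In test_update_policy_minimum_packet_rate_rule the "And the same for aliases" block enforces `'get_alias_minimum_packet_rate_rule'` instead of the update alias, so `update_alias_minimum_packet_rate_rule` is never exercised for the service role and a later loosening of that rule would pass unnoticed; the line should read `self.context, 'update_alias_minimum_packet_rate_rule',`. The other alias blocks in this hunk, and the parallel bandwidth-limit, DSCP-marking and minimum-bandwidth classes earlier in this file's diff, all use the alias name matching the operation under test, so this one looks like a copy-paste slip.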
--- a/neutron/tests/unit/conf/policies/test_quotas.py
+++ b/neutron/tests/unit/conf/policies/test_quotas.py
@@ -145,3 +145,28 @@ class ProjectReaderTests(ProjectMemberTests):
     def setUp(self):
         super(ProjectReaderTests, self).setUp()
         self.context = self.project_reader_ctx
+
+
+class ServiceRoleTests(QuoatsAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_get_quota(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_quota', self.target)
+
+    def test_update_quota(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_quota', self.target)
+
+    def test_delete_quota(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_quota', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_rbac.py b/neutron/tests/unit/conf/policies/test_rbac.py
index 2b32dfebc15..e1913485478 100644
--- a/neutron/tests/unit/conf/policies/test_rbac.py
+++ b/neutron/tests/unit/conf/policies/test_rbac.py
@@ -268,3 +268,42 @@ class ProjectReaderTests(ProjectMemberTests):
             base_policy.PolicyNotAuthorized,
             policy.enforce,
             self.context, 'delete_rbac_policy', self.alt_target)
+
+
+class ServiceRoleTests(RbacAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_rbac_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_rbac_policy', self.target)
+
+    def test_create_rbac_policy_target_tenant(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_rbac_policy:target_tenant',
+            self.wildcard_target)
+
+    def test_update_rbac_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_rbac_policy', self.target)
+
+    def test_update_rbac_policy_target_tenant(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_rbac_policy:target_tenant',
+            self.wildcard_target)
+
+    def test_get_rbac_policy(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_rbac_policy', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_router.py b/neutron/tests/unit/conf/policies/test_router.py
index 4ebd2ea1460..963f79fc4d6 100644
--- a/neutron/tests/unit/conf/policies/test_router.py
+++ b/neutron/tests/unit/conf/policies/test_router.py
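Review bot: The new ServiceRoleTests in test_rbac.py covers create, update and get but not `delete_rbac_policy`, which the ProjectReaderTests context at the top of the hunk still exercises, so the service role's standing on deletion of RBAC entries is left unpinned; add a `test_delete_rbac_policy` asserting PolicyNotAuthorized in the same shape as test_get_rbac_policy. The two target_tenant checks run only against self.wildcard_target, so whether the role may create or update an entry with a non-wildcard target_tenant is also not asserted; a second check against self.target would close that gap.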
@@ -987,3 +987,140 @@ class ProjectReaderExtrarouteTests(ProjectMemberExtrarouteTests): base_policy.PolicyNotAuthorized, policy.enforce, self.context, 'remove_extraroutes', self.alt_target) + + +class ServiceRoleTests(RouterAPITestCase): + + def setUp(self): + super(ServiceRoleTests, self).setUp() + self.context = self.service_ctx + + def test_create_router(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router', self.target) + + def test_create_router_distributed(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router:distributed', self.target) + + def test_create_router_ha(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router:ha', self.target) + + def test_create_router_external_gateway_info(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router:external_gateway_info', + self.target) + + def test_create_router_external_gateway_info_network_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router:external_gateway_info:network_id', + self.target) + + def test_create_router_external_gateway_info_enable_snat(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_router:external_gateway_info:enable_snat', + self.target) + + def test_create_router_external_gateway_info_external_fixed_ips(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, + 'create_router:external_gateway_info:external_fixed_ips', + self.target) + + def test_get_router(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_router', self.target) + + def test_get_router_distributed(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 
'get_router:distributed', self.target) + + def test_get_router_ha(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_router:ha', self.target) + + def test_update_router(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router', self.target) + + def test_update_router_distributed(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router:distributed', self.target) + + def test_update_router_ha(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router:ha', self.target) + + def test_update_router_external_gateway_info(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router:external_gateway_info', + self.target) + + def test_update_router_external_gateway_info_network_id(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router:external_gateway_info:network_id', + self.target) + + def test_update_router_external_gateway_info_enable_snat(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_router:external_gateway_info:enable_snat', + self.target) + + def test_update_router_external_gateway_info_external_fixed_ips(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, + 'update_router:external_gateway_info:external_fixed_ips', + self.target) + + def test_delete_router(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_router', self.target) + + def test_add_router_interface(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'add_router_interface', self.target) + + def test_remove_router_interface(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + 
policy.enforce, + self.context, 'remove_router_interface', self.target) diff --git a/neutron/tests/unit/conf/policies/test_security_group.py b/neutron/tests/unit/conf/policies/test_security_group.py index c0f2cbec87b..160a22acde3 100644 --- a/neutron/tests/unit/conf/policies/test_security_group.py +++ b/neutron/tests/unit/conf/policies/test_security_group.py @@ -202,6 +202,37 @@ class ProjectReaderSecurityGroupTests(ProjectMemberSecurityGroupTests): self.context, 'delete_security_group', self.alt_target) +class ServiceRoleSecurityGroupTests(SecurityGroupAPITestCase): + + def setUp(self): + super(ServiceRoleSecurityGroupTests, self).setUp() + self.context = self.service_ctx + + def test_create_security_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'create_security_group', self.target) + + def test_get_security_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'get_security_group', self.target) + + def test_update_security_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'update_security_group', self.target) + + def test_delete_security_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, + self.context, 'delete_security_group', self.target) + + class SecurityGroupRuleAPITestCase(base.PolicyBaseTestCase): def setUp(self): 
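Review bot: ServiceRoleTests in test_router.py does not cover the extraroute rules, although the ProjectReaderExtrarouteTests context at the top of the hunk exercises `remove_extraroutes` (and presumably `add_extraroutes` just before it), so the service role's outcome for those APIs is left unpinned; add two assertRaises checks in the same shape as test_add_router_interface, e.g. `self.context, 'add_extraroutes', self.target)` and the matching remove case. If the intent is that the service role is denied every router operation, a one-line class docstring saying so would make the long list of identical negative tests easier to audit.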
@@ -378,3 +409,28 @@ class ProjectReaderSecurityGroupRuleTests(ProjectMemberSecurityGroupRuleTests):
             base_policy.PolicyNotAuthorized,
             policy.enforce,
             self.context, 'delete_security_group_rule', self.alt_target)
+
+
+class ServiceRoleSecurityGroupRuleTests(SecurityGroupRuleAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleSecurityGroupRuleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_security_group_rule(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_security_group_rule', self.target)
+
+    def test_get_security_group_rule(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_security_group_rule', self.target)
+
+    def test_delete_security_group_rule(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_security_group_rule', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_segment.py b/neutron/tests/unit/conf/policies/test_segment.py
index 010ca447807..3c9fa8b08a1 100644
--- a/neutron/tests/unit/conf/policies/test_segment.py
+++ b/neutron/tests/unit/conf/policies/test_segment.py
@@ -130,3 +130,34 @@ class ProjectReaderTests(ProjectMemberTests):
     def setUp(self):
         super(ProjectReaderTests, self).setUp()
         self.context = self.project_reader_ctx
+
+
+class ServiceRoleTests(SegmentAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_segment(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_segment', self.target)
+
+    def test_get_segment(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_segment', self.target)
+
+    def test_update_segment(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_segment', self.target)
+
+    def test_delete_segment(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_segment', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_service_type.py b/neutron/tests/unit/conf/policies/test_service_type.py
index 98e33b39e5a..67ba3a7e925 100644
--- a/neutron/tests/unit/conf/policies/test_service_type.py
+++ b/neutron/tests/unit/conf/policies/test_service_type.py
@@ -76,3 +76,16 @@ class ProjectReaderTests(ProjectMemberTests):
     def setUp(self):
         super(ProjectReaderTests, self).setUp()
         self.context = self.project_reader_ctx
+
+
+class ServiceRoleTests(ServiceTypeAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_get_service_provider(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_service_provider', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_subnet.py b/neutron/tests/unit/conf/policies/test_subnet.py
index 6c3d8ef9eb2..7559e150787 100644
--- a/neutron/tests/unit/conf/policies/test_subnet.py
+++ b/neutron/tests/unit/conf/policies/test_subnet.py
@@ -366,3 +366,64 @@ class ProjectReaderTests(ProjectMemberTests):
             base_policy.PolicyNotAuthorized,
             policy.enforce,
             self.context, 'delete_subnet', self.alt_target)
+
+
+class ServiceRoleTests(SubnetAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_subnet(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet', self.target)
+
+    def test_create_subnet_segment_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet:segment_id', self.target)
+
+    def test_create_subnet_service_types(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnet:service_types', self.target)
+
+    def test_get_subnet(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_subnet', self.target)
+
+    def test_get_subnet_segment_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_subnet:segment_id', self.target)
+
+    def test_update_subnet(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnet', self.target)
+
+    def test_update_subnet_segment_id(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnet:segment_id', self.target)
+
+    def test_update_subnet_service_types(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnet:service_types', self.target)
+
+    def test_delete_subnet(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_subnet', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_subnetpool.py b/neutron/tests/unit/conf/policies/test_subnetpool.py
index 0abc4fb8aff..6105875124a 100644
--- a/neutron/tests/unit/conf/policies/test_subnetpool.py
+++ b/neutron/tests/unit/conf/policies/test_subnetpool.py
@@ -382,3 +382,70 @@ class ProjectReaderTests(ProjectMemberTests):
             base_policy.PolicyNotAuthorized,
             policy.enforce,
             self.context, 'remove_prefixes', self.alt_target)
+
+
+class ServiceRoleTests(SubnetpoolAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_subnetpool(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnetpool', self.target)
+
+    def test_create_subnetpool_shared(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnetpool:shared', self.target)
+
+    def test_create_subnetpool_default(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_subnetpool:is_default', self.target)
+
+    def test_get_subnetpool(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_subnetpool', self.target)
+
+    def test_update_subnetpool(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnetpool', self.target)
+
+    def test_update_subnetpool_default(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_subnetpool:is_default', self.target)
+
+    def test_delete_subnetpool(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_subnetpool', self.target)
+
+    def test_onboard_network_subnets(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'onboard_network_subnets', self.target)
+
+    def test_add_prefixes(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_prefixes', self.target)
+
+    def test_remove_prefixes(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_prefixes', self.target)
diff --git a/neutron/tests/unit/conf/policies/test_trunk.py b/neutron/tests/unit/conf/policies/test_trunk.py
index a301ba78187..7a0cb416631 100644
--- a/neutron/tests/unit/conf/policies/test_trunk.py
+++ b/neutron/tests/unit/conf/policies/test_trunk.py
@@ -285,3 +285,52 @@ class ProjectReaderTests(ProjectMemberTests):
             base_policy.PolicyNotAuthorized,
             policy.enforce,
             self.context, 'remove_subports', self.alt_target)
+
+
+class ServiceRoleTests(TrunkAPITestCase):
+
+    def setUp(self):
+        super(ServiceRoleTests, self).setUp()
+        self.context = self.service_ctx
+
+    def test_create_trunk(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'create_trunk', self.target)
+
+    def test_get_trunk(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_trunk', self.target)
+
+    def test_update_trunk(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_trunk', self.target)
+
+    def test_delete_trunk(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'delete_trunk', self.target)
+
+    def test_get_subports(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'get_subports', self.target)
+
+    def test_add_subports(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_subports', self.target)
+
+    def test_remove_subports(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_subports', self.target)
diff --git a/neutron/tests/unit/db/test_db_base_plugin_v2.py b/neutron/tests/unit/db/test_db_base_plugin_v2.py
index 99ccc1ad3d9..4e16545d827 100644
--- a/neutron/tests/unit/db/test_db_base_plugin_v2.py
+++ b/neutron/tests/unit/db/test_db_base_plugin_v2.py
@@ -260,6 +260,15 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
             roles=['admin', 'member', 'reader'])
         return req
+    def _service_req(self, method, resource, data=None, fmt=None, id=None,
+                     params=None, action=None, subresource=None, sub_id=None,
+                     ctx=None, headers=None):
+        req = self._req(method, resource, data, fmt, id, params, action,
+                        subresource, sub_id, ctx, headers)
+        req.environ['neutron.context'] = context.Context(
+            'service-user', 'service-project', roles=['service'])
+        return req
+
     def _member_req(self, method, resource, data=None, fmt=None, id=None,
                     params=None, action=None, subresource=None, sub_id=None,
                     ctx=None, headers=None, tenant_id=None):
diff --git a/neutron/tests/unit/plugins/ml2/test_port_binding.py b/neutron/tests/unit/plugins/ml2/test_port_binding.py
index b4a1807ad2f..6bdc14705b2 100644
--- a/neutron/tests/unit/plugins/ml2/test_port_binding.py
+++ b/neutron/tests/unit/plugins/ml2/test_port_binding.py
@@ -372,7 +372,9 @@ class ExtendedPortBindingTestCase(test_plugin.NeutronDbPluginV2TestCase):
         data['binding'].update(kwargs)
         binding_resource = 'ports/%s/bindings' % port_id
         binding_req = self.new_create_request(
-            binding_resource, data, fmt, as_admin=True)
+            binding_resource, data, fmt)
+        binding_req.environ['neutron.context'] = context.Context(
+            'service', 'service', roles=['service'])
         return binding_req.get_response(self.api)
     def _make_port_binding(self, fmt, port_id, host, **kwargs):
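Review bot: `_service_req` accepts a `ctx` argument and forwards it to `_req`, then unconditionally replaces `req.environ['neutron.context']` with a freshly built service context, so a caller-supplied `ctx` is silently discarded; that mirrors the sibling helper visible in the leading context lines, but it deserves a docstring, e.g. `"""Build a request whose context carries only the ``service`` role; any ``ctx`` passed in is overridden."""`. The identity `'service-user'`/`'service-project'` is constructed inline; a module-level constant would let other tests refer to the same service identity instead of retyping it. The enclosing NeutronDbPluginV2TestCase class starts outside the hunk.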
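Review bot: The port-binding create request builds `context.Context('service', 'service', roles=['service'])` inline, while `_service_req` added in the same commit to test_db_base_plugin_v2.py uses `'service-user'`/`'service-project'` for the same role, so the two service identities used by the port-binding tests differ; that could matter for any assertion on the `project_id` of a created binding, though none is visible here. Routing this request through the same helper, or building the context via one shared function, would keep the test service identity defined in one place. The enclosing helper method starts outside the hunk.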
@@ -396,10 +398,11 @@ class ExtendedPortBindingTestCase(test_plugin.NeutronDbPluginV2TestCase):
         return self.deserialize(fmt, res)
     def _activate_port_binding(self, port_id, host, raw_response=True):
-        response = self._req('PUT', 'ports', id=port_id,
-                             data={'port_id': port_id},
-                             subresource='bindings', sub_id=host,
-                             action='activate').get_response(self.api)
+        response = self._service_req(
+            'PUT', 'ports', id=port_id,
+            data={'port_id': port_id},
+            subresource='bindings', sub_id=host,
+            action='activate').get_response(self.api)
         return self._check_code_and_serialize(response, raw_response)
     def _check_code_and_serialize(self, response, raw_response):
@@ -410,20 +413,20 @@ class ExtendedPortBindingTestCase(test_plugin.NeutronDbPluginV2TestCase):
         return self.deserialize(self.fmt, response)
     def _list_port_bindings(self, port_id, params=None, raw_response=True):
-        response = self._req(
+        response = self._service_req(
             'GET', 'ports', fmt=self.fmt, id=port_id,
             subresource='bindings', params=params).get_response(self.api)
         return self._check_code_and_serialize(response, raw_response)
     def _show_port_binding(self, port_id, host, params=None, raw_response=True):
-        response = self._req(
+        response = self._service_req(
             'GET', 'ports', fmt=self.fmt, id=port_id,
             subresource='bindings', sub_id=host,
             params=params).get_response(self.api)
         return self._check_code_and_serialize(response, raw_response)
     def _delete_port_binding(self, port_id, host):
-        response = self._req(
+        response = self._service_req(
             'DELETE', 'ports', fmt=self.fmt, id=port_id,
             subresource='bindings', sub_id=host).get_response(self.api)
         return response
diff --git a/releasenotes/notes/Add-service-role-support-3e28b1bfcfc59c29.yaml b/releasenotes/notes/Add-service-role-support-3e28b1bfcfc59c29.yaml
new file mode 100644
index 00000000000..609105a5e17
--- /dev/null
+++ b/releasenotes/notes/Add-service-role-support-3e28b1bfcfc59c29.yaml
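Review bot: `_activate_port_binding`, and in the second hunk `_list_port_bindings`, `_show_port_binding` and `_delete_port_binding`, now always issue the request as the service role, but nothing in their names or bodies says so, and a test that wants to exercise the admin or member path through these helpers can no longer do it. A one-line docstring on each, e.g. `"""Activate the binding as the service role (see _service_req)."""`, or a role/context parameter defaulting to the service context, would make the new assumption explicit. The class ExtendedPortBindingTestCase starts outside both hunks.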
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Support for new ``service`` role is added to the Neutron API policies as
+    part of the Secure-RBAC initiative. This new role is designed to be used for
+    the service-to-service communication.
+deprecations:
+  - |
+    Old role ``advsvc`` used in the Neutron API policies is now deprecated. New
+    ``service`` role should be used for service-to-service communication.
diff --git a/requirements.txt b/requirements.txt
index cb72debe32d..2ae992678b5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,7 +20,7 @@ Jinja2>=2.10 # BSD License (3 clause)
 keystonemiddleware>=5.1.0 # Apache-2.0
 netaddr>=0.7.18 # BSD
 netifaces>=0.10.4 # MIT
-neutron-lib>=3.7.0 # Apache-2.0
+neutron-lib>=3.8.0 # Apache-2.0
 python-neutronclient>=7.8.0 # Apache-2.0
 tenacity>=6.0.0 # Apache-2.0
 SQLAlchemy>=1.4.23 # MIT