Fix policy tests for project_id enforcement
Current policy tests override rule with string "project:non_fake" and try to tests whether policy is failed on project_id enforcement or not. But with that string as rule, policy will always fail irrespective of same project_id or different. Because rule for project_id should be string like "project_id:non_fake" or "project_id:%(project_id)s" This patch fix those tests for only those APIs where instance's user_id and project_id are being passed as policy target. Other tests will be taken care while doing project_id enforcement at API layer. Below tests are being fixed- - test_lock_server - test_pause_server - test_rescue - test_suspend_server - test_serversV21: rebuild tests Other tests are already taken care with user_id enforcement patch set. Partially implements blueprint user_id_based_policy_enforcement Change-Id: I377ef4ef438d5ef7e2c591a8317a02bc99575783
This commit is contained in:
parent
ec2e03f908
commit
110c12b414
|
@ -94,11 +94,14 @@ class LockServerPolicyEnforcementV21(test.NoDBTestCase):
|
|||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_lock_policy_failed(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
def test_lock_policy_failed_with_other_project(self, get_instance_mock):
|
||||
get_instance_mock.return_value = fake_instance.fake_instance_obj(
|
||||
self.req.environ['nova.context'],
|
||||
project_id=self.req.environ['nova.context'].project_id)
|
||||
rule_name = "os_compute_api:os-lock-server:lock"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
|
||||
# Change the project_id in request context.
|
||||
self.req.environ['nova.context'].project_id = 'other-project'
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller._lock, self.req,
|
||||
|
|
|
@ -75,11 +75,14 @@ class PauseServerPolicyEnforcementV21(test.NoDBTestCase):
|
|||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_pause_policy_failed(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
def test_pause_policy_failed_with_other_project(self, get_instance_mock):
|
||||
get_instance_mock.return_value = fake_instance.fake_instance_obj(
|
||||
self.req.environ['nova.context'],
|
||||
project_id=self.req.environ['nova.context'].project_id)
|
||||
rule_name = "os_compute_api:os-pause-server:pause"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
|
||||
# Change the project_id in request context.
|
||||
self.req.environ['nova.context'].project_id = 'other-project'
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller._pause, self.req, fakes.FAKE_UUID,
|
||||
|
|
|
@ -227,12 +227,15 @@ class RescuePolicyEnforcementV21(test.NoDBTestCase):
|
|||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_rescue_policy_failed(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
def test_rescue_policy_failed_with_other_project(self, get_instance_mock):
|
||||
get_instance_mock.return_value = fake_instance.fake_instance_obj(
|
||||
self.req.environ['nova.context'],
|
||||
project_id=self.req.environ['nova.context'].project_id)
|
||||
rule_name = "os_compute_api:os-rescue"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
|
||||
body = {"rescue": {"adminPass": "AABBCC112233"}}
|
||||
# Change the project_id in request context.
|
||||
self.req.environ['nova.context'].project_id = 'other-project'
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller._rescue, self.req, fakes.FAKE_UUID,
|
||||
|
|
|
@ -4666,12 +4666,15 @@ class ServersPolicyEnforcementV21(test.NoDBTestCase):
|
|||
instance, '1')
|
||||
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_rebuild_policy_failed(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
def test_rebuild_policy_failed_with_other_project(self, get_instance_mock):
|
||||
get_instance_mock.return_value = fake_instance.fake_instance_obj(
|
||||
self.req.environ['nova.context'],
|
||||
project_id=self.req.environ['nova.context'].project_id)
|
||||
rule_name = "os_compute_api:servers:rebuild"
|
||||
rule = {rule_name: "project:non_fake"}
|
||||
rule = {rule_name: "project_id:%(project_id)s"}
|
||||
body = {'rebuild': {'imageRef': self.image_uuid}}
|
||||
# Change the project_id in request context.
|
||||
self.req.environ['nova.context'].project_id = 'other-project'
|
||||
self._common_policy_check(
|
||||
rule, rule_name, self.controller._action_rebuild,
|
||||
self.req, FAKE_UUID, body=body)
|
||||
|
|
|
@ -62,11 +62,14 @@ class SuspendServerPolicyEnforcementV21(test.NoDBTestCase):
|
|||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
@mock.patch('nova.api.openstack.common.get_instance')
|
||||
def test_suspend_policy_failed(self, get_instance_mock):
|
||||
get_instance_mock.return_value = (
|
||||
fake_instance.fake_instance_obj(self.req.environ['nova.context']))
|
||||
def test_suspend_policy_failed_with_other_project(self, get_instance_mock):
|
||||
get_instance_mock.return_value = fake_instance.fake_instance_obj(
|
||||
self.req.environ['nova.context'],
|
||||
project_id=self.req.environ['nova.context'].project_id)
|
||||
rule_name = "os_compute_api:os-suspend-server:suspend"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
|
||||
# Change the project_id in request context.
|
||||
self.req.environ['nova.context'].project_id = 'other-project'
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller._suspend, self.req, fakes.FAKE_UUID,
|
||||
|
|
Loading…
Reference in New Issue