Fix policy tests for project_id enforcement

Current policy tests override rule with string
"project:non_fake" and try to tests whether policy
is failed on project_id enforcement or not.

But with that string as rule, policy will always fail
irrespective of same project_id or different.
Because rule for project_id should be string like
"project_id:non_fake" or "project_id:%(project_id)s"

This patch fix those tests for only those APIs where instance's
user_id and project_id are being passed as policy target.
Other tests will be taken care while doing project_id
enforcement at API layer.

Below tests are being fixed-

- test_lock_server
- test_pause_server
- test_rescue
- test_suspend_server
- test_serversV21: rebuild tests

Other tests are already taken care with user_id enforcement patch set.

Partially implements blueprint user_id_based_policy_enforcement

Change-Id: I377ef4ef438d5ef7e2c591a8317a02bc99575783

nova/tests/unit/api/openstack/compute/test_lock_server.py

@@ -94,11 +94,14 @@ class LockServerPolicyEnforcementV21(test.NoDBTestCase):
         self.req = fakes.HTTPRequest.blank('')
 
     @mock.patch('nova.api.openstack.common.get_instance')
-    def test_lock_policy_failed(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
+    def test_lock_policy_failed_with_other_project(self, get_instance_mock):
+        get_instance_mock.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            project_id=self.req.environ['nova.context'].project_id)
         rule_name = "os_compute_api:os-lock-server:lock"
-        self.policy.set_rules({rule_name: "project:non_fake"})
+        self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
+        # Change the project_id in request context.
+        self.req.environ['nova.context'].project_id = 'other-project'
         exc = self.assertRaises(
                                 exception.PolicyNotAuthorized,
                                 self.controller._lock, self.req,

nova/tests/unit/api/openstack/compute/test_pause_server.py

@@ -75,11 +75,14 @@ class PauseServerPolicyEnforcementV21(test.NoDBTestCase):
         self.req = fakes.HTTPRequest.blank('')
 
     @mock.patch('nova.api.openstack.common.get_instance')
-    def test_pause_policy_failed(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
+    def test_pause_policy_failed_with_other_project(self, get_instance_mock):
+        get_instance_mock.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            project_id=self.req.environ['nova.context'].project_id)
         rule_name = "os_compute_api:os-pause-server:pause"
-        self.policy.set_rules({rule_name: "project:non_fake"})
+        self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
+        # Change the project_id in request context.
+        self.req.environ['nova.context'].project_id = 'other-project'
         exc = self.assertRaises(
             exception.PolicyNotAuthorized,
             self.controller._pause, self.req, fakes.FAKE_UUID,

nova/tests/unit/api/openstack/compute/test_rescue.py

@@ -227,12 +227,15 @@ class RescuePolicyEnforcementV21(test.NoDBTestCase):
         self.req = fakes.HTTPRequest.blank('')
 
     @mock.patch('nova.api.openstack.common.get_instance')
-    def test_rescue_policy_failed(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
+    def test_rescue_policy_failed_with_other_project(self, get_instance_mock):
+        get_instance_mock.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            project_id=self.req.environ['nova.context'].project_id)
         rule_name = "os_compute_api:os-rescue"
-        self.policy.set_rules({rule_name: "project:non_fake"})
+        self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
         body = {"rescue": {"adminPass": "AABBCC112233"}}
+        # Change the project_id in request context.
+        self.req.environ['nova.context'].project_id = 'other-project'
         exc = self.assertRaises(
             exception.PolicyNotAuthorized,
             self.controller._rescue, self.req, fakes.FAKE_UUID,

nova/tests/unit/api/openstack/compute/test_serversV21.py

@@ -4666,12 +4666,15 @@ class ServersPolicyEnforcementV21(test.NoDBTestCase):
                                             instance, '1')
 
     @mock.patch('nova.api.openstack.common.get_instance')
-    def test_rebuild_policy_failed(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
+    def test_rebuild_policy_failed_with_other_project(self, get_instance_mock):
+        get_instance_mock.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            project_id=self.req.environ['nova.context'].project_id)
         rule_name = "os_compute_api:servers:rebuild"
-        rule = {rule_name: "project:non_fake"}
+        rule = {rule_name: "project_id:%(project_id)s"}
         body = {'rebuild': {'imageRef': self.image_uuid}}
+        # Change the project_id in request context.
+        self.req.environ['nova.context'].project_id = 'other-project'
         self._common_policy_check(
             rule, rule_name, self.controller._action_rebuild,
             self.req, FAKE_UUID, body=body)

nova/tests/unit/api/openstack/compute/test_suspend_server.py

@@ -62,11 +62,14 @@ class SuspendServerPolicyEnforcementV21(test.NoDBTestCase):
         self.req = fakes.HTTPRequest.blank('')
 
     @mock.patch('nova.api.openstack.common.get_instance')
-    def test_suspend_policy_failed(self, get_instance_mock):
-        get_instance_mock.return_value = (
-            fake_instance.fake_instance_obj(self.req.environ['nova.context']))
+    def test_suspend_policy_failed_with_other_project(self, get_instance_mock):
+        get_instance_mock.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            project_id=self.req.environ['nova.context'].project_id)
         rule_name = "os_compute_api:os-suspend-server:suspend"
-        self.policy.set_rules({rule_name: "project:non_fake"})
+        self.policy.set_rules({rule_name: "project_id:%(project_id)s"})
+        # Change the project_id in request context.
+        self.req.environ['nova.context'].project_id = 'other-project'
         exc = self.assertRaises(
             exception.PolicyNotAuthorized,
             self.controller._suspend, self.req, fakes.FAKE_UUID,