Merge "Introduce scope_types in os-console-auth-tokens"

2020-03-06 11:50:15 +00:00
parent c1eeac897b 8e2d0333d9
commit 4c117c881d
2 changed files with 20 additions and 5 deletions
@@ -23,16 +23,17 @@ BASE_POLICY_NAME = 'os_compute_api:os-console-auth-tokens'

 console_auth_tokens_policies = [
    policy.DocumentedRuleDefault(
-        BASE_POLICY_NAME,
-        base.RULE_ADMIN_API,
-        "Show console connection information for a given console "
+        name=BASE_POLICY_NAME,
+        check_str=base.RULE_ADMIN_API,
+        description="Show console connection information for a given console "
        "authentication token",
-        [
+        operations=[
            {
                'method': 'GET',
                'path': '/os-console-auth-tokens/{console_token}'
            }
-        ])
+        ],
+        scope_types=['system'])
 ]


@@ -67,3 +67,17 @@ class ConsoleAuthTokensScopeTypePolicyTest(ConsoleAuthTokensPolicyTest):
    def setUp(self):
        super(ConsoleAuthTokensScopeTypePolicyTest, self).setUp()
        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system admin is able to get console connection
+        # information.
+        self.admin_authorized_contexts = [
+            self.system_admin_context]
+        # Check that non-system-admin is not able to get console connection
+        # information.
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]