diff --git a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py index 669d85f819..da917d4118 100644 --- a/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py +++ b/nova/tests/unit/api/openstack/compute/test_attach_interfaces.py @@ -582,50 +582,3 @@ class InterfaceAttachTestsV270(test.NoDBTestCase): list_ports.assert_called_once_with(ctxt, device_id=FAKE_UUID1) mock_get_by_instance_uuid.assert_called_once_with( self.req.environ['nova.context'], FAKE_UUID1) - - -class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase): - - def setUp(self): - super(AttachInterfacesPolicyEnforcementv21, self).setUp() - self.controller = \ - attach_interfaces_v21.InterfaceAttachmentController() - self.req = fakes.HTTPRequest.blank('') - self.rule_name = "os_compute_api:os-attach-interfaces" - self.policy.set_rules({self.rule_name: "project:non_fake"}) - - self.stub_out('nova.compute.api.API.get', fake_get_instance) - - def test_index_attach_interfaces_policy_failed(self): - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.index, self.req, fakes.FAKE_UUID) - self.assertEqual( - "Policy doesn't allow %s to be performed." % self.rule_name, - exc.format_message()) - - def test_show_attach_interfaces_policy_failed(self): - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.show, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1) - self.assertEqual( - "Policy doesn't allow %s to be performed." % self.rule_name, - exc.format_message()) - - def test_create_attach_interfaces_policy_failed(self): - rule_name = "os_compute_api:os-attach-interfaces:create" - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.create, self.req, fakes.FAKE_UUID, body={}) - self.assertEqual( - "Policy doesn't allow %s to be performed." % rule_name, - exc.format_message()) - - def test_delete_attach_interfaces_policy_failed(self): - rule_name = "os_compute_api:os-attach-interfaces:delete" - exc = self.assertRaises( - exception.PolicyNotAuthorized, - self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1) - self.assertEqual( - "Policy doesn't allow %s to be performed." % rule_name, - exc.format_message()) diff --git a/nova/tests/unit/policies/test_attach_interfaces.py b/nova/tests/unit/policies/test_attach_interfaces.py new file mode 100644 index 0000000000..4bfd04017c --- /dev/null +++ b/nova/tests/unit/policies/test_attach_interfaces.py @@ -0,0 +1,122 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import fixtures +import mock +from oslo_utils.fixture import uuidsentinel as uuids +from oslo_utils import timeutils + +from nova.api.openstack.compute import attach_interfaces +from nova.compute import vm_states +from nova.tests.unit.api.openstack import fakes +from nova.tests.unit import fake_instance +from nova.tests.unit.policies import base + + +class AttachInterfacesPolicyTest(base.BasePolicyTest): + """Test Attach Interfaces APIs policies with all possible context. + This class defines the set of context with different roles + which are allowed and not allowed to pass the policy checks. + With those set of context, it will call the API operation and + verify the expected behaviour. + """ + + def setUp(self): + super(AttachInterfacesPolicyTest, self).setUp() + self.controller = attach_interfaces.InterfaceAttachmentController() + self.req = fakes.HTTPRequest.blank('') + self.mock_get = self.useFixture( + fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock + uuid = uuids.fake_id + self.instance = fake_instance.fake_instance_obj( + self.project_member_context, + id=1, uuid=uuid, project_id=self.project_id, + vm_state=vm_states.ACTIVE, + task_state=None, launched_at=timeutils.utcnow()) + self.mock_get.return_value = self.instance + self.admin_authorized_contexts = [ + self.legacy_admin_context, self.system_admin_context, + self.project_admin_context, self.project_foo_context, + self.project_reader_context, self.project_member_context + ] + + self.admin_unauthorized_contexts = [ + self.system_member_context, self.system_reader_context, + self.system_foo_context, + self.other_project_member_context + ] + + @mock.patch('nova.compute.api.API.get') + @mock.patch('nova.network.neutron.API.list_ports') + def test_index_interfaces_policy(self, mock_port, mock_get): + rule_name = "os_compute_api:os-attach-interfaces" + self.common_policy_check(self.admin_authorized_contexts, + self.admin_unauthorized_contexts, + rule_name, self.controller.index, + self.req, uuids.fake_id) + + @mock.patch('nova.compute.api.API.get') + @mock.patch('nova.network.neutron.API.show_port') + def test_show_interface_policy(self, mock_port, mock_get): + rule_name = "os_compute_api:os-attach-interfaces" + server_id = uuids.fake_id + port_id = uuids.fake_id + mock_port.return_value = {'port': { + "id": port_id, + "network_id": uuids.fake_id, + "admin_state_up": True, + "status": "ACTIVE", + "mac_address": "bb:bb:bb:bb:bb:bb", + "fixed_ips": ["10.0.2.2"], + "device_id": server_id, + }} + self.common_policy_check(self.admin_authorized_contexts, + self.admin_unauthorized_contexts, + rule_name, + self.controller.show, + self.req, server_id, port_id) + + @mock.patch('nova.compute.api.API.get') + @mock.patch('nova.api.openstack.compute.attach_interfaces' + '.InterfaceAttachmentController.show') + @mock.patch('nova.compute.api.API.attach_interface') + def test_attach_interface(self, mock_interface, mock_port, mock_get): + rule_name = "os_compute_api:os-attach-interfaces:create" + body = {'interfaceAttachment': {'net_id': uuids.fake_id}} + self.common_policy_check(self.admin_authorized_contexts, + self.admin_unauthorized_contexts, + rule_name, self.controller.create, + self.req, uuids.fake_id, body=body) + + @mock.patch('nova.compute.api.API.get') + @mock.patch('nova.compute.api.API.detach_interface') + def test_delete_interface(self, mock_detach, mock_get): + rule_name = "os_compute_api:os-attach-interfaces:delete" + self.common_policy_check(self.admin_authorized_contexts, + self.admin_unauthorized_contexts, + rule_name, self.controller.delete, + self.req, uuids.fake_id, uuids.fake_id) + + +class AttachInterfacesScopeTypePolicyTest(AttachInterfacesPolicyTest): + """Test Attach Interfaces APIs policies with system scope enabled. + This class set the nova.conf [oslo_policy] enforce_scope to True + so that we can switch on the scope checking on oslo policy side. + It defines the set of context with scoped token + which are allowed and not allowed to pass the policy checks. + With those set of context, it will run the API operation and + verify the expected behaviour. + """ + + def setUp(self): + super(AttachInterfacesScopeTypePolicyTest, self).setUp() + self.flags(enforce_scope=True, group="oslo_policy")