diff --git a/nova/tests/unit/api/openstack/compute/test_hosts.py b/nova/tests/unit/api/openstack/compute/test_hosts.py
index 1f1a5e3193..5f05b60472 100644
--- a/nova/tests/unit/api/openstack/compute/test_hosts.py
+++ b/nova/tests/unit/api/openstack/compute/test_hosts.py
@@ -132,7 +132,6 @@ class HostTestCaseV21(test.TestCase):
 """Test Case for hosts."""
 validation_ex = exception.ValidationError
 Controller = os_hosts_v21.HostController
- policy_ex = exception.PolicyNotAuthorized
 
 def _setup_stubs(self):
 # Pretend we have fake_hosts.HOST_LIST in the DB
@@ -428,34 +427,6 @@ class HostTestCaseV21(test.TestCase):
 self.assertEqual(fake_hosts.HOST_LIST_NOVA_ZONE, hosts)
 
 
-class HostsPolicyEnforcementV21(test.NoDBTestCase):
-
- def setUp(self):
- super(HostsPolicyEnforcementV21, self).setUp()
- self.controller = os_hosts_v21.HostController()
- self.req = fakes.HTTPRequest.blank('')
-
- def test_index_policy_failed(self):
- rule_name = "os_compute_api:os-hosts"
- self.policy.set_rules({rule_name: "project_id:non_fake"})
- exc = self.assertRaises(
- exception.PolicyNotAuthorized,
- self.controller.index, self.req)
- self.assertEqual(
- "Policy doesn't allow %s to be performed." % rule_name,
- exc.format_message())
-
- def test_show_policy_failed(self):
- rule_name = "os_compute_api:os-hosts"
- self.policy.set_rules({rule_name: "project_id:non_fake"})
- exc = self.assertRaises(
- exception.PolicyNotAuthorized,
- self.controller.show, self.req, 1)
- self.assertEqual(
- "Policy doesn't allow %s to be performed." % rule_name,
- exc.format_message())
-
-
 class HostControllerDeprecationTest(test.NoDBTestCase):
 
 def setUp(self):
diff --git a/nova/tests/unit/policies/test_hosts.py b/nova/tests/unit/policies/test_hosts.py
new file mode 100644
index 0000000000..2973588b32
--- /dev/null
+++ b/nova/tests/unit/policies/test_hosts.py
@@ -0,0 +1,110 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import mock
+
+from nova.api.openstack.compute import hosts
+from nova.policies import hosts as policies
+from nova.tests.unit.api.openstack import fakes
+from nova.tests.unit.policies import base
+
+
+class HostsPolicyTest(base.BasePolicyTest):
+ """Test os-hosts APIs policies with all possible context.
+ This class defines the set of context with different roles
+ which are allowed and not allowed to pass the policy checks.
+ With those set of context, it will call the API operation and
+ verify the expected behaviour.
+ """
+
+ def setUp(self):
+ super(HostsPolicyTest, self).setUp()
+ self.controller = hosts.HostController()
+ self.req = fakes.HTTPRequest.blank('')
+
+ # Check that admin is able to perform operations on hosts.
+ self.admin_authorized_contexts = [
+ self.system_admin_context, self.legacy_admin_context,
+ self.project_admin_context]
+ # Check that non-admin is not able to perform operations
+ # on hosts.
+ self.admin_unauthorized_contexts = [
+ self.system_member_context, self.system_reader_context,
+ self.system_foo_context, self.other_project_member_context,
+ self.project_foo_context, self.project_member_context,
+ self.project_reader_context, self.other_project_reader_context]
+
+ @mock.patch('nova.compute.api.HostAPI.service_get_all')
+ def test_list_hosts_policy(self, mock_get):
+ rule_name = policies.BASE_POLICY_NAME
+ self.common_policy_check(self.admin_authorized_contexts,
+ self.admin_unauthorized_contexts,
+ rule_name, self.controller.index,
+ self.req)
+
+ @mock.patch('nova.context.set_target_cell')
+ @mock.patch('nova.objects.HostMapping.get_by_host')
+ @mock.patch('nova.objects.ComputeNode.'
+ 'get_first_node_by_host_for_old_compat')
+ @mock.patch('nova.compute.api.HostAPI.instance_get_all_by_host')
+ def test_show_host_policy(self, mock_get, mock_node, mock_map, mock_set):
+ rule_name = policies.BASE_POLICY_NAME
+ self.common_policy_check(self.admin_authorized_contexts,
+ self.admin_unauthorized_contexts,
+ rule_name, self.controller.show,
+ self.req, 11111)
+
+ def test_update_host_policy(self):
+ rule_name = policies.BASE_POLICY_NAME
+ self.common_policy_check(self.admin_authorized_contexts,
+ self.admin_unauthorized_contexts,
+ rule_name, self.controller.update,
+ self.req, 11111, body={})
+
+ @mock.patch('nova.compute.api.HostAPI.host_power_action')
+ def test_reboot_host_policy(self, mock_action):
+ rule_name = policies.BASE_POLICY_NAME
+ self.common_policy_check(self.admin_authorized_contexts,
+ self.admin_unauthorized_contexts,
+ rule_name, self.controller.reboot,
+ self.req, 11111)
+
+ @mock.patch('nova.compute.api.HostAPI.host_power_action')
+ def test_shutdown_host_policy(self, mock_action):
+ rule_name = policies.BASE_POLICY_NAME
+ self.common_policy_check(self.admin_authorized_contexts,
+ self.admin_unauthorized_contexts,
+ rule_name, self.controller.shutdown,
+ self.req, 11111)
+
+ @mock.patch('nova.compute.api.HostAPI.host_power_action')
+ def test_startup_host_policy(self, mock_action):
+ rule_name = policies.BASE_POLICY_NAME
+ self.common_policy_check(self.admin_authorized_contexts,
+ self.admin_unauthorized_contexts,
+ rule_name, self.controller.startup,
+ self.req, 11111)
+
+
+class HostsScopeTypePolicyTest(HostsPolicyTest):
+ """Test os-hosts APIs policies with system scope enabled.
+ This class set the nova.conf [oslo_policy] enforce_scope to True
+ so that we can switch on the scope checking on oslo policy side.
+ It defines the set of context with scoped token
+ which are allowed and not allowed to pass the policy checks.
+ With those set of context, it will run the API operation and
+ verify the expected behaviour.
+ """
+
+ def setUp(self):
+ super(HostsScopeTypePolicyTest, self).setUp()
+ self.flags(enforce_scope=True, group="oslo_policy")
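Review bot: `HostsScopeTypePolicyTest.setUp` only sets `enforce_scope=True` and inherits both context lists unchanged, although its docstring says the class defines the set of scoped-token contexts. As written, the scoped run still expects `legacy_admin_context` and `project_admin_context` to pass the os-hosts rule for `reboot`, `shutdown` and `startup`, so it pins the current behaviour rather than checking any scope restriction. If that is intentional because the rule declares no scope types yet (not visible in this diff), say so above the `self.flags(...)` call, for example `# NOTE: context lists are inherited unchanged; enforce_scope is expected to have no effect on os-hosts until the rule declares scope_types.` Otherwise a later change that narrows the rule to system scope has nothing here that marks these expectations as provisional.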