Merge "Add a tests to check when legacy access is removed"

nova/tests/unit/policies/base.py

@@ -24,6 +24,19 @@ LOG = logging.getLogger(__name__)
 
 
 class BasePolicyTest(test.TestCase):
+    # NOTE(gmann): Set this flag to True if you would like to tests the
+    # new behaviour of policy without deprecated rules.
+    # This means you can simulate the phase when policies completely
+    # switch to new behaviour by removing the support of old rules.
+    without_deprecated_rules = False
+
+    # Add rules here other than base rules which need to override
+    # to remove the deprecated rules.
+    # For Example:
+    # rules_without_deprecation{
+    #    "os_compute_api:os-deferred-delete:restore":
+    #        "rule:system_admin_or_owner"}
+    rules_without_deprecation = {}
 
     def setUp(self):
         super(BasePolicyTest, self).setUp()
@@ -84,6 +97,20 @@ class BasePolicyTest(test.TestCase):
             self.project_foo_context,
         ]
 
+        if self.without_deprecated_rules:
+            # To simulate the new world, remove deprecations by overriding
+            # rules which has the deprecated rules.
+            self.rules_without_deprecation.update({
+                "system_admin_or_owner":
+                    "rule:system_admin_api or rule:project_member_api",
+                "system_admin_api":
+                    "role:admin and system_scope:all",
+                "system_reader_api":
+                    "role:reader and system_scope:all",
+            })
+            self.policy.set_rules(self.rules_without_deprecation,
+                                  overwrite=False)
+
     def common_policy_check(self, authorized_contexts,
                             unauthorized_contexts, rule_name,
                             func, req, *arg, **kwarg):

nova/tests/unit/policies/test_admin_password.py

@@ -18,6 +18,7 @@ from oslo_utils import timeutils
 from nova.api.openstack.compute import admin_password
 from nova.compute import vm_states
 from nova import exception
+from nova.policies import admin_password as ap_policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
 from nova.tests.unit.policies import base
@@ -36,7 +37,7 @@ class AdminPasswordPolicyTest(base.BasePolicyTest):
         self.controller = admin_password.AdminPasswordController()
         self.req = fakes.HTTPRequest.blank('')
         user_id = self.req.environ['nova.context'].user_id
-        self.rule_name = "os_compute_api:os-admin-password"
+        self.rule_name = ap_policies.BASE_POLICY_NAME
         self.mock_get = self.useFixture(
             fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
         uuid = uuids.fake_id
@@ -104,3 +105,28 @@ class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest):
     def setUp(self):
         super(AdminPasswordScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class AdminPasswordNoLegacyPolicyTest(AdminPasswordPolicyTest):
+    """Test Admin Password APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system_admin_or_owner APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(AdminPasswordNoLegacyPolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system or projct admin or owner is able to change
+        # the password.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system and non-admin/owner is not able to change the
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_reader_context,
+            self.project_foo_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context]