diff --git a/nova/tests/unit/policies/base.py b/nova/tests/unit/policies/base.py index 32eae7da03..19679fe8eb 100644 --- a/nova/tests/unit/policies/base.py +++ b/nova/tests/unit/policies/base.py @@ -24,6 +24,19 @@ LOG = logging.getLogger(__name__) class BasePolicyTest(test.TestCase): + # NOTE(gmann): Set this flag to True if you would like to tests the + # new behaviour of policy without deprecated rules. + # This means you can simulate the phase when policies completely + # switch to new behaviour by removing the support of old rules. + without_deprecated_rules = False + + # Add rules here other than base rules which need to override + # to remove the deprecated rules. + # For Example: + # rules_without_deprecation{ + # "os_compute_api:os-deferred-delete:restore": + # "rule:system_admin_or_owner"} + rules_without_deprecation = {} def setUp(self): super(BasePolicyTest, self).setUp() @@ -84,6 +97,20 @@ class BasePolicyTest(test.TestCase): self.project_foo_context, ] + if self.without_deprecated_rules: + # To simulate the new world, remove deprecations by overriding + # rules which has the deprecated rules. + self.rules_without_deprecation.update({ + "system_admin_or_owner": + "rule:system_admin_api or rule:project_member_api", + "system_admin_api": + "role:admin and system_scope:all", + "system_reader_api": + "role:reader and system_scope:all", + }) + self.policy.set_rules(self.rules_without_deprecation, + overwrite=False) + def common_policy_check(self, authorized_contexts, unauthorized_contexts, rule_name, func, req, *arg, **kwarg): diff --git a/nova/tests/unit/policies/test_admin_password.py b/nova/tests/unit/policies/test_admin_password.py index 507c18252c..39547764fc 100644 --- a/nova/tests/unit/policies/test_admin_password.py +++ b/nova/tests/unit/policies/test_admin_password.py @@ -18,6 +18,7 @@ from oslo_utils import timeutils from nova.api.openstack.compute import admin_password from nova.compute import vm_states from nova import exception +from nova.policies import admin_password as ap_policies from nova.tests.unit.api.openstack import fakes from nova.tests.unit import fake_instance from nova.tests.unit.policies import base @@ -36,7 +37,7 @@ class AdminPasswordPolicyTest(base.BasePolicyTest): self.controller = admin_password.AdminPasswordController() self.req = fakes.HTTPRequest.blank('') user_id = self.req.environ['nova.context'].user_id - self.rule_name = "os_compute_api:os-admin-password" + self.rule_name = ap_policies.BASE_POLICY_NAME self.mock_get = self.useFixture( fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock uuid = uuids.fake_id @@ -104,3 +105,28 @@ class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest): def setUp(self): super(AdminPasswordScopeTypePolicyTest, self).setUp() self.flags(enforce_scope=True, group="oslo_policy") + + +class AdminPasswordNoLegacyPolicyTest(AdminPasswordPolicyTest): + """Test Admin Password APIs policies with system scope enabled, + and no more deprecated rules that allow the legacy admin API to + access system_admin_or_owner APIs. + """ + without_deprecated_rules = True + + def setUp(self): + super(AdminPasswordNoLegacyPolicyTest, self).setUp() + self.flags(enforce_scope=True, group="oslo_policy") + + # Check that system or projct admin or owner is able to change + # the password. + self.admin_authorized_contexts = [ + self.system_admin_context, + self.project_admin_context, self.project_member_context] + # Check that non-system and non-admin/owner is not able to change the + self.admin_unauthorized_contexts = [ + self.legacy_admin_context, self.project_reader_context, + self.project_foo_context, + self.system_member_context, self.system_reader_context, + self.system_foo_context, + self.other_project_member_context]