From 608e063c6334ceddb0cc206c33784a1e0b106ac1 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Date: Thu, 5 Mar 2020 11:47:39 -0600
Subject: [PATCH] Add a tests to check when legacy access is removed

This test is trying to check how an operator is able to adopt things
like project_reader. We need project_member APIs to not be available
to the project_reader.

This basically simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.

Partial implement blueprint policy-defaults-refresh

Change-Id: Ic6e1fb081fe61262f718efc045b3b3f28694e8a7
---
 nova/tests/unit/policies/base.py              | 27 ++++++++++++++++++
 .../unit/policies/test_admin_password.py      | 28 ++++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/nova/tests/unit/policies/base.py b/nova/tests/unit/policies/base.py
index 490764c28c..b85c6389fe 100644
--- a/nova/tests/unit/policies/base.py
+++ b/nova/tests/unit/policies/base.py
@@ -24,6 +24,19 @@ LOG = logging.getLogger(__name__)
 
 
 class BasePolicyTest(test.TestCase):
+    # NOTE(gmann): Set this flag to True if you would like to tests the
+    # new behaviour of policy without deprecated rules.
+    # This means you can simulate the phase when policies completely
+    # switch to new behaviour by removing the support of old rules.
+    without_deprecated_rules = False
+
+    # Add rules here other than base rules which need to override
+    # to remove the deprecated rules.
+    # For Example:
+    # rules_without_deprecation{
+    #    "os_compute_api:os-deferred-delete:restore":
+    #        "rule:system_admin_or_owner"}
+    rules_without_deprecation = {}
 
     def setUp(self):
         super(BasePolicyTest, self).setUp()
@@ -84,6 +97,20 @@ class BasePolicyTest(test.TestCase):
             self.project_foo_context,
         ]
 
+        if self.without_deprecated_rules:
+            # To simulate the new world, remove deprecations by overriding
+            # rules which has the deprecated rules.
+            self.rules_without_deprecation.update({
+                "system_admin_or_owner":
+                    "rule:system_admin_api or rule:project_member_api",
+                "system_admin_api":
+                    "role:admin and system_scope:all",
+                "system_reader_api":
+                    "role:reader and system_scope:all",
+            })
+            self.policy.set_rules(self.rules_without_deprecation,
+                                  overwrite=False)
+
     def common_policy_check(self, authorized_contexts,
                             unauthorized_contexts, rule_name,
                             func, req, *arg, **kwarg):
diff --git a/nova/tests/unit/policies/test_admin_password.py b/nova/tests/unit/policies/test_admin_password.py
index 507c18252c..39547764fc 100644
--- a/nova/tests/unit/policies/test_admin_password.py
+++ b/nova/tests/unit/policies/test_admin_password.py
@@ -18,6 +18,7 @@ from oslo_utils import timeutils
 from nova.api.openstack.compute import admin_password
 from nova.compute import vm_states
 from nova import exception
+from nova.policies import admin_password as ap_policies
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
 from nova.tests.unit.policies import base
@@ -36,7 +37,7 @@ class AdminPasswordPolicyTest(base.BasePolicyTest):
         self.controller = admin_password.AdminPasswordController()
         self.req = fakes.HTTPRequest.blank('')
         user_id = self.req.environ['nova.context'].user_id
-        self.rule_name = "os_compute_api:os-admin-password"
+        self.rule_name = ap_policies.BASE_POLICY_NAME
         self.mock_get = self.useFixture(
             fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
         uuid = uuids.fake_id
@@ -104,3 +105,28 @@ class AdminPasswordScopeTypePolicyTest(AdminPasswordPolicyTest):
     def setUp(self):
         super(AdminPasswordScopeTypePolicyTest, self).setUp()
         self.flags(enforce_scope=True, group="oslo_policy")
+
+
+class AdminPasswordNoLegacyPolicyTest(AdminPasswordPolicyTest):
+    """Test Admin Password APIs policies with system scope enabled,
+    and no more deprecated rules that allow the legacy admin API to
+    access system_admin_or_owner APIs.
+    """
+    without_deprecated_rules = True
+
+    def setUp(self):
+        super(AdminPasswordNoLegacyPolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # Check that system or projct admin or owner is able to change
+        # the password.
+        self.admin_authorized_contexts = [
+            self.system_admin_context,
+            self.project_admin_context, self.project_member_context]
+        # Check that non-system and non-admin/owner is not able to change the
+        self.admin_unauthorized_contexts = [
+            self.legacy_admin_context, self.project_reader_context,
+            self.project_foo_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context]