Merge "Add test coverage of existing os-assisted_volume_snapshots policies"

2020-03-02 20:48:25 +00:00
parent 3c0842cc51 3fd641d9ac
commit ed09c2ced2
2 changed files with 85 additions and 35 deletions
@@ -1505,41 +1505,6 @@ class AssistedSnapshotDeleteTestCaseV275(AssistedSnapshotDeleteTestCaseV21):
                          self.controller.delete, req, 1)


-class TestAssistedVolumeSnapshotsPolicyEnforcementV21(test.NoDBTestCase):
-
-    def setUp(self):
-        super(TestAssistedVolumeSnapshotsPolicyEnforcementV21, self).setUp()
-        self.controller = (
-            assisted_snaps_v21.AssistedVolumeSnapshotsController())
-        self.req = fakes.HTTPRequest.blank('')
-
-    def test_create_assisted_volumes_snapshots_policy_failed(self):
-        rule_name = "os_compute_api:os-assisted-volume-snapshots:create"
-        self.policy.set_rules({rule_name: "project:non_fake"})
-        body = {'snapshot':
-                   {'volume_id': '1',
-                    'create_info': {'type': 'qcow2',
-                                    'new_file': 'new_file',
-                                    'snapshot_id': 'snapshot_id'}}}
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller.create, self.req, body=body)
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % rule_name,
-            exc.format_message())
-
-    def test_delete_assisted_volumes_snapshots_policy_failed(self):
-        rule_name = "os_compute_api:os-assisted-volume-snapshots:delete"
-        self.policy.set_rules({rule_name: "project:non_fake"})
-        exc = self.assertRaises(
-            exception.PolicyNotAuthorized,
-            self.controller.delete, self.req, '5')
-
-        self.assertEqual(
-            "Policy doesn't allow %s to be performed." % rule_name,
-            exc.format_message())
-
-
 class TestVolumeAttachPolicyEnforcementV21(test.NoDBTestCase):

    def setUp(self):
@@ -0,0 +1,85 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import mock
+from oslo_serialization import jsonutils
+from oslo_utils.fixture import uuidsentinel as uuids
+import urllib
+
+from nova.api.openstack.compute import assisted_volume_snapshots as snapshots
+from nova.tests.unit.api.openstack import fakes
+from nova.tests.unit.policies import base
+
+
+class AssistedVolumeSnapshotPolicyTest(base.BasePolicyTest):
+    """Test Assisted Volume Snapshots APIs policies with all possible context.
+    This class defines the set of context with different roles
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will call the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(AssistedVolumeSnapshotPolicyTest, self).setUp()
+        self.controller = snapshots.AssistedVolumeSnapshotsController()
+        self.req = fakes.HTTPRequest.blank('')
+        # Check that admin is able to take volume snapshot.
+        self.admin_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context]
+        # Check that non-admin is not able to take volume snapshot.
+        self.admin_unauthorized_contexts = [
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]
+
+    @mock.patch('nova.compute.api.API.volume_snapshot_create')
+    def test_assisted_create_policy(self, mock_create):
+        rule_name = "os_compute_api:os-assisted-volume-snapshots:create"
+        body = {'snapshot': {'volume_id': uuids.fake_id,
+                             'create_info': {'type': 'qcow2',
+                                             'new_file': 'new_file',
+                                             'snapshot_id': 'snapshot_id'}}}
+        self.common_policy_check(self.admin_authorized_contexts,
+                                 self.admin_unauthorized_contexts,
+                                 rule_name, self.controller.create,
+                                 self.req, body=body)
+
+    @mock.patch('nova.compute.api.API.volume_snapshot_delete')
+    def test_assisted_delete_policy(self, mock_delete):
+        rule_name = "os_compute_api:os-assisted-volume-snapshots:delete"
+        params = {
+            'delete_info': jsonutils.dumps({'volume_id': '1'}),
+        }
+        req = fakes.HTTPRequest.blank('?%s' % urllib.parse.urlencode(params))
+        self.common_policy_check(self.admin_authorized_contexts,
+                                 self.admin_unauthorized_contexts,
+                                 rule_name,
+                                 self.controller.delete,
+                                 req, 1)
+
+
+class AssistedSnapshotScopeTypePolicyTest(AssistedVolumeSnapshotPolicyTest):
+    """Test Assisted Volume Snapshots APIs policies with system scope enabled.
+    This class set the nova.conf [oslo_policy] enforce_scope to True
+    so that we can switch on the scope checking on oslo policy side.
+    It defines the set of context with scopped token
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will run the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(AssistedSnapshotScopeTypePolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")