Merge "Introduce scope_types in Device Profiles Actions"

cyborg/common/authorize_wsgi.py

@@ -135,6 +135,8 @@ def authorize_wsgi(api_name, act=None, need_target=True):
             context = pecan.request.context
             credentials = context.to_policy_values()
             credentials['is_admin'] = context.is_admin
+            if context.system_scope == 'all':
+                credentials['system'] = True
             target = {}
             # maybe we can pass "_get_resource" to authorize_wsgi
             if need_target and hasattr(self, "_get_resource"):

cyborg/policies/device_profiles.py

@@ -54,6 +54,7 @@ device_profile_policies = [
                 'path': '/v2/device_profiles',
                 'method': 'GET'
             }],
+        scope_types=['system', 'project'],
         deprecated_rule=deprecated_get_all,
         deprecated_reason=('request admin_or_owmer rule is too strict for '
                            'listing device_profile'),
@@ -67,6 +68,7 @@ device_profile_policies = [
                 'path': '/v2/device_profiles/{device_profiles_uuid}',
                 'method': 'GET'
             }],
+        scope_types=['system', 'project'],
         deprecated_rule=deprecated_get_one,
         deprecated_reason=('request admin_or_owmer rule is too strict for '
                            'retrieving a device_profile'),
@@ -80,6 +82,7 @@ device_profile_policies = [
                 'path': '/v2/device_profiles',
                 'method': 'POST'
             }],
+        scope_types=['system'],
         deprecated_rule=deprecated_create,
         deprecated_reason=('project_admin_or_owner is too permissive, '
                            'introduce system_scoped admin for creation'),
@@ -96,6 +99,7 @@ device_profile_policies = [
                 'path': '/v2/device_profiles?value={device_profile_name1}',
                 'method': 'DELETE'},
             ],
+        scope_types=['system'],
         deprecated_rule=deprecated_delete,
         deprecated_reason=('project_admin_or_owner is too permissive, '
                            'introduce system_scoped admin for deletion'),

cyborg/tests/unit/api/base.py

@@ -22,7 +22,6 @@ import pecan.testing
 
 from cyborg.tests.unit.db import base
 
-
 cfg.CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token')
 
 
@@ -49,6 +48,12 @@ class BaseApiTest(base.DbTestCase):
 
         self.addCleanup(reset_pecan)
 
+    def flags(self, **kw):
+        """Override flag variables for a test."""
+        group = kw.pop('group', None)
+        for k, v in kw.items():
+            cfg.CONF.set_override(k, v, group)
+
     def _make_app(self):
         # Determine where we are so we can set up paths in the config
         root_dir = self.get_path()
@@ -132,7 +137,7 @@ class BaseApiTest(base.DbTestCase):
             'X-User-Name': ct.get("user_name") or "user",
             'X-User-Id':
                 ct.get("user") or "1d6d686bc2c949ddb685ffb4682e0047",
-            'X-Project-Name': ct.get("project_name") or "project",
+            'X-Project-Name': ct.get("project_name") or "no_project_name",
             'X-Project-Id':
                 ct.get("tenant") or "86f64f561b6d4f479655384572727f70",
             'X-User-Domain-Id':
@@ -140,8 +145,10 @@ class BaseApiTest(base.DbTestCase):
             'X-User-Domain-Name': ct.get("domain_name") or "no_domain",
             'X-Auth-Token':
                 ct.get("auth_token") or "b9764005b8c145bf972634fb16a826e8",
-            'X-Roles': ct.get("roles") or role
+            'X-Roles': ct.get("roles") or role,
         }
+        if ct.get('system_scope') == 'all':
+            headers.update({'Openstack-System-Scope': 'all'})
         return headers
 
     def get_json(self, path, expect_errors=False, headers=None,

cyborg/tests/unit/policies/test_device_profiles.py

@@ -41,6 +41,7 @@ class DeviceProfilePolicyTest(base.BasePolicyTest):
     def setUp(self):
         super(DeviceProfilePolicyTest, self).setUp()
 
+        self.flags(enforce_scope=False, group="oslo_policy")
         self.controller = device_profiles.DeviceProfilesController()
         self.fake_dp_objs = fake_device_profile.get_obj_devprofs()
         self.fake_dps = fake_device_profile.get_api_devprofs()
@@ -152,3 +153,19 @@ class DeviceProfileScopeTypePolicyTest(DeviceProfilePolicyTest):
 
     def setUp(self):
         super(DeviceProfileScopeTypePolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
+
+        # check that system_admin is able to do create and delete operations.
+        self.create_authorized_contexts = [
+            self.system_admin_context]
+        self.delete_authorized_contexts = self.create_authorized_contexts
+        # Check that non-system or non-admin is not able to perform the system
+        # level actions on device_profiles.
+        self.create_unauthorized_contexts = [
+            self.legacy_admin_context, self.system_member_context,
+            self.system_reader_context, self.system_foo_context,
+            self.project_admin_context, self.project_member_context,
+            self.other_project_member_context,
+            self.project_foo_context, self.project_reader_context
+        ]
+        self.delete_unauthorized_contexts = self.create_unauthorized_contexts