67410193b3
Based on nova commit 32c8ac6b7dfe4ca0c211cbce7c5a67d88558126f The new file was generated by oslopolicy-sample-generator: oslopolicy-sample-generator --namespace nova --format json nova uses policy-in-code now, so there is a lot of differences. Sorted version diff is http://paste.openstack.org/show/628742/ All policies with "@" have been dropped. Dropped policies used in horizon are: os_compute_api:os-certificates:create os_compute_api:os-scheduler-hints:discoverable os_compute_api:os-server-groups:discoverable [discoverable] "discoverable" policies are related to nova API extensions but the API extension mechanism has gone in Nova Queens, so these policies now make no sense in Nova. In Horizon side, we are still use a bit older API version to launch instance, so it seems some fallback policies are needed and they are added as conf/nova_policy.d. [os_compute_api:os-certificates:create] No corresponding policy is found, so the related policy check is dropped. EC2 API is provided as a separate project from nova. I guess this is the reason the policy was dropped. DownloadEC2 action referred to it, but we already checks EC2 service is available so I believe the policy can be dropped safely. [openstack_dashboard.test.unit.api.rest.test_policy] Unit tests are updated according to the nova policy change. Note that test_rule_alone previously succeeded because it used non-existing policy and fallbacked to 'default' rule. The rule is changed to a policy for non-admin user. Change-Id: I68f91bc29b20a4ecd613fc75735d38b9a48162ee
89 lines
3.3 KiB
Python
89 lines
3.3 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import json
|
|
|
|
from django.test.utils import override_settings
|
|
|
|
from openstack_dashboard.api.rest import policy
|
|
from openstack_dashboard.test import helpers as test
|
|
|
|
|
|
class PolicyRestTestCase(test.TestCase):
|
|
|
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
|
def _test_policy(self, body, expected=True):
|
|
request = self.mock_rest_request(body=body)
|
|
response = policy.Policy().post(request)
|
|
self.assertStatusCode(response, 200)
|
|
self.assertEqual({"allowed": expected}, response.json)
|
|
|
|
def test_policy(self):
|
|
body = json.dumps({"rules": []})
|
|
self._test_policy(body)
|
|
|
|
def test_rule_alone(self):
|
|
body = json.dumps({"rules":
|
|
[["compute", "os_compute_api:servers:index"]]})
|
|
self._test_policy(body)
|
|
|
|
def test_multiple_rule(self):
|
|
body = json.dumps(
|
|
{"rules": [["compute", "os_compute_api:servers:stop"],
|
|
["compute", "os_compute_api:servers:start"]]})
|
|
self._test_policy(body)
|
|
|
|
def test_rule_with_empty_target(self):
|
|
body = json.dumps(
|
|
{"rules": [["compute", "os_compute_api:servers:stop"],
|
|
["compute", "os_compute_api:servers:start"]],
|
|
"target": {}})
|
|
self._test_policy(body)
|
|
|
|
def test_rule_with_target(self):
|
|
body = json.dumps(
|
|
{"rules": [["compute", "os_compute_api:servers:stop"],
|
|
["compute", "os_compute_api:servers:start"]],
|
|
"target": {"project_id": "1"}})
|
|
self._test_policy(body)
|
|
|
|
def test_policy_fail(self):
|
|
# admin only rule, default test case user should fail
|
|
body = json.dumps(
|
|
{"rules": [["compute",
|
|
"os_compute_api:servers:index:get_all_tenants"]]})
|
|
self._test_policy(body, expected=False)
|
|
|
|
def test_policy_fail_with_nonexisting(self):
|
|
body = json.dumps(
|
|
{"rules": [["compute", "non-existing"]]})
|
|
self._test_policy(body, expected=True)
|
|
|
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
|
def test_policy_error(self):
|
|
request = self.mock_rest_request(
|
|
body=json.dumps({"bad": "compute"}))
|
|
response = policy.Policy().post(request)
|
|
self.assertStatusCode(response, 400)
|
|
|
|
|
|
class AdminPolicyRestTestCase(test.BaseAdminViewTests):
|
|
@override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
|
|
def test_rule_with_target(self):
|
|
body = json.dumps(
|
|
{"rules": [["compute",
|
|
"os_compute_api:servers:index:get_all_tenants"]]})
|
|
request = self.mock_rest_request(body=body)
|
|
response = policy.Policy().post(request)
|
|
self.assertStatusCode(response, 200)
|
|
self.assertEqual({"allowed": True}, response.json)
|