[S-RBAC] New default API policies added

This patch adds new S-RBAC policies for the FWaaS APIs. It also
deprecates old policies for all of the FWaaS APIs.

Change-Id: Id6deb53a71009ef2677b8b20548bb260cf23b52b
Slawek Kaplonski
2025-04-24 12:22:32 +02:00
parent 7ceba2df03
commit f1afc78fb3
9 changed files with 1417 additions and 125 deletions


@@ -10,91 +10,134 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron.conf.policies import base as neutron_base
from neutron_lib import policy as base
from oslo_policy import policy
DEPRECATED_REASON = """
The FWaaS API now supports Secure RBAC default roles.
"""
rules = [
policy.RuleDefault(
'shared_firewall_groups',
'field:firewall_groups:shared=True',
'Definition of shared firewall groups'
name='shared_firewall_groups',
check_str='field:firewall_groups:shared=True',
description='Definition of shared firewall groups'
),
policy.DocumentedRuleDefault(
'create_firewall_group',
base.RULE_ANY,
'Create a firewall group',
[
name='create_firewall_group',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create a firewall group',
operations=[
{
'method': 'POST',
'path': '/fwaas/firewall_groups',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_firewall_group',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_firewall_group',
base.RULE_ADMIN_OR_OWNER,
'Update a firewall group',
[
name='update_firewall_group',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update a firewall group',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_groups/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_firewall_group',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'delete_firewall_group',
base.RULE_ADMIN_OR_OWNER,
'Delete a firewall group',
[
name='delete_firewall_group',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete a firewall group',
operations=[
{
'method': 'DELETE',
'path': '/fwaas/firewall_groups/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_firewall_group',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'create_firewall_group:shared',
base.RULE_ADMIN_ONLY,
'Create a shared firewall group',
[
name='create_firewall_group:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Create a shared firewall group',
operations=[
{
'method': 'POST',
'path': '/fwaas/firewall_groups',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_firewall_group:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_firewall_group:shared',
base.RULE_ADMIN_ONLY,
'Update ``shared`` attribute of a firewall group',
[
name='update_firewall_group:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Update ``shared`` attribute of a firewall group',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_groups/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_firewall_group:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
# TODO(amotoki): Drop this rule as it has no effect.
policy.DocumentedRuleDefault(
'delete_firewall_group:shared',
base.RULE_ADMIN_ONLY,
'Delete a shared firewall group',
[
name='delete_firewall_group:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Delete a shared firewall group',
operations=[
{
'method': 'DELETE',
'path': '/fwaas/firewall_groups/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_firewall_group:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'get_firewall_group',
'rule:admin_or_owner or rule:shared_firewall_groups',
'Get firewall groups',
[
name='get_firewall_group',
check_str=base.policy_or(
neutron_base.ADMIN_OR_PROJECT_READER,
'rule:shared_firewall_groups'),
scope_types=['project'],
description='Get firewall groups',
operations=[
{
'method': 'GET',
'path': '/fwaas/firewall_groups',
@@ -103,7 +146,12 @@ rules = [
'method': 'GET',
'path': '/fwaas/firewall_groups/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='get_firewall_group',
check_str='rule:admin_or_owner or rule:shared_firewall_groups',
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
]
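Review bot: The deprecated rule attached to `create_firewall_group` keeps `check_str=base.RULE_ANY`, so wherever `[oslo_policy] enforce_new_defaults` is off, oslo.policy ORs that old check with `ADMIN_OR_PROJECT_MEMBER` and a reader-role token can still create firewall groups. The same holds for the `RULE_ADMIN_OR_OWNER` fallbacks on update and delete (any role in the owning project), and for the matching rules in the firewall policy and firewall rule sections. That is how the deprecation mechanism is meant to work, but an operator reading only the new defaults will not see that the tightening is not yet in effect. I would extend `DEPRECATED_REASON` to say so, e.g. `The old defaults remain in effect until enforce_new_defaults is enabled.`, and confirm that a release note covers it (none is visible in this part of the page).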


@@ -10,91 +10,135 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron.conf.policies import base as neutron_base
from neutron_lib import policy as base
from oslo_policy import policy
DEPRECATED_REASON = """
The FWaaS API now supports Secure RBAC default roles.
"""
rules = [
policy.RuleDefault(
'shared_firewall_policies',
'field:firewall_policies:shared=True',
'Definition of shared firewall policies'
name='shared_firewall_policies',
check_str='field:firewall_policies:shared=True',
description='Definition of shared firewall policies'
),
policy.DocumentedRuleDefault(
'create_firewall_policy',
base.RULE_ANY,
'Create a firewall policy',
[
name='create_firewall_policy',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create a firewall policy',
operations=[
{
'method': 'POST',
'path': '/fwaas/firewall_policies',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_firewall_policy',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_firewall_policy',
base.RULE_ADMIN_OR_OWNER,
'Update a firewall policy',
[
name='update_firewall_policy',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update a firewall policy',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_policies/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_firewall_policy',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'delete_firewall_policy',
base.RULE_ADMIN_OR_OWNER,
'Delete a firewall policy',
[
name='delete_firewall_policy',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete a firewall policy',
operations=[
{
'method': 'DELETE',
'path': '/fwaas/firewall_policies/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_firewall_policy',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'create_firewall_policy:shared',
base.RULE_ADMIN_ONLY,
'Create a shared firewall policy',
[
name='create_firewall_policy:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Create a shared firewall policy',
operations=[
{
'method': 'POST',
'path': '/fwaas/firewall_policies',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_firewall_policy:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_firewall_policy:shared',
base.RULE_ADMIN_ONLY,
'Update ``shared`` attribute of a firewall policy',
[
name='update_firewall_policy:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Update ``shared`` attribute of a firewall policy',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_policies/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_firewall_policy:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
# TODO(amotoki): Drop this rule as it has no effect.
policy.DocumentedRuleDefault(
'delete_firewall_policy:shared',
base.RULE_ADMIN_ONLY,
'Delete a shread firewall policy',
[
name='delete_firewall_policy:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Delete a shread firewall policy',
operations=[
{
'method': 'DELETE',
'path': '/fwaas/firewall_policies/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_firewall_policy:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'get_firewall_policy',
'rule:admin_or_owner or rule:shared_firewall_policies',
'Get firewall policies',
[
name='get_firewall_policy',
check_str=base.policy_or(
neutron_base.ADMIN_OR_PROJECT_READER,
'rule:shared_firewall_policies'),
scope_types=['project'],
description='Get firewall policies',
operations=[
{
'method': 'GET',
'path': '/fwaas/firewall_policies',
@@ -103,7 +147,12 @@ rules = [
'method': 'GET',
'path': '/fwaas/firewall_policies/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='get_firewall_policy',
check_str='rule:admin_or_owner or rule:shared_firewall_policies',
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
]
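Review bot: The description on the rewritten `delete_firewall_policy:shared` rule still reads 'Delete a shread firewall policy'; since the line is being touched anyway it should become `description='Delete a shared firewall policy',`. The same misspelling is carried over on `delete_firewall_rule:shared` in the firewall rule section. `DocumentedRuleDefault` descriptions are emitted by the oslo.policy sample and documentation generators, so the typo ends up in operator-facing policy files.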


@@ -10,91 +10,135 @@
# License for the specific language governing permissions and limitations
# under the License.
from neutron.conf.policies import base as neutron_base
from neutron_lib import policy as base
from oslo_policy import policy
DEPRECATED_REASON = """
The FWaaS API now supports Secure RBAC default roles.
"""
rules = [
policy.RuleDefault(
'shared_firewall_rules',
'field:firewall_rules:shared=True',
'Definition of shared firewall rules'
name='shared_firewall_rules',
check_str='field:firewall_rules:shared=True',
description='Definition of shared firewall rules'
),
policy.DocumentedRuleDefault(
'create_firewall_rule',
base.RULE_ANY,
'Create a firewall rule',
[
name='create_firewall_rule',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create a firewall rule',
operations=[
{
'method': 'POST',
'path': '/fwaas/firewall_rules',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_firewall_rule',
check_str=base.RULE_ANY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_firewall_rule',
base.RULE_ADMIN_OR_OWNER,
'Update a firewall rule',
[
name='update_firewall_rule',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update a firewall rule',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_rules/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_firewall_rule',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'delete_firewall_rule',
base.RULE_ADMIN_OR_OWNER,
'Delete a firewall rule',
[
name='delete_firewall_rule',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete a firewall rule',
operations=[
{
'method': 'DELETE',
'path': '/fwaas/firewall_rules/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_firewall_rule',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'create_firewall_rule:shared',
base.RULE_ADMIN_ONLY,
'Create a shared firewall rule',
[
name='create_firewall_rule:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Create a shared firewall rule',
operations=[
{
'method': 'POST',
'path': '/fwaas/firewall_rules',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_firewall_rule:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_firewall_rule:shared',
base.RULE_ADMIN_ONLY,
'Update ``shared`` attribute of a firewall rule',
[
name='update_firewall_rule:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Update ``shared`` attribute of a firewall rule',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_rules/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_firewall_rule:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
# TODO(amotoki): Drop this rule as it has no effect.
policy.DocumentedRuleDefault(
'delete_firewall_rule:shared',
base.RULE_ADMIN_ONLY,
'Delete a shread firewall rule',
[
name='delete_firewall_rule:shared',
check_str=neutron_base.ADMIN,
scope_types=['project'],
description='Delete a shread firewall rule',
operations=[
{
'method': 'DELETE',
'path': '/fwaas/firewall_rules/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_firewall_rule:shared',
check_str=base.RULE_ADMIN_ONLY,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'get_firewall_rule',
'rule:admin_or_owner or rule:shared_firewall_rules',
'Get firewall rules',
[
name='get_firewall_rule',
check_str=base.policy_or(
neutron_base.ADMIN_OR_PROJECT_READER,
'rule:shared_firewall_rules'),
scope_types=['project'],
description='Get firewall rules',
operations=[
{
'method': 'GET',
'path': '/fwaas/firewall_rules',
@@ -103,30 +147,47 @@ rules = [
'method': 'GET',
'path': '/fwaas/firewall_rules/{id}',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='get_firewall_rule',
check_str='rule:admin_or_owner or rule:shared_firewall_rules',
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'insert_rule',
base.RULE_ADMIN_OR_OWNER,
'Insert rule into a firewall policy',
[
name='insert_rule',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Insert rule into a firewall policy',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_policies/{id}/insert_rule',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='insert_rule',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'remove_rule',
base.RULE_ADMIN_OR_OWNER,
'Remove rule from a firewall policy',
[
name='remove_rule',
check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Remove rule from a firewall policy',
operations=[
{
'method': 'PUT',
'path': '/fwaas/firewall_policies/{id}/remove_rule',
},
]
],
deprecated_rule=policy.DeprecatedRule(
name='remove_rule',
check_str=base.RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
]
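Review bot: `delete_firewall_rule:shared` keeps the comment `# TODO(amotoki): Drop this rule as it has no effect.` while gaining `scope_types` and a `deprecated_rule`, and the same happens to `delete_firewall_group:shared` and `delete_firewall_policy:shared` in the other two policy sections. If the TODO is still accurate, the documented `neutron_base.ADMIN` default is never evaluated on DELETE. Deletion of a shared object would then be governed by `delete_firewall_rule` (`ADMIN_OR_PROJECT_MEMBER`), yet someone auditing the generated policy file could read it as admin-only. Either drop the rule in this change or state it in the description, e.g. `description='Delete a shared firewall rule (not enforced; see delete_firewall_rule)',`.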


@@ -0,0 +1,345 @@
# Copyright (c) 2025 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy as base_policy
from neutron import policy
from neutron.tests.unit.conf.policies import test_base as base
class FirewallGroupAPITestCase(base.PolicyBaseTestCase):
def setUp(self):
super().setUp()
self.target = {
'project_id': self.project_id,
'tenant_id': self.project_id}
self.alt_target = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id}
class SystemAdminTests(FirewallGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.system_admin_ctx
def test_create_firewall_group(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_group', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_group',
self.alt_target)
def test_update_firewall_group(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_group', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_group',
self.alt_target)
def test_delete_firewall_group(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_group', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_group',
self.alt_target)
def test_create_firewall_group_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_group:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_group:shared',
self.alt_target)
def test_update_firewall_group_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_group:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_group:shared',
self.alt_target)
def test_delete_firewall_group_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_group:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_group:shared',
self.alt_target)
def test_get_firewall_group(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_firewall_group', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_firewall_group',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
def setUp(self):
super().setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
super().setUp()
self.context = self.system_reader_ctx
class AdminTests(FirewallGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_admin_ctx
def test_create_firewall_group(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_group', self.target))
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_group', self.alt_target))
def test_update_firewall_group(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_group', self.target))
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_group', self.alt_target))
def test_delete_firewall_group(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_group', self.target))
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_group', self.alt_target))
def test_create_firewall_group_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_group:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_group:shared', self.alt_target))
def test_update_firewall_group_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_group:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_group:shared', self.alt_target))
def test_delete_firewall_group_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_group:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_group:shared', self.alt_target))
def test_get_firewall_group(self):
self.assertTrue(
policy.enforce(self.context, 'get_firewall_group', self.target))
self.assertTrue(
policy.enforce(
self.context, 'get_firewall_group', self.alt_target))
class ProjectManagerTests(AdminTests):
def setUp(self):
super().setUp()
self.context = self.project_manager_ctx
def test_create_firewall_group(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_group', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group',
self.alt_target)
def test_update_firewall_group(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_group', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_group',
self.alt_target)
def test_delete_firewall_group(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_group', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_group',
self.alt_target)
def test_create_firewall_group_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group:shared',
self.alt_target)
def test_update_firewall_group_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_group:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group:shared',
self.alt_target)
def test_delete_firewall_group_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_group:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group:shared',
self.alt_target)
def test_get_firewall_group(self):
self.assertTrue(
policy.enforce(self.context, 'get_firewall_group', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_firewall_group',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
def setUp(self):
super().setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(ProjectMemberTests):
def setUp(self):
super().setUp()
self.context = self.project_reader_ctx
def test_create_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group',
self.alt_target)
def test_update_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_group',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_group',
self.alt_target)
def test_delete_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_group',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_group',
self.alt_target)
class ServiceRoleTests(FirewallGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.service_ctx
def test_create_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group',
self.target)
def test_update_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_group',
self.target)
def test_delete_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_group',
self.target)
def test_create_firewall_group_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_group:shared',
self.target)
def test_update_firewall_group_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_group:shared',
self.target)
def test_delete_firewall_group_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_group:shared',
self.target)
def test_get_firewall_group(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_firewall_group',
self.target)
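Review bot: In `ProjectManagerTests`, the second assertion of `test_update_firewall_group_shared` and of `test_delete_firewall_group_shared` enforces `'create_firewall_group:shared'` against `self.alt_target`. The cross-project denial for updating and deleting the `shared` attribute is therefore never checked for the manager, member and reader contexts that inherit these tests. The rule names should match the test: `policy.enforce, self.context, 'update_firewall_group:shared',` and `policy.enforce, self.context, 'delete_firewall_group:shared',`. The firewall policy test file repeats the same copy-paste in `test_update_firewall_policy_shared` and `test_delete_firewall_policy_shared`.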


@@ -0,0 +1,351 @@
# Copyright (c) 2025 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy as base_policy
from neutron import policy
from neutron.tests.unit.conf.policies import test_base as base
class FirewallPolicyAPITestCase(base.PolicyBaseTestCase):
def setUp(self):
super().setUp()
self.target = {
'project_id': self.project_id,
'tenant_id': self.project_id}
self.alt_target = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id}
class SystemAdminTests(FirewallPolicyAPITestCase):
def setUp(self):
super().setUp()
self.context = self.system_admin_ctx
def test_create_firewall_policy(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_policy',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_policy',
self.alt_target)
def test_update_firewall_policy(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_policy',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_policy',
self.alt_target)
def test_delete_firewall_policy(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_policy',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_policy',
self.alt_target)
def test_create_firewall_policy_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.alt_target)
def test_update_firewall_policy_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_policy:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_policy:shared',
self.alt_target)
def test_delete_firewall_policy_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_policy:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_policy:shared',
self.alt_target)
def test_get_firewall_policy(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_firewall_policy', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_firewall_policy',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
def setUp(self):
super().setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
super().setUp()
self.context = self.system_reader_ctx
class AdminTests(FirewallPolicyAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_admin_ctx
def test_create_firewall_policy(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_policy', self.target))
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_policy', self.alt_target))
def test_update_firewall_policy(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_policy', self.target))
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_policy', self.alt_target))
def test_delete_firewall_policy(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_policy', self.target))
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_policy', self.alt_target))
def test_create_firewall_policy_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_policy:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_policy:shared',
self.alt_target))
def test_update_firewall_policy_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_policy:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_policy:shared',
self.alt_target))
def test_delete_firewall_policy_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_policy:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_policy:shared',
self.alt_target))
def test_get_firewall_policy(self):
self.assertTrue(
policy.enforce(self.context, 'get_firewall_policy', self.target))
self.assertTrue(
policy.enforce(
self.context, 'get_firewall_policy', self.alt_target))
class ProjectManagerTests(AdminTests):
def setUp(self):
super().setUp()
self.context = self.project_manager_ctx
def test_create_firewall_policy(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_policy', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy',
self.alt_target)
def test_update_firewall_policy(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_policy', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_policy',
self.alt_target)
def test_delete_firewall_policy(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_policy', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_policy',
self.alt_target)
def test_create_firewall_policy_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.alt_target)
def test_update_firewall_policy_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_policy:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.alt_target)
def test_delete_firewall_policy_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_policy:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.alt_target)
def test_get_firewall_policy(self):
self.assertTrue(
policy.enforce(self.context, 'get_firewall_policy', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_firewall_policy',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
def setUp(self):
super().setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(ProjectMemberTests):
def setUp(self):
super().setUp()
self.context = self.project_reader_ctx
def test_create_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy',
self.alt_target)
def test_update_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_policy',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_policy',
self.alt_target)
def test_delete_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_policy',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_policy',
self.alt_target)
class ServiceRoleTests(FirewallPolicyAPITestCase):
def setUp(self):
super().setUp()
self.context = self.service_ctx
def test_create_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy',
self.target)
def test_update_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_policy',
self.target)
def test_delete_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_policy',
self.target)
def test_create_firewall_policy_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_policy:shared',
self.target)
def test_update_firewall_policy_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_policy:shared',
self.target)
def test_delete_firewall_policy_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_policy:shared',
self.target)
def test_get_firewall_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_firewall_policy',
self.target)


@@ -0,0 +1,429 @@
# Copyright (c) 2025 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy as base_policy
from neutron import policy
from neutron.tests.unit.conf.policies import test_base as base
class FirewallRuleAPITestCase(base.PolicyBaseTestCase):
def setUp(self):
super().setUp()
self.target = {
'project_id': self.project_id,
'tenant_id': self.project_id}
self.alt_target = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id}
class SystemAdminTests(FirewallRuleAPITestCase):
def setUp(self):
super().setUp()
self.context = self.system_admin_ctx
def test_create_firewall_rule(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_rule', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_rule',
self.alt_target)
def test_update_firewall_rule(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_rule', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_rule',
self.alt_target)
def test_delete_firewall_rule(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_rule', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_rule',
self.alt_target)
def test_create_firewall_rule_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.alt_target)
def test_update_firewall_rule_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_rule:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'update_firewall_rule:shared',
self.alt_target)
def test_delete_firewall_rule_shared(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_rule:shared',
self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'delete_firewall_rule:shared',
self.alt_target)
def test_get_firewall_rule(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_firewall_rule', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'get_firewall_rule',
self.alt_target)
def test_insert_rule(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'insert_rule', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'insert_rule',
self.alt_target)
def test_remove_rule(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'remove_rule', self.target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce, self.context, 'remove_rule',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
def setUp(self):
super().setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
super().setUp()
self.context = self.system_reader_ctx
class AdminTests(FirewallRuleAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_admin_ctx
def test_create_firewall_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_rule', self.target))
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_rule', self.alt_target))
def test_update_firewall_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_rule', self.target))
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_rule', self.alt_target))
def test_delete_firewall_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_rule', self.target))
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_rule', self.alt_target))
def test_create_firewall_rule_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_rule:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_rule:shared', self.alt_target))
def test_update_firewall_rule_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_rule:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_rule:shared', self.alt_target))
def test_delete_firewall_rule_shared(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_rule:shared', self.target))
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_rule:shared', self.alt_target))
def test_get_firewall_rule(self):
self.assertTrue(
policy.enforce(self.context, 'get_firewall_rule', self.target))
self.assertTrue(
policy.enforce(
self.context, 'get_firewall_rule', self.alt_target))
def test_insert_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'insert_rule', self.target))
self.assertTrue(
policy.enforce(
self.context, 'insert_rule', self.alt_target))
def test_remove_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'remove_rule', self.target))
self.assertTrue(
policy.enforce(
self.context, 'remove_rule', self.alt_target))
class ProjectManagerTests(AdminTests):
def setUp(self):
super().setUp()
self.context = self.project_manager_ctx
def test_create_firewall_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'create_firewall_rule', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule',
self.alt_target)
def test_update_firewall_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'update_firewall_rule', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_rule',
self.alt_target)
def test_delete_firewall_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'delete_firewall_rule', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_rule',
self.alt_target)
def test_create_firewall_rule_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.alt_target)
def test_update_firewall_rule_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_rule:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.alt_target)
def test_delete_firewall_rule_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_rule:shared',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.alt_target)
def test_get_firewall_rule(self):
self.assertTrue(
policy.enforce(self.context, 'get_firewall_rule', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_firewall_rule',
self.alt_target)
def test_insert_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'insert_rule', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'insert_rule',
self.alt_target)
def test_remove_rule(self):
self.assertTrue(
policy.enforce(
self.context, 'remove_rule', self.target))
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'remove_rule',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
def setUp(self):
super().setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(ProjectMemberTests):
def setUp(self):
super().setUp()
self.context = self.project_reader_ctx
def test_create_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule',
self.alt_target)
def test_update_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_rule',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_rule',
self.alt_target)
def test_delete_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_rule',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_rule',
self.alt_target)
def test_insert_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'insert_rule',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'insert_rule',
self.alt_target)
def test_remove_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'remove_rule',
self.target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'remove_rule',
self.alt_target)
class ServiceRoleTests(FirewallRuleAPITestCase):
def setUp(self):
super().setUp()
self.context = self.service_ctx
def test_create_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule',
self.target)
def test_update_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_rule',
self.target)
def test_delete_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_rule',
self.target)
def test_create_firewall_rule_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'create_firewall_rule:shared',
self.target)
def test_update_firewall_rule_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'update_firewall_rule:shared',
self.target)
def test_delete_firewall_rule_shared(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'delete_firewall_rule:shared',
self.target)
def test_get_firewall_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'get_firewall_rule',
self.target)
def test_insert_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'insert_rule',
self.target)
def test_remove_rule(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce, self.context, 'remove_rule',
self.target)
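Review bot: In `ProjectManagerTests`, the second assertion of `test_update_firewall_rule_shared` and of `test_delete_firewall_rule_shared` enforces `'create_firewall_rule:shared'` against `self.alt_target`. The cross-project denial for the update and delete `:shared` rules is therefore never exercised for the manager persona, nor for the member and reader classes that inherit these tests. Each rule name should match its test: `policy.enforce, self.context, 'update_firewall_rule:shared',` and `policy.enforce, self.context, 'delete_firewall_rule:shared',`. The firewall-policy tests earlier on this page (`test_update_firewall_policy_shared`, `test_delete_firewall_policy_shared`) carry the same copy-paste and need the same correction. `ServiceRoleTests` checks only `self.target`; adding the `self.alt_target` case would keep it in line with the other persona classes.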


@@ -131,7 +131,8 @@ class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
is_admin=True).elevated()
def _get_nonadmin_context(self, user_id='non-admin', tenant_id='tenant1'):
return context.Context(user_id=user_id, tenant_id=tenant_id)
return context.Context(user_id=user_id, tenant_id=tenant_id,
roles=['member', 'reader'])
def _test_list_resources(self, resource, items, neutron_context=None,
query_params=None, as_admin=False):
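Review bot: `_get_nonadmin_context` now hard-codes `roles=['member', 'reader']` with no comment and no way for a caller to request another persona, so tests built on this helper cannot express a reader-only or role-less caller for negative authorization checks. A keyword argument with the same default keeps existing callers unchanged: add `roles=None` to the signature and pass `roles=['member', 'reader'] if roles is None else roles`. A short comment such as `# project-member persona; the S-RBAC defaults check roles, not just tenant ownership` would record why the roles were added, presumably because the new defaults use `ADMIN_OR_PROJECT_MEMBER`. The body of `_test_list_resources` continues outside the hunk.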


@@ -0,0 +1,8 @@
---
features:
- |
Neutron-fwaas API policies now supports S-RBAC roles.
deprecations:
- |
Old API policies are now deprecated and new policies, aligned with S-RBAC
roles are used for the neutron-fwaas APIs by default now.