diff --git a/neutron_fwaas/policies/firewall_group.py b/neutron_fwaas/policies/firewall_group.py
index b74c096f0..33cbaf2ea 100644
--- a/neutron_fwaas/policies/firewall_group.py
+++ b/neutron_fwaas/policies/firewall_group.py
@@ -10,91 +10,134 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron.conf.policies import base as neutron_base from neutron_lib import policy as base from oslo_policy import policy +DEPRECATED_REASON = """ +The FWaaS API now supports Secure RBAC default roles. +""" rules = [ policy.RuleDefault( - 'shared_firewall_groups', - 'field:firewall_groups:shared=True', - 'Definition of shared firewall groups' + name='shared_firewall_groups', + check_str='field:firewall_groups:shared=True', + description='Definition of shared firewall groups' ), policy.DocumentedRuleDefault( - 'create_firewall_group', - base.RULE_ANY, - 'Create a firewall group', - [ + name='create_firewall_group', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Create a firewall group', + operations=[ { 'method': 'POST', 'path': '/fwaas/firewall_groups', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='create_firewall_group', + check_str=base.RULE_ANY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'update_firewall_group', - base.RULE_ADMIN_OR_OWNER, - 'Update a firewall group', - [ + name='update_firewall_group', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Update a firewall group', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_groups/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='update_firewall_group', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'delete_firewall_group', - base.RULE_ADMIN_OR_OWNER, - 'Delete a firewall group', - [ + name='delete_firewall_group', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Delete a firewall group', + operations=[ { 'method': 'DELETE', 'path': '/fwaas/firewall_groups/{id}', }, - ] + 
], + deprecated_rule=policy.DeprecatedRule( + name='delete_firewall_group', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'create_firewall_group:shared', - base.RULE_ADMIN_ONLY, - 'Create a shared firewall group', - [ + name='create_firewall_group:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Create a shared firewall group', + operations=[ { 'method': 'POST', 'path': '/fwaas/firewall_groups', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='create_firewall_group:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'update_firewall_group:shared', - base.RULE_ADMIN_ONLY, - 'Update ``shared`` attribute of a firewall group', - [ + name='update_firewall_group:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Update ``shared`` attribute of a firewall group', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_groups/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='update_firewall_group:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), # TODO(amotoki): Drop this rule as it has no effect. 
policy.DocumentedRuleDefault( - 'delete_firewall_group:shared', - base.RULE_ADMIN_ONLY, - 'Delete a shared firewall group', - [ + name='delete_firewall_group:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Delete a shared firewall group', + operations=[ { 'method': 'DELETE', 'path': '/fwaas/firewall_groups/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='delete_firewall_group:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'get_firewall_group', - 'rule:admin_or_owner or rule:shared_firewall_groups', - 'Get firewall groups', - [ + name='get_firewall_group', + check_str=base.policy_or( + neutron_base.ADMIN_OR_PROJECT_READER, + 'rule:shared_firewall_groups'), + scope_types=['project'], + description='Get firewall groups', + operations=[ { 'method': 'GET', 'path': '/fwaas/firewall_groups', @@ -103,7 +146,12 @@ rules = [ 'method': 'GET', 'path': '/fwaas/firewall_groups/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='get_firewall_group', + check_str='rule:admin_or_owner or rule:shared_firewall_groups', + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), ] diff --git a/neutron_fwaas/policies/firewall_policy.py b/neutron_fwaas/policies/firewall_policy.py index 0102b6381..617d25018 100644 --- a/neutron_fwaas/policies/firewall_policy.py +++ b/neutron_fwaas/policies/firewall_policy.py 
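Review bot: The tightening of `create_firewall_group` from `base.RULE_ANY` to `neutron_base.ADMIN_OR_PROJECT_MEMBER` is only effective where the new defaults are actually enforced; if I recall oslo.policy's deprecation handling correctly, while `[oslo_policy] enforce_new_defaults` is off a rule carrying a `deprecated_rule` is evaluated as `new_check or deprecated_check`, and with `check_str=base.RULE_ANY` on the deprecated side that OR is still satisfied by any authenticated caller. The same applies to the update/delete rules whose old check was `RULE_ADMIN_OR_OWNER`, which carries no role requirement and so would keep admitting project readers during the deprecation window. Neutron has, as far as I know, switched the new defaults on by default, but a deployment that disabled them gets none of this hardening, so it is worth saying so next to the constant, e.g. `# NOTE: until enforce_new_defaults is on, the deprecated check_str is OR-ed in and create stays open to any user`, and in a release note. The `rules` list continues past the end of this hunk.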
@@ -10,91 +10,135 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron.conf.policies import base as neutron_base from neutron_lib import policy as base from oslo_policy import policy +DEPRECATED_REASON = """ +The FWaaS API now supports Secure RBAC default roles. +""" + rules = [ policy.RuleDefault( - 'shared_firewall_policies', - 'field:firewall_policies:shared=True', - 'Definition of shared firewall policies' + name='shared_firewall_policies', + check_str='field:firewall_policies:shared=True', + description='Definition of shared firewall policies' ), policy.DocumentedRuleDefault( - 'create_firewall_policy', - base.RULE_ANY, - 'Create a firewall policy', - [ + name='create_firewall_policy', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Create a firewall policy', + operations=[ { 'method': 'POST', 'path': '/fwaas/firewall_policies', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='create_firewall_policy', + check_str=base.RULE_ANY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'update_firewall_policy', - base.RULE_ADMIN_OR_OWNER, - 'Update a firewall policy', - [ + name='update_firewall_policy', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Update a firewall policy', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_policies/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='update_firewall_policy', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'delete_firewall_policy', - base.RULE_ADMIN_OR_OWNER, - 'Delete a firewall policy', - [ + name='delete_firewall_policy', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Delete a firewall policy', + operations=[ { 'method': 'DELETE', 'path': 
'/fwaas/firewall_policies/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='delete_firewall_policy', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'create_firewall_policy:shared', - base.RULE_ADMIN_ONLY, - 'Create a shared firewall policy', - [ + name='create_firewall_policy:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Create a shared firewall policy', + operations=[ { 'method': 'POST', 'path': '/fwaas/firewall_policies', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='create_firewall_policy:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'update_firewall_policy:shared', - base.RULE_ADMIN_ONLY, - 'Update ``shared`` attribute of a firewall policy', - [ + name='update_firewall_policy:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Update ``shared`` attribute of a firewall policy', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_policies/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='update_firewall_policy:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), # TODO(amotoki): Drop this rule as it has no effect. 
policy.DocumentedRuleDefault( - 'delete_firewall_policy:shared', - base.RULE_ADMIN_ONLY, - 'Delete a shread firewall policy', - [ + name='delete_firewall_policy:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Delete a shread firewall policy', + operations=[ { 'method': 'DELETE', 'path': '/fwaas/firewall_policies/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='delete_firewall_policy:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'get_firewall_policy', - 'rule:admin_or_owner or rule:shared_firewall_policies', - 'Get firewall policies', - [ + name='get_firewall_policy', + check_str=base.policy_or( + neutron_base.ADMIN_OR_PROJECT_READER, + 'rule:shared_firewall_policies'), + scope_types=['project'], + description='Get firewall policies', + operations=[ { 'method': 'GET', 'path': '/fwaas/firewall_policies', @@ -103,7 +147,12 @@ rules = [ 'method': 'GET', 'path': '/fwaas/firewall_policies/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='get_firewall_policy', + check_str='rule:admin_or_owner or rule:shared_firewall_policies', + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), ] diff --git a/neutron_fwaas/policies/firewall_rule.py b/neutron_fwaas/policies/firewall_rule.py index 45628c07a..b9306482a 100644 --- a/neutron_fwaas/policies/firewall_rule.py +++ b/neutron_fwaas/policies/firewall_rule.py 
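Review bot: `description='Delete a shread firewall policy'` carries the 'shread' typo into the new keyword form, and because the description feeds the generated policy documentation and sample policy file it should be fixed while the line is being rewritten: `description='Delete a shared firewall policy',`. The rule is also still marked `# TODO(amotoki): Drop this rule as it has no effect.` yet now gains `scope_types` and a `deprecated_rule`, which signals to operators that this knob governs deletion of shared policies; if it truly is a no-op it would be clearer to deprecate it for removal than to migrate it, and if it does have an effect the TODO should go. The `rules` list continues past the end of this hunk.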
@@ -10,91 +10,135 @@ # License for the specific language governing permissions and limitations # under the License. +from neutron.conf.policies import base as neutron_base from neutron_lib import policy as base from oslo_policy import policy +DEPRECATED_REASON = """ +The FWaaS API now supports Secure RBAC default roles. +""" + rules = [ policy.RuleDefault( - 'shared_firewall_rules', - 'field:firewall_rules:shared=True', - 'Definition of shared firewall rules' + name='shared_firewall_rules', + check_str='field:firewall_rules:shared=True', + description='Definition of shared firewall rules' ), policy.DocumentedRuleDefault( - 'create_firewall_rule', - base.RULE_ANY, - 'Create a firewall rule', - [ + name='create_firewall_rule', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Create a firewall rule', + operations=[ { 'method': 'POST', 'path': '/fwaas/firewall_rules', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='create_firewall_rule', + check_str=base.RULE_ANY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'update_firewall_rule', - base.RULE_ADMIN_OR_OWNER, - 'Update a firewall rule', - [ + name='update_firewall_rule', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Update a firewall rule', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_rules/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='update_firewall_rule', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'delete_firewall_rule', - base.RULE_ADMIN_OR_OWNER, - 'Delete a firewall rule', - [ + name='delete_firewall_rule', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Delete a firewall rule', + operations=[ { 'method': 'DELETE', 'path': '/fwaas/firewall_rules/{id}', }, - ] + ], + 
deprecated_rule=policy.DeprecatedRule( + name='delete_firewall_rule', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'create_firewall_rule:shared', - base.RULE_ADMIN_ONLY, - 'Create a shared firewall rule', - [ + name='create_firewall_rule:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Create a shared firewall rule', + operations=[ { 'method': 'POST', 'path': '/fwaas/firewall_rules', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='create_firewall_rule:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'update_firewall_rule:shared', - base.RULE_ADMIN_ONLY, - 'Update ``shared`` attribute of a firewall rule', - [ + name='update_firewall_rule:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Update ``shared`` attribute of a firewall rule', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_rules/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='update_firewall_rule:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), # TODO(amotoki): Drop this rule as it has no effect. 
policy.DocumentedRuleDefault( - 'delete_firewall_rule:shared', - base.RULE_ADMIN_ONLY, - 'Delete a shread firewall rule', - [ + name='delete_firewall_rule:shared', + check_str=neutron_base.ADMIN, + scope_types=['project'], + description='Delete a shread firewall rule', + operations=[ { 'method': 'DELETE', 'path': '/fwaas/firewall_rules/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='delete_firewall_rule:shared', + check_str=base.RULE_ADMIN_ONLY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'get_firewall_rule', - 'rule:admin_or_owner or rule:shared_firewall_rules', - 'Get firewall rules', - [ + name='get_firewall_rule', + check_str=base.policy_or( + neutron_base.ADMIN_OR_PROJECT_READER, + 'rule:shared_firewall_rules'), + scope_types=['project'], + description='Get firewall rules', + operations=[ { 'method': 'GET', 'path': '/fwaas/firewall_rules', 
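Review bot: `description='Delete a shread firewall rule'` repeats the 'shread' typo in the new keyword-argument form; since this string ends up in the generated policy reference it is worth correcting here: `description='Delete a shared firewall rule',`. As with the sibling files, this rule keeps the `# TODO(amotoki): Drop this rule as it has no effect.` marker while being given `scope_types` and deprecation metadata, which makes a rule the comment calls ineffective look like a live control; either the TODO or the migration of this rule should be reconsidered. The `rules` list continues past the end of this hunk.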
@@ -103,30 +147,47 @@ rules = [ 'method': 'GET', 'path': '/fwaas/firewall_rules/{id}', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='get_firewall_rule', + check_str='rule:admin_or_owner or rule:shared_firewall_rules', + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'insert_rule', - base.RULE_ADMIN_OR_OWNER, - 'Insert rule into a firewall policy', - [ + name='insert_rule', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Insert rule into a firewall policy', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_policies/{id}/insert_rule', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='insert_rule', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), policy.DocumentedRuleDefault( - 'remove_rule', - base.RULE_ADMIN_OR_OWNER, - 'Remove rule from a firewall policy', - [ + name='remove_rule', + check_str=neutron_base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description='Remove rule from a firewall policy', + operations=[ { 'method': 'PUT', 'path': '/fwaas/firewall_policies/{id}/remove_rule', }, - ] + ], + deprecated_rule=policy.DeprecatedRule( + name='remove_rule', + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='2025.2') ), ] diff --git a/neutron_fwaas/tests/unit/policies/__init__.py b/neutron_fwaas/tests/unit/policies/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/neutron_fwaas/tests/unit/policies/test_firewall_group.py b/neutron_fwaas/tests/unit/policies/test_firewall_group.py new file mode 100644 index 000000000..1e0d4bc93 --- /dev/null +++ b/neutron_fwaas/tests/unit/policies/test_firewall_group.py 
@@ -0,0 +1,345 @@ +# Copyright (c) 2025 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from oslo_policy import policy as base_policy + +from neutron import policy +from neutron.tests.unit.conf.policies import test_base as base + + +class FirewallGroupAPITestCase(base.PolicyBaseTestCase): + + def setUp(self): + super().setUp() + self.target = { + 'project_id': self.project_id, + 'tenant_id': self.project_id} + self.alt_target = { + 'project_id': self.alt_project_id, + 'tenant_id': self.alt_project_id} + + +class SystemAdminTests(FirewallGroupAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.system_admin_ctx + + def test_create_firewall_group(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_group', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_group', + self.alt_target) + + def test_update_firewall_group(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_group', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_group', + self.alt_target) + + def test_delete_firewall_group(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_group', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 
'delete_firewall_group', + self.alt_target) + + def test_create_firewall_group_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_group:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_group:shared', + self.alt_target) + + def test_update_firewall_group_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_group:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_group:shared', + self.alt_target) + + def test_delete_firewall_group_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_group:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_group:shared', + self.alt_target) + + def test_get_firewall_group(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'get_firewall_group', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'get_firewall_group', + self.alt_target) + + +class SystemMemberTests(SystemAdminTests): + + def setUp(self): + super().setUp() + self.context = self.system_member_ctx + + +class SystemReaderTests(SystemMemberTests): + + def setUp(self): + super().setUp() + self.context = self.system_reader_ctx + + +class AdminTests(FirewallGroupAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.project_admin_ctx + + def test_create_firewall_group(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_group', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_group', self.alt_target)) + + def test_update_firewall_group(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_group', self.target)) + 
self.assertTrue( + policy.enforce( + self.context, 'update_firewall_group', self.alt_target)) + + def test_delete_firewall_group(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_group', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_group', self.alt_target)) + + def test_create_firewall_group_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_group:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_group:shared', self.alt_target)) + + def test_update_firewall_group_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_group:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_group:shared', self.alt_target)) + + def test_delete_firewall_group_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_group:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_group:shared', self.alt_target)) + + def test_get_firewall_group(self): + self.assertTrue( + policy.enforce(self.context, 'get_firewall_group', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'get_firewall_group', self.alt_target)) + + +class ProjectManagerTests(AdminTests): + + def setUp(self): + super().setUp() + self.context = self.project_manager_ctx + + def test_create_firewall_group(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_group', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group', + self.alt_target) + + def test_update_firewall_group(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_group', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_group', + self.alt_target) + + def test_delete_firewall_group(self): + 
self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_group', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_group', + self.alt_target) + + def test_create_firewall_group_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group:shared', + self.alt_target) + + def test_update_firewall_group_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_group:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group:shared', + self.alt_target) + + def test_delete_firewall_group_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_group:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group:shared', + self.alt_target) + + def test_get_firewall_group(self): + self.assertTrue( + policy.enforce(self.context, 'get_firewall_group', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_firewall_group', + self.alt_target) + + +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super().setUp() + self.context = self.project_member_ctx + + +class ProjectReaderTests(ProjectMemberTests): + + def setUp(self): + super().setUp() + self.context = self.project_reader_ctx + + def test_create_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group', + 
self.alt_target) + + def test_update_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_group', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_group', + self.alt_target) + + def test_delete_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_group', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_group', + self.alt_target) + + +class ServiceRoleTests(FirewallGroupAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.service_ctx + + def test_create_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group', + self.target) + + def test_update_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_group', + self.target) + + def test_delete_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_group', + self.target) + + def test_create_firewall_group_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_group:shared', + self.target) + + def test_update_firewall_group_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_group:shared', + self.target) + + def test_delete_firewall_group_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_group:shared', + self.target) + + def test_get_firewall_group(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_firewall_group', + self.target) 
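Review bot: In `ProjectManagerTests.test_update_firewall_group_shared` and `ProjectManagerTests.test_delete_firewall_group_shared` the second `assertRaises` enforces `'create_firewall_group:shared'` against `self.alt_target` rather than the rule under test, so the cross-project denial of `update_firewall_group:shared` and `delete_firewall_group:shared` is never exercised by the manager, member and reader classes that inherit these methods. The assertions only pass because `create_firewall_group:shared` is also denied to non-admins, which masks the copy-paste error. Replace the two rule names with `policy.enforce, self.context, 'update_firewall_group:shared',` and `policy.enforce, self.context, 'delete_firewall_group:shared',` respectively. The same pattern appears in the `ProjectManagerTests` of test_firewall_policy.py further down in this diff and should be corrected there too.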
diff --git a/neutron_fwaas/tests/unit/policies/test_firewall_policy.py b/neutron_fwaas/tests/unit/policies/test_firewall_policy.py
new file mode 100644
index 000000000..d816f49f3
--- /dev/null
+++ b/neutron_fwaas/tests/unit/policies/test_firewall_policy.py
@@ -0,0 +1,351 @@ +# Copyright (c) 2025 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from oslo_policy import policy as base_policy + +from neutron import policy +from neutron.tests.unit.conf.policies import test_base as base + + +class FirewallPolicyAPITestCase(base.PolicyBaseTestCase): + + def setUp(self): + super().setUp() + self.target = { + 'project_id': self.project_id, + 'tenant_id': self.project_id} + self.alt_target = { + 'project_id': self.alt_project_id, + 'tenant_id': self.alt_project_id} + + +class SystemAdminTests(FirewallPolicyAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.system_admin_ctx + + def test_create_firewall_policy(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_policy', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_policy', + self.alt_target) + + def test_update_firewall_policy(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_policy', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_policy', + self.alt_target) + + def test_delete_firewall_policy(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_policy', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 
'delete_firewall_policy', + self.alt_target) + + def test_create_firewall_policy_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.alt_target) + + def test_update_firewall_policy_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_policy:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_policy:shared', + self.alt_target) + + def test_delete_firewall_policy_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_policy:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_policy:shared', + self.alt_target) + + def test_get_firewall_policy(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'get_firewall_policy', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'get_firewall_policy', + self.alt_target) + + +class SystemMemberTests(SystemAdminTests): + + def setUp(self): + super().setUp() + self.context = self.system_member_ctx + + +class SystemReaderTests(SystemMemberTests): + + def setUp(self): + super().setUp() + self.context = self.system_reader_ctx + + +class AdminTests(FirewallPolicyAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.project_admin_ctx + + def test_create_firewall_policy(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_policy', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_policy', self.alt_target)) + + def test_update_firewall_policy(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_policy', 
self.target)) + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_policy', self.alt_target)) + + def test_delete_firewall_policy(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_policy', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_policy', self.alt_target)) + + def test_create_firewall_policy_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_policy:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_policy:shared', + self.alt_target)) + + def test_update_firewall_policy_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_policy:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_policy:shared', + self.alt_target)) + + def test_delete_firewall_policy_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_policy:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_policy:shared', + self.alt_target)) + + def test_get_firewall_policy(self): + self.assertTrue( + policy.enforce(self.context, 'get_firewall_policy', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'get_firewall_policy', self.alt_target)) + + +class ProjectManagerTests(AdminTests): + + def setUp(self): + super().setUp() + self.context = self.project_manager_ctx + + def test_create_firewall_policy(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy', + self.alt_target) + + def test_update_firewall_policy(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_policy', + self.alt_target) + + 
def test_delete_firewall_policy(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_policy', + self.alt_target) + + def test_create_firewall_policy_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.alt_target) + + def test_update_firewall_policy_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_policy:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.alt_target) + + def test_delete_firewall_policy_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_policy:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.alt_target) + + def test_get_firewall_policy(self): + self.assertTrue( + policy.enforce(self.context, 'get_firewall_policy', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_firewall_policy', + self.alt_target) + + +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super().setUp() + self.context = self.project_member_ctx + + +class ProjectReaderTests(ProjectMemberTests): + + def setUp(self): + super().setUp() + self.context = self.project_reader_ctx + + def test_create_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + 
policy.enforce, self.context, 'create_firewall_policy', + self.alt_target) + + def test_update_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_policy', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_policy', + self.alt_target) + + def test_delete_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_policy', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_policy', + self.alt_target) + + +class ServiceRoleTests(FirewallPolicyAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.service_ctx + + def test_create_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy', + self.target) + + def test_update_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_policy', + self.target) + + def test_delete_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_policy', + self.target) + + def test_create_firewall_policy_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_policy:shared', + self.target) + + def test_update_firewall_policy_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_policy:shared', + self.target) + + def test_delete_firewall_policy_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_policy:shared', + self.target) + + def test_get_firewall_policy(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + 
policy.enforce, self.context, 'get_firewall_policy',
+ self.target)
diff --git a/neutron_fwaas/tests/unit/policies/test_firewall_rule.py b/neutron_fwaas/tests/unit/policies/test_firewall_rule.py
new file mode 100644
index 000000000..206f88e17
--- /dev/null
+++ b/neutron_fwaas/tests/unit/policies/test_firewall_rule.py
@@ -0,0 +1,429 @@ +# Copyright (c) 2025 Red Hat Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from oslo_policy import policy as base_policy + +from neutron import policy +from neutron.tests.unit.conf.policies import test_base as base + + +class FirewallRuleAPITestCase(base.PolicyBaseTestCase): + + def setUp(self): + super().setUp() + self.target = { + 'project_id': self.project_id, + 'tenant_id': self.project_id} + self.alt_target = { + 'project_id': self.alt_project_id, + 'tenant_id': self.alt_project_id} + + +class SystemAdminTests(FirewallRuleAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.system_admin_ctx + + def test_create_firewall_rule(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_rule', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_rule', + self.alt_target) + + def test_update_firewall_rule(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_rule', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_rule', + self.alt_target) + + def test_delete_firewall_rule(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_rule', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_rule', + 
self.alt_target) + + def test_create_firewall_rule_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_rule:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'create_firewall_rule:shared', + self.alt_target) + + def test_update_firewall_rule_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_rule:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'update_firewall_rule:shared', + self.alt_target) + + def test_delete_firewall_rule_shared(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_rule:shared', + self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'delete_firewall_rule:shared', + self.alt_target) + + def test_get_firewall_rule(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'get_firewall_rule', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'get_firewall_rule', + self.alt_target) + + def test_insert_rule(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'insert_rule', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'insert_rule', + self.alt_target) + + def test_remove_rule(self): + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'remove_rule', self.target) + self.assertRaises( + base_policy.InvalidScope, + policy.enforce, self.context, 'remove_rule', + self.alt_target) + + +class SystemMemberTests(SystemAdminTests): + + def setUp(self): + super().setUp() + self.context = self.system_member_ctx + + +class SystemReaderTests(SystemMemberTests): + + def setUp(self): + super().setUp() + self.context = self.system_reader_ctx + + +class 
AdminTests(FirewallRuleAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.project_admin_ctx + + def test_create_firewall_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_rule', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_rule', self.alt_target)) + + def test_update_firewall_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_rule', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_rule', self.alt_target)) + + def test_delete_firewall_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_rule', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_rule', self.alt_target)) + + def test_create_firewall_rule_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_rule:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_rule:shared', self.alt_target)) + + def test_update_firewall_rule_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_rule:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_rule:shared', self.alt_target)) + + def test_delete_firewall_rule_shared(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_rule:shared', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_rule:shared', self.alt_target)) + + def test_get_firewall_rule(self): + self.assertTrue( + policy.enforce(self.context, 'get_firewall_rule', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'get_firewall_rule', self.alt_target)) + + def test_insert_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'insert_rule', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'insert_rule', self.alt_target)) + + def test_remove_rule(self): + 
self.assertTrue( + policy.enforce( + self.context, 'remove_rule', self.target)) + self.assertTrue( + policy.enforce( + self.context, 'remove_rule', self.alt_target)) + + +class ProjectManagerTests(AdminTests): + + def setUp(self): + super().setUp() + self.context = self.project_manager_ctx + + def test_create_firewall_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'create_firewall_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule', + self.alt_target) + + def test_update_firewall_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'update_firewall_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_rule', + self.alt_target) + + def test_delete_firewall_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'delete_firewall_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_rule', + self.alt_target) + + def test_create_firewall_rule_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule:shared', + self.alt_target) + + def test_update_firewall_rule_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_rule:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule:shared', + self.alt_target) + + def test_delete_firewall_rule_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_rule:shared', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 
'create_firewall_rule:shared', + self.alt_target) + + def test_get_firewall_rule(self): + self.assertTrue( + policy.enforce(self.context, 'get_firewall_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_firewall_rule', + self.alt_target) + + def test_insert_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'insert_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'insert_rule', + self.alt_target) + + def test_remove_rule(self): + self.assertTrue( + policy.enforce( + self.context, 'remove_rule', self.target)) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'remove_rule', + self.alt_target) + + +class ProjectMemberTests(ProjectManagerTests): + + def setUp(self): + super().setUp() + self.context = self.project_member_ctx + + +class ProjectReaderTests(ProjectMemberTests): + + def setUp(self): + super().setUp() + self.context = self.project_reader_ctx + + def test_create_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule', + self.alt_target) + + def test_update_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_rule', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_rule', + self.alt_target) + + def test_delete_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_rule', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_rule', + self.alt_target) + + def test_insert_rule(self): + self.assertRaises( + 
base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'insert_rule', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'insert_rule', + self.alt_target) + + def test_remove_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'remove_rule', + self.target) + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'remove_rule', + self.alt_target) + + +class ServiceRoleTests(FirewallRuleAPITestCase): + + def setUp(self): + super().setUp() + self.context = self.service_ctx + + def test_create_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule', + self.target) + + def test_update_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_rule', + self.target) + + def test_delete_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_rule', + self.target) + + def test_create_firewall_rule_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'create_firewall_rule:shared', + self.target) + + def test_update_firewall_rule_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'update_firewall_rule:shared', + self.target) + + def test_delete_firewall_rule_shared(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'delete_firewall_rule:shared', + self.target) + + def test_get_firewall_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'get_firewall_rule', + self.target) + + def test_insert_rule(self): + self.assertRaises( + base_policy.PolicyNotAuthorized, + policy.enforce, self.context, 'insert_rule', + self.target) + + def 
test_remove_rule(self):
+ self.assertRaises(
+ base_policy.PolicyNotAuthorized,
+ policy.enforce, self.context, 'remove_rule',
+ self.target)
diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py
index 9ccf1ba70..a35afd7cb 100644
--- a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py
+++ b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin_v2.py
@@ -131,7 +131,8 @@ class FirewallPluginV2TestCase(test_db_plugin.NeutronDbPluginV2TestCase):
is_admin=True).elevated()

def _get_nonadmin_context(self, user_id='non-admin', tenant_id='tenant1'):
- return context.Context(user_id=user_id, tenant_id=tenant_id)
+ return context.Context(user_id=user_id, tenant_id=tenant_id,
+ roles=['member', 'reader'])

def _test_list_resources(self, resource, items, neutron_context=None,
query_params=None, as_admin=False):
diff --git a/releasenotes/notes/s-rbac-api-policies-added-4dc1db4ff91fbbed.yaml b/releasenotes/notes/s-rbac-api-policies-added-4dc1db4ff91fbbed.yaml
new file mode 100644
index 000000000..8804d1cc3
--- /dev/null
+++ b/releasenotes/notes/s-rbac-api-policies-added-4dc1db4ff91fbbed.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Neutron-fwaas API policies now supports S-RBAC roles.
+deprecations:
+ - |
+ Old API policies are now deprecated and new policies, aligned with S-RBAC
+ roles are used for the neutron-fwaas APIs by default now.
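Review bot: In ProjectManagerTests.test_update_firewall_rule_shared and test_delete_firewall_rule_shared the second assertRaises re-checks `'create_firewall_rule:shared'` against alt_target instead of the rule the test is named for, so the cross-project deny path of the update and delete `:shared` rules is never exercised by the manager, member and reader classes that inherit these tests. The two lines should read `policy.enforce, self.context, 'update_firewall_rule:shared',` and `policy.enforce, self.context, 'delete_firewall_rule:shared',` respectively. The same copy-paste slip appears in the ProjectManagerTests of test_firewall_policy.py earlier in this diff. ServiceRoleTests only asserts against self.target; a matching alt_target assertion per rule would pin the service-role denial for foreign projects as well, which is a smaller gap.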
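Review bot: The hard-coded `roles=['member', 'reader']` in _get_nonadmin_context gives the plugin tests no way to build a reader-only or manager non-admin context, so the deny paths that the new policy tests in this diff cover presumably cannot be reached from the plugin test suite. A keyword parameter keeps every existing caller working: `def _get_nonadmin_context(self, user_id='non-admin', tenant_id='tenant1', roles=None):` followed by `roles = ['member', 'reader'] if roles is None else roles` before the return, which then passes `roles=roles`. FirewallPluginV2TestCase continues outside the hunk, so I cannot tell whether a caller already sets roles another way.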