Merge "trivial: remove unnecessary grouping in base policies"

2021-03-10 18:20:29 +00:00 · 2021-03-10 18:20:29 +00:00 · 66f5c8d6e1
commit 66f5c8d6e1
parent 751e5ed812 2b498e61f4
2 changed files with 12 additions and 4 deletions
--- a/glance/policies/base.py
+++ b/glance/policies/base.py
@ -14,12 +14,12 @@ from oslo_policy import policy

 # Generic check string for checking if a user is authorized on a particular
 # project, specifically with the member role.
-PROJECT_MEMBER = 'role:member and (project_id:%(project_id)s)'
+PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
 # Generic check string for checking if a user is authorized on a particular
 # project but with read-only access. For example, this persona would be able to
 # list private images owned by a project but cannot make any writeable changes
 # to those images.
-PROJECT_READER = 'role:reader and (project_id:%(project_id)s)'
+PROJECT_READER = 'role:reader and project_id:%(project_id)s'

 # Make sure the member_id of the supplied target matches the project_id from
 # the context object, which is derived from keystone tokens.
--- a/glance/tests/unit/test_policy.py
+++ b/glance/tests/unit/test_policy.py
@ -1062,9 +1062,13 @@ class TestContextPolicyEnforcer(base.IsolatedUnitTest):
 class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest):

    def test_project_member_check_string(self):
-        expected = 'role:member and (project_id:%(project_id)s)'
+        expected = 'role:member and project_id:%(project_id)s'
        self.assertEqual(expected, base_policy.PROJECT_MEMBER)

+    def test_admin_or_project_member_check_string(self):
+        expected = 'role:admin or (role:member and project_id:%(project_id)s)'
+        self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_MEMBER)
+
    def test_project_member_download_image_check_string(self):
        expected = (
            'role:member and (project_id:%(project_id)s or '
@ -1077,9 +1081,13 @@ class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest):
        )

    def test_project_reader_check_string(self):
-        expected = 'role:reader and (project_id:%(project_id)s)'
+        expected = 'role:reader and project_id:%(project_id)s'
        self.assertEqual(expected, base_policy.PROJECT_READER)

+    def test_admin_or_project_reader_check_string(self):
+        expected = 'role:admin or (role:reader and project_id:%(project_id)s)'
+        self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_READER)
+
    def test_project_reader_get_image_check_string(self):
        expected = (
            'role:reader and (project_id:%(project_id)s or '