Make property protection tests use member role

In order to avoid overriding the default policy in tests to be
completely unrestricted (as they are today), the property protection
tests need to add the member role into the roles being used to
test the additional permissions. This is because the actual default
policies require "admin or project member" permissions to do anything,
and just using one of the special roles will get blocked by the
regular policy before property protections are checked.

This could also be fixed by constructing a very complex policy for
these tests which allows those special roles to do their thing in
addition to member, but I do not believe this is how real deployments
would actually implement it.

These should definitely be reviewed with scrutiny to make sure that
all the assertions are still valid, and make sure we don't need more
than are already here.

Note that there are a couple of assertions that were looking for CONFLICT
instead of FORBIDDEN on the special role attempt; that seems to be
a case of "test the current behavior, not the desired one".

Change-Id: Ib6540223468421776f07745010e5d4afe5d58774
Dan Smith 2021-05-05 08:21:08 -07:00
parent 525b6addd0
commit 76162a7222
1 changed files with 10 additions and 6 deletions


@ -1579,7 +1579,8 @@ class TestImagesController(base.IsolatedUnitTest):
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
another_request, created_image.image_id, changes)
another_request = unit_test_utils.get_fake_request(roles=['spl_role'])
another_request = unit_test_utils.get_fake_request(roles=['member',
'spl_role'])
output = self.controller.update(another_request,
created_image.image_id, changes)
self.assertEqual('bar',
@ -1845,7 +1846,8 @@ class TestImagesController(base.IsolatedUnitTest):
created_image = self.controller.create(request, image=image,
extra_properties=extra_props,
tags=[])
another_request = unit_test_utils.get_fake_request(roles=['joe_soap'])
another_request = unit_test_utils.get_fake_request(roles=['member',
'joe_soap'])
changes = [
{'op': 'replace', 'path': ['x_all_permitted'], 'value': 'baz'},
]
@ -1911,11 +1913,12 @@ class TestImagesController(base.IsolatedUnitTest):
created_image = self.controller.create(request, image=image,
extra_properties=extra_props,
tags=[])
another_request = unit_test_utils.get_fake_request(roles=['fake_role'])
another_request = unit_test_utils.get_fake_request(roles=['member',
'fake_role'])
changes = [
{'op': 'replace', 'path': ['x_none_update'], 'value': 'baz'},
]
self.assertRaises(webob.exc.HTTPConflict, self.controller.update,
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
another_request, created_image.image_id, changes)
def test_delete_locked_down_protected_prop(self):
@ -1927,11 +1930,12 @@ class TestImagesController(base.IsolatedUnitTest):
created_image = self.controller.create(request, image=image,
extra_properties=extra_props,
tags=[])
another_request = unit_test_utils.get_fake_request(roles=['fake_role'])
another_request = unit_test_utils.get_fake_request(roles=['member',
'fake_role'])
changes = [
{'op': 'remove', 'path': ['x_none_delete']}
]
self.assertRaises(webob.exc.HTTPConflict, self.controller.update,
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
another_request, created_image.image_id, changes)
def test_update_replace_locations_non_empty(self):
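Review bot: In the first hunk (`@ -1579`), the request that is expected to succeed now carries both `member` and `spl_role`, so a passing `self.controller.update(...)` no longer shows which of the two roles the property protection rule matched. A rule that mistakenly admitted `member` would go unnoticed unless the same test also asserts that `member` alone is refused, e.g. `member_request = unit_test_utils.get_fake_request(roles=['member'])` followed by `self.assertRaises(webob.exc.HTTPForbidden, self.controller.update, member_request, created_image.image_id, changes)`. The `assertRaises` just above the changed line uses a request built outside the hunk, so it may already cover this. If that request does not include `member`, its denial would come from the base policy rather than from property protections once the unrestricted test policy is dropped, going by the commit description. The test method begins and ends outside the hunk.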