Make property protection tests use member role
In order to avoid overriding the default policy in tests to be completely unrestricted (as they are today), the property protection tests need to add the member role into the roles being used to test the additional permissions. This is because the actual default policies require "admin or project member" permissions to do anything, and just using one of the special roles will get blocked by the regular policy before property protections are checked. This could also be fixed by constructing a very complex policy for these tests which allows those special roles to do their thing in addition to member, but I do not believe this is how real deployments would actually implement it. These should definitely be reviewed with scrutiny to make sure that all the assertions are still valid, and make sure we don't need more than are already here. Note that there are a couple of assertions that were looking for CONFLICT instead of FORBIDDEN on the special role attempt; that seems to be a case of "test the current behavior not the desired one". Change-Id: Ib6540223468421776f07745010e5d4afe5d58774
parent
525b6addd0
commit
76162a7222
@ -1579,7 +1579,8 @@ class TestImagesController(base.IsolatedUnitTest):
|
|||||||
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
|
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
|
||||||
another_request, created_image.image_id, changes)
|
another_request, created_image.image_id, changes)
|
||||||
|
|
||||||
another_request = unit_test_utils.get_fake_request(roles=['spl_role'])
|
another_request = unit_test_utils.get_fake_request(roles=['member',
|
||||||
|
'spl_role'])
|
||||||
output = self.controller.update(another_request,
|
output = self.controller.update(another_request,
|
||||||
created_image.image_id, changes)
|
created_image.image_id, changes)
|
||||||
self.assertEqual('bar',
|
self.assertEqual('bar',
|
||||||
@ -1845,7 +1846,8 @@ class TestImagesController(base.IsolatedUnitTest):
|
|||||||
created_image = self.controller.create(request, image=image,
|
created_image = self.controller.create(request, image=image,
|
||||||
extra_properties=extra_props,
|
extra_properties=extra_props,
|
||||||
tags=[])
|
tags=[])
|
||||||
another_request = unit_test_utils.get_fake_request(roles=['joe_soap'])
|
another_request = unit_test_utils.get_fake_request(roles=['member',
|
||||||
|
'joe_soap'])
|
||||||
changes = [
|
changes = [
|
||||||
{'op': 'replace', 'path': ['x_all_permitted'], 'value': 'baz'},
|
{'op': 'replace', 'path': ['x_all_permitted'], 'value': 'baz'},
|
||||||
]
|
]
|
||||||
@ -1911,11 +1913,12 @@ class TestImagesController(base.IsolatedUnitTest):
|
|||||||
created_image = self.controller.create(request, image=image,
|
created_image = self.controller.create(request, image=image,
|
||||||
extra_properties=extra_props,
|
extra_properties=extra_props,
|
||||||
tags=[])
|
tags=[])
|
||||||
another_request = unit_test_utils.get_fake_request(roles=['fake_role'])
|
another_request = unit_test_utils.get_fake_request(roles=['member',
|
||||||
|
'fake_role'])
|
||||||
changes = [
|
changes = [
|
||||||
{'op': 'replace', 'path': ['x_none_update'], 'value': 'baz'},
|
{'op': 'replace', 'path': ['x_none_update'], 'value': 'baz'},
|
||||||
]
|
]
|
||||||
self.assertRaises(webob.exc.HTTPConflict, self.controller.update,
|
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
|
||||||
another_request, created_image.image_id, changes)
|
another_request, created_image.image_id, changes)
|
||||||
|
|
||||||
def test_delete_locked_down_protected_prop(self):
|
def test_delete_locked_down_protected_prop(self):
|
||||||
@ -1927,11 +1930,12 @@ class TestImagesController(base.IsolatedUnitTest):
|
|||||||
created_image = self.controller.create(request, image=image,
|
created_image = self.controller.create(request, image=image,
|
||||||
extra_properties=extra_props,
|
extra_properties=extra_props,
|
||||||
tags=[])
|
tags=[])
|
||||||
another_request = unit_test_utils.get_fake_request(roles=['fake_role'])
|
another_request = unit_test_utils.get_fake_request(roles=['member',
|
||||||
|
'fake_role'])
|
||||||
changes = [
|
changes = [
|
||||||
{'op': 'remove', 'path': ['x_none_delete']}
|
{'op': 'remove', 'path': ['x_none_delete']}
|
||||||
]
|
]
|
||||||
self.assertRaises(webob.exc.HTTPConflict, self.controller.update,
|
self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
|
||||||
another_request, created_image.image_id, changes)
|
another_request, created_image.image_id, changes)
|
||||||
|
|
||||||
def test_update_replace_locations_non_empty(self):
|
def test_update_replace_locations_non_empty(self):
|
||||||
|
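Review bot: The two assertions that move from `webob.exc.HTTPConflict` to `webob.exc.HTTPForbidden` (the `x_none_update` replace and the `x_none_delete` remove) change their expected status only because `'member'` was added to the request roles, and nothing in the tests records why. Presumably the property-protection fixture lets `member` read these properties, so the blocked write now surfaces as 403 where a caller who could not see the property got 409; the fixture is not visible here, so this needs confirming. I would add a comment above each assertion, e.g. `# 'member' can read this property, so the blocked write is a 403; a caller that cannot read it gets 409`, and consider keeping a case whose roles grant no read access so the hidden-property path stays covered. The same union-of-roles effect applies to the `['member', 'spl_role']` and `['member', 'joe_soap']` requests, where a successful update no longer shows which role granted it. The enclosing test methods begin outside these hunks.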