Merge "Use default policies in our tests"

glance/tests/etc/policy.yaml

@@ -1,164 +1,4 @@
-# Defines the default rule used for policies that historically had an
+# FIXME (abhishekk): This special rule is required in unit tests
-# empty policy in the supplied policy.yaml file.
+# to test property protection using policies. Need to make provision
-#"default": ""
+# to set such rules on the fly.
-
-# Defines the rule for the is_admin:True check.
-#"context_is_admin": "role:admin"
-
-# Default for admin-only metadef rules
-"metadef_admin": "role:admin"
-
-# add_image
-"add_image": ""
-
-# delete_image
-"delete_image": ""
-
-# get_image
-"get_image": ""
-
-# get_images
-"get_images": ""
-
-# modify_image
-"modify_image": ""
-
-# publicize_image
-"publicize_image": ""
-
-# communitize_image
-"communitize_image": ""
-
-# download_image
-"download_image": ""
-
-# upload_image
-"upload_image": ""
-
-# delete_image_location
-"delete_image_location": ""
-
-# get_image_location
-"get_image_location": ""
-
-# set_image_location
-"set_image_location": ""
-
-# add_member
-"add_member": ""
-
-# delete_member
-"delete_member": ""
-
-# get_member
-"get_member": ""
-
-# get_members
-"get_members": ""
-
-# modify_member
-"modify_member": ""
-
-# manage_image_cache
-"manage_image_cache": ""
-
-# deactivate
-"deactivate": ""
-
-# reactivate
-"reactivate": ""
-
-# get_task
-"get_task": "role:admin"
-
-# get_tasks
-"get_tasks": "role:admin"
-
-# add_task
-"add_task": "role:admin"
-
-# modify_task
-"modify_task": "role:admin"
-
-# get_metadef_namespace
-"get_metadef_namespace": ""
-
-# get_metadef_namespaces
-"get_metadef_namespaces": ""
-
-# modify_metadef_namespace
-"modify_metadef_namespace": "rule:metadef_admin"
-
-# add_metadef_namespace
-"add_metadef_namespace": "rule:metadef_admin"
-
-# delete_metadef_namespace
-"delete_metadef_namespace": "rule:metadef_admin"
-
-# get_metadef_object
-"get_metadef_object": ""
-
-# get_metadef_objects
-"get_metadef_objects": ""
-
-# modify_metadef_object
-"modify_metadef_object": "rule:metadef_admin"
-
-# add_metadef_object
-"add_metadef_object": "rule:metadef_admin"
-
-# delete_metadef_object
-"delete_metadef_object": "rule:metadef_admin"
-
-# list_metadef_resource_types
-"list_metadef_resource_types": ""
-
-# get_metadef_resource_type
-"get_metadef_resource_type": ""
-
-# add_metadef_resource_type_association
-"add_metadef_resource_type_association": "rule:metadef_admin"
-
-# remove_metadef_resource_type_association
-"remove_metadef_resource_type_association": "rule:metadef_admin"
-
-# get_metadef_property
-"get_metadef_property": ""
-
-# get_metadef_properties
-"get_metadef_properties": ""
-
-# modify_metadef_property
-"modify_metadef_property": "rule:metadef_admin"
-
-# add_metadef_property
-"add_metadef_property": "rule:metadef_admin"
-
-# remove_metadef_property
-"remove_metadef_property": "rule:metadef_admin"
-
-# get_metadef_tag
-"get_metadef_tag": ""
-
-# get_metadef_tags
-"get_metadef_tags": ""
-
-# modify_metadef_tag
-"modify_metadef_tag": "rule:metadef_admin"
-
-# add_metadef_tag
-"add_metadef_tag": "rule:metadef_admin"
-
-# add_metadef_tags
-"add_metadef_tags": "rule:metadef_admin"
-
-# delete_metadef_tag
-"delete_metadef_tag": "rule:metadef_admin"
-
-# delete_metadef_tags
-"delete_metadef_tags": "rule:metadef_admin"
-
-# WARNING: Below rules are either deprecated rules
-# or extra rules in policy file, it is strongly
-# recommended to switch to new rules.
 "glance_creator": "role:admin or role:spl_role"

glance/tests/functional/__init__.py

@@ -804,7 +804,6 @@ class FunctionalTest(test_utils.BaseTestCase):
         conf_dir = os.path.join(self.test_dir, 'etc')
         utils.safe_mkdirs(conf_dir)
         self.copy_data_file('schema-image.json', conf_dir)
-        self.copy_data_file('policy.yaml', conf_dir)
         self.copy_data_file('property-protections.conf', conf_dir)
         self.copy_data_file('property-protections-policies.conf', conf_dir)
         self.property_file_roles = os.path.join(conf_dir,
@@ -1153,7 +1152,6 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
         conf_dir = os.path.join(self.test_dir, 'etc')
         utils.safe_mkdirs(conf_dir)
         self.copy_data_file('schema-image.json', conf_dir)
-        self.copy_data_file('policy.yaml', conf_dir)
         self.copy_data_file('property-protections.conf', conf_dir)
         self.copy_data_file('property-protections-policies.conf', conf_dir)
         self.property_file_roles = os.path.join(conf_dir,

glance/tests/functional/serial/test_scrubber.py

@@ -57,7 +57,8 @@ class TestScrubber(functional.FunctionalTest):
 
     def _send_create_image_http_request(self, path, body=None):
         headers = {
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
+            "X-Roles": "admin",
         }
         body = body or {'container_format': 'ovf',
                         'disk_format': 'raw',

glance/tests/functional/test_cache_middleware.py

@@ -59,7 +59,8 @@ class BaseCacheMiddlewareTest(object):
         # Add an image and verify success
         path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
         http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
         image_entity = {
             'name': 'Image1',
             'visibility': 'public',
@@ -121,7 +122,8 @@ class BaseCacheMiddlewareTest(object):
         # Add an image and verify success
         path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
         http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
         image_entity = {
             'name': 'Image1',
             'visibility': 'public',
@@ -187,7 +189,8 @@ class BaseCacheMiddlewareTest(object):
         # Add an image and verify success
         path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
         http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
         image_entity = {
             'name': 'Image1',
             'visibility': 'public',
@@ -269,7 +272,8 @@ class BaseCacheMiddlewareTest(object):
         # Add an image and verify success
         path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
         http = httplib2.Http()
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
         image_entity = {
             'name': 'Image1',
             'visibility': 'public',

glance/tests/functional/v2/test_images.py

@@ -785,7 +785,8 @@ class TestImages(functional.FunctionalTest):
         # Change the image to public so TENANT2 can see it
         path = self._url('/v2/images/%s' % image_id)
         media_type = 'application/openstack-images-v2.0-json-patch'
-        headers = self._headers({'content-type': media_type})
+        headers = self._headers({'content-type': media_type,
+                                 'X-Roles': 'admin'})
         data = jsonutils.dumps([{"replace": "/visibility", "value": "public"}])
         response = requests.patch(path, headers=headers, data=data)
         self.assertEqual(http.OK, response.status_code, response.text)
@@ -2423,6 +2424,10 @@ class TestImages(functional.FunctionalTest):
 
     def test_property_protections_with_policies(self):
         # Enable property protection
+        rules = {
+            "glance_creator": "role:admin or role:spl_role"
+        }
+        self.set_policy_rules(rules)
         self.api_server.property_protection_file = self.property_file_policies
         self.api_server.property_protection_rule_format = 'policies'
         self.start_servers(**self.__dict__.copy())
@@ -3789,7 +3794,8 @@ class TestImageDirectURLVisibility(functional.FunctionalTest):
 
         # Create an image
         path = self._url('/v2/images')
-        headers = self._headers({'content-type': 'application/json'})
+        headers = self._headers({'content-type': 'application/json',
+                                 'X-Roles': 'admin'})
         data = jsonutils.dumps({'name': 'image-1', 'type': 'kernel',
                                 'foo': 'bar', 'disk_format': 'aki',
                                 'container_format': 'aki',
@@ -4073,9 +4079,13 @@ class TestImageMembers(functional.FunctionalTest):
         for owner in owners:
             for visibility in visibilities:
                 path = self._url('/v2/images')
+                role = 'member'
+                if visibility == 'public':
+                    role = 'admin'
                 headers = self._headers({
                     'content-type': 'application/json',
                     'X-Auth-Token': 'createuser:%s:admin' % owner,
+                    'X-Roles': role,
                 })
                 data = jsonutils.dumps({
                     'name': '%s-%s' % (owner, visibility),
@@ -6385,9 +6395,14 @@ class TestMultiStoreImageMembers(functional.MultipleBackendFunctionalTest):
             for owner in owners:
                 for visibility in visibilities:
                     path = self._url('/v2/images')
+                    role = 'member'
+                    if visibility == 'public':
+                        role = 'admin'
+
                     headers = self._headers(custom_headers={
                         'content-type': 'application/json',
                         'X-Auth-Token': 'createuser:%s:admin' % owner,
+                        'X-Roles': role,
                     })
                     data = jsonutils.dumps({
                         'name': '%s-%s' % (owner, visibility),