Merge "Use default policies in our tests"

Zuul 2021-07-01 14:35:50 +00:00 committed by Gerrit Code Review
commit e788d68ef4
5 changed files with 30 additions and 172 deletions


@ -1,164 +1,4 @@
# Defines the default rule used for policies that historically had an # FIXME (abhishekk): This special rule is required in unit tests
# empty policy in the supplied policy.yaml file. # to test property protection using policies. Need to make provision
#"default": "" # to set such rules on the fly.
# Defines the rule for the is_admin:True check.
#"context_is_admin": "role:admin"
# Default for admin-only metadef rules
"metadef_admin": "role:admin"
# add_image
"add_image": ""
# delete_image
"delete_image": ""
# get_image
"get_image": ""
# get_images
"get_images": ""
# modify_image
"modify_image": ""
# publicize_image
"publicize_image": ""
# communitize_image
"communitize_image": ""
# download_image
"download_image": ""
# upload_image
"upload_image": ""
# delete_image_location
"delete_image_location": ""
# get_image_location
"get_image_location": ""
# set_image_location
"set_image_location": ""
# add_member
"add_member": ""
# delete_member
"delete_member": ""
# get_member
"get_member": ""
# get_members
"get_members": ""
# modify_member
"modify_member": ""
# manage_image_cache
"manage_image_cache": ""
# deactivate
"deactivate": ""
# reactivate
"reactivate": ""
# get_task
"get_task": "role:admin"
# get_tasks
"get_tasks": "role:admin"
# add_task
"add_task": "role:admin"
# modify_task
"modify_task": "role:admin"
# get_metadef_namespace
"get_metadef_namespace": ""
# get_metadef_namespaces
"get_metadef_namespaces": ""
# modify_metadef_namespace
"modify_metadef_namespace": "rule:metadef_admin"
# add_metadef_namespace
"add_metadef_namespace": "rule:metadef_admin"
# delete_metadef_namespace
"delete_metadef_namespace": "rule:metadef_admin"
# get_metadef_object
"get_metadef_object": ""
# get_metadef_objects
"get_metadef_objects": ""
# modify_metadef_object
"modify_metadef_object": "rule:metadef_admin"
# add_metadef_object
"add_metadef_object": "rule:metadef_admin"
# delete_metadef_object
"delete_metadef_object": "rule:metadef_admin"
# list_metadef_resource_types
"list_metadef_resource_types": ""
# get_metadef_resource_type
"get_metadef_resource_type": ""
# add_metadef_resource_type_association
"add_metadef_resource_type_association": "rule:metadef_admin"
# remove_metadef_resource_type_association
"remove_metadef_resource_type_association": "rule:metadef_admin"
# get_metadef_property
"get_metadef_property": ""
# get_metadef_properties
"get_metadef_properties": ""
# modify_metadef_property
"modify_metadef_property": "rule:metadef_admin"
# add_metadef_property
"add_metadef_property": "rule:metadef_admin"
# remove_metadef_property
"remove_metadef_property": "rule:metadef_admin"
# get_metadef_tag
"get_metadef_tag": ""
# get_metadef_tags
"get_metadef_tags": ""
# modify_metadef_tag
"modify_metadef_tag": "rule:metadef_admin"
# add_metadef_tag
"add_metadef_tag": "rule:metadef_admin"
# add_metadef_tags
"add_metadef_tags": "rule:metadef_admin"
# delete_metadef_tag
"delete_metadef_tag": "rule:metadef_admin"
# delete_metadef_tags
"delete_metadef_tags": "rule:metadef_admin"
# WARNING: Below rules are either deprecated rules
# or extra rules in policy file, it is strongly
# recommended to switch to new rules.
"glance_creator": "role:admin or role:spl_role" "glance_creator": "role:admin or role:spl_role"


@ -804,7 +804,6 @@ class FunctionalTest(test_utils.BaseTestCase):
conf_dir = os.path.join(self.test_dir, 'etc') conf_dir = os.path.join(self.test_dir, 'etc')
utils.safe_mkdirs(conf_dir) utils.safe_mkdirs(conf_dir)
self.copy_data_file('schema-image.json', conf_dir) self.copy_data_file('schema-image.json', conf_dir)
self.copy_data_file('policy.yaml', conf_dir)
self.copy_data_file('property-protections.conf', conf_dir) self.copy_data_file('property-protections.conf', conf_dir)
self.copy_data_file('property-protections-policies.conf', conf_dir) self.copy_data_file('property-protections-policies.conf', conf_dir)
self.property_file_roles = os.path.join(conf_dir, self.property_file_roles = os.path.join(conf_dir,
@ -1153,7 +1152,6 @@ class MultipleBackendFunctionalTest(test_utils.BaseTestCase):
conf_dir = os.path.join(self.test_dir, 'etc') conf_dir = os.path.join(self.test_dir, 'etc')
utils.safe_mkdirs(conf_dir) utils.safe_mkdirs(conf_dir)
self.copy_data_file('schema-image.json', conf_dir) self.copy_data_file('schema-image.json', conf_dir)
self.copy_data_file('policy.yaml', conf_dir)
self.copy_data_file('property-protections.conf', conf_dir) self.copy_data_file('property-protections.conf', conf_dir)
self.copy_data_file('property-protections-policies.conf', conf_dir) self.copy_data_file('property-protections-policies.conf', conf_dir)
self.property_file_roles = os.path.join(conf_dir, self.property_file_roles = os.path.join(conf_dir,


@ -57,7 +57,8 @@ class TestScrubber(functional.FunctionalTest):
def _send_create_image_http_request(self, path, body=None): def _send_create_image_http_request(self, path, body=None):
headers = { headers = {
"Content-Type": "application/json" "Content-Type": "application/json",
"X-Roles": "admin",
} }
body = body or {'container_format': 'ovf', body = body or {'container_format': 'ovf',
'disk_format': 'raw', 'disk_format': 'raw',
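Review bot: `_send_create_image_http_request` now sends `"X-Roles": "admin"` on every image create, and nothing in the helper says which default rule makes admin necessary. Elsewhere in this commit admin is chosen only when the image is public, so if the default body here is not always public, the scrubber tests no longer exercise creation as an ordinary member and would not notice a default rule becoming too permissive or too strict for that role. A one-line comment above the header naming the rule that needs admin would record the reason; if only some callers need it, the role could be passed in by the caller instead of being fixed in the helper. The helper's body continues past the end of the hunk, so the default request body is only partly visible here.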


@ -59,7 +59,8 @@ class BaseCacheMiddlewareTest(object):
# Add an image and verify success # Add an image and verify success
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port) path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
http = httplib2.Http() http = httplib2.Http()
headers = self._headers({'content-type': 'application/json'}) headers = self._headers({'content-type': 'application/json',
'X-Roles': 'admin'})
image_entity = { image_entity = {
'name': 'Image1', 'name': 'Image1',
'visibility': 'public', 'visibility': 'public',
@ -121,7 +122,8 @@ class BaseCacheMiddlewareTest(object):
# Add an image and verify success # Add an image and verify success
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port) path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
http = httplib2.Http() http = httplib2.Http()
headers = self._headers({'content-type': 'application/json'}) headers = self._headers({'content-type': 'application/json',
'X-Roles': 'admin'})
image_entity = { image_entity = {
'name': 'Image1', 'name': 'Image1',
'visibility': 'public', 'visibility': 'public',
@ -187,7 +189,8 @@ class BaseCacheMiddlewareTest(object):
# Add an image and verify success # Add an image and verify success
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port) path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
http = httplib2.Http() http = httplib2.Http()
headers = self._headers({'content-type': 'application/json'}) headers = self._headers({'content-type': 'application/json',
'X-Roles': 'admin'})
image_entity = { image_entity = {
'name': 'Image1', 'name': 'Image1',
'visibility': 'public', 'visibility': 'public',
@ -269,7 +272,8 @@ class BaseCacheMiddlewareTest(object):
# Add an image and verify success # Add an image and verify success
path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port) path = "http://%s:%d/v2/images" % ("127.0.0.1", self.api_port)
http = httplib2.Http() http = httplib2.Http()
headers = self._headers({'content-type': 'application/json'}) headers = self._headers({'content-type': 'application/json',
'X-Roles': 'admin'})
image_entity = { image_entity = {
'name': 'Image1', 'name': 'Image1',
'visibility': 'public', 'visibility': 'public',
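Review bot: The header dict with `'X-Roles': 'admin'` is now repeated verbatim in all four hunks of `BaseCacheMiddlewareTest`, and none of them says why the role is needed. Each of these requests creates an image with `'visibility': 'public'`, which is presumably the operation the default policy restricts to admins; a comment on the first occurrence such as `# creating a public image is admin-only under the default policy` would make that explicit. A small private helper returning these headers would keep the reasoning in one place and make it harder for a later edit to drop the role in only one of the tests. The test methods start and end outside the hunks, so whether later requests in them reuse these headers cannot be seen here.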


@ -785,7 +785,8 @@ class TestImages(functional.FunctionalTest):
# Change the image to public so TENANT2 can see it # Change the image to public so TENANT2 can see it
path = self._url('/v2/images/%s' % image_id) path = self._url('/v2/images/%s' % image_id)
media_type = 'application/openstack-images-v2.0-json-patch' media_type = 'application/openstack-images-v2.0-json-patch'
headers = self._headers({'content-type': media_type}) headers = self._headers({'content-type': media_type,
'X-Roles': 'admin'})
data = jsonutils.dumps([{"replace": "/visibility", "value": "public"}]) data = jsonutils.dumps([{"replace": "/visibility", "value": "public"}])
response = requests.patch(path, headers=headers, data=data) response = requests.patch(path, headers=headers, data=data)
self.assertEqual(http.OK, response.status_code, response.text) self.assertEqual(http.OK, response.status_code, response.text)
@ -2423,6 +2424,10 @@ class TestImages(functional.FunctionalTest):
def test_property_protections_with_policies(self): def test_property_protections_with_policies(self):
# Enable property protection # Enable property protection
rules = {
"glance_creator": "role:admin or role:spl_role"
}
self.set_policy_rules(rules)
self.api_server.property_protection_file = self.property_file_policies self.api_server.property_protection_file = self.property_file_policies
self.api_server.property_protection_rule_format = 'policies' self.api_server.property_protection_rule_format = 'policies'
self.start_servers(**self.__dict__.copy()) self.start_servers(**self.__dict__.copy())
@ -3789,7 +3794,8 @@ class TestImageDirectURLVisibility(functional.FunctionalTest):
# Create an image # Create an image
path = self._url('/v2/images') path = self._url('/v2/images')
headers = self._headers({'content-type': 'application/json'}) headers = self._headers({'content-type': 'application/json',
'X-Roles': 'admin'})
data = jsonutils.dumps({'name': 'image-1', 'type': 'kernel', data = jsonutils.dumps({'name': 'image-1', 'type': 'kernel',
'foo': 'bar', 'disk_format': 'aki', 'foo': 'bar', 'disk_format': 'aki',
'container_format': 'aki', 'container_format': 'aki',
@ -4073,9 +4079,13 @@ class TestImageMembers(functional.FunctionalTest):
for owner in owners: for owner in owners:
for visibility in visibilities: for visibility in visibilities:
path = self._url('/v2/images') path = self._url('/v2/images')
role = 'member'
if visibility == 'public':
role = 'admin'
headers = self._headers({ headers = self._headers({
'content-type': 'application/json', 'content-type': 'application/json',
'X-Auth-Token': 'createuser:%s:admin' % owner, 'X-Auth-Token': 'createuser:%s:admin' % owner,
'X-Roles': role,
}) })
data = jsonutils.dumps({ data = jsonutils.dumps({
'name': '%s-%s' % (owner, visibility), 'name': '%s-%s' % (owner, visibility),
@ -6385,9 +6395,14 @@ class TestMultiStoreImageMembers(functional.MultipleBackendFunctionalTest):
for owner in owners: for owner in owners:
for visibility in visibilities: for visibility in visibilities:
path = self._url('/v2/images') path = self._url('/v2/images')
role = 'member'
if visibility == 'public':
role = 'admin'
headers = self._headers(custom_headers={ headers = self._headers(custom_headers={
'content-type': 'application/json', 'content-type': 'application/json',
'X-Auth-Token': 'createuser:%s:admin' % owner, 'X-Auth-Token': 'createuser:%s:admin' % owner,
'X-Roles': role,
}) })
data = jsonutils.dumps({ data = jsonutils.dumps({
'name': '%s-%s' % (owner, visibility), 'name': '%s-%s' % (owner, visibility),
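Review bot: In the `TestImageMembers` and `TestMultiStoreImageMembers` hunks the request still carries `'X-Auth-Token': 'createuser:%s:admin' % owner` while `'X-Roles'` is now `'member'` for non-public images, so a reader cannot tell from the test which of the two decides the effective role. If `X-Roles` overrides the role embedded in the token (not visible in these hunks), say so next to the assignment, e.g. `# X-Roles takes precedence over the role in the token; only public images need admin`. Without that, the test looks as if it runs as admin throughout and the member-level coverage it adds is easy to miss or undo. The role choice itself reads more directly as `role = 'admin' if visibility == 'public' else 'member'`. Both loops continue outside their hunks.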