openstack/ironic
Code Issues Proposed changes

Use ddt for existing policy tests

Browse Source 
This change aims to replicate the existing policy check tests using
ddt so that they can be represented in a declarative format.

The number of tests are expected to grow significantly with
secure-rbac, so the aim of this change is to explore how best to
represent the tests before the new tests are written.

Change-Id: Id1b60f5525773eadbe1b85797eeefdb70d73ae1d
This commit is contained in:
Steve Baker 2020-12-11 14:32:33 +13:00
parent 75134fc8d7
commit bf6e28fa64
1 changed files with 191 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

275
ironic/tests/unit/common/test_policy.py
View File

@ -18,6 +18,7 @@
import sys import sys
from unittest import mock from unittest import mock
import ddt
from oslo_config import cfg from oslo_config import cfg
from oslo_policy import policy as oslo_policy from oslo_policy import policy as oslo_policy
@ -26,110 +27,200 @@ from ironic.common import policy
from ironic.tests import base from ironic.tests import base
@ddt.ddt
class PolicyInCodeTestCase(base.TestCase): class PolicyInCodeTestCase(base.TestCase):
"""Tests whether the configuration of the policy engine is corect.""" """Tests whether the configuration of the policy engine is correct."""
def test_admin_api(self): @ddt.data(
creds = ({'roles': ['admin']}, dict(
rule='admin_api',
check=True,
targets=[],
creds=[
{'roles': ['admin']},
{'roles': ['administrator']}, {'roles': ['administrator']},
{'roles': ['admin', 'administrator']}) {'roles': ['admin', 'administrator']}
]),
for c in creds: dict(
self.assertTrue(policy.check('admin_api', c, c)) rule='admin_api',
check=False,
def test_public_api(self): targets=[],
creds = {'is_public_api': 'True'} creds=[{'roles': ['Member']}]),
self.assertTrue(policy.check('public_api', creds, creds)) dict(
rule='public_api',
def test_show_password(self): check=True,
creds = {'roles': [u'admin'], 'project_name': 'admin', targets=[],
'project_domain_id': 'default'} creds=[{'is_public_api': 'True'}]),
self.assertFalse(policy.check('show_password', creds, creds)) dict(
rule='public_api',
def test_is_member(self): check=False,
creds = [{'project_name': 'demo', 'project_domain_id': 'default'}, targets=[],
{'project_name': 'baremetal', 'project_domain_id': 'default'}, creds=[
{'is_public_api': 'False'},
{}
]),
dict(
rule='show_password',
check=False,
targets=[],
creds=[{
'roles': ['admin'],
'project_name': 'admin',
'project_domain_id': 'default'
}, {
'roles': ['admin'],
'tenant': 'demo'
}]),
dict(
rule='is_member',
check=True,
targets=[],
creds=[
{'project_name': 'demo', 'project_domain_id': 'default'},
{'project_name': 'baremetal',
'project_domain_id': 'default'},
{'project_name': 'demo', 'project_domain_id': None}, {'project_name': 'demo', 'project_domain_id': None},
{'project_name': 'baremetal', 'project_domain_id': None}] {'project_name': 'baremetal', 'project_domain_id': None}
for c in creds: ]),
self.assertTrue(policy.check('is_member', c, c)) dict(
c = {'project_name': 'demo1', 'project_domain_id': 'default2'} rule='is_member',
self.assertFalse(policy.check('is_member', c, c)) check=False,
targets=[],
def test_is_node_owner(self): creds=[{'project_name': 'demo1',
c1 = {'project_id': '1234', 'project_domain_id': 'default2'}]),
dict(
rule='is_node_owner',
check=True,
targets=[{
'node.owner': '1234',
'project_id': '1234',
'project_name': 'demo', 'project_name': 'demo',
'project_domain_id': 'default'} 'project_domain_id': 'default'
c2 = {'project_id': '5678', }],
creds=[{
'project_id': '1234',
'project_name': 'demo', 'project_name': 'demo',
'project_domain_id': 'default'} 'project_domain_id': 'default'
target = dict.copy(c1) }]),
target['node.owner'] = '1234' dict(
rule='is_node_owner',
self.assertTrue(policy.check('is_node_owner', target, c1)) check=False,
self.assertFalse(policy.check('is_node_owner', target, c2)) targets=[{
'node.owner': '1234',
def test_is_node_lessee(self): 'project_id': '1234',
c1 = {'project_id': '1234',
'project_name': 'demo', 'project_name': 'demo',
'project_domain_id': 'default'} 'project_domain_id': 'default'
c2 = {'project_id': '5678', }],
creds=[{
'project_id': '5678',
'project_name': 'demo', 'project_name': 'demo',
'project_domain_id': 'default'} 'project_domain_id': 'default'
target = dict.copy(c1) }]),
target['node.lessee'] = '1234' dict(
rule='is_node_lessee',
self.assertTrue(policy.check('is_node_lessee', target, c1)) check=True,
self.assertFalse(policy.check('is_node_lessee', target, c2)) targets=[{
'node.lessee': '1234',
def test_is_allocation_owner(self): 'project_id': '1234',
c1 = {'project_id': '1234',
'project_name': 'demo', 'project_name': 'demo',
'project_domain_id': 'default'} 'project_domain_id': 'default'
c2 = {'project_id': '5678', }],
creds=[{
'project_id': '1234',
'project_name': 'demo', 'project_name': 'demo',
'project_domain_id': 'default'} 'project_domain_id': 'default'
target = dict.copy(c1) }]),
target['allocation.owner'] = '1234' dict(
rule='is_node_lessee',
check=False,
targets=[{
'node.lessee': '1234',
'project_id': '1234',
'project_name': 'demo',
'project_domain_id': 'default'
}],
creds=[{
'project_id': '5678',
'project_name': 'demo',
'project_domain_id': 'default'
}]),
dict(
rule='is_allocation_owner',
check=True,
targets=[{
'allocation.owner': '1234',
'project_id': '1234',
'project_name': 'demo',
'project_domain_id': 'default'
}],
creds=[{
'project_id': '1234',
'project_name': 'demo',
'project_domain_id': 'default'
}]),
dict(
rule='is_allocation_owner',
check=False,
targets=[{
'allocation.owner': '1234',
'project_id': '1234',
'project_name': 'demo',
'project_domain_id': 'default'
}],
creds=[{
'project_id': '5678',
'project_name': 'demo',
'project_domain_id': 'default'
}]),
dict(
rule='baremetal:node:get',
check=True,
targets=[],
creds=[{
'roles': ['baremetal_observer'],
'project_name': 'demo',
'project_domain_id': 'default'
}]),
dict(
rule='baremetal:node:get',
check=False,
targets=[],
creds=[{'roles': ['generic_user'], 'tenant': 'demo'}]),
dict(
rule='baremetal:node:create',
check=True,
targets=[],
creds=[{
'roles': ['baremetal_admin'],
'project_name': 'demo',
'project_domain_id': 'default'
}]),
dict(
rule='baremetal:node:create',
check=False,
targets=[],
creds=[{
'roles': ['baremetal_observer'],
'tenant': 'demo'
}]),
)
@ddt.unpack
def test_creds(self, rule, check, targets, creds):
if not targets:
# when targets are not specified in the scenario,
# use the creds as the target dict
targets = creds
self.assertTrue(policy.check('is_allocation_owner', target, c1)) for target, creds in zip(targets, creds):
self.assertFalse(policy.check('is_allocation_owner', target, c2)) result = policy.check(rule, target, creds)
def test_node_get(self): if result != check:
creds = {'roles': ['baremetal_observer'], 'project_name': 'demo', msg = '%s should be %s for target %s, creds %s' % (
'project_domain_id': 'default'} rule, check, target, creds)
self.assertTrue(policy.check('baremetal:node:get', creds, creds)) if check:
self.assertTrue(result, msg)
def test_node_create(self): else:
creds = {'roles': ['baremetal_admin'], 'project_name': 'demo', self.assertFalse(result, msg)
'project_domain_id': 'default'}
self.assertTrue(policy.check('baremetal:node:create', creds, creds))
class PolicyInCodeTestCaseNegative(base.TestCase):
"""Tests whether the configuration of the policy engine is corect."""
def test_admin_api(self):
creds = {'roles': ['Member']}
self.assertFalse(policy.check('admin_api', creds, creds))
def test_public_api(self):
creds = ({'is_public_api': 'False'}, {})
for c in creds:
self.assertFalse(policy.check('public_api', c, c))
def test_show_password(self):
creds = {'roles': [u'admin'], 'tenant': 'demo'}
self.assertFalse(policy.check('show_password', creds, creds))
def test_node_get(self):
creds = {'roles': ['generic_user'], 'tenant': 'demo'}
self.assertFalse(policy.check('baremetal:node:get', creds, creds))
def test_node_create(self):
creds = {'roles': ['baremetal_observer'], 'tenant': 'demo'}
self.assertFalse(policy.check('baremetal:node:create', creds, creds))
class PolicyTestCase(base.TestCase): class PolicyTestCase(base.TestCase):