3cc97ca806
As per the community goal of migrating the policy file the format from JSON to YAML[1], we need to do two things: 1. Change the default value of '[oslo_policy] policy_file'' config option from 'policy.json' to 'policy.yaml' with upgrade checks. 2. Deprecate the JSON formatted policy file on the project side via warning in doc and releasenotes. Also convert the neutron_lib/tests/etc/policy.json and neutron_lib/tests/etc/dummy_policy.json to policy.yaml file. Replace policy.json to policy.yaml ref from doc and tests. [1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html Change-Id: I63a41a21784fa6ce6d9c249f41991c0df3346135
75 lines
3.1 KiB
Python
75 lines
3.1 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from unittest import mock
|
|
|
|
from neutron_lib import context
|
|
from neutron_lib.policy import _engine as policy_engine
|
|
|
|
from neutron_lib.tests import _base as base
|
|
|
|
|
|
class TestPolicyEnforcer(base.BaseTestCase):
|
|
def setUp(self):
|
|
super(TestPolicyEnforcer, self).setUp()
|
|
# Isolate one _ROLE_ENFORCER per test case
|
|
mock.patch.object(policy_engine, '_ROLE_ENFORCER', None).start()
|
|
|
|
def test_init_reset(self):
|
|
self.assertIsNone(policy_engine._ROLE_ENFORCER)
|
|
policy_engine.init()
|
|
self.assertIsNotNone(policy_engine._ROLE_ENFORCER)
|
|
|
|
def test_check_user_is_not_admin(self):
|
|
ctx = context.Context('me', 'my_project')
|
|
self.assertFalse(policy_engine.check_is_admin(ctx))
|
|
|
|
def test_check_user_elevated_is_admin(self):
|
|
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
|
|
self.assertTrue(policy_engine.check_is_admin(ctx))
|
|
|
|
def test_check_is_admin_no_roles_no_admin(self):
|
|
policy_engine.init(policy_file='dummy_policy.yaml')
|
|
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
|
|
# With no admin role, elevated() should not work.
|
|
self.assertFalse(policy_engine.check_is_admin(ctx))
|
|
|
|
def test_check_user_elevated_is_admin_with_default_policy(self):
|
|
policy_engine.init(policy_file='no_policy.yaml')
|
|
ctx = context.Context('me', 'my_project', roles=['user']).elevated()
|
|
self.assertTrue(policy_engine.check_is_admin(ctx))
|
|
|
|
def test_check_is_advsvc_role(self):
|
|
ctx = context.Context('me', 'my_project', roles=['advsvc'])
|
|
self.assertTrue(policy_engine.check_is_advsvc(ctx))
|
|
|
|
def test_check_is_not_advsvc_user(self):
|
|
ctx = context.Context('me', 'my_project', roles=['user'])
|
|
self.assertFalse(policy_engine.check_is_advsvc(ctx))
|
|
|
|
def test_check_is_not_advsvc_admin(self):
|
|
ctx = context.Context('me', 'my_project').elevated()
|
|
self.assertTrue(policy_engine.check_is_admin(ctx))
|
|
self.assertFalse(policy_engine.check_is_advsvc(ctx))
|
|
|
|
def test_check_is_advsvc_no_roles_no_advsvc(self):
|
|
policy_engine.init(policy_file='dummy_policy.yaml')
|
|
ctx = context.Context('me', 'my_project', roles=['advsvc'])
|
|
# No advsvc role in the policy file, so cannot assume the role.
|
|
self.assertFalse(policy_engine.check_is_advsvc(ctx))
|
|
|
|
def test_check_is_advsvc_role_with_default_policy(self):
|
|
policy_engine.init(policy_file='no_policy.yaml')
|
|
ctx = context.Context('me', 'my_project', roles=['advsvc'])
|
|
self.assertTrue(policy_engine.check_is_advsvc(ctx))
|