Merge "Unit tests for auto_allocated_topology API policies"

2021-04-01 08:59:07 +00:00 · 2021-04-01 08:59:07 +00:00 · 07c0cc4a66
commit 07c0cc4a66
parent 3cbe340846 f6682b6b55
2 changed files with 134 additions and 0 deletions
--- a/neutron/tests/unit/conf/policies/base.py
+++ b/neutron/tests/unit/conf/policies/base.py
@ -37,6 +37,7 @@ class PolicyBaseTestCase(tests_base.BaseTestCase):
        self.user_id = uuidutils.generate_uuid()
        self._prepare_system_scope_personas()
        self._prepare_project_scope_personas()
+        self.alt_project_id = uuidutils.generate_uuid()

    def _prepare_system_scope_personas(self):
        self.system_admin_ctx = context.Context(
--- a/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py
+++ b/neutron/tests/unit/conf/policies/test_auto_allocated_topology.py
@ -0,0 +1,133 @@
+# Copyright (c) 2021 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_policy import policy as base_policy
+
+from neutron import policy
+from neutron.tests.unit.conf.policies import base
+
+GET_POLICY = 'get_auto_allocated_topology'
+DELETE_POLICY = 'delete_auto_allocated_topology'
+
+
+class AutoAllocatedTopologyAPITestCase(base.PolicyBaseTestCase):
+
+    def setUp(self):
+        super(AutoAllocatedTopologyAPITestCase, self).setUp()
+        self.target = {'project_id': self.project_id}
+        self.alt_target = {'project_id': self.alt_project_id}
+
+
+class SystemAdminTests(AutoAllocatedTopologyAPITestCase):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.context = self.system_admin_ctx
+
+    def test_get_topology(self):
+        # System admins can get topologies for any project.
+        self.assertTrue(policy.enforce(self.context, GET_POLICY, self.target))
+        self.assertTrue(policy.enforce(
+            self.context, GET_POLICY, self.alt_target))
+
+    def test_delete_topology(self):
+        # System admins can delete topologies for any project.
+        self.assertTrue(
+            policy.enforce(self.context, DELETE_POLICY, self.target)
+        )
+        self.assertTrue(
+            policy.enforce(self.context, DELETE_POLICY, self.alt_target)
+        )
+
+
+class SystemMemberTests(AutoAllocatedTopologyAPITestCase):
+
+    def setUp(self):
+        super(SystemMemberTests, self).setUp()
+        self.context = self.system_member_ctx
+
+    def test_delete_topology(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, DELETE_POLICY, self.target
+        )
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, DELETE_POLICY, self.alt_target
+        )
+
+
+class SystemReaderTests(SystemMemberTests):
+
+    def setUp(self):
+        super(SystemReaderTests, self).setUp()
+        self.context = self.system_reader_ctx
+
+
+class ProjectAdminTests(AutoAllocatedTopologyAPITestCase):
+
+    def setUp(self):
+        super(ProjectAdminTests, self).setUp()
+        self.context = self.project_admin_ctx
+
+    def test_get_topology(self):
+        self.assertTrue(policy.enforce(self.context, GET_POLICY, self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, GET_POLICY, self.alt_target
+        )
+
+    def test_delete_topology(self):
+        # Project members can delete topolies inside project, but not outside
+        # project
+        self.assertTrue(
+            policy.enforce(self.context, DELETE_POLICY, self.target)
+        )
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, DELETE_POLICY, self.alt_target
+        )
+
+
+class ProjectMemberTests(ProjectAdminTests):
+
+    def setUp(self):
+        super(ProjectMemberTests, self).setUp()
+        self.context = self.project_member_ctx
+
+
+class ProjectReaderTests(ProjectMemberTests):
+
+    def setUp(self):
+        super(ProjectReaderTests, self).setUp()
+        self.context = self.project_reader_ctx
+
+    def test_delete_topology(self):
+        # Project readers can't delete allocation topologies inside or outside
+        # of project
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, DELETE_POLICY, self.target
+        )
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, DELETE_POLICY, self.alt_target
+        )