Merge "Add policy rules for extraroute-atomic API"

2021-07-05 13:28:52 +00:00 · 2021-07-05 13:28:52 +00:00 · 3764969b82
parent bf7a6061a0 4df01d6eaa
commit 3764969b82
2 changed files with 164 additions and 0 deletions
--- a/neutron/conf/policies/router.py
+++ b/neutron/conf/policies/router.py
@ -299,6 +299,40 @@ rules = [
            deprecated_reason=DEPRECATED_REASON,
            deprecated_since=versionutils.deprecated.WALLABY)
    ),
+    policy.DocumentedRuleDefault(
+        name='add_extraroutes',
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        scope_types=['system', 'project'],
+        description='Add extra route to a router',
+        operations=[
+            {
+                'method': 'PUT',
+                'path': '/routers/{id}/add_extraroutes',
+            },
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='add_extraroutes',
+            check_str=base.RULE_ADMIN_OR_OWNER,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since="Xena")
+    ),
+    policy.DocumentedRuleDefault(
+        name='remove_extraroutes',
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        scope_types=['system', 'project'],
+        description='Remove extra route from a router',
+        operations=[
+            {
+                'method': 'PUT',
+                'path': '/routers/{id}/remove_extraroutes',
+            },
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='remove_extraroutes',
+            check_str=base.RULE_ADMIN_OR_OWNER,
+            deprecated_reason=DEPRECATED_REASON,
+            deprecated_since="Xena")
+    ),
 ]


--- a/neutron/tests/unit/conf/policies/test_router.py
+++ b/neutron/tests/unit/conf/policies/test_router.py
@ -14,6 +14,7 @@
 # limitations under the License.

 from oslo_policy import policy as base_policy
+from oslo_utils import uuidutils

 from neutron import policy
 from neutron.tests.unit.conf.policies import base
@ -728,3 +729,132 @@ class ProjectReaderTests(ProjectMemberTests):
            base_policy.PolicyNotAuthorized,
            policy.enforce,
            self.context, 'remove_router_interface', self.alt_target)
+
+
+class ExtrarouteAPITestCase(base.PolicyBaseTestCase):
+
+    def setUp(self):
+        super(ExtrarouteAPITestCase, self).setUp()
+        self.router = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.project_id}
+
+        self.target = {
+            'project_id': self.project_id,
+            'router_id': self.router['id'],
+            'ext_parent_router_id': self.router['id']}
+        self.alt_target = {
+            'project_id': self.alt_project_id,
+            'router_id': self.router['id'],
+            'ext_parent_router_id': self.router['id']}
+
+
+class SystemAdminExtrarouteTests(ExtrarouteAPITestCase):
+
+    def setUp(self):
+        super(SystemAdminExtrarouteTests, self).setUp()
+        self.context = self.system_admin_ctx
+
+    def test_add_extraroute(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'add_extraroutes', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'add_extraroutes', self.alt_target))
+
+    def test_remove_extraroute(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'remove_extraroutes', self.target))
+        self.assertTrue(
+            policy.enforce(
+                self.context, 'remove_extraroutes', self.alt_target))
+
+
+class SystemMemberExtrarouteTests(SystemAdminExtrarouteTests):
+
+    def setUp(self):
+        super(SystemMemberExtrarouteTests, self).setUp()
+        self.context = self.system_member_ctx
+
+    def test_add_extraroute(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_extraroutes', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_extraroutes', self.alt_target)
+
+    def test_remove_extraroute(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_extraroutes', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_extraroutes', self.alt_target)
+
+
+class SystemReaderExtrarouteTests(SystemMemberExtrarouteTests):
+
+    def setUp(self):
+        super(SystemReaderExtrarouteTests, self).setUp()
+        self.context = self.system_reader_ctx
+
+
+class ProjectAdminExtrarouteTests(ExtrarouteAPITestCase):
+
+    def setUp(self):
+        super(ProjectAdminExtrarouteTests, self).setUp()
+        self.context = self.project_admin_ctx
+
+    def test_add_extraroute(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'add_extraroutes', self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_extraroutes', self.alt_target)
+
+    def test_remove_extraroute(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'remove_extraroutes', self.target))
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_extraroutes', self.alt_target)
+
+
+class ProjectMemberExtrarouteTests(ProjectAdminExtrarouteTests):
+
+    def setUp(self):
+        super(ProjectMemberExtrarouteTests, self).setUp()
+        self.context = self.project_member_ctx
+
+
+class ProjectReaderExtrarouteTests(ProjectMemberExtrarouteTests):
+
+    def setUp(self):
+        super(ProjectReaderExtrarouteTests, self).setUp()
+        self.context = self.project_reader_ctx
+
+    def test_add_extraroute(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_extraroutes', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_extraroutes', self.alt_target)
+
+    def test_remove_extraroute(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_extraroutes', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_extraroutes', self.alt_target)