Add router `PUT` external gateways actions policies

In [1], released in neutron-lib 3.6.0, and available since 2023.2 (Bobcat), three new actions were added to the router resource: * PUT add_external_gateways * PUT update_external_gateways * PUT remove_external_gateways [1]https://review.opendev.org/c/openstack/neutron-lib/+/870887 Closes-Bug: #2098109 Related-Bug: #2002687 Change-Id: Idc502903fe6a45c9a18798b8d76036a8a1b7236a (cherry picked from commit 179807f417)
2025-02-13 07:37:42 +00:00
parent 0ca60e95e3
commit 706569c732
2 changed files with 134 additions and 0 deletions
--- a/neutron/conf/policies/router.py
+++ b/neutron/conf/policies/router.py
@@ -312,6 +312,27 @@ rules = [
        description='Update the router tags',
        operations=ACTION_PUT_TAGS,
    ),
+    policy.DocumentedRuleDefault(
+        name='add_external_gateways',
+        check_str=base.ADMIN,
+        scope_types=['project'],
+        description=('Add router external gateways'),
+        operations=ACTION_PUT,
+    ),
+    policy.DocumentedRuleDefault(
+        name='update_external_gateways',
+        check_str=base.ADMIN,
+        scope_types=['project'],
+        description=('Update router external gateways'),
+        operations=ACTION_PUT,
+    ),
+    policy.DocumentedRuleDefault(
+        name='remove_external_gateways',
+        check_str=base.ADMIN,
+        scope_types=['project'],
+        description=('Remove router external gateways'),
+        operations=ACTION_PUT,
+    ),

    policy.DocumentedRuleDefault(
        name='delete_router',
--- a/neutron/tests/unit/conf/policies/test_router.py
+++ b/neutron/tests/unit/conf/policies/test_router.py
@@ -292,6 +292,36 @@ class SystemAdminTests(RouterAPITestCase):
            policy.enforce,
            self.context, 'update_routers_tags', self.alt_target)

+    def test_add_external_gateways(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'add_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'add_external_gateways', self.alt_target)
+
+    def test_update_external_gateways(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'update_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'update_external_gateways', self.alt_target)
+
+    def test_remove_external_gateways(self):
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'remove_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.InvalidScope,
+            policy.enforce,
+            self.context, 'remove_external_gateways', self.alt_target)
+
    def test_delete_router(self):
        self.assertRaises(
            base_policy.InvalidScope,
@@ -534,6 +564,29 @@ class AdminTests(RouterAPITestCase):
            policy.enforce(self.context, 'update_routers_tags',
                           self.alt_target))

+    def test_add_external_gateways(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'add_external_gateways', self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'add_external_gateways',
+                           self.alt_target))
+
+    def test_update_external_gateways(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'update_external_gateways',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'update_external_gateways',
+                           self.alt_target))
+
+    def test_remove_external_gateways(self):
+        self.assertTrue(
+            policy.enforce(self.context, 'remove_external_gateways',
+                           self.target))
+        self.assertTrue(
+            policy.enforce(self.context, 'remove_external_gateways',
+                           self.alt_target))
+
    def test_delete_router(self):
        self.assertTrue(
            policy.enforce(self.context, 'delete_router', self.target))
@@ -794,6 +847,36 @@ class ProjectMemberTests(AdminTests):
            policy.enforce,
            self.context, 'update_routers_tags', self.alt_target)

+    def test_add_external_gateways(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_external_gateways', self.alt_target)
+
+    def test_update_external_gateways(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_external_gateways', self.alt_target)
+
+    def test_remove_external_gateways(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_external_gateways', self.alt_target)
+
    def test_delete_router(self):
        self.assertTrue(
            policy.enforce(self.context, 'delete_router', self.target))
@@ -913,6 +996,36 @@ class ProjectReaderTests(ProjectMemberTests):
            policy.enforce,
            self.context, 'update_routers_tags', self.alt_target)

+    def test_add_external_gateways(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'add_external_gateways', self.alt_target)
+
+    def test_update_external_gateways(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'update_external_gateways', self.alt_target)
+
+    def test_remove_external_gateways(self):
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_external_gateways', self.target)
+        self.assertRaises(
+            base_policy.PolicyNotAuthorized,
+            policy.enforce,
+            self.context, 'remove_external_gateways', self.alt_target)
+
    def test_delete_router(self):
        self.assertRaises(
            base_policy.PolicyNotAuthorized,