[S-RBAC] Fix policies for the l3_conntrack_helpers APIs

This patch updates l3_conntrack_helpers API policies so that POST, PUT and DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is allowed for the PARENT_OWNER_READER. Additionally this patch fixes unit tests for the api policies for that APIs so that owner check is done during unit tests and issues like the one mentioned above can be catched by unit tests. Closes-bug: #2125660 Change-Id: I1dc6eabbb666e5923d9c18465d10cdf95e472915 Signed-off-by: Slawek Kaplonski <skaplons@redhat.com> (cherry picked from commit cb3331e525)
2025-09-25 11:53:40 +02:00
parent 5a96fc167e
commit 830f03370f
2 changed files with 19 additions and 8 deletions
--- a/neutron/conf/policies/l3_conntrack_helper.py
+++ b/neutron/conf/policies/l3_conntrack_helper.py
@@ -32,7 +32,7 @@ rules = [
        name='create_router_conntrack_helper',
        check_str=neutron_policy.policy_or(
            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
        scope_types=['project'],
        description='Create a router conntrack helper',
        operations=[
@@ -51,7 +51,7 @@ rules = [
        name='get_router_conntrack_helper',
        check_str=neutron_policy.policy_or(
            base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_READER),
        scope_types=['project'],
        description='Get a router conntrack helper',
        operations=[
@@ -74,7 +74,7 @@ rules = [
        name='update_router_conntrack_helper',
        check_str=neutron_policy.policy_or(
            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
        scope_types=['project'],
        description='Update a router conntrack helper',
        operations=[
@@ -93,7 +93,7 @@ rules = [
        name='delete_router_conntrack_helper',
        check_str=neutron_policy.policy_or(
            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
        scope_types=['project'],
        description='Delete a router conntrack helper',
        operations=[
--- a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
+++ b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
@@ -29,18 +29,29 @@ class L3ConntrackHelperAPITestCase(base.PolicyBaseTestCase):
        self.router = {
            'id': uuidutils.generate_uuid(),
            'project_id': self.project_id}
+        self.alt_router = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.alt_project_id}
+
        self.target = {
            'project_id': self.project_id,
            'router_id': self.router['id'],
            'ext_parent_router_id': self.router['id']}
-
        self.alt_target = {
            'project_id': self.alt_project_id,
-            'router_id': self.router['id'],
-            'ext_parent_router_id': self.router['id']}
+            'router_id': self.alt_router['id'],
+            'ext_parent_router_id': self.alt_router['id']}
+
+        routers = {
+            self.router['id']: self.router,
+            self.alt_router['id']: self.alt_router,
+        }
+
+        def get_router(context, router_id, fields=None):
+            return routers[router_id]

        self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_router.return_value = self.router
+        self.plugin_mock.get_router.side_effect = get_router
        mock.patch(
            'neutron_lib.plugins.directory.get_plugin',
            return_value=self.plugin_mock).start()