Merge "[S-RBAC] Fix policies for CUD subnets APIs"

2023-06-22 11:51:32 +00:00 · 2023-06-22 11:51:32 +00:00 · aef2f285e4
parent 8887cdf5d3 6e3525188f
commit aef2f285e4
2 changed files with 26 additions and 7 deletions
--- a/neutron/conf/policies/subnet.py
+++ b/neutron/conf/policies/subnet.py
@ -36,13 +36,18 @@ ACTION_GET = [
    {'method': 'GET', 'path': RESOURCE_PATH},
 ]

+# TODO(slaweq): remove it once network will be added to the
+# EXT_PARENT_RESOURCE_MAPPING in neutron_lib and rule base.PARENT_OWNER_MEMBER
+# will be possible to use instead of RULE_NET_OWNER_MEMBER
+RULE_NET_OWNER_MEMBER = 'role:member and ' + base.RULE_NET_OWNER
+

 rules = [
    policy.DocumentedRuleDefault(
        name='create_subnet',
        check_str=neutron_policy.policy_or(
-            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_NET_OWNER),
+            base.ADMIN,
+            RULE_NET_OWNER_MEMBER),
        scope_types=['project'],
        description='Create a subnet',
        operations=ACTION_POST,
@ -112,7 +117,7 @@ rules = [
        name='update_subnet',
        check_str=neutron_policy.policy_or(
            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_NET_OWNER),
+            RULE_NET_OWNER_MEMBER),
        scope_types=['project'],
        description='Update a subnet',
        operations=ACTION_PUT,
@ -150,7 +155,7 @@ rules = [
        name='delete_subnet',
        check_str=neutron_policy.policy_or(
            base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_NET_OWNER),
+            RULE_NET_OWNER_MEMBER),
        scope_types=['project'],
        description='Delete a subnet',
        operations=ACTION_DELETE,
--- a/neutron/tests/unit/conf/policies/test_subnet.py
+++ b/neutron/tests/unit/conf/policies/test_subnet.py
@ -29,19 +29,33 @@ class SubnetAPITestCase(base.PolicyBaseTestCase):

        self.network = {
            'id': uuidutils.generate_uuid(),
+            'tenant_id': self.project_id,
            'project_id': self.project_id}
+        self.alt_network = {
+            'id': uuidutils.generate_uuid(),
+            'tenant_id': self.alt_project_id,
+            'project_id': self.alt_project_id}
+
+        networks = {
+            self.network['id']: self.network,
+            self.alt_network['id']: self.alt_network}

        self.target = {
            'project_id': self.project_id,
+            'tenant_id': self.project_id,
            'network_id': self.network['id'],
            'ext_parent_network_id': self.network['id']}
        self.alt_target = {
            'project_id': self.alt_project_id,
-            'network_id': self.network['id'],
-            'ext_parent_network_id': self.network['id']}
+            'tenant_id': self.alt_project_id,
+            'network_id': self.alt_network['id'],
+            'ext_parent_network_id': self.alt_network['id']}
+
+        def get_network(context, id, fields=None):
+            return networks.get(id)

        self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_network.return_value = self.network
+        self.plugin_mock.get_network.side_effect = get_network
        mock.patch(
            'neutron_lib.plugins.directory.get_plugin',
            return_value=self.plugin_mock).start()