From 830f03370fd7796bc93dbf2f10e3044e3f2d1172 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Thu, 25 Sep 2025 11:53:40 +0200
Subject: [PATCH] [S-RBAC] Fix policies for the l3_conntrack_helpers APIs

This patch updates l3_conntrack_helpers API policies so that POST, PUT and DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is allowed for the PARENT_OWNER_READER.

Additionally this patch fixes unit tests for the api policies for that APIs so that owner check is done during unit tests and issues like the one mentioned above can be catched by unit tests.

Closes-bug: #2125660
Change-Id: I1dc6eabbb666e5923d9c18465d10cdf95e472915
Signed-off-by: Slawek Kaplonski
(cherry picked from commit cb3331e52580a67fd6d65b3e44eca9b14fc9cefb)
---
 neutron/conf/policies/l3_conntrack_helper.py | 8 ++++----
 .../conf/policies/test_l3_conntrack_helper.py | 19 +++++++++++++++----
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/neutron/conf/policies/l3_conntrack_helper.py b/neutron/conf/policies/l3_conntrack_helper.py
index 42c73614a21..c55a8988509 100644
--- a/neutron/conf/policies/l3_conntrack_helper.py
+++ b/neutron/conf/policies/l3_conntrack_helper.py
@@ -32,7 +32,7 @@ rules = [
         name='create_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Create a router conntrack helper',
         operations=[
@@ -51,7 +51,7 @@ rules = [
         name='get_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_READER),
         scope_types=['project'],
         description='Get a router conntrack helper',
         operations=[
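Review bot: On the new side of the create hunk, `base.ADMIN_OR_PROJECT_MEMBER` is still OR-ed with the new `base.PARENT_OWNER_MEMBER`, so a member whose project matches the target's own `project_id` is authorized regardless of who owns the parent router. Whether that is safe depends on where a conntrack helper target's `project_id` comes from, which is not visible here: if the resource has no project_id attribute of its own and the API layer fills it from the caller's context, that first branch would let a member of any project create helpers on any router, which is the hole the parent-owner role check is meant to close. Please confirm against the resource's attribute map, and if the branch is intentional add a short comment above `check_str`, e.g. `# member of the helper's own project, or member of the parent router's project`. The rule entry this belongs to starts before the hunk and its `operations=[` list continues after it.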
@@ -74,7 +74,7 @@ rules = [
         name='update_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Update a router conntrack helper',
         operations=[
@@ -93,7 +93,7 @@ rules = [
         name='delete_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Delete a router conntrack helper',
         operations=[
diff --git a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
index eac73335eb2..d69f67942a7 100644
--- a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
+++ b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
@@ -29,18 +29,29 @@ class L3ConntrackHelperAPITestCase(base.PolicyBaseTestCase):
         self.router = {
             'id': uuidutils.generate_uuid(),
             'project_id': self.project_id}
+        self.alt_router = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.alt_project_id}
+
         self.target = {
             'project_id': self.project_id,
             'router_id': self.router['id'],
             'ext_parent_router_id': self.router['id']}
-
         self.alt_target = {
             'project_id': self.alt_project_id,
-            'router_id': self.router['id'],
-            'ext_parent_router_id': self.router['id']}
+            'router_id': self.alt_router['id'],
+            'ext_parent_router_id': self.alt_router['id']}
+
+        routers = {
+            self.router['id']: self.router,
+            self.alt_router['id']: self.alt_router,
+        }
+
+        def get_router(context, router_id, fields=None):
+            return routers[router_id]
 
         self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_router.return_value = self.router
+        self.plugin_mock.get_router.side_effect = get_router
         mock.patch(
             'neutron_lib.plugins.directory.get_plugin',
             return_value=self.plugin_mock).start()
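Review bot: The `get_router` stub added in the test hunk raises `KeyError` for any id not in `routers`, while the plugin it stands in for reports a missing router with a not-found exception, so a target that points at an unregistered router would fail inside the mock instead of exercising whatever path the policy engine takes for a missing parent. Either translate the miss into the same not-found exception the L3 plugin raises, or state that unknown ids are a test bug with `# Policy checks only need the parent's project_id; an unknown id is a test bug, hence KeyError`. The stub also ignores `context` and `fields`, which is fine for a pure policy test but deserves a word in that comment. The enclosing method (presumably setUp) starts before the hunk.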