Add missed actions into policy.json

This patch adds following actions into policy.json. 1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule 2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule Closes-Bug: #1439383 Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062
2015-04-07 10:56:55 +09:00 · 2015-04-07 10:56:55 +09:00 · f1b4dfd52b
parent 48c336e450
commit f1b4dfd52b
3 changed files with 30 additions and 1 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -102,6 +102,9 @@
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",

+    "insert_rule": "rule:admin_or_owner",
+    "remove_rule": "rule:admin_or_owner",
+
    "create_firewall_rule": "",
    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
    "update_firewall_rule": "rule:admin_or_owner",
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@ -102,6 +102,9 @@
    "update_firewall_policy": "rule:admin_or_owner",
    "delete_firewall_policy": "rule:admin_or_owner",

+    "insert_rule": "rule:admin_or_owner",
+    "remove_rule": "rule:admin_or_owner",
+
    "create_firewall_rule": "",
    "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
    "update_firewall_rule": "rule:admin_or_owner",
--- a/neutron/tests/unit/test_policy.py
+++ b/neutron/tests/unit/test_policy.py
@ -253,7 +253,10 @@ class NeutronPolicyTestCase(base.BaseTestCase):
            "get_firewall_policy": "rule:admin_or_owner or "
                            "rule:shared",
            "get_firewall_rule": "rule:admin_or_owner or "
-                            "rule:shared"
+                            "rule:shared",
+
+            "insert_rule": "rule:admin_or_owner",
+            "remove_rule": "rule:admin_or_owner",
        }.items())

        def remove_fake_resource():
@ -272,6 +275,26 @@ class NeutronPolicyTestCase(base.BaseTestCase):
        fake_manager_instance = fake_manager.return_value
        fake_manager_instance.plugin = plugin_klass()

+    def test_firewall_policy_insert_rule_with_admin_context(self):
+        action = "insert_rule"
+        target = {}
+        result = policy.check(context.get_admin_context(), action, target)
+        self.assertTrue(result)
+
+    def test_firewall_policy_insert_rule_with_owner(self):
+        action = "insert_rule"
+        target = {"tenant_id": "own_tenant"}
+        user_context = context.Context('', "own_tenant", roles=['user'])
+        result = policy.check(user_context, action, target)
+        self.assertTrue(result)
+
+    def test_firewall_policy_remove_rule_without_admin_or_owner(self):
+        action = "remove_rule"
+        target = {"firewall_rule_id": "rule_id", "tenant_id": "tenantA"}
+        user_context = context.Context('', "another_tenant", roles=['user'])
+        result = policy.check(user_context, action, target)
+        self.assertFalse(result)
+
    def _test_action_on_attr(self, context, action, obj, attr, value,
                             exception=None, **kwargs):
        action = "%s_%s" % (action, obj)