From f1b4dfd52bd37ff613b0f8c9156386b6032295b2 Mon Sep 17 00:00:00 2001
From: Yushiro FURUKAWA
Date: Tue, 7 Apr 2015 10:56:55 +0900
Subject: [PATCH] Add missed actions into policy.json
This patch adds following actions into policy.json.
1. v2.0/fw/firewall_policies/{firewall_policy_id}/insert_rule
2. v2.0/fw/firewall_policies/{firewall_policy_id}/remove_rule
Closes-Bug: #1439383
Change-Id: I8051a97852f0f1f21bf266c16a477a5e2fd32062
---
 etc/policy.json | 3 +++
 neutron/tests/etc/policy.json | 3 +++
 neutron/tests/unit/test_policy.py | 25 ++++++++++++++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/etc/policy.json b/etc/policy.json
index 8a5de9bf308..87f6b266897 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -102,6 +102,9 @@
 "update_firewall_policy": "rule:admin_or_owner",
 "delete_firewall_policy": "rule:admin_or_owner",
+ "insert_rule": "rule:admin_or_owner",
+ "remove_rule": "rule:admin_or_owner",
+
 "create_firewall_rule": "",
 "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
 "update_firewall_rule": "rule:admin_or_owner",
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index 8a5de9bf308..87f6b266897 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -102,6 +102,9 @@
 "update_firewall_policy": "rule:admin_or_owner",
 "delete_firewall_policy": "rule:admin_or_owner",
+ "insert_rule": "rule:admin_or_owner",
+ "remove_rule": "rule:admin_or_owner",
+
 "create_firewall_rule": "",
 "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
 "update_firewall_rule": "rule:admin_or_owner",
diff --git a/neutron/tests/unit/test_policy.py b/neutron/tests/unit/test_policy.py
index 63fc16475d4..5216d8e0b1f 100644
--- a/neutron/tests/unit/test_policy.py
+++ b/neutron/tests/unit/test_policy.py
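Review bot: `rule:admin_or_owner` on the new `insert_rule` and `remove_rule` entries is evaluated against the target of the request, which for these member actions is presumably the firewall policy being modified, so the check covers ownership of the policy but says nothing about the `firewall_rule_id` carried in the request body; whether a tenant can splice a rule it does not own (and that is not shared) into its own policy rests on plugin-side validation that is not in this hunk and should be confirmed before relying on this entry as the access control. The keys are bare action names rather than resource-prefixed ones like `update_firewall_policy`, so any other extension exposing a member action called `insert_rule` or `remove_rule` would be governed by the same two lines; if that is not intended, the policy enforcer's naming for member actions is worth checking. neutron/tests/etc/policy.json receives a byte-identical change (same index hashes), so the two files must be kept in sync.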
@@ -253,7 +253,10 @@ class NeutronPolicyTestCase(base.BaseTestCase):
 "get_firewall_policy": "rule:admin_or_owner or "
 "rule:shared",
 "get_firewall_rule": "rule:admin_or_owner or "
- "rule:shared"
+ "rule:shared",
+
+ "insert_rule": "rule:admin_or_owner",
+ "remove_rule": "rule:admin_or_owner",
 }.items())
 def remove_fake_resource():
@@ -272,6 +275,26 @@ class NeutronPolicyTestCase(base.BaseTestCase):
 fake_manager_instance = fake_manager.return_value
 fake_manager_instance.plugin = plugin_klass()
+ def test_firewall_policy_insert_rule_with_admin_context(self):
+ action = "insert_rule"
+ target = {}
+ result = policy.check(context.get_admin_context(), action, target)
+ self.assertTrue(result)
+
+ def test_firewall_policy_insert_rule_with_owner(self):
+ action = "insert_rule"
+ target = {"tenant_id": "own_tenant"}
+ user_context = context.Context('', "own_tenant", roles=['user'])
+ result = policy.check(user_context, action, target)
+ self.assertTrue(result)
+
+ def test_firewall_policy_remove_rule_without_admin_or_owner(self):
+ action = "remove_rule"
+ target = {"firewall_rule_id": "rule_id", "tenant_id": "tenantA"}
+ user_context = context.Context('', "another_tenant", roles=['user'])
+ result = policy.check(user_context, action, target)
+ self.assertFalse(result)
+
 def _test_action_on_attr(self, context, action, obj, attr, value,
 exception=None, **kwargs):
 action = "%s_%s" % (action, obj)
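Review bot: The two entries added to this in-test rule dict duplicate the ones added to etc/policy.json, and the tests further down call `policy.check()` against this dict rather than the shipped file, so a later drift between the fixture and etc/policy.json (for example someone relaxing `insert_rule` to `""` in the real file) would not be caught here. A one-line comment above the new entries, `# keep in sync with etc/policy.json (insert_rule / remove_rule)`, would at least make the coupling visible. The dict literal and its enclosing method start outside this hunk.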
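Review bot: The three new tests are asymmetric: `insert_rule` gets admin and owner positives but no non-owner negative, and `remove_rule` gets only a non-owner negative, so a regression that made `insert_rule` permissive (or `remove_rule` deny its owner) would still pass this suite. Adding the two mirror cases below, shaped like `test_firewall_policy_remove_rule_without_admin_or_owner`, closes that gap with the same `context.Context('', tenant, roles=['user'])` setup. The enclosing class `NeutronPolicyTestCase` starts outside this hunk; `_test_action_on_attr` continues past it.
```python
    def test_firewall_policy_insert_rule_without_admin_or_owner(self):
        action = "insert_rule"
        target = {"firewall_rule_id": "rule_id", "tenant_id": "tenantA"}
        user_context = context.Context('', "another_tenant", roles=['user'])
        result = policy.check(user_context, action, target)
        self.assertFalse(result)

    def test_firewall_policy_remove_rule_with_owner(self):
        action = "remove_rule"
        target = {"firewall_rule_id": "rule_id", "tenant_id": "own_tenant"}
        user_context = context.Context('', "own_tenant", roles=['user'])
        result = policy.check(user_context, action, target)
        self.assertTrue(result)
```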