From 82699960ba144dd2ef6b5dce5f5b398d3c20cb5c Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Thu, 25 Sep 2025 11:32:06 +0200
Subject: [PATCH] [S-RBAC] Fix policies for the local_ip association APIs

This patch updates local_ip association API policies so that POST and DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is allowed for the PARENT_OWNER_READER. Additionally this patch fixes unit tests for the api policies for that APIs so that owner check is done during unit tests and issues like the one mentioned above can be catched by unit tests.

Closes-bug: #2125657
Change-Id: I6844995d2b4c6e5ec4e2772d48d1a2b606dc558b
Signed-off-by: Slawek Kaplonski
(cherry picked from commit cc3813b06381d9d9de0d3659e4ceca2b81eef6fb)
---
 neutron/conf/policies/local_ip_association.py | 6 +++---
 .../conf/policies/test_local_ip_association.py | 17 ++++++++++++++---
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/neutron/conf/policies/local_ip_association.py b/neutron/conf/policies/local_ip_association.py
index 7a718703a9a..dca973f5989 100644
--- a/neutron/conf/policies/local_ip_association.py
+++ b/neutron/conf/policies/local_ip_association.py
@@ -29,7 +29,7 @@ rules = [
 name='create_local_ip_port_association',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_PROJECT_MEMBER,
- base.RULE_PARENT_OWNER),
+ base.PARENT_OWNER_MEMBER),
 scope_types=['project'],
 description='Create a Local IP port association',
 operations=[
@@ -48,7 +48,7 @@ rules = [
 name='get_local_ip_port_association',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_PROJECT_READER,
- base.RULE_PARENT_OWNER),
+ base.PARENT_OWNER_READER),
 scope_types=['project'],
 description='Get a Local IP port association',
 operations=[
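Review bot: The new `check_str` in the create hunk, `policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)`, is not reflected in the rule's `description`, which still reads only 'Create a Local IP port association', so readers of the generated policy documentation do not learn that a member of the project owning the parent Local IP is also authorized. Consider `description='Create a Local IP port association (also allowed to members of the project owning the parent Local IP)'`, and the equivalent wording for the get hunk at @@ -48 (reader role) and the delete hunk at @@ -71 (member role), which apply the same pattern. If the replaced `base.RULE_PARENT_OWNER` carried no role constraint, this change also narrows what a reader-only user of the parent project could previously do on POST and DELETE, which deserves a release note next to the bug reference. The `rules` list starts before and continues after each of these hunks.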
@@ -71,7 +71,7 @@ rules = [
 name='delete_local_ip_port_association',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_PROJECT_MEMBER,
- base.RULE_PARENT_OWNER),
+ base.PARENT_OWNER_MEMBER),
 scope_types=['project'],
 description='Delete a Local IP port association',
 operations=[
diff --git a/neutron/tests/unit/conf/policies/test_local_ip_association.py b/neutron/tests/unit/conf/policies/test_local_ip_association.py
index 8423a10321f..c131133ef54 100644
--- a/neutron/tests/unit/conf/policies/test_local_ip_association.py
+++ b/neutron/tests/unit/conf/policies/test_local_ip_association.py
@@ -29,6 +29,9 @@ class LocalIPAssociationAPITestCase(base.PolicyBaseTestCase):
 self.local_ip = {
 'id': uuidutils.generate_uuid(),
 'project_id': self.project_id}
+ self.alt_local_ip = {
+ 'id': uuidutils.generate_uuid(),
+ 'project_id': self.alt_project_id}
 
 self.target = {
 'project_id': self.project_id,
@@ -36,11 +39,19 @@ class LocalIPAssociationAPITestCase(base.PolicyBaseTestCase):
 'ext_parent_local_ip_id': self.local_ip['id']}
 self.alt_target = {
 'project_id': self.alt_project_id,
- 'local_ip_id': self.local_ip['id'],
- 'ext_parent_local_ip_id': self.local_ip['id']}
+ 'local_ip_id': self.alt_local_ip['id'],
+ 'ext_parent_local_ip_id': self.alt_local_ip['id']}
+
+ local_ips = {
+ self.local_ip['id']: self.local_ip,
+ self.alt_local_ip['id']: self.alt_local_ip,
+ }
+
+ def get_local_ip(context, lip_id, fields=None):
+ return local_ips[lip_id]
 
 self.plugin_mock = mock.Mock()
- self.plugin_mock.get_local_ip.return_value = self.local_ip
+ self.plugin_mock.get_local_ip.side_effect = get_local_ip
 mock.patch(
 'neutron_lib.plugins.directory.get_plugin',
 return_value=self.plugin_mock).start()
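Review bot: The `get_local_ip` closure in the last test hunk resolves the parent with a bare `local_ips[lip_id]`, so any future test target whose Local IP id is not one of the two fixtures fails with a KeyError thrown from inside the mock rather than with whatever the real plugin raises for a missing parent; if the policy's parent-owner check is written to handle a not-found exception, that path is not exercised here. The reason for replacing `return_value` with `side_effect` lives only in the commit message, so a comment above the closure would help: `# Look the parent Local IP up by id so the parent-owner check sees the right project_id for both target and alt_target`. The `context` and `fields` parameters appear to exist only to match the plugin getter's call signature and are unused, which `_context` and `_fields` would make explicit. setUp begins before this hunk.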