Adds unit test for etc/nova/policy.json data

* Test live etc/nova/policy.json data * Convert all actions in policy.json to admin-only actions * Check that Policy auth exception is raised when all above actions are called using non-admin context Change-Id: I1b97987f8e9e3bacc606385a56daad189cf6ce19 Closes-Bug: #1262325
2014-02-26 13:35:49 +01:00 · 2014-02-26 13:35:49 +01:00 · 07af3e4e60
commit 07af3e4e60
parent 8311578248
3 changed files with 51 additions and 0 deletions
--- a/nova/policy.py
+++ b/nova/policy.py
@ -129,3 +129,7 @@ class IsAdminCheck(policy.Check):
        """Determine whether is_admin matches the requested value."""

        return creds['is_admin'] == self.expected
+
+
+def get_rules():
+    return policy._rules
--- a/nova/tests/policy_fixture.py
+++ b/nova/tests/policy_fixture.py
@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+import json
 import os

 import fixtures
@ -42,3 +43,31 @@ class PolicyFixture(fixtures.Fixture):
        common_policy.set_rules(common_policy.Rules(
                dict((k, common_policy.parse_rule(v))
                     for k, v in rules.items())))
+
+
+class RoleBasedPolicyFixture(fixtures.Fixture):
+
+    def __init__(self, role="admin", *args, **kwargs):
+        super(RoleBasedPolicyFixture, self).__init__(*args, **kwargs)
+        self.role = role
+
+    def setUp(self):
+        """Copy live policy.json file and convert all actions to
+           allow users of the specified role only
+        """
+        super(RoleBasedPolicyFixture, self).setUp()
+        policy = json.load(open(CONF.policy_file))
+
+        # Convert all actions to require specified role
+        for action, rule in policy.iteritems():
+            policy[action] = 'role:%s' % self.role
+
+        self.policy_dir = self.useFixture(fixtures.TempDir())
+        self.policy_file_name = os.path.join(self.policy_dir.path,
+                                            'policy.json')
+        with open(self.policy_file_name, 'w') as policy_file:
+            json.dump(policy, policy_file)
+        CONF.set_override('policy_file', self.policy_file_name)
+        nova.policy.reset()
+        nova.policy.init()
+        self.addCleanup(nova.policy.reset)
--- a/nova/tests/test_policy.py
+++ b/nova/tests/test_policy.py
@ -24,6 +24,7 @@ from nova import exception
 from nova.openstack.common import policy as common_policy
 from nova import policy
 from nova import test
+from nova.tests import policy_fixture
 from nova import utils


@ -204,3 +205,20 @@ class IsAdminCheckTestCase(test.NoDBTestCase):

        self.assertEqual(check('target', dict(is_admin=True)), False)
        self.assertEqual(check('target', dict(is_admin=False)), True)
+
+
+class AdminRolePolicyTestCase(test.NoDBTestCase):
+    def setUp(self):
+        super(AdminRolePolicyTestCase, self).setUp()
+        self.policy = self.useFixture(policy_fixture.RoleBasedPolicyFixture())
+        self.context = context.RequestContext('fake', 'fake', roles=['member'])
+        self.actions = policy.get_rules().keys()
+        self.target = {}
+
+    def test_enforce_admin_actions_with_nonadmin_context_throws(self):
+        """Check if non-admin context passed to admin actions throws
+           Policy not authorized exception
+        """
+        for action in self.actions:
+            self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
+                          self.context, action, self.target)