Adds unit test for etc/nova/policy.json data

* Test live etc/nova/policy.json data
* Convert all actions in policy.json to admin-only actions
* Check that PolicyNotAuthorized is raised when each of the above actions is
  called with a non-admin (member-role) context

Change-Id: I1b97987f8e9e3bacc606385a56daad189cf6ce19
Closes-Bug: #1262325
Rohan Kanade 2014-02-26 13:35:49 +01:00
parent 8311578248
commit 07af3e4e60
3 changed files with 51 additions and 0 deletions


@ -129,3 +129,7 @@ class IsAdminCheck(policy.Check):
"""Determine whether is_admin matches the requested value."""
return creds['is_admin'] == self.expected
def get_rules():
return policy._rules
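Review bot: `get_rules` hands back the private `_rules` attribute of the synced oslo policy module, which is `None` until `set_rules`/`init` has populated it, so a caller that runs before initialisation gets an `AttributeError` on `None.keys()` rather than a clear message; that contract should at least be documented, e.g. `"""Return the currently loaded policy Rules (None until init() has run)."""`. Reaching into `_rules` also couples nova to a non-public name of the incubated library, so a thin accessor on that module would be less brittle if one exists; whether it does is not visible here.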


@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations
# under the License.
import json
import os
import fixtures
@ -42,3 +43,31 @@ class PolicyFixture(fixtures.Fixture):
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
class RoleBasedPolicyFixture(fixtures.Fixture):
def __init__(self, role="admin", *args, **kwargs):
super(RoleBasedPolicyFixture, self).__init__(*args, **kwargs)
self.role = role
def setUp(self):
"""Copy live policy.json file and convert all actions to
allow users of the specified role only
"""
super(RoleBasedPolicyFixture, self).setUp()
policy = json.load(open(CONF.policy_file))
# Convert all actions to require specified role
for action, rule in policy.iteritems():
policy[action] = 'role:%s' % self.role
self.policy_dir = self.useFixture(fixtures.TempDir())
self.policy_file_name = os.path.join(self.policy_dir.path,
'policy.json')
with open(self.policy_file_name, 'w') as policy_file:
json.dump(policy, policy_file)
CONF.set_override('policy_file', self.policy_file_name)
nova.policy.reset()
nova.policy.init()
self.addCleanup(nova.policy.reset)
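Review bot: `policy = json.load(open(CONF.policy_file))` at the top of `setUp` never closes the file, and the `CONF.set_override('policy_file', ...)` two lines from the end is never cleared, so the temporary path can outlive this fixture and leak into later tests that expect the real `etc/nova/policy.json`. Use `with open(CONF.policy_file) as policy_file: policy = json.load(policy_file)` and register `self.addCleanup(CONF.clear_override, 'policy_file')` alongside the existing `nova.policy.reset` cleanup; whether nova's base test case already resets overrides is not visible from this hunk. The loop also ignores `rule`, so `policy = dict((action, 'role:%s' % self.role) for action in policy)` states the intent more directly, and it is worth a comment that the `default` rule is rewritten too, which is what makes an all-actions assertion meaningful.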


@ -24,6 +24,7 @@ from nova import exception
from nova.openstack.common import policy as common_policy
from nova import policy
from nova import test
from nova.tests import policy_fixture
from nova import utils
@ -204,3 +205,20 @@ class IsAdminCheckTestCase(test.NoDBTestCase):
self.assertEqual(check('target', dict(is_admin=True)), False)
self.assertEqual(check('target', dict(is_admin=False)), True)
class AdminRolePolicyTestCase(test.NoDBTestCase):
def setUp(self):
super(AdminRolePolicyTestCase, self).setUp()
self.policy = self.useFixture(policy_fixture.RoleBasedPolicyFixture())
self.context = context.RequestContext('fake', 'fake', roles=['member'])
self.actions = policy.get_rules().keys()
self.target = {}
def test_enforce_admin_actions_with_nonadmin_context_throws(self):
"""Check if non-admin context passed to admin actions throws
Policy not authorized exception
"""
for action in self.actions:
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
self.context, action, self.target)
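Review bot: `test_enforce_admin_actions_with_nonadmin_context_throws` passes vacuously if `policy.get_rules().keys()` in `setUp` comes back empty, for instance when the fixture's `policy_file` override did not take effect, because the `for` loop body then never runs; add `self.assertTrue(self.actions)` before the loop so an unloaded policy file fails loudly instead of reporting success. A failing iteration also does not say which action slipped through, since `assertRaises` carries no message; catching `exception.PolicyNotAuthorized` per action and otherwise calling `self.fail('%s allowed a member-role context' % action)` would make the report actionable. The `target = {}` is fine here only because every rule has been rewritten to `role:admin`; a comment saying so would stop someone reusing the class for owner-based rules.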