From a21c4678c5caf0123e4d9a4bc86fcd87a5ed994f Mon Sep 17 00:00:00 2001 From: Dan Smith Date: Tue, 30 Nov 2021 11:12:02 -0800 Subject: [PATCH] Make API fixture pass roles This makes our API fixture pass roles in line with the user that is being used. For admin_api, the admin role is included, and two other clients are added for "reader" and "other". Change-Id: I4aa985072103aeab50a1a3db4784081a492dcb7b --- nova/tests/fixtures/nova.py | 20 +++++++++++++++++--- nova/tests/functional/api/client.py | 7 ++++++- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/nova/tests/fixtures/nova.py b/nova/tests/fixtures/nova.py index eece97f5f11f..d6a1ae891183 100644 --- a/nova/tests/fixtures/nova.py +++ b/nova/tests/fixtures/nova.py @@ -1007,6 +1007,11 @@ class OSAPIFixture(fixtures.Fixture): - resp.content - the body of the response - resp.headers - dictionary of HTTP headers returned + This fixture also has the following clients with various differences: + + self.admin_api - Project user with is_admin=True and the "admin" role + self.reader_api - Project user with only the "reader" role + self.other_api - Project user with only the "other" role """ def __init__( @@ -1070,9 +1075,17 @@ class OSAPIFixture(fixtures.Fixture): base_url += '/' + self.project_id self.api = client.TestOpenStackClient( - 'fake', base_url, project_id=self.project_id) + 'fake', base_url, project_id=self.project_id, + roles=['reader', 'member']) self.admin_api = client.TestOpenStackClient( - 'admin', base_url, project_id=self.project_id) + 'admin', base_url, project_id=self.project_id, + roles=['reader', 'member', 'admin']) + self.reader_api = client.TestOpenStackClient( + 'reader', base_url, project_id=self.project_id, + roles=['reader']) + self.other_api = client.TestOpenStackClient( + 'other', base_url, project_id=self.project_id, + roles=['other']) # Provide a way to access the wsgi application to tests using # the fixture. self.app = app @@ -1089,8 +1102,9 @@ class OSAPIFixture(fixtures.Fixture): user_id = env['HTTP_X_AUTH_USER'] project_id = env['HTTP_X_AUTH_PROJECT_ID'] is_admin = user_id == 'admin' + roles = env['HTTP_X_ROLES'].split(',') return context.RequestContext( - user_id, project_id, is_admin=is_admin, **kwargs) + user_id, project_id, is_admin=is_admin, roles=roles, **kwargs) self.useFixture(fixtures.MonkeyPatch( 'nova.api.auth.NovaKeystoneContext._create_context', fake_ctx)) diff --git a/nova/tests/functional/api/client.py b/nova/tests/functional/api/client.py index 21028d56017b..801ca4df7e46 100644 --- a/nova/tests/functional/api/client.py +++ b/nova/tests/functional/api/client.py @@ -123,9 +123,12 @@ class TestOpenStackClient(object): This is a really basic OpenStack API client that is under our control, so we can make changes / insert hooks for testing + By default, no roles are implied and must be passed like + roles=['reader', 'member'] in order for the user to have + privileges on the project, just like in a real deployment. """ - def __init__(self, auth_user, base_url, project_id=None): + def __init__(self, auth_user, base_url, project_id=None, roles=None): super(TestOpenStackClient, self).__init__() self.auth_user = auth_user self.base_url = base_url @@ -134,6 +137,7 @@ class TestOpenStackClient(object): else: self.project_id = project_id self.microversion = None + self.roles = roles or [] def request(self, url, method='GET', body=None, headers=None): _headers = {'Content-Type': 'application/json'} @@ -169,6 +173,7 @@ class TestOpenStackClient(object): headers.setdefault('X-Auth-User', self.auth_user) headers.setdefault('X-User-Id', self.auth_user) headers.setdefault('X-Auth-Project-Id', self.project_id) + headers.setdefault('X-Roles', ','.join(self.roles)) response = self.request(full_uri, **kwargs)