Make policy.json not filesystem location specific.
The interaction between the test suite and the policy.json file is problematic, because it imposes an operational assumption that the tests are running with the curdir set to nova/tests. There is no other reason to need to be located in that directory. Part of blueprint grizzly-testtools. Change-Id: I863dac815a768a78fa84d632e5f77ed0f4f599b2
parent
ad3176ee53
commit
6ad04e81d2
|
@ -46,6 +46,7 @@ from nova.openstack.common import timeutils
|
|||
from nova import service
|
||||
from nova import tests
|
||||
from nova.tests import fake_flags
|
||||
from nova.tests import policy_fixture
|
||||
from nova.tests import utils
|
||||
|
||||
|
||||
|
@ -157,6 +158,7 @@ class TestCase(testtools.TestCase):
|
|||
self._services = []
|
||||
self._modules = {}
|
||||
self.useFixture(EnvironmentVariable('http_proxy'))
|
||||
self.policy = self.useFixture(policy_fixture.PolicyFixture())
|
||||
|
||||
def tearDown(self):
|
||||
"""Runs after each test method to tear down test environment."""
|
||||
|
|
|
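Review bot: The new `self.policy` attribute set in TestCase.setUp is inherited by every test class but is not documented anywhere in the visible lines. A subclass that assigns its own `self.policy` after calling the base setUp would silently lose the fixture handle. A short comment above the line would cover it, for example `# Per-test policy file and rules; call self.policy.set_rules() to replace them.` setUp starts above this hunk, so its docstring is not visible here.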
@ -48,7 +48,6 @@ from nova.openstack.common import jsonutils
|
|||
from nova.openstack.common import log as logging
|
||||
from nova.openstack.common.notifier import api as notifier_api
|
||||
from nova.openstack.common.notifier import test_notifier
|
||||
from nova.openstack.common import policy as common_policy
|
||||
from nova.openstack.common import rpc
|
||||
from nova.openstack.common.rpc import common as rpc_common
|
||||
from nova.openstack.common import timeutils
|
||||
|
@ -5324,20 +5323,9 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
|
||||
def setUp(self):
|
||||
super(ComputePolicyTestCase, self).setUp()
|
||||
nova.policy.reset()
|
||||
nova.policy.init()
|
||||
|
||||
self.compute_api = compute.API()
|
||||
|
||||
def tearDown(self):
|
||||
super(ComputePolicyTestCase, self).tearDown()
|
||||
nova.policy.reset()
|
||||
|
||||
def _set_rules(self, rules):
|
||||
common_policy.set_rules(common_policy.Rules(
|
||||
dict((k, common_policy.parse_rule(v))
|
||||
for k, v in rules.items())))
|
||||
|
||||
def test_actions_are_prefixed(self):
|
||||
self.mox.StubOutWithMock(nova.policy, 'enforce')
|
||||
nova.policy.enforce(self.context, 'compute:reboot', {})
|
||||
|
@ -5349,20 +5337,20 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
|
||||
# force delete to fail
|
||||
rules = {"compute:delete": [["false:false"]]}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.delete, self.context, instance)
|
||||
|
||||
# reset rules to allow deletion
|
||||
rules = {"compute:delete": []}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.compute_api.delete(self.context, instance)
|
||||
|
||||
def test_create_fail(self):
|
||||
rules = {"compute:create": [["false:false"]]}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.create, self.context, '1', '1')
|
||||
|
@ -5373,7 +5361,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
"compute:create:attach_network": [["false:false"]],
|
||||
"compute:create:attach_volume": [],
|
||||
}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.create, self.context, '1', '1',
|
||||
|
@ -5386,7 +5374,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
"compute:create:attach_network": [],
|
||||
"compute:create:attach_volume": [["false:false"]],
|
||||
}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.create, self.context, '1', '1',
|
||||
|
@ -5399,7 +5387,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
rules = {
|
||||
"compute:get": [["false:false"]],
|
||||
}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.get, self.context, instance['uuid'])
|
||||
|
@ -5408,7 +5396,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
rules = {
|
||||
"compute:get_all": [["false:false"]],
|
||||
}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.get_all, self.context)
|
||||
|
@ -5421,7 +5409,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
rules = {
|
||||
"compute:get_instance_faults": [["false:false"]],
|
||||
}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.get_instance_faults,
|
||||
|
@ -5430,7 +5418,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
def test_force_host_fail(self):
|
||||
rules = {"compute:create": [],
|
||||
"compute:create:forced_host": [["role:fake"]]}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.assertRaises(exception.PolicyNotAuthorized,
|
||||
self.compute_api.create, self.context, None, '1',
|
||||
|
@ -5439,7 +5427,7 @@ class ComputePolicyTestCase(BaseTestCase):
|
|||
def test_force_host_pass(self):
|
||||
rules = {"compute:create": [],
|
||||
"compute:create:forced_host": []}
|
||||
self._set_rules(rules)
|
||||
self.policy.set_rules(rules)
|
||||
|
||||
self.compute_api.create(self.context, None, '1',
|
||||
availability_zone='1:1')
|
||||
|
|
|
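Review bot: The single-rule denial tests such as test_create_fail assert only `PolicyNotAuthorized` after `self.policy.set_rules(rules)` swaps in a rule set with one entry. A misspelled rule key would presumably still raise, so the test would pass without exercising the intended rule. The delete test earlier in this section has the stronger shape: it denies, asserts, then sets `rules = {"compute:delete": []}` and calls the API again. Adding the same allow-side call to the other denial tests would show that the named rule is what produced the rejection. Several of these test bodies start or end outside the visible hunks.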
@ -1,3 +1,21 @@
|
|||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
|
||||
# Copyright (c) 2012 OpenStack, LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
policy_data = """
|
||||
{
|
||||
"admin_api": "role:admin",
|
||||
|
||||
|
@ -205,3 +223,4 @@
|
|||
"network:create_public_dns_domain": "",
|
||||
"network:delete_dns_domain": ""
|
||||
}
|
||||
"""
|
|
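Review bot: `policy_data` carries no comment saying it is a test-only rule set. The visible tail maps `network:create_public_dns_domain` and `network:delete_dns_domain` to an empty string, which looks like an unconditional allow. A module comment such as `# Test-only policy with permissive defaults; not a reference for deployment.` would stop readers from treating it as a hardened baseline. Because the JSON now sits inside a Python string, a syntax error in it is likely reported only when the fixture loads it, so a small test that parses `policy_data` as JSON would catch it directly.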
@ -1928,9 +1928,6 @@ class NetworkPolicyTestCase(test.TestCase):
|
|||
super(NetworkPolicyTestCase, self).tearDown()
|
||||
nova.policy.reset()
|
||||
|
||||
def _set_rules(self, rules):
|
||||
nova.common.policy.set_brain(nova.common.policy.HttpBrain(rules))
|
||||
|
||||
def test_check_policy(self):
|
||||
self.mox.StubOutWithMock(nova.policy, 'enforce')
|
||||
target = {
|
||||
|
|
|
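Review bot: The tearDown at the top of this hunk still appears to call `nova.policy.reset()` after the change, while the other test classes in this commit drop their manual resets in favour of the fixture's cleanup. If the base TestCase fixture now owns policy reset, this tearDown looks redundant and could go for consistency, along with any matching reset/init in setUp, which is outside the hunk. The removed `_set_rules` used `nova.common.policy.set_brain` and `HttpBrain` rather than the `common_policy.set_rules` seen elsewhere, so it may have been dead code. It is worth confirming that no test in this class relied on it.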
@ -0,0 +1,44 @@
|
|||
# Copyright 2012 Hewlett-Packard Development Company, L.P.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import os
|
||||
|
||||
import fixtures
|
||||
|
||||
from nova.openstack.common import cfg
|
||||
from nova.openstack.common import policy as common_policy
|
||||
import nova.policy
|
||||
from nova.tests import fake_policy
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
class PolicyFixture(fixtures.Fixture):
|
||||
|
||||
def setUp(self):
|
||||
super(PolicyFixture, self).setUp()
|
||||
self.policy_dir = self.useFixture(fixtures.TempDir())
|
||||
self.policy_file_name = os.path.join(self.policy_dir.path,
|
||||
'policy.json')
|
||||
with open(self.policy_file_name, 'w') as policy_file:
|
||||
policy_file.write(fake_policy.policy_data)
|
||||
CONF.set_override('policy_file', self.policy_file_name)
|
||||
nova.policy.reset()
|
||||
nova.policy.init()
|
||||
self.addCleanup(nova.policy.reset)
|
||||
|
||||
def set_rules(self, rules):
|
||||
common_policy.set_rules(common_policy.Rules(
|
||||
dict((k, common_policy.parse_rule(v))
|
||||
for k, v in rules.items())))
|
|
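Review bot: `CONF.set_override('policy_file', self.policy_file_name)` in PolicyFixture.setUp has no matching cleanup. Once the TempDir fixture removes the directory, the global option can still point at a file that no longer exists, unless the base test case resets configuration elsewhere (not visible here). Registering the undo in the fixture keeps it self-contained, for example `self.addCleanup(CONF.clear_override, 'policy_file')` if this tree's cfg module provides it. `self.addCleanup(nova.policy.reset)` is also registered only after `nova.policy.init()`, so a failure while loading the file would skip the reset; moving the addCleanup above `init()` covers that. `set_rules` replaces the whole global rule set rather than merging into the loaded file's rules, which deserves a one-line docstring on the method and on the class.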
@ -32,17 +32,13 @@ from nova import utils
|
|||
class PolicyFileTestCase(test.TestCase):
|
||||
def setUp(self):
|
||||
super(PolicyFileTestCase, self).setUp()
|
||||
policy.reset()
|
||||
self.context = context.RequestContext('fake', 'fake')
|
||||
self.target = {}
|
||||
|
||||
def tearDown(self):
|
||||
super(PolicyFileTestCase, self).tearDown()
|
||||
policy.reset()
|
||||
|
||||
def test_modified_policy_reloads(self):
|
||||
with utils.tempdir() as tmpdir:
|
||||
tmpfilename = os.path.join(tmpdir, 'policy')
|
||||
|
||||
self.flags(policy_file=tmpfilename)
|
||||
|
||||
# NOTE(uni): context construction invokes policy check to determin
|
||||
|
@ -66,9 +62,6 @@ class PolicyFileTestCase(test.TestCase):
|
|||
class PolicyTestCase(test.TestCase):
|
||||
def setUp(self):
|
||||
super(PolicyTestCase, self).setUp()
|
||||
policy.reset()
|
||||
# NOTE(vish): preload rules to circumvent reloading from file
|
||||
policy.init()
|
||||
rules = {
|
||||
"true": '@',
|
||||
"example:allowed": '@',
|
||||
|
@ -81,17 +74,10 @@ class PolicyTestCase(test.TestCase):
|
|||
"example:lowercase_admin": "role:admin or role:sysadmin",
|
||||
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
|
||||
}
|
||||
# NOTE(vish): then overload underlying brain
|
||||
common_policy.set_rules(common_policy.Rules(
|
||||
dict((k, common_policy.parse_rule(v))
|
||||
for k, v in rules.items())))
|
||||
self.policy.set_rules(rules)
|
||||
self.context = context.RequestContext('fake', 'fake', roles=['member'])
|
||||
self.target = {}
|
||||
|
||||
def tearDown(self):
|
||||
policy.reset()
|
||||
super(PolicyTestCase, self).tearDown()
|
||||
|
||||
def test_enforce_nonexistent_action_throws(self):
|
||||
action = "example:noexist"
|
||||
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
|
||||
|
@ -165,8 +151,6 @@ class DefaultPolicyTestCase(test.TestCase):
|
|||
|
||||
def setUp(self):
|
||||
super(DefaultPolicyTestCase, self).setUp()
|
||||
policy.reset()
|
||||
policy.init()
|
||||
|
||||
self.rules = {
|
||||
"default": '',
|
||||
|
@ -183,10 +167,6 @@ class DefaultPolicyTestCase(test.TestCase):
|
|||
for k, v in self.rules.items()), default_rule)
|
||||
common_policy.set_rules(rules)
|
||||
|
||||
def tearDown(self):
|
||||
super(DefaultPolicyTestCase, self).tearDown()
|
||||
policy.reset()
|
||||
|
||||
def test_policy_called(self):
|
||||
self.assertRaises(exception.PolicyNotAuthorized, policy.enforce,
|
||||
self.context, "example:exist", {})
|
||||
|
|
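Review bot: DefaultPolicyTestCase still calls `common_policy.set_rules(rules)` directly, because `PolicyFixture.set_rules` takes no default-rule argument, so this class bypasses the fixture while the others use `self.policy.set_rules`. The fixture's reset cleanup presumably still restores state, but the two paths can drift. An optional `default_rule=None` parameter on the fixture method would let this helper use it too; the helper starts outside the hunk. In test_modified_policy_reloads, `self.flags(policy_file=tmpfilename)` now stacks on top of the fixture's own override, and a comment saying the fixture's file is intentionally replaced there would help.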