openstack/tap-as-a-service
Code Issues Proposed changes

[S-RBAC] Default RBAC policies

Browse Source 
Update tap_flow and tap_service API to new s-rbac defaults and
added unit tests.
Added unit tests for the existing tap_mirror API for completeness

Change-Id: I9cb1ab098c6a25fc1e1991790a095e9366bb71c5
This commit is contained in:
Miro Tomaska 2025-04-30 01:49:39 +00:00
parent 6ef9395531
commit 6e94491c2c
7 changed files with 960 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
etc/neutron/policy.yaml.sample
View File

@ -1,34 +1,90 @@
# Create a tap flow
# POST /taas/tap_flows
#"create_tap_flow": "rule:admin_or_owner"
# Intended scope(s): project
#"create_tap_flow": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_tap_flow":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "create_tap_flow":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Update a tap flow
# PUT /taas/tap_flows/{id}
#"update_tap_flow": "rule:admin_or_owner"
# Intended scope(s): project
#"update_tap_flow": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_tap_flow":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "update_tap_flow":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Show a tap flow
# GET /taas/tap_flows/{id}
#"get_tap_flow": "rule:admin_or_owner"
# Intended scope(s): project
#"get_tap_flow": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_tap_flow":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "get_tap_flow":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Delete a tap flow
# DELETE /taas/tap_flows/{id}
#"delete_tap_flow": "rule:admin_or_owner"
# Intended scope(s): project
#"delete_tap_flow": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_tap_flow":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "delete_tap_flow":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Create a tap service
# POST /taas/tap_services
#"create_tap_service": "rule:admin_or_owner"
# Intended scope(s): project
#"create_tap_service": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_tap_service":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "create_tap_service":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Updates a tap service
# PUT /taas/tap_services/{id}
#"update_tap_service": "rule:admin_or_owner"
# Intended scope(s): project
#"update_tap_service": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_tap_service":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "update_tap_service":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Show a tap service
# GET /taas/tap_services/{id}
#"get_tap_service": "rule:admin_or_owner"
# Intended scope(s): project
#"get_tap_service": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_tap_service":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "get_tap_service":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Delete a tap service
# DELETE /taas/tap_services/{id}
#"delete_tap_service": "rule:admin_or_owner"
# Intended scope(s): project
#"delete_tap_service": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_tap_service":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "delete_tap_service":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The neutron TAAS API now supports Secure RBAC default roles.
# Create a Tap Mirror
# POST /taas/tap_mirrors

81
neutron_taas/policies/tap_flow.py
View File

@ -12,52 +12,85 @@
from oslo_policy import policy
from neutron.conf.policies import base
from neutron_lib.policy import RULE_ADMIN_OR_OWNER
COLLECTION_PATH = '/taas/tap_flows'
RESOURCE_PATH = '/taas/tap_flows/{id}'
DEPRECATED_REASON = """
The neutron TAAS API now supports Secure RBAC default roles.
"""
rules = [
policy.DocumentedRuleDefault(
'create_tap_flow',
RULE_ADMIN_OR_OWNER,
'Create a tap flow',
[
name='create_tap_flow',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create a tap flow',
operations=[
{
'method': 'POST',
'path': '/taas/tap_flows',
'path': COLLECTION_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_tap_flow',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_tap_flow',
RULE_ADMIN_OR_OWNER,
'Update a tap flow',
[
name='update_tap_flow',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Update a tap flow',
operations=[
{
'method': 'PUT',
'path': '/taas/tap_flows/{id}',
'path': RESOURCE_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_tap_flow',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'get_tap_flow',
RULE_ADMIN_OR_OWNER,
'Show a tap flow',
[
name='get_tap_flow',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Show a tap flow',
operations=[
{
'method': 'GET',
'path': '/taas/tap_flows/{id}',
'path': RESOURCE_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='get_tap_flow',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'delete_tap_flow',
RULE_ADMIN_OR_OWNER,
'Delete a tap flow',
[
name='delete_tap_flow',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete a tap flow',
operations=[
{
'method': 'DELETE',
'path': '/taas/tap_flows/{id}',
'path': RESOURCE_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_tap_flow',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
]

81
neutron_taas/policies/tap_service.py
View File

@ -12,52 +12,85 @@
from oslo_policy import policy
from neutron.conf.policies import base
from neutron_lib.policy import RULE_ADMIN_OR_OWNER
COLLECTION_PATH = '/taas/tap_services'
RESOURCE_PATH = '/taas/tap_services/{id}'
DEPRECATED_REASON = """
The neutron TAAS API now supports Secure RBAC default roles.
"""
rules = [
policy.DocumentedRuleDefault(
'create_tap_service',
RULE_ADMIN_OR_OWNER,
'Create a tap service',
[
name='create_tap_service',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Create a tap service',
operations=[
{
'method': 'POST',
'path': '/taas/tap_services',
'path': COLLECTION_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='create_tap_service',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'update_tap_service',
RULE_ADMIN_OR_OWNER,
'Updates a tap service',
[
name='update_tap_service',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Updates a tap service',
operations=[
{
'method': 'PUT',
'path': '/taas/tap_services/{id}',
'path': RESOURCE_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='update_tap_service',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'get_tap_service',
RULE_ADMIN_OR_OWNER,
'Show a tap service',
[
name='get_tap_service',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Show a tap service',
operations=[
{
'method': 'GET',
'path': '/taas/tap_services/{id}',
'path': RESOURCE_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='get_tap_service',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
policy.DocumentedRuleDefault(
'delete_tap_service',
RULE_ADMIN_OR_OWNER,
'Delete a tap service',
[
name='delete_tap_service',
check_str=base.ADMIN_OR_PROJECT_MEMBER,
scope_types=['project'],
description='Delete a tap service',
operations=[
{
'method': 'DELETE',
'path': '/taas/tap_services/{id}',
'path': RESOURCE_PATH,
}
]
],
deprecated_rule=policy.DeprecatedRule(
name='delete_tap_service',
check_str=RULE_ADMIN_OR_OWNER,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='2025.2')
),
]

0
neutron_taas/tests/unit/policies/__init__.py Normal file
View File

261
neutron_taas/tests/unit/policies/test_tap_flow.py Normal file
View File

@ -0,0 +1,261 @@
# Copyright (c) 2025 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy
from neutron import policy as neutron_policy
from neutron.tests.unit.conf.policies import test_base
class TapFlowGroupAPITestCase(test_base.PolicyBaseTestCase):
def setUp(self):
super().setUp()
self.target = {
'project_id': self.project_id,
'tenant_id': self.project_id
}
self.alt_target = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id
}
class SystemAdminTests(TapFlowGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.system_admin_ctx
def test_create_tap_flow(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'create_tap_flow',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'create_tap_flow',
self.alt_target)
def test_update_tap_flow(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'update_tap_flow',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'update_tap_flow',
self.alt_target)
def test_get_tap_flow(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'get_tap_flow',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'get_tap_flow',
self.alt_target)
def test_delete_tap_flow(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'delete_tap_flow',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'delete_tap_flow',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
def setUp(self):
super().setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
super().setUp()
self.context = self.system_reader_ctx
class AdminTest(TapFlowGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_admin_ctx
def test_create_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'create_tap_flow', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'create_tap_flow', self.alt_target))
def test_update_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'update_tap_flow', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'update_tap_flow', self.alt_target))
def test_get_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'get_tap_flow', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'get_tap_flow', self.alt_target))
def test_delete_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'delete_tap_flow', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'delete_tap_flow', self.alt_target))
class ProjectManagerTests(TapFlowGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_manager_ctx
def test_create_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'create_tap_flow',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_flow',
self.alt_target)
def test_update_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'update_tap_flow',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_flow',
self.alt_target)
def test_get_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'get_tap_flow',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_flow',
self.alt_target)
def test_delete_tap_flow(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'delete_tap_flow',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_flow',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
def setUp(self):
super().setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(ProjectMemberTests):
def setUp(self):
super().setUp()
self.context = self.project_reader_ctx
def test_create_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_flow',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_flow',
self.alt_target)
def test_update_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_flow',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_flow',
self.alt_target)
def test_get_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_flow',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_flow',
self.alt_target)
def test_delete_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_flow',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_flow',
self.alt_target)
class ServiceRoleTests(TapFlowGroupAPITestCase):
def setUp(self):
super().setUp()
self.context = self.service_ctx
def test_create_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_flow',
self.target)
def test_update_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_flow',
self.target)
def test_get_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_flow',
self.target)
def test_delete_tap_flow(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_flow',
self.target)

260
neutron_taas/tests/unit/policies/test_tap_mirror.py Normal file
View File

@ -0,0 +1,260 @@
# Copyright (c) 2025 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy
from neutron import policy as neutron_policy
from neutron.tests.unit.conf.policies import test_base
class TapMirrorAPITestCase(test_base.PolicyBaseTestCase):
def setUp(self):
super().setUp()
self.target = {
'project_id': self.project_id,
'tenant_id': self.project_id
}
self.alt_target = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id
}
class SystemAdminTests(TapMirrorAPITestCase):
def setUp(self):
super().setUp()
self.context = self.system_admin_ctx
def test_create_tap_mirror(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'create_tap_mirror',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'create_tap_mirror',
self.alt_target)
def test_update_tap_mirror(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'update_tap_mirror',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'update_tap_mirror',
self.alt_target)
def test_get_tap_mirror(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'get_tap_mirror',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'get_tap_mirror',
self.alt_target)
def test_delete_tap_mirror(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'delete_tap_mirror',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'delete_tap_mirror',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
def setUp(self):
super().setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
super().setUp()
self.context = self.system_reader_ctx
class AdminTests(TapMirrorAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_admin_ctx
def test_create_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'create_tap_mirror', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'create_tap_mirror', self.alt_target))
def test_update_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'update_tap_mirror', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'update_tap_mirror', self.alt_target))
def test_get_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'get_tap_mirror', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'get_tap_mirror', self.alt_target))
def test_delete_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'delete_tap_mirror', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'delete_tap_mirror', self.alt_target))
class ProjectManagerTests(TapMirrorAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_manager_ctx
def test_create_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'create_tap_mirror',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_mirror',
self.alt_target)
def test_update_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'update_tap_mirror',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_mirror',
self.alt_target)
def test_get_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'get_tap_mirror',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_mirror',
self.alt_target)
def test_delete_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'delete_tap_mirror',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_mirror',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
def setUp(self):
super().setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(TapMirrorAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_reader_ctx
def test_create_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_mirror',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_mirror',
self.alt_target)
def test_update_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_mirror',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_mirror',
self.alt_target)
def test_get_tap_mirror(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'get_tap_mirror',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_mirror',
self.alt_target)
def test_delete_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_mirror',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_mirror',
self.alt_target)
class ServiceRoleTests(TapMirrorAPITestCase):
def setUp(self):
super().setUp()
self.context = self.service_ctx
def test_create_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_mirror',
self.target)
def test_update_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_mirror',
self.target)
def test_get_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_mirror',
self.target)
def test_delete_tap_mirror(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_mirror',
self.target)

261
neutron_taas/tests/unit/policies/test_tap_service.py Normal file
View File

@ -0,0 +1,261 @@
# Copyright (c) 2025 Red Hat Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_policy import policy
from neutron import policy as neutron_policy
from neutron.tests.unit.conf.policies import test_base
class TapServiceAPITestCase(test_base.PolicyBaseTestCase):
def setUp(self):
super().setUp()
self.target = {
'project_id': self.project_id,
'tenant_id': self.project_id
}
self.alt_target = {
'project_id': self.alt_project_id,
'tenant_id': self.alt_project_id
}
class SystemAdminTests(TapServiceAPITestCase):
def setUp(self):
super().setUp()
self.context = self.system_admin_ctx
def test_create_tap_service(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'create_tap_service',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'create_tap_service',
self.alt_target)
def test_update_tap_service(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'update_tap_service',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'update_tap_service',
self.alt_target)
def test_get_tap_service(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'get_tap_service',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'get_tap_service',
self.alt_target)
def test_delete_tap_service(self):
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'delete_tap_service',
self.target)
self.assertRaises(
policy.InvalidScope,
neutron_policy.enforce, self.context, 'delete_tap_service',
self.alt_target)
class SystemMemberTests(SystemAdminTests):
def setUp(self):
super().setUp()
self.context = self.system_member_ctx
class SystemReaderTests(SystemMemberTests):
def setUp(self):
super().setUp()
self.context = self.system_reader_ctx
class AdminTests(TapServiceAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_admin_ctx
def test_create_tap_service(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'create_tap_service', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'create_tap_service', self.alt_target))
def test_update_tap_service(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'update_tap_service', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'update_tap_service', self.alt_target))
def test_get_tap_service(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'get_tap_service', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'get_tap_service', self.alt_target))
def test_delete_tap_service(self):
self.assertTrue(
neutron_policy.enforce(
self.context, 'delete_tap_service', self.target))
self.assertTrue(
neutron_policy.enforce(
self.context, 'delete_tap_service', self.alt_target))
class ProjectManagerTests(TapServiceAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_manager_ctx
def test_create_tap_service(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'create_tap_service',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_service',
self.alt_target)
def test_update_tap_service(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'update_tap_service',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_service',
self.alt_target)
def test_get_tap_service(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'get_tap_service',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_service',
self.alt_target)
def test_delete_tap_service(self):
self.assertTrue(
neutron_policy.enforce(self.context, 'delete_tap_service',
self.target))
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_service',
self.alt_target)
class ProjectMemberTests(ProjectManagerTests):
def setUp(self):
super().setUp()
self.context = self.project_member_ctx
class ProjectReaderTests(TapServiceAPITestCase):
def setUp(self):
super().setUp()
self.context = self.project_reader_ctx
def test_create_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_service',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_service',
self.alt_target)
def test_update_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_service',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_service',
self.alt_target)
def test_get_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_service',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_service',
self.alt_target)
def test_delete_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_service',
self.target)
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_service',
self.alt_target)
class ServiceRoleTests(TapServiceAPITestCase):
def setUp(self):
super().setUp()
self.context = self.service_ctx
def test_create_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'create_tap_service',
self.target)
def test_update_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'update_tap_service',
self.target)
def test_get_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'get_tap_service',
self.target)
def test_delete_tap_service(self):
self.assertRaises(
policy.PolicyNotAuthorized,
neutron_policy.enforce, self.context, 'delete_tap_service',
self.target)