def test_quotas_limit_check(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id, is_admin=True) } quotas = {'quota': {'network': 5}} res = self.api.put(_get_path('quotas', id=tenant_id, fmt=self.fmt), self.serialize(quotas), extra_environ=env) self.assertEqual(200, res.status_int) quota.QUOTAS.limit_check(context.Context('', tenant_id), tenant_id, network=4)
def test_quotas_limit_check_with_over_quota(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id, is_admin=True) } quotas = {'quota': {'network': 5}} res = self.api.put(_get_path('quotas', id=tenant_id, fmt=self.fmt), self.serialize(quotas), extra_environ=env) self.assertEqual(200, res.status_int) with testtools.ExpectedException(exceptions.OverQuota): quota.QUOTAS.limit_check(context.Context('', tenant_id), tenant_id, network=6)
def test_update_quotas_with_admin(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id + '2', is_admin=True) } quotas = {'quota': {'network': 100}} res = self.api.put_json(_get_path('quotas', id=tenant_id, fmt='json'), quotas, extra_environ=env) self.assertEquals(200, res.status_int) env2 = {'quantum.context': context.Context('', tenant_id)} res = self.api.get(_get_path('quotas', id=tenant_id), extra_environ=env2).json self.assertEquals(100, res['quota']['network'])
def _test_update(self, req_tenant_id, real_tenant_id, expected_code, expect_errors=False): env = {} if req_tenant_id: env = {'quantum.context': context.Context('', req_tenant_id)} # leave out 'name' field intentionally data = {'network': {'admin_state_up': True}} return_value = {'subnets': []} return_value.update(data['network'].copy()) instance = self.plugin.return_value instance.get_network.return_value = { 'tenant_id': real_tenant_id, 'shared': False } instance.update_network.return_value = return_value res = self.api.put_json(_get_path('networks', id=str(uuid.uuid4())), data, extra_environ=env, expect_errors=expect_errors) self.assertEqual(res.status_int, expected_code)
def test_create_with_keystone_env(self): tenant_id = _uuid() net_id = _uuid() env = {'quantum.context': context.Context('', tenant_id)} # tenant_id should be fetched from env initial_input = {'network': {'name': 'net1'}} full_input = { 'network': { 'admin_state_up': True, 'shared': False, 'tenant_id': tenant_id } } full_input['network'].update(initial_input['network']) return_value = {'id': net_id, 'status': "ACTIVE"} return_value.update(full_input['network']) instance = self.plugin.return_value instance.create_network.return_value = return_value res = self.api.post_json(_get_path('networks'), initial_input, extra_environ=env) instance.create_network.assert_called_with(mock.ANY, network=full_input) self.assertEqual(res.status_int, exc.HTTPCreated.code)
def test_update_port_non_admin_does_not_show_queue_id(self): body = { 'qos_queue': { 'tenant_id': 'not_admin', 'name': 'foo', 'min': 20, 'max': 20 } } res = self._create_qos_queue('json', body, tenant_id='not_admin') q1 = self.deserialize('json', res) res = self._create_network('json', 'net1', True, arg_list=(ext_qos.QUEUE, ), tenant_id='not_admin', queue_id=q1['qos_queue']['id']) net1 = self.deserialize('json', res) res = self._create_port('json', net1['network']['id'], tenant_id='not_admin', set_context=True) port = self.deserialize('json', res) device_id = "00fff4d0-e4a8-4a3a-8906-4c4cdafb59f1" data = {'port': {'device_id': device_id}} quantum_context = context.Context('', 'not_admin') port = self._update('ports', port['port']['id'], data, quantum_context=quantum_context) self.assertEqual(ext_qos.QUEUE not in port['port'], True)
def _create_network(self, fmt, name, admin_state_up, arg_list=None, providernet_args=None, **kwargs): data = { 'network': { 'name': name, 'admin_state_up': admin_state_up, 'tenant_id': self._tenant_id } } attributes = kwargs if providernet_args: attributes.update(providernet_args) for arg in (('admin_state_up', 'tenant_id', 'shared') + (arg_list or ())): # Arg must be present and not empty if arg in kwargs and kwargs[arg]: data['network'][arg] = kwargs[arg] network_req = self.new_create_request('networks', data, fmt) if (kwargs.get('set_context') and 'tenant_id' in kwargs): # create a specific auth context for this request network_req.environ['quantum.context'] = context.Context( '', kwargs['tenant_id']) return network_req.get_response(self.api)
def test_nonadmin_read_on_shared_returns_200(self): action = "get_network" user_context = context.Context('', "user", roles=['user']) # 420 is the int value of the bitmask for rw-r--r-- target = {'tenant_id': 'the_owner', 'shared': True} result = policy.enforce(user_context, action, target, None) self.assertEqual(result, None)
def test_create_agent(self): data = {'agent': {}} _req = self.new_create_request('agents', data, self.fmt) _req.environ['quantum.context'] = context.Context( '', 'tenant_id') res = _req.get_response(self.ext_api) self.assertEqual(res.status_int, exc.HTTPBadRequest.code)
def setUp(self): super(QuantumPolicyTestCase, self).setUp() policy.reset() policy.init() self.rules = { "admin_or_network_owner": [["role:admin"], ["tenant_id:%(network_tenant_id)s"]], "admin_only": [["role:admin"]], "regular_user": [["role:user"]], "default": [], "networks:private:read": [["rule:admin_only"]], "networks:private:write": [["rule:admin_only"]], "networks:shared:read": [["rule:regular_user"]], "networks:shared:write": [["rule:admin_only"]], "create_network": [], "create_network:shared": [["rule:admin_only"]], "update_network": [], "update_network:shared": [["rule:admin_only"]], "get_network": [], "create_port:mac": [["rule:admin_or_network_owner"]], } def fakepolicyinit(): common_policy.set_brain(common_policy.Brain(self.rules)) self.patcher = mock.patch.object(quantum.policy, 'init', new=fakepolicyinit) self.patcher.start() self.context = context.Context('fake', 'fake', roles=['user']) plugin_klass = importutils.import_class( "quantum.db.db_base_plugin_v2.QuantumDbPluginV2") self.plugin = plugin_klass()
def test_update_port_security_off_shared_network(self): with self.network(shared=True, do_delete=False) as net: with self.subnet(network=net, do_delete=False): res = self._create_port('json', net['network']['id'], tenant_id='not_network_owner', set_context=True) port = self.deserialize('json', res) # remove security group on port update_port = { 'port': { ext_sg.SECURITYGROUPS: None, psec.PORTSECURITY: False } } req = self.new_update_request('ports', update_port, port['port']['id']) req.environ['quantum.context'] = context.Context( '', 'not_network_owner') res = req.get_response(self.api) # TODO(salvatore-orlando): Expected error is 404 because # the current API controller always returns this error # code for any policy check failures on update. # It should be 404 when the caller cannot access the whole # resource, and 403 when it cannot access a single attribute self.assertEqual(res.status_int, 404)
def test_nonadmin_write_on_shared_returns_403(self): action = "update_network" user_context = context.Context('', "user", roles=['user']) # 384 is the int value of the bitmask for rw-r--r-- target = {'tenant_id': 'the_owner', 'shared': True} self.assertRaises(exceptions.PolicyNotAuthorized, policy.enforce, user_context, action, target, None)
def test_update_service_type_nonadminctx_returns_403(self): tenant_id = _uuid() env = { 'quantum.context': context.Context('', tenant_id, is_admin=False) } self._test_service_type_update( env=env, expected_status=webexc.HTTPForbidden.code)
def _test_nonadmin_action_on_attr(self, action, attr, value, exception=None): user_context = context.Context('', "user", roles=['user']) self._test_action_on_attr(user_context, action, attr, value, exception)
def setUp(self): super(PolicyFileTestCase, self).setUp() policy.reset() self.addCleanup(policy.reset) self.context = context.Context('fake', 'fake', is_admin=False) self.target = {} self.tempdir = self.useFixture(fixtures.TempDir())
def _test_list(self, req_tenant_id, real_tenant_id): env = {} if req_tenant_id: env = {'quantum.context': context.Context('', req_tenant_id)} input_dict = {'id': str(uuid.uuid4()), 'name': 'net1', 'admin_state_up': True, 'status': "ACTIVE", 'tenant_id': real_tenant_id, 'shared': False, 'subnets': []} return_value = [input_dict] instance = self.plugin.return_value instance.get_networks.return_value = return_value res = self.api.get(_get_path('networks'), extra_environ=env) self.assertTrue('networks' in res.json) if not req_tenant_id or req_tenant_id == real_tenant_id: # expect full list returned self.assertEqual(len(res.json['networks']), 1) output_dict = res.json['networks'][0] input_dict['shared'] = False self.assertEqual(len(input_dict), len(output_dict)) for k, v in input_dict.iteritems(): self.assertEqual(v, output_dict[k]) else: # expect no results self.assertEqual(len(res.json['networks']), 0)
def _create_qos_queue(self, fmt, body, **kwargs): qos_queue = self.new_create_request('qos-queues', body) if (kwargs.get('set_context') and 'tenant_id' in kwargs): # create a specific auth context for this request qos_queue.environ['quantum.context'] = context.Context( '', kwargs['tenant_id']) return qos_queue.get_response(self.ext_api)
def test_create_bad_keystone_tenant(self): tenant_id = _uuid() data = {'network': {'name': 'net1', 'tenant_id': tenant_id}} env = {'quantum.context': context.Context('', tenant_id + "bad")} res = self.api.post_json(_get_path('networks'), data, expect_errors=True, extra_environ=env) self.assertEqual(res.status_int, exc.HTTPBadRequest.code)
def test_update_attributes(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id + '2', is_admin=True) } quotas = {'quota': {'extra1': 100}} res = self.api.put(_get_path('quotas', id=tenant_id, fmt=self.fmt), self.serialize(quotas), extra_environ=env) self.assertEqual(200, res.status_int) env2 = {'quantum.context': context.Context('', tenant_id)} res = self.api.get(_get_path('quotas', id=tenant_id, fmt=self.fmt), extra_environ=env2) quota = self.deserialize(res) self.assertEqual(100, quota['quota']['extra1'])
def test_ignore_case_role_check(self): lowercase_action = "example:lowercase_admin" uppercase_action = "example:uppercase_admin" # NOTE(dprince) we mix case in the Admin role here to ensure # case is ignored admin_context = context.Context('admin', 'fake', roles=['AdMiN']) policy.enforce(admin_context, lowercase_action, self.target) policy.enforce(admin_context, uppercase_action, self.target)
def setUp(self): super(QuantumPolicyTestCase, self).setUp() policy.reset() policy.init() self.addCleanup(policy.reset) self.admin_only_legacy = "role:admin" self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s" self.rules = dict( (k, common_policy.parse_rule(v)) for k, v in { "context_is_admin": "role:admin", "admin_or_network_owner": "rule:context_is_admin or " "tenant_id:%(network:tenant_id)s", "admin_or_owner": ("rule:context_is_admin or " "tenant_id:%(tenant_id)s"), "admin_only": "rule:context_is_admin", "regular_user": "******", "shared": "field:networks:shared=True", "external": "field:networks:router:external=True", "default": '@', "create_network": "rule:admin_or_owner", "create_network:shared": "rule:admin_only", "update_network": '@', "update_network:shared": "rule:admin_only", "get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external", "create_port:mac": "rule:admin_or_network_owner", }.items()) def fakepolicyinit(): common_policy.set_rules(common_policy.Rules(self.rules)) self.patcher = mock.patch.object(quantum.policy, 'init', new=fakepolicyinit) self.patcher.start() self.addCleanup(self.patcher.stop) self.context = context.Context('fake', 'fake', roles=['user']) plugin_klass = importutils.import_class( "quantum.db.db_base_plugin_v2.QuantumDbPluginV2") self.manager_patcher = mock.patch('quantum.manager.QuantumManager') fake_manager = self.manager_patcher.start() fake_manager_instance = fake_manager.return_value fake_manager_instance.plugin = plugin_klass() self.addCleanup(self.manager_patcher.stop)
def test_delete_service_type_in_use_returns_409(self): with self.service_type() as svc_type: svc_type_data = svc_type[self.resource_name] mgr = servicetype_db.ServiceTypeManager.get_instance() ctx = context.Context('', '', is_admin=True) mgr.increase_service_type_refcount(ctx, svc_type_data['id']) res = self._delete_service_type(svc_type_data['id'], True) self.assertEqual(res.status_int, webexc.HTTPConflict.code) mgr.decrease_service_type_refcount(ctx, svc_type_data['id'])
def test_delete_quotas_forbidden(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id, is_admin=False) } res = self.api.delete(_get_path('quotas', id=tenant_id, fmt=self.fmt), extra_environ=env, expect_errors=True) self.assertEqual(403, res.status_int)
def test_quotas_defaul_values(self): tenant_id = 'tenant_id1' env = {'quantum.context': context.Context('', tenant_id)} res = self.api.get(_get_path('quotas', id=tenant_id), extra_environ=env) self.assertEquals(10, res.json['quota']['network']) self.assertEquals(10, res.json['quota']['subnet']) self.assertEquals(50, res.json['quota']['port']) self.assertEquals(-1, res.json['quota']['extra1'])
def test_list_quotas_without_admin_forbidden_returns_403(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id, is_admin=False) } res = self.api.get(_get_path('quotas', fmt=self.fmt), extra_environ=env, expect_errors=True) self.assertEqual(403, res.status_int)
def test_show_quotas_with_admin(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id + '2', is_admin=True) } res = self.api.get(_get_path('quotas', id=tenant_id, fmt=self.fmt), extra_environ=env) self.assertEqual(200, res.status_int)
def test_list_quotas_with_admin(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id, is_admin=True) } res = self.api.get(_get_path('quotas', fmt=self.fmt), extra_environ=env) self.assertEqual(200, res.status_int) quota = self.deserialize(res) self.assertEqual([], quota['quotas'])
def test_quotas_default_values(self): tenant_id = 'tenant_id1' env = {'quantum.context': context.Context('', tenant_id)} res = self.api.get(_get_path('quotas', id=tenant_id, fmt=self.fmt), extra_environ=env) quota = self.deserialize(res) self.assertEqual(10, quota['quota']['network']) self.assertEqual(10, quota['quota']['subnet']) self.assertEqual(50, quota['quota']['port']) self.assertEqual(-1, quota['quota']['extra1'])
def test_quotas_get_tenant_from_request_context(self): tenant_id = 'tenant_id1' env = { 'quantum.context': context.Context('', tenant_id, is_admin=True) } res = self.api.get(_get_path('quotas/tenant', fmt=self.fmt), extra_environ=env) self.assertEqual(200, res.status_int) quota = self.deserialize(res) self.assertEqual(quota['tenant']['tenant_id'], tenant_id)
def _create_security_group_rule(self, fmt, rules, **kwargs): security_group_rule_req = self.new_create_request( 'security-group-rules', rules, fmt) if (kwargs.get('set_context') and 'tenant_id' in kwargs): # create a specific auth context for this request security_group_rule_req.environ['quantum.context'] = ( context.Context('', kwargs['tenant_id'])) return security_group_rule_req.get_response(self.ext_api)