def test_attachment_operations_not_authorized(self, mock_get, mock_synch): mock_get.return_value = self.attachment1 req = fakes.HTTPRequest.blank('/v3/%s/attachments/%s' % (fake.PROJECT2_ID, self.attachment1.id), version=mv.NEW_ATTACH, use_admin_context=False) body = { "attachment": { "connector": { 'fake_key': 'fake_value', 'host': 'somehost' }, }, } rules = { attachments_policies.UPDATE_POLICY: base_policy.RULE_ADMIN_OR_OWNER } policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.addCleanup(policy.reset) self.assertRaises(exception.NotAuthorized, self.controller.update, req, self.attachment1.id, body=body) self.assertRaises(exception.NotAuthorized, self.controller.delete, req, self.attachment1.id)
def test_delete_image_metadata_policy_not_authorized(self, fake_get): rules = { metadata_policy.IMAGE_METADATA_POLICY: base_policy.RULE_ADMIN_API } policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.addCleanup(policy.reset) fake_get.return_value = {} req = fakes.HTTPRequest.blank('/v2/%s/volumes/%s/action' % (fake.PROJECT_ID, fake.VOLUME_ID), use_admin_context=False) req.method = 'POST' req.content_type = "application/json" body = { "os-unset_image_metadata": { "metadata": { "image_name": "fake" } } } req.body = jsonutils.dump_as_bytes(body) self.assertRaises(exception.ValidationError, self.controller.delete, req, fake.VOLUME_ID, body=None)
def test_attachment_create_bootable_multiattach_policy(self): """Test attachment_create no connector.""" volume_params = {'status': 'available'} vref = tests_utils.create_volume(self.context, **volume_params) vref.multiattach = True vref.bootable = True vref.status = 'in-use' rules = { attachment_policy.MULTIATTACH_BOOTABLE_VOLUME_POLICY: base_policy.RULE_ADMIN_API # noqa } policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.addCleanup(policy.reset) self.assertRaises(exception.PolicyNotAuthorized, self.volume_api.attachment_create, self.user_context, vref, fake.UUID2)
def test_delete_group_snapshot_policy_not_authorized(self): group_snapshot = utils.create_group_snapshot( self.context, group_id=self.group.id, status=fields.GroupSnapshotStatus.AVAILABLE) req = fakes.HTTPRequest.blank('/v3/%s/group_snapshots/%s/' % (fake.PROJECT_ID, group_snapshot.id), version=mv.GROUP_SNAPSHOTS, use_admin_context=False) rules = { group_snapshots_policy.DELETE_POLICY: base_policy.RULE_ADMIN_API } policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.addCleanup(policy.reset) self.assertRaises(exception.PolicyNotAuthorized, self.controller.delete, req, group_snapshot.id)
def test_delete_image_metadata_policy_not_authorized(self, fake_get): rules = { metadata_policy.IMAGE_METADATA_POLICY: base_policy.RULE_ADMIN_API } policy.set_rules(oslo_policy.Rules.from_dict(rules)) self.addCleanup(policy.reset) fake_get.return_value = {} req = fakes.HTTPRequest.blank('/v2/%s/volumes/%s/action' % ( fake.PROJECT_ID, fake.VOLUME_ID), use_admin_context=False) req.method = 'POST' req.content_type = "application/json" body = {"os-unset_image_metadata": { "metadata": {"image_name": "fake"}} } req.body = jsonutils.dump_as_bytes(body) self.assertRaises(exception.ValidationError, self.controller.delete, req, fake.VOLUME_ID, body=None)
def set_rules(self, rules, overwrite=True): policy = cinder.policy._ENFORCER policy.set_rules(oslo_policy.Rules.from_dict(rules), overwrite=overwrite)