def test_update_with_non_admin(self, mock_policy_authorize, mock_get,
mock_update):
# allow policy authorized user to update type
mock_policy_authorize.return_value = None
mock_get.return_value = return_volume_types_get_volume_type_updated(
DEFAULT_VOLUME_TYPE, is_public=False)
name = "vol_type_%s" % DEFAULT_VOLUME_TYPE
updated_name = "%s_%s" % (name, DEFAULT_VOLUME_TYPE)
desc = "vol_type_desc_%s" % DEFAULT_VOLUME_TYPE
updated_desc = "%s_%s" % (desc, DEFAULT_VOLUME_TYPE)
body = {"volume_type": {"name": updated_name,
"description": updated_desc,
"is_public": False}}
req = fakes.HTTPRequest.blank('/v3/%s/types/%s' % (
fake.PROJECT_ID, DEFAULT_VOLUME_TYPE),
use_admin_context=False)
req.method = 'PUT'
self.assertEqual(0, len(self.notifier.notifications))
res_dict = self.controller._update(req, DEFAULT_VOLUME_TYPE, body=body)
self.assertEqual(1, len(self.notifier.notifications))
self._check_test_results(res_dict,
{'expected_desc': updated_desc,
'expected_name': updated_name,
'is_public': False})
# non policy authorized user fails to update type
mock_policy_authorize.side_effect = (
exception.PolicyNotAuthorized(action='type_update'))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller._update,
req, DEFAULT_VOLUME_TYPE, body=body)
def test_delete_cgsnapshot_delete_policy_not_auth(self, mock_delete):
vol_type = utils.create_volume_type(context.get_admin_context(),
self,
name='my_vol_type')
consistencygroup = utils.create_group(self.context,
group_type_id=fake.GROUP_TYPE_ID,
volume_type_ids=[vol_type['id']])
volume_id = utils.create_volume(self.context,
volume_type_id=vol_type['id'],
group_id=consistencygroup.id)['id']
cgsnapshot = utils.create_group_snapshot(
self.context,
group_id=consistencygroup.id,
group_type_id=fake.GROUP_TYPE_ID,
status='available')
mock_delete.side_effect = exception.PolicyNotAuthorized(
message='PolicyNotAuthorized')
req = webob.Request.blank('/v2/%s/cgsnapshots/%s' %
(fake.PROJECT_ID, cgsnapshot.id))
req.method = 'DELETE'
req.headers['Content-Type'] = 'application/json'
res = req.get_response(
fakes.wsgi_app(fake_auth_context=self.user_ctxt))
res_dict = jsonutils.loads(res.body)
self.assertEqual('PolicyNotAuthorized',
res_dict['forbidden']['message'])
cgsnapshot.destroy()
db.volume_destroy(context.get_admin_context(), volume_id)
consistencygroup.destroy()
def test_create_with_none_admin(self, mock_policy_authorize,
mock_get_volume_type_by_name,
mock_create_type):
# allow policy authorized user to create type
mock_policy_authorize.return_value = None
mock_get_volume_type_by_name.return_value = \
{'extra_specs': {"key1": "value1"},
'id': DEFAULT_VOLUME_TYPE,
'name': 'vol_type_1',
'description': 'vol_type_desc_1'}
body = {"volume_type": {"name": "vol_type_1",
"os-volume-type-access:is_public": True,
"extra_specs": {"key1": "value1"}}}
req = fakes.HTTPRequest.blank('/v3/%s/types' % fake.PROJECT_ID,
use_admin_context=False)
self.assertEqual(0, len(self.notifier.notifications))
res_dict = self.controller._create(req, body=body)
self.assertEqual(1, len(self.notifier.notifications))
self._check_test_results(res_dict, {
'expected_name': 'vol_type_1', 'expected_desc': 'vol_type_desc_1'})
# non policy authorized user fails to create type
mock_policy_authorize.side_effect = (
exception.PolicyNotAuthorized(action='type_create'))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller._create,
req, body=body)
def enforce(context, action: str, target: dict):
"""Verifies that the action is valid on the target in this context.
:param context: cinder context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param target: dictionary representing the object of the action for object
creation this should be a dictionary representing the
location of the object e.g.
``{'project_id': context.project_id}``
:raises PolicyNotAuthorized: if verification fails.
"""
init()
assert _ENFORCER is not None
try:
return _ENFORCER.enforce(action,
target,
context,
do_raise=True,
exc=exception.PolicyNotAuthorized,
action=action)
except policy.InvalidScope:
raise exception.PolicyNotAuthorized(action=action)
def enforce(context, action, target):
"""Verifies that the action is valid on the target in this context.
:param context: cinder context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. ``compute:create_instance``,
``compute:attach_volume``,
``volume:attach_volume``
:param object: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. ``{'project_id': context.project_id}``
:raises cinder.exception.PolicyNotAllowed: if verification fails.
"""
init()
match_list = ('rule:%s' % action, )
credentials = context.to_dict()
try:
policy.enforce(match_list, target, credentials)
except policy.NotAuthorized:
raise exception.PolicyNotAuthorized(action=action)
def test_update_with_non_admin(self, mock_policy_enforce, mock_get,
mock_update):
# allow policy authorized user to update type
mock_policy_enforce.return_value = None
mock_get.return_value = return_volume_types_get_volume_type_updated(
'1', is_public=False)
body = {
"volume_type": {
"name": "vol_type_1_1",
"description": "vol_type_desc_1_1",
"is_public": False
}
}
req = fakes.HTTPRequest.blank('/v2/fake/types/1',
use_admin_context=False)
req.method = 'PUT'
self.assertEqual(0, len(self.notifier.notifications))
res_dict = self.controller._update(req, '1', body)
self.assertEqual(1, len(self.notifier.notifications))
self._check_test_results(
res_dict, {
'expected_desc': 'vol_type_desc_1_1',
'expected_name': 'vol_type_1_1',
'is_public': False
})
# non policy authorized user fails to update type
mock_policy_enforce.side_effect = (exception.PolicyNotAuthorized(
action='type_update'))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller._update, req, '1', body)
def test_volume_types_delete_with_non_admin(self, mock_policy_enforce,
mock_get, mock_destroy):
# allow policy authorized user to delete type
mock_policy_enforce.return_value = None
mock_get.return_value = \
{'extra_specs': {"key1": "value1"},
'id': 1,
'name': u'vol_type_1',
'description': u'vol_type_desc_1'}
mock_destroy.side_effect = return_volume_types_destroy
req = fakes.HTTPRequest.blank('/v2/fake/types/1',
use_admin_context=False)
self.assertEqual(0, len(self.notifier.notifications))
self.controller._delete(req, 1)
self.assertEqual(1, len(self.notifier.notifications))
# non policy authorized user fails to delete type
mock_policy_enforce.side_effect = (exception.PolicyNotAuthorized(
action='type_delete'))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller._delete, req, 1)
def test_volume_types_delete_with_non_admin(self, mock_policy_authorize,
mock_get, mock_destroy):
# allow policy authorized user to delete type
mock_policy_authorize.return_value = None
mock_get.return_value = \
{'extra_specs': {"key1": "value1"},
'id': DEFAULT_VOLUME_TYPE,
'name': 'vol_type_1',
'description': 'vol_type_desc_%s' % DEFAULT_VOLUME_TYPE}
mock_destroy.side_effect = return_volume_types_destroy
req = fakes.HTTPRequest.blank('/v3/%s/types/%s' %
(fake.PROJECT_ID, DEFAULT_VOLUME_TYPE),
use_admin_context=False)
self.assertEqual(0, len(self.notifier.notifications))
self.controller._delete(req, DEFAULT_VOLUME_TYPE)
self.assertEqual(1, len(self.notifier.notifications))
# non policy authorized user fails to delete type
mock_policy_authorize.side_effect = (
exception.PolicyNotAuthorized(action='type_delete'))
self.assertRaises(exception.PolicyNotAuthorized,
self.controller._delete,
req, DEFAULT_VOLUME_TYPE)
def fake_authorize(context, target=None, action=None):
raise exception.PolicyNotAuthorized(action='index')
