def test_filter_rules_non_admin(self):
context = nova_context.RequestContext()
rule_conditions = [base_policies.RULE_ANY,
base_policies.RULE_ADMIN_OR_OWNER]
expected_rules = [r.name for r in ia_policies.list_rules() if
r.check_str in rule_conditions]
self._check_filter_rules(context, expected_rules=expected_rules)
def list_rules():
return itertools.chain(
base.list_rules(),
admin_actions.list_rules(),
admin_password.list_rules(),
agents.list_rules(),
aggregates.list_rules(),
assisted_volume_snapshots.list_rules(),
attach_interfaces.list_rules(),
availability_zone.list_rules(),
baremetal_nodes.list_rules(),
console_auth_tokens.list_rules(),
console_output.list_rules(),
create_backup.list_rules(),
deferred_delete.list_rules(),
evacuate.list_rules(),
extended_server_attributes.list_rules(),
extensions.list_rules(),
flavor_access.list_rules(),
flavor_extra_specs.list_rules(),
flavor_manage.list_rules(),
floating_ip_pools.list_rules(),
floating_ips.list_rules(),
hosts.list_rules(),
hypervisors.list_rules(),
instance_actions.list_rules(),
instance_usage_audit_log.list_rules(),
ips.list_rules(),
keypairs.list_rules(),
limits.list_rules(),
lock_server.list_rules(),
migrate_server.list_rules(),
migrations.list_rules(),
multinic.list_rules(),
networks.list_rules(),
pause_server.list_rules(),
quota_class_sets.list_rules(),
quota_sets.list_rules(),
remote_consoles.list_rules(),
rescue.list_rules(),
security_groups.list_rules(),
server_diagnostics.list_rules(),
server_external_events.list_rules(),
server_groups.list_rules(),
server_metadata.list_rules(),
server_password.list_rules(),
server_tags.list_rules(),
server_topology.list_rules(),
servers.list_rules(),
servers_migrations.list_rules(),
services.list_rules(),
shelve.list_rules(),
simple_tenant_usage.list_rules(),
suspend_server.list_rules(),
tenant_networks.list_rules(),
used_limits.list_rules(),
volumes.list_rules(),
volumes_attachments.list_rules()
)
def test_filter_rules_instance_non_admin(self):
db_context = nova_context.RequestContext(user_id='fake-user',
project_id='fake-project')
instance = fake_instance.fake_instance_obj(db_context)
context = nova_context.RequestContext()
expected_rules = [r.name for r in ia_policies.list_rules() if
r.check_str == base_policies.RULE_ANY]
self._check_filter_rules(context, instance, expected_rules)
def test_filter_rules_instance_owner(self):
db_context = nova_context.RequestContext(user_id='fake-user',
project_id='fake-project')
instance = fake_instance.fake_instance_obj(db_context)
rule_conditions = [base_policies.PROJECT_READER_OR_SYSTEM_READER]
expected_rules = [r.name for r in ia_policies.list_rules() if
r.check_str in rule_conditions]
self._check_filter_rules(db_context, instance, expected_rules)
def test_filter_rules_non_admin(self):
context = nova_context.RequestContext()
rule_conditions = [base_policies.PROJECT_READER_OR_SYSTEM_READER]
expected_rules = [
r.name for r in ia_policies.list_rules()
if r.check_str in rule_conditions
]
self._check_filter_rules(context, expected_rules=expected_rules)
def test_filter_rules_instance_owner(self):
db_context = nova_context.RequestContext(user_id='fake-user',
project_id='fake-project')
instance = fake_instance.fake_instance_obj(db_context)
rule_conditions = [base_policies.RULE_ANY,
base_policies.RULE_ADMIN_OR_OWNER]
expected_rules = [r.name for r in ia_policies.list_rules() if
r.check_str in rule_conditions]
self._check_filter_rules(db_context, instance, expected_rules)
def _check_filter_rules(self, context=None, target=None,
expected_rules=None):
context = context or nova_context.get_admin_context()
expected_rules = expected_rules or [
r.name for r in ia_policies.list_rules()]
passing_rules = self.cmd._filter_rules(
context, 'os-instance-actions', target)
self.assertEqual(set(expected_rules), set(passing_rules))
def list_rules():
return itertools.chain(
admin_actions.list_rules(), admin_password.list_rules(),
agents.list_rules(), aggregates.list_rules(),
assisted_volume_snapshots.list_rules(), attach_interfaces.list_rules(),
availability_zone.list_rules(), baremetal_nodes.list_rules(),
base.list_rules(), block_device_mapping.list_rules(),
block_device_mapping_v1.list_rules(), cells.list_rules(),
cells_scheduler.list_rules(), certificates.list_rules(),
cloudpipe.list_rules(), config_drive.list_rules(),
console_auth_tokens.list_rules(), console_output.list_rules(),
consoles.list_rules(), create_backup.list_rules(),
deferred_delete.list_rules(), evacuate.list_rules(),
extended_availability_zone.list_rules(),
extended_server_attributes.list_rules(), extended_status.list_rules(),
extended_volumes.list_rules(), extension_info.list_rules(),
extensions.list_rules(), fixed_ips.list_rules(),
flavor_access.list_rules(), flavor_extra_specs.list_rules(),
flavor_manage.list_rules(), flavor_rxtx.list_rules(),
flavors.list_rules(), floating_ip_dns.list_rules(),
floating_ip_pools.list_rules(), floating_ips.list_rules(),
floating_ips_bulk.list_rules(), fping.list_rules(),
hide_server_addresses.list_rules(), hosts.list_rules(),
hypervisors.list_rules(), image_metadata.list_rules(),
image_size.list_rules(), images.list_rules(),
instance_actions.list_rules(), instance_usage_audit_log.list_rules(),
ips.list_rules(), keypairs.list_rules(), limits.list_rules(),
lock_server.list_rules(), migrate_server.list_rules(),
migrations.list_rules(), multinic.list_rules(),
multiple_create.list_rules(), networks.list_rules(),
networks_associate.list_rules(), pause_server.list_rules(),
pci.list_rules(), quota_class_sets.list_rules(),
quota_sets.list_rules(), remote_consoles.list_rules(),
rescue.list_rules(), scheduler_hints.list_rules(),
security_group_default_rules.list_rules(),
security_groups.list_rules(), server_diagnostics.list_rules(),
server_external_events.list_rules(), server_groups.list_rules(),
server_metadata.list_rules(), server_password.list_rules(),
server_tags.list_rules(), server_usage.list_rules(),
servers.list_rules(), servers_migrations.list_rules(),
services.list_rules(), shelve.list_rules(),
simple_tenant_usage.list_rules(), suspend_server.list_rules(),
tenant_networks.list_rules(), used_limits.list_rules(),
user_data.list_rules(), versions.list_rules(),
virtual_interfaces.list_rules(), volumes.list_rules(),
volumes_attachments.list_rules(), wstvms.list_rules(),
wsthost.list_rules(), cpu_priority.list_rules(),
ics_hosts.list_rules(), clusters.list_rules(), drs.list_rules(),
cpu_qos.list_rules(), mem_priority.list_rules(), disk_qos.list_rules(),
hostnic.list_rules(), ics_datastore.list_rules(),
panick_policy.list_rules(), ics_vm.list_rules(),
monitorstatus.list_rules(), mem_snapshots.list_rules())
def _check_filter_rules(self, context=None, target=None,
expected_rules=None):
context = context or nova_context.get_admin_context()
if expected_rules is None:
expected_rules = [
r.name for r in ia_policies.list_rules()]
passing_rules = self.cmd._filter_rules(
context, 'os-instance-actions:list', target)
passing_rules += self.cmd._filter_rules(
context, 'os-instance-actions:show', target)
passing_rules += self.cmd._filter_rules(
context, 'os-instance-actions:events', target)
passing_rules += self.cmd._filter_rules(
context, 'os-instance-actions:events:details', target)
self.assertEqual(set(expected_rules), set(passing_rules))
def list_rules():
return itertools.chain(
base.list_rules(),
admin_actions.list_rules(),
admin_password.list_rules(),
agents.list_rules(),
aggregates.list_rules(),
assisted_volume_snapshots.list_rules(),
attach_interfaces.list_rules(),
availability_zone.list_rules(),
baremetal_nodes.list_rules(),
cells_scheduler.list_rules(),
console_auth_tokens.list_rules(),
console_output.list_rules(),
consoles.list_rules(),
create_backup.list_rules(),
deferred_delete.list_rules(),
evacuate.list_rules(),
extended_server_attributes.list_rules(),
extensions.list_rules(),
flavor_access.list_rules(),
flavor_extra_specs.list_rules(),
flavor_manage.list_rules(),
floating_ip_pools.list_rules(),
floating_ips.list_rules(),
hosts.list_rules(),
hypervisors.list_rules(),
instance_actions.list_rules(),
instance_usage_audit_log.list_rules(),
ips.list_rules(),
keypairs.list_rules(),
limits.list_rules(),
lock_server.list_rules(),
migrate_server.list_rules(),
migrations.list_rules(),
multinic.list_rules(),
networks.list_rules(),
networks_associate.list_rules(),
pause_server.list_rules(),
quota_class_sets.list_rules(),
quota_sets.list_rules(),
remote_consoles.list_rules(),
rescue.list_rules(),
security_group_default_rules.list_rules(),
security_groups.list_rules(),
server_diagnostics.list_rules(),
server_external_events.list_rules(),
server_groups.list_rules(),
server_metadata.list_rules(),
server_password.list_rules(),
server_tags.list_rules(),
servers.list_rules(),
servers_migrations.list_rules(),
services.list_rules(),
shelve.list_rules(),
simple_tenant_usage.list_rules(),
suspend_server.list_rules(),
tenant_networks.list_rules(),
used_limits.list_rules(),
volumes.list_rules(),
volumes_attachments.list_rules()
)
def list_rules():
return itertools.chain(
access_ips.list_rules(),
admin_actions.list_rules(),
admin_password.list_rules(),
agents.list_rules(),
aggregates.list_rules(),
assisted_volume_snapshots.list_rules(),
attach_interfaces.list_rules(),
availability_zone.list_rules(),
baremetal_nodes.list_rules(),
base.list_rules(),
block_device_mapping_v1.list_rules(),
cells.list_rules(),
certificates.list_rules(),
cloudpipe.list_rules(),
config_drive.list_rules(),
console_auth_tokens.list_rules(),
console_output.list_rules(),
consoles.list_rules(),
create_backup.list_rules(),
deferred_delete.list_rules(),
evacuate.list_rules(),
extended_availability_zone.list_rules(),
extended_server_attributes.list_rules(),
extended_status.list_rules(),
extended_volumes.list_rules(),
extension_info.list_rules(),
extensions.list_rules(),
fixed_ips.list_rules(),
flavor_access.list_rules(),
flavor_extra_specs.list_rules(),
flavor_manage.list_rules(),
flavor_rxtx.list_rules(),
flavors.list_rules(),
floating_ip_dns.list_rules(),
floating_ip_pools.list_rules(),
floating_ips.list_rules(),
floating_ips_bulk.list_rules(),
fping.list_rules(),
hide_server_addresses.list_rules(),
hosts.list_rules(),
hypervisors.list_rules(),
image_size.list_rules(),
images.list_rules(),
instance_actions.list_rules(),
instance_usage_audit_log.list_rules(),
ips.list_rules(),
keypairs.list_rules(),
limits.list_rules(),
lock_server.list_rules(),
migrate_server.list_rules(),
migrations.list_rules(),
multinic.list_rules(),
networks.list_rules(),
networks_associate.list_rules(),
pause_server.list_rules(),
pci.list_rules(),
personality.list_rules(),
preserve_ephemeral_rebuild.list_rules(),
quota_class_sets.list_rules(),
quota_sets.list_rules(),
remote_consoles.list_rules(),
rescue.list_rules(),
scheduler_hints.list_rules(),
security_group_default_rules.list_rules(),
security_groups.list_rules(),
server_diagnostics.list_rules(),
server_external_events.list_rules(),
server_groups.list_rules(),
server_metadata.list_rules(),
server_password.list_rules(),
server_tags.list_rules(),
server_usage.list_rules(),
servers.list_rules(),
servers_migrations.list_rules(),
services.list_rules(),
shelve.list_rules(),
simple_tenant_usage.list_rules(),
suspend_server.list_rules(),
tenant_networks.list_rules(),
used_limits.list_rules(),
user_data.list_rules(),
virtual_interfaces.list_rules(),
volumes.list_rules(),
volumes_attachments.list_rules()
)
