def test_attachment_operations_not_authorized(self, mock_get, mock_synch):
mock_get.return_value = self.attachment1
req = fakes.HTTPRequest.blank('/v3/%s/attachments/%s' %
(fake.PROJECT2_ID, self.attachment1.id),
version=mv.NEW_ATTACH,
use_admin_context=False)
body = {
"attachment": {
"connector": {
'fake_key': 'fake_value',
'host': 'somehost'
},
},
}
rules = {
attachments_policies.UPDATE_POLICY: base_policy.RULE_ADMIN_OR_OWNER
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.addCleanup(policy.reset)
self.assertRaises(exception.NotAuthorized,
self.controller.update,
req,
self.attachment1.id,
body=body)
self.assertRaises(exception.NotAuthorized, self.controller.delete, req,
self.attachment1.id)
def test_delete_image_metadata_policy_not_authorized(self, fake_get):
rules = {
metadata_policy.IMAGE_METADATA_POLICY: base_policy.RULE_ADMIN_API
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.addCleanup(policy.reset)
fake_get.return_value = {}
req = fakes.HTTPRequest.blank('/v2/%s/volumes/%s/action' %
(fake.PROJECT_ID, fake.VOLUME_ID),
use_admin_context=False)
req.method = 'POST'
req.content_type = "application/json"
body = {
"os-unset_image_metadata": {
"metadata": {
"image_name": "fake"
}
}
}
req.body = jsonutils.dump_as_bytes(body)
self.assertRaises(exception.ValidationError,
self.controller.delete,
req,
fake.VOLUME_ID,
body=None)
def test_attachment_create_bootable_multiattach_policy(self):
"""Test attachment_create no connector."""
volume_params = {'status': 'available'}
vref = tests_utils.create_volume(self.context, **volume_params)
vref.multiattach = True
vref.bootable = True
vref.status = 'in-use'
rules = {
attachment_policy.MULTIATTACH_BOOTABLE_VOLUME_POLICY:
base_policy.RULE_ADMIN_API # noqa
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.addCleanup(policy.reset)
self.assertRaises(exception.PolicyNotAuthorized,
self.volume_api.attachment_create, self.user_context,
vref, fake.UUID2)
def test_delete_group_snapshot_policy_not_authorized(self):
group_snapshot = utils.create_group_snapshot(
self.context,
group_id=self.group.id,
status=fields.GroupSnapshotStatus.AVAILABLE)
req = fakes.HTTPRequest.blank('/v3/%s/group_snapshots/%s/' %
(fake.PROJECT_ID, group_snapshot.id),
version=mv.GROUP_SNAPSHOTS,
use_admin_context=False)
rules = {
group_snapshots_policy.DELETE_POLICY: base_policy.RULE_ADMIN_API
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.addCleanup(policy.reset)
self.assertRaises(exception.PolicyNotAuthorized,
self.controller.delete, req, group_snapshot.id)
def test_attachment_create_bootable_multiattach_policy(self):
"""Test attachment_create no connector."""
volume_params = {'status': 'available'}
vref = tests_utils.create_volume(self.context, **volume_params)
vref.multiattach = True
vref.bootable = True
vref.status = 'in-use'
rules = {
attachment_policy.MULTIATTACH_BOOTABLE_VOLUME_POLICY: base_policy.RULE_ADMIN_API # noqa
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.addCleanup(policy.reset)
self.assertRaises(exception.PolicyNotAuthorized,
self.volume_api.attachment_create,
self.user_context,
vref,
fake.UUID2)
def test_delete_image_metadata_policy_not_authorized(self, fake_get):
rules = {
metadata_policy.IMAGE_METADATA_POLICY: base_policy.RULE_ADMIN_API
}
policy.set_rules(oslo_policy.Rules.from_dict(rules))
self.addCleanup(policy.reset)
fake_get.return_value = {}
req = fakes.HTTPRequest.blank('/v2/%s/volumes/%s/action' % (
fake.PROJECT_ID, fake.VOLUME_ID), use_admin_context=False)
req.method = 'POST'
req.content_type = "application/json"
body = {"os-unset_image_metadata": {
"metadata": {"image_name": "fake"}}
}
req.body = jsonutils.dump_as_bytes(body)
self.assertRaises(exception.ValidationError,
self.controller.delete, req, fake.VOLUME_ID,
body=None)
def set_rules(self, rules, overwrite=True):
policy = cinder.policy._ENFORCER
policy.set_rules(oslo_policy.Rules.from_dict(rules),
overwrite=overwrite)
