[S-RBAC] Fix policies for the l3_conntrack_helpers APIs

This patch updates l3_conntrack_helpers API policies so that POST, PUT and
DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is
allowed for the PARENT_OWNER_READER.

Additionally this patch fixes unit tests for the api policies for that
APIs so that owner check is done during unit tests and issues like the
one mentioned above can be catched by unit tests.

Closes-bug: #2125660

Change-Id: I1dc6eabbb666e5923d9c18465d10cdf95e472915
Signed-off-by: Slawek Kaplonski <[email protected]>
(cherry picked from commit cb3331e)

Author: slawqo

neutron/conf/policies/l3_conntrack_helper.py

@@ -32,7 +32,7 @@
         name='create_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Create a router conntrack helper',
         operations=[
@@ -51,7 +51,7 @@
         name='get_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_READER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_READER),
         scope_types=['project'],
         description='Get a router conntrack helper',
         operations=[
@@ -74,7 +74,7 @@
         name='update_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Update a router conntrack helper',
         operations=[
@@ -93,7 +93,7 @@
         name='delete_router_conntrack_helper',
         check_str=neutron_policy.policy_or(
             base.ADMIN_OR_PROJECT_MEMBER,
-            base.RULE_PARENT_OWNER),
+            base.PARENT_OWNER_MEMBER),
         scope_types=['project'],
         description='Delete a router conntrack helper',
         operations=[

neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py

@@ -29,18 +29,29 @@ def setUp(self):
         self.router = {
             'id': uuidutils.generate_uuid(),
             'project_id': self.project_id}
+        self.alt_router = {
+            'id': uuidutils.generate_uuid(),
+            'project_id': self.alt_project_id}
+
         self.target = {
             'project_id': self.project_id,
             'router_id': self.router['id'],
             'ext_parent_router_id': self.router['id']}
-
         self.alt_target = {
             'project_id': self.alt_project_id,
-            'router_id': self.router['id'],
-            'ext_parent_router_id': self.router['id']}
+            'router_id': self.alt_router['id'],
+            'ext_parent_router_id': self.alt_router['id']}
+
+        routers = {
+            self.router['id']: self.router,
+            self.alt_router['id']: self.alt_router,
+        }
+
+        def get_router(context, router_id, fields=None):
+            return routers[router_id]
 
         self.plugin_mock = mock.Mock()
-        self.plugin_mock.get_router.return_value = self.router
+        self.plugin_mock.get_router.side_effect = get_router
         mock.patch(
             'neutron_lib.plugins.directory.get_plugin',
             return_value=self.plugin_mock).start()