Add test coverage of volumes policies

gmaanos · gmaanos · commit 136fc7a93671 · 2020-07-23T20:14:57.000-05:00
Current tests do not have good test coverage of existing policies.
Either tests for policies do not exist or if they exist then they
do not cover the actual negative and positive testing.

To adopt the keystone's scope_type and new defaults in deprecated
API policies, we need to first write test coverage for the same to
know the complete effect of policies changes.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

Change-Id: Id456ec736e22361362afb33c4254b20bfd7671aa
diff --git a/nova/tests/unit/policies/test_volumes.py b/nova/tests/unit/policies/test_volumes.py
@@ -312,3 +312,140 @@ def setUp(self):
             self.project_foo_context,
             self.other_project_member_context
         ]
+
+
+class VolumesPolicyTest(base.BasePolicyTest):
+    """Test Volumes APIs policies with all possible context.
+
+    This class defines the set of context with different roles
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will call the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(VolumesPolicyTest, self).setUp()
+        self.controller = volumes_v21.VolumeController()
+        self.snapshot_ctlr = volumes_v21.SnapshotController()
+        self.req = fakes.HTTPRequest.blank('')
+        self.controller._translate_volume_summary_view = mock.MagicMock()
+        # Check that everyone is able to perform crud operations
+        # on volume and volume snapshots.
+        # NOTE: Nova cannot verify the volume/snapshot owner during nova policy
+        # enforcement so will be passing context's project_id as target to
+        # policy and always pass. If requester is not admin or owner
+        # of volume/snapshot then cinder will be returning the appropriate
+        # error.
+        self.everyone_authorized_contexts = [
+            self.legacy_admin_context, self.system_admin_context,
+            self.project_admin_context, self.project_member_context,
+            self.project_reader_context, self.project_foo_context,
+            self.other_project_reader_context,
+            self.system_member_context, self.system_reader_context,
+            self.system_foo_context,
+            self.other_project_member_context
+        ]
+        self.everyone_unauthorized_contexts = []
+
+    @mock.patch('nova.volume.cinder.API.get_all')
+    def test_list_volumes_policy(self, mock_get):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.controller.index,
+                                 self.req)
+
+    @mock.patch('nova.volume.cinder.API.get_all')
+    def test_list_detail_volumes_policy(self, mock_get):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.controller.detail,
+                                 self.req)
+
+    @mock.patch('nova.volume.cinder.API.get')
+    def test_show_volume_policy(self, mock_get):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.controller.show,
+                                 self.req, uuids.fake_id)
+
+    @mock.patch('nova.api.openstack.compute.volumes.'
+        '_translate_volume_detail_view')
+    @mock.patch('nova.volume.cinder.API.create')
+    def test_create_volumes_policy(self, mock_create, mock_view):
+        rule_name = "os_compute_api:os-volumes"
+        body = {"volume": {"size": 100,
+               "display_name": "Volume Test Name",
+               "display_description": "Volume Test Desc",
+               "availability_zone": "zone1:host1"}}
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.controller.create,
+                                 self.req, body=body)
+
+    @mock.patch('nova.volume.cinder.API.delete')
+    def test_delete_volume_policy(self, mock_delete):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.controller.delete,
+                                 self.req, uuids.fake_id)
+
+    @mock.patch('nova.volume.cinder.API.get_all_snapshots')
+    def test_list_snapshots_policy(self, mock_get):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.snapshot_ctlr.index,
+                                 self.req)
+
+    @mock.patch('nova.volume.cinder.API.get_all_snapshots')
+    def test_list_detail_snapshots_policy(self, mock_get):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.snapshot_ctlr.detail,
+                                 self.req)
+
+    @mock.patch('nova.volume.cinder.API.get_snapshot')
+    def test_show_snapshot_policy(self, mock_get):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.snapshot_ctlr.show,
+                                 self.req, uuids.fake_id)
+
+    @mock.patch('nova.volume.cinder.API.create_snapshot')
+    def test_create_snapshot_policy(self, mock_create):
+        rule_name = "os_compute_api:os-volumes"
+        body = {"snapshot": {"volume_id": uuids.fake_id}}
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.snapshot_ctlr.create,
+                                 self.req, body=body)
+
+    @mock.patch('nova.volume.cinder.API.delete_snapshot')
+    def test_delete_snapshot_policy(self, mock_delete):
+        rule_name = "os_compute_api:os-volumes"
+        self.common_policy_check(self.everyone_authorized_contexts,
+                                 self.everyone_unauthorized_contexts,
+                                 rule_name, self.snapshot_ctlr.delete,
+                                 self.req, uuids.fake_id)
+
+
+class VolumesScopeTypePolicyTest(VolumesPolicyTest):
+    """Test Volumes APIs policies with system scope enabled.
+
+    This class set the nova.conf [oslo_policy] enforce_scope to True
+    so that we can switch on the scope checking on oslo policy side.
+    It defines the set of context with scoped token
+    which are allowed and not allowed to pass the policy checks.
+    With those set of context, it will run the API operation and
+    verify the expected behaviour.
+    """
+
+    def setUp(self):
+        super(VolumesScopeTypePolicyTest, self).setUp()
+        self.flags(enforce_scope=True, group="oslo_policy")
