From 4974d965c324df1f3d472b047dd97da32fd6e389 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Tue, 27 Aug 2024 22:03:45 -0700
Subject: [PATCH] Update horizon tests to use the RBAC new roles
Horizon openstack dashboard rest API unit tests only pass the project_id to oslo.policy to vrify the service policy rule RBAC. This was passing till now as services allow 'owner' (which only check project_id) to pass the policy checks. As per new RBAC, project_id is not enough and proper role should be passed. For example 'owner' means in new RBAC is either 'member' or 'reader' role with project_id. oslo.policy 4.4.0 enable the new RBAC by default - https://review.opendev.org/c/openstack/releases/+/925032 and requirement change to use the oslo.policy 4.4.0 in upper-constraints is blocked with the horizon failure - https://review.opendev.org/c/openstack/requirements/+/925464 This commit fixes the test to use the right role along with the project_id so that policy rules can be checked correctly.
Needed-By: https://review.opendev.org/c/openstack/requirements/+/925464
Change-Id: I840996fd2635bca853da02c630a7ab3761576821
---
 openstack_auth/policy.py | 10 ++++++++++
 openstack_dashboard/test/helpers.py | 8 +++++++-
 openstack_dashboard/test/unit/api/rest/test_policy.py | 4 ++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 2b43ef3a51..74ca0aabb2 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -199,11 +199,21 @@ def check(actions, request, target=None):
 # the service APIs will correct us if we are too permissive.
 if target.get('project_id') is None:
 target['project_id'] = user.project_id
+ # (gmann): Keystone use some of the policy rule as
+ # 'target.project.id' so we need to set the project.id
+ # attribute also.
+ if target.get('project.id') is None:
+ target['project.id'] = user.project_id
 if target.get('tenant_id') is None:
 target['tenant_id'] = target['project_id']
 # same for user_id
 if target.get('user_id') is None:
 target['user_id'] = user.id
+ # (gmann): Keystone use some of the policy rule as
+ # 'target.user.id' so we need to set the user.id
+ # attribute also.
+ if target.get('user.id') is None:
+ target['user.id'] = user.id
 domain_id_keys = [
 'domain_id',
diff --git a/openstack_dashboard/test/helpers.py b/openstack_dashboard/test/helpers.py
index 9fcc49ff45..f6b67539bb 100644
--- a/openstack_dashboard/test/helpers.py
+++ b/openstack_dashboard/test/helpers.py
@@ -236,7 +236,9 @@ class TestCase(horizon_helpers.TestCase):
 'user_domain_name': self.domain.name,
 'tenant_id': self.tenant.id,
 'service_catalog': self.service_catalog,
- 'authorized_tenants': tenants
+ 'authorized_tenants': tenants,
+ 'roles': [{'id': '2', 'name': 'member'},
+ {'id': '3', 'name': 'reader'}]
 }
 base_kwargs.update(kwargs)
 self.setActiveUser(**base_kwargs)
@@ -462,6 +464,8 @@ class BaseAdminViewTests(TestCase):
 def setActiveUser(self, *args, **kwargs):
 if "roles" not in kwargs:
 kwargs['roles'] = [self.roles.admin._info]
+ else:
+ kwargs['roles'].append(self.roles.admin._info)
 super().setActiveUser(*args, **kwargs)
 def setSessionValues(self, **kwargs):
@@ -556,6 +560,8 @@ class SeleniumAdminTestCase(SeleniumTestCase):
 def setActiveUser(self, *args, **kwargs):
 if "roles" not in kwargs:
 kwargs['roles'] = [self.roles.admin._info]
+ else:
+ kwargs['roles'].append(self.roles.admin._info)
 super().setActiveUser(*args, **kwargs)
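Review bot: In `check()` in openstack_auth/policy.py, the new `project.id` default is taken from `user.project_id` even when the caller supplied a different `project_id`, so the two keys can disagree and a rule written against `target.project.id` would be evaluated against the user's own project rather than the real target. The neighbouring `tenant_id` default already mirrors `target['project_id']`; doing the same here, `target['project.id'] = target['project_id']` and likewise `target['user.id'] = target['user_id']`, keeps every alias pointing at one value. The context comment says the service APIs correct an over-permissive answer, so the effect is presumably limited to what the dashboard shows, but that assumption is worth stating in the new comment. The body of `check()` starts and ends outside the hunk.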
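Review bot: The default `roles` entry added to the base test user in openstack_dashboard/test/helpers.py grants both `member` and `reader` to every test, so no test relying on this default can show that a rule requiring `member` rejects a reader-only user. The dicts are also hand-written with ids `'2'` and `'3'`, while the admin test classes further down take their role from the test data (`self.roles.admin._info`); if the test data defines these roles too, reusing it would avoid drift. At minimum a comment above the entry would help, e.g. `# Default to member + reader so 'owner'-style rules pass under the new RBAC defaults; pass roles= to test a narrower user.` The enclosing method starts outside the hunk.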
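Review bot: In `BaseAdminViewTests.setActiveUser`, `kwargs['roles'].append(...)` mutates the list object the caller passed in, so a test that hands over a shared or fixture-owned roles list would leave the admin role in it for whatever uses that list next, and a later non-admin test could then pass a policy check it should fail. Building a new list avoids that: `kwargs['roles'] = [*kwargs['roles'], self.roles.admin._info]`. The append also adds a second admin entry when the caller already included one. The same two lines are added to `SeleniumAdminTestCase.setActiveUser` in the next hunk and deserve the same change.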
diff --git a/openstack_dashboard/test/unit/api/rest/test_policy.py b/openstack_dashboard/test/unit/api/rest/test_policy.py
index eb5b678742..bd70682556 100644
--- a/openstack_dashboard/test/unit/api/rest/test_policy.py
+++ b/openstack_dashboard/test/unit/api/rest/test_policy.py
@@ -86,6 +86,10 @@ class AdminPolicyRestTestCase(test.BaseAdminViewTests):
 super().setUp()
 mock.patch('horizon.utils.http.is_ajax', return_value=True).start()
+ def _setup_user(self, **kwargs):
+ kwargs.update({'roles': [{'name': 'admin'}]})
+ super()._setup_user(**kwargs)
+
 @override_settings(POLICY_CHECK_FUNCTION='openstack_auth.policy.check')
 def test_rule_with_target(self):
 body = json.dumps(
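Review bot: `_setup_user` in `AdminPolicyRestTestCase` replaces any `roles` a caller passed, because `kwargs.update({'roles': ...})` overwrites the key, and nothing says that dropping the default member/reader roles is intended. The `{'name': 'admin'}` entry carries no `id`, unlike the role dicts added in helpers.py, and since `BaseAdminViewTests.setActiveUser` now appends `self.roles.admin._info` whenever `roles` is present, the user presumably ends up with two admin entries. A short comment such as `# Admin only: replace the default member/reader roles so the admin rule alone decides.` together with the plainer `kwargs['roles'] = [{'name': 'admin'}]` would make the intent explicit.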