Attempt to slim down protection test base class

This commit builds on an attempt to introduce a base class that we can use for protection testing. I'm removing the majority of the fake tokens and context objects, ultimately removing anything that keystonemiddleware_authtoken middleware does. Doing this allows us to set authorization headers directly in the test, which makes the test case really clear from an input and outcome perspective because we can see who is make the request and the intended outcome. It also removes any need to mock or understand keystonemiddleware implementation details to implement protection testing in ironic. Change-Id: I9a3eb62bb41e0623df9aa5c34fde6f343053dd76
2021-01-13 22:30:27 +00:00 · 2021-01-13 22:30:27 +00:00 · c7f24e8ceb
commit c7f24e8ceb
parent 36d819e2fb
2 changed files with 15 additions and 63 deletions
--- a/ironic/tests/unit/api/test_acl.py
+++ b/ironic/tests/unit/api/test_acl.py
@ -18,39 +18,14 @@ are blocked or allowed to be processed.

 import abc
 from unittest import mock
-import uuid

 import ddt
-from keystoneauth1.fixture import v3 as v3_token
 from keystonemiddleware import auth_token
 from oslo_config import cfg
-from oslo_context import context as oslo_context

 from ironic.tests.unit.api import base
 from ironic.tests.unit.db import utils as db_utils

-cfg.CONF.import_opt('cache', 'keystonemiddleware.auth_token',
-                    group='keystone_authtoken')
-
-
-ADMIN_TOKEN = uuid.uuid4().hex
-MEMBER_TOKEN = uuid.uuid4().hex
-
-admin_context = oslo_context.RequestContext(
-    user_id=ADMIN_TOKEN,
-    roles=['admin', 'member', 'reader'],
-)
-
-member_context = oslo_context.RequestContext(
-    user_id=MEMBER_TOKEN,
-    roles=['member', 'reader'],
-)
-
-USERS = {
-    ADMIN_TOKEN: admin_context.to_dict(),
-    MEMBER_TOKEN: member_context.to_dict(),
-}
-

 class TestACLBase(base.BaseApiTest):

@ -83,31 +58,13 @@ class TestACLBase(base.BaseApiTest):
        if kwargs.get('skip'):
            self.skipTest(kwargs.get('skip_reason', 'Not implemented'))

-    def _fake_process_request(self, request, meow):
-        if self.fake_token:
-            request.user_token_valid = True
-            request.user_token = True
-            # is this right?!?
-            request.token_info = self.fake_token
-            request.auth_token = v3_token.Token(
-                user_id=self.fake_token['user'])
-        else:
-            # Because of this, the user will always get a 403 in testing, even
-            # if the API would normally return a 401 if a token is valid
-            request.user_token_valid = False
+    def _fake_process_request(self, request, auth_token_request):
+        pass

    def _test_request(self, path, params=None, headers=None, method='get',
                      assert_status=None, assert_dict_contains=None):
        path = path.format(**self.format_data)
        self.mock_auth.side_effect = self._fake_process_request
-        if headers:
-            auth_token = headers.get('X-Auth-Token')
-            if auth_token:
-                auth_token = self.format_data[auth_token]
-                headers['X-Auth-Token'] = auth_token
-                self.fake_token = USERS[auth_token]
-                headers['X_ROLES'] = ','.join(USERS[auth_token]['roles'])
-                self.mock_auth.side_effect = self._fake_process_request

        if method == 'get':
            response = self.get_json(
@ -141,8 +98,6 @@ class TestRBACBasic(TestACLBase):
    def _create_test_data(self):
        fake_db_node = db_utils.create_test_node(chassis_id=None)
        self.format_data['node_uuid'] = fake_db_node['uuid']
-        self.format_data['admin_token'] = ADMIN_TOKEN
-        self.format_data['member_token'] = MEMBER_TOKEN

    @ddt.file_data('test_acl_basic.yaml')
    @ddt.unpack
--- a/ironic/tests/unit/api/test_acl_basic.yaml
+++ b/ironic/tests/unit/api/test_acl_basic.yaml
@ -1,31 +1,28 @@
 values:
  skip_reason: For value storage
-  admin_headers: &admin_headers
-    X-Auth-Token: 'admin_token'
-  member_headers: &member_headers
-    X-Auth-Token: 'member_token'
+  project_admin_headers: &project_admin_headers
+    X-Auth-Token: project-admin-token
+    X-Roles: admin,member,reader
+    X-Project-Id: 66140b35c7524c6da836ca834e3fd3f9
+  project_member_headers: &project_member_headers
+    X-Auth-Token: project-member-token
+    X-Roles: member,reader
+    X-Project-Id: 66140b35c7524c6da836ca834e3fd3f9

-non_authenticated:
+unauthenticated_user_cannot_get_node:
  path: &node_path '/v1/nodes/{node_uuid}'
  assert_status: 403

-authenticated:
+project_admin_can_get_node:
  path: *node_path
-  headers: *admin_headers
+  headers: *project_admin_headers
  assert_dict_contains:
    uuid: '{node_uuid}'
    driver: 'fake-hardware'

-non_admin:
+project_member_cannot_get_node:
  path: *node_path
-  headers: *member_headers
-  assert_status: 403
-
-non_admin_with_admin_header:
-  path: *node_path
-  headers:
-    X-Auth-Token: 'member_token'
-    X-Roles: admin
+  headers: *project_member_headers
  assert_status: 403

 public_api: