From c7f24e8ceb9b49ed0fcdc94353240f5c1cfa65e2 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 13 Jan 2021 22:30:27 +0000
Subject: [PATCH] Attempt to slim down protection test base class
This commit builds on an attempt to introduce a base class that we can use for protection testing. I'm removing the majority of the fake tokens and context objects, ultimately removing anything that keystonemiddleware_authtoken middleware does. Doing this allows us to set authorization headers directly in the test, which makes the test case really clear from an input and outcome perspective because we can see who is make the request and the intended outcome. It also removes any need to mock or understand keystonemiddleware implementation details to implement protection testing in ironic.
Change-Id: I9a3eb62bb41e0623df9aa5c34fde6f343053dd76
---
 ironic/tests/unit/api/test_acl.py | 49 +----------------------
 ironic/tests/unit/api/test_acl_basic.yaml | 29 ++++++--------
 2 files changed, 15 insertions(+), 63 deletions(-)
diff --git a/ironic/tests/unit/api/test_acl.py b/ironic/tests/unit/api/test_acl.py
index a312771194..aa9a74019c 100644
--- a/ironic/tests/unit/api/test_acl.py
+++ b/ironic/tests/unit/api/test_acl.py
@@ -18,39 +18,14 @@ are blocked or allowed to be processed.
 import abc
 from unittest import mock
-import uuid
 import ddt
-from keystoneauth1.fixture import v3 as v3_token
 from keystonemiddleware import auth_token
 from oslo_config import cfg
-from oslo_context import context as oslo_context
 from ironic.tests.unit.api import base
 from ironic.tests.unit.db import utils as db_utils
-cfg.CONF.import_opt('cache', 'keystonemiddleware.auth_token',
- group='keystone_authtoken')
-
-
-ADMIN_TOKEN = uuid.uuid4().hex
-MEMBER_TOKEN = uuid.uuid4().hex
-
-admin_context = oslo_context.RequestContext(
- user_id=ADMIN_TOKEN,
- roles=['admin', 'member', 'reader'],
-)
-
-member_context = oslo_context.RequestContext(
- user_id=MEMBER_TOKEN,
- roles=['member', 'reader'],
-)
-
-USERS = {
- ADMIN_TOKEN: admin_context.to_dict(),
- MEMBER_TOKEN: member_context.to_dict(),
-}
-
 class TestACLBase(base.BaseApiTest):
@@ -83,31 +58,13 @@ class TestACLBase(base.BaseApiTest):
 if kwargs.get('skip'):
 self.skipTest(kwargs.get('skip_reason', 'Not implemented'))
- def _fake_process_request(self, request, meow):
- if self.fake_token:
- request.user_token_valid = True
- request.user_token = True
- # is this right?!?
- request.token_info = self.fake_token
- request.auth_token = v3_token.Token(
- user_id=self.fake_token['user'])
- else:
- # Because of this, the user will always get a 403 in testing, even
- # if the API would normally return a 401 if a token is valid
- request.user_token_valid = False
+ def _fake_process_request(self, request, auth_token_request):
+ pass
 def _test_request(self, path, params=None, headers=None, method='get', assert_status=None, assert_dict_contains=None):
 path = path.format(**self.format_data)
 self.mock_auth.side_effect = self._fake_process_request
- if headers:
- auth_token = headers.get('X-Auth-Token')
- if auth_token:
- auth_token = self.format_data[auth_token]
- headers['X-Auth-Token'] = auth_token
- self.fake_token = USERS[auth_token]
- headers['X_ROLES'] = ','.join(USERS[auth_token]['roles'])
- self.mock_auth.side_effect = self._fake_process_request
 if method == 'get':
 response = self.get_json(
@@ -141,8 +98,6 @@ class TestRBACBasic(TestACLBase):
 def _create_test_data(self):
 fake_db_node = db_utils.create_test_node(chassis_id=None)
 self.format_data['node_uuid'] = fake_db_node['uuid']
- self.format_data['admin_token'] = ADMIN_TOKEN
- self.format_data['member_token'] = MEMBER_TOKEN
 @ddt.file_data('test_acl_basic.yaml')
 @ddt.unpack
diff --git a/ironic/tests/unit/api/test_acl_basic.yaml b/ironic/tests/unit/api/test_acl_basic.yaml
index 08741c4491..52be09d8e2 100644
--- a/ironic/tests/unit/api/test_acl_basic.yaml
+++ b/ironic/tests/unit/api/test_acl_basic.yaml
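Review bot: The new `_fake_process_request` stub in test_acl.py is a bare `pass` with no docstring, and the comment it replaces was the only explanation of why an unauthenticated request gets 403 rather than 401 in this suite. With the auth_token hook reduced to a no-op, whatever identity headers a test case sends appear to reach the policy layer unvalidated; that is a deliberate test shortcut, but a later reader could mistake it for how the deployed API behaves. I would add a docstring such as `"""No-op stand-in for token validation; headers in the test data are treated as already-validated identity."""` and keep a one-line comment recording the 403-for-unauthenticated behaviour. `_test_request` continues past the end of this hunk, so how `headers` is forwarded to the request is not visible here.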
@@ -1,31 +1,28 @@
 values:
 skip_reason: For value storage
- admin_headers: &admin_headers
- X-Auth-Token: 'admin_token'
- member_headers: &member_headers
- X-Auth-Token: 'member_token'
+ project_admin_headers: &project_admin_headers
+ X-Auth-Token: project-admin-token
+ X-Roles: admin,member,reader
+ X-Project-Id: 66140b35c7524c6da836ca834e3fd3f9
+ project_member_headers: &project_member_headers
+ X-Auth-Token: project-member-token
+ X-Roles: member,reader
+ X-Project-Id: 66140b35c7524c6da836ca834e3fd3f9
-non_authenticated:
+unauthenticated_user_cannot_get_node:
 path: &node_path '/v1/nodes/{node_uuid}'
 assert_status: 403
-authenticated:
+project_admin_can_get_node:
 path: *node_path
- headers: *admin_headers
+ headers: *project_admin_headers
 assert_dict_contains:
 uuid: '{node_uuid}'
 driver: 'fake-hardware'
-non_admin:
+project_member_cannot_get_node:
 path: *node_path
- headers: *member_headers
- assert_status: 403
-
-non_admin_with_admin_header:
- path: *node_path
- headers:
- X-Auth-Token: 'member_token'
- X-Roles: admin
+ headers: *project_member_headers
 assert_status: 403
 public_api:
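Review bot: Deleting `non_admin_with_admin_header` removes the only case in this hunk that checked a member token could not gain access by sending `X-Roles: admin` itself. Because the fixtures now carry `X-Roles` and `X-Project-Id` directly, the suite treats those headers as the caller's identity and can no longer tell a forged role header from a validated one. If rejecting client-supplied identity headers is left to keystonemiddleware, a comment under `values:` saying so, for example `# Headers below stand in for what auth_token sets after validating a token`, would make that trust boundary explicit. The spoofed-header case should then stay covered by a test that runs with the real middleware rather than disappear.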