From e8defa6bdd5af85486d0d3acce8956670ca16882 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Fri, 22 Jul 2011 20:41:46 +0000 Subject: fix test_access --- nova/api/ec2/__init__.py | 7 ++++++- nova/auth/manager.py | 9 +++++++++ nova/tests/test_access.py | 19 +++++++++---------- 3 files changed, 24 insertions(+), 11 deletions(-) diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py index 0a743075c..1ea26fdeb 100644 --- a/nova/api/ec2/__init__.py +++ b/nova/api/ec2/__init__.py @@ -156,8 +156,9 @@ class Authenticate(wsgi.Middleware): auth_params.pop('Signature') # Authenticate the request. + authman = manager.AuthManager() try: - (user, project) = manager.AuthManager().authenticate( + (user, project) = authman.authenticate( access, signature, auth_params, @@ -173,9 +174,12 @@ class Authenticate(wsgi.Middleware): remote_address = req.remote_addr if FLAGS.use_forwarded_for: remote_address = req.headers.get('X-Forwarded-For', remote_address) + roles = authman.get_active_roles(user, project) + LOG.warn(roles) ctxt = context.RequestContext(user_id=user.id, project_id=project.id, is_admin=user.is_admin(), + roles=roles, remote_address=remote_address) req.environ['nova.context'] = ctxt uname = user.name @@ -295,6 +299,7 @@ class Authorizer(wsgi.Middleware): def _matches_any_role(self, context, roles): """Return True if any role in roles is allowed in context.""" + LOG.info(context.roles) if context.is_admin: return True if 'all' in roles: diff --git a/nova/auth/manager.py b/nova/auth/manager.py index 06af7e781..7f99d9016 100644 --- a/nova/auth/manager.py +++ b/nova/auth/manager.py 
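Review bot: `LOG.warn(roles)` in the second hunk of nova/api/ec2/__init__.py looks like leftover debugging: it writes each authenticated caller's role list at warning level on every request, with no message text to say what the value is. The same goes for `LOG.info(context.roles)` added to `_matches_any_role` in the third hunk, which fires on every authorization check. I would drop both, or keep a single labelled line at debug level such as `LOG.debug('active roles: %s', roles)`, so the logs stay readable and role data is not emitted by default. Both enclosing methods start and end outside the hunks, so this is based only on the visible lines.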
@@ -518,6 +518,15 @@ class AuthManager(object): return drv.get_user_roles(User.safe_id(user), Project.safe_id(project)) + def get_active_roles(self, user, project=None): + """Get all active roles for context""" + if project: + roles = FLAGS.allowed_roles + roles.append('projectmanager') + else: + roles = FLAGS.global_roles + return [role for role in roles if self.has_role(user, role, project)] + def get_project(self, pid): """Get project object by id""" with self.driver() as drv: diff --git a/nova/tests/test_access.py b/nova/tests/test_access.py index 39558b1cf..3b54fc249 100644 --- a/nova/tests/test_access.py +++ b/nova/tests/test_access.py @@ -16,7 +16,6 @@ # License for the specific language governing permissions and limitations # under the License. -import unittest import webob from nova import context @@ -93,7 +92,11 @@ class AccessTestCase(test.TestCase): super(AccessTestCase, self).tearDown() def response_status(self, user, methodName): - ctxt = context.RequestContext(user.id, self.project.id) + roles = manager.AuthManager().get_active_roles(user, self.project) + ctxt = context.RequestContext(user.id, + self.project.id, + is_admin=user.is_admin(), + roles=roles) environ = self._env_for(ctxt, methodName) req = webob.Request.blank('/', environ) resp = req.get_response(self.mw) 
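Review bot: In `get_active_roles`, `roles = FLAGS.allowed_roles` followed by `roles.append('projectmanager')` appends to the flag's own list rather than to a copy. Assuming the flag hands back its stored list (the flag definition is not visible here), every call with a project adds another 'projectmanager' entry to `FLAGS.allowed_roles`, and any other code that reads the flag to decide which role names are valid sees the modified value. The first hunk's caller runs this on each authenticated EC2 request, so the list would keep growing, and the comprehension would repeat `has_role` for each duplicate and return 'projectmanager' more than once. Build a new list instead, `roles = FLAGS.allowed_roles + ['projectmanager']`, and consider extending the docstring to say that without a project only `FLAGS.global_roles` are checked.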
@@ -105,30 +108,26 @@ class AccessTestCase(test.TestCase): def shouldDeny(self, user, methodName): self.assertEqual(401, self.response_status(user, methodName)) - def test_001_allow_all(self): + def test_allow_all(self): users = [self.testadmin, self.testpmsys, self.testnet, self.testsys] for user in users: self.shouldAllow(user, '_allow_all') - def test_002_allow_none(self): + def test_allow_none(self): self.shouldAllow(self.testadmin, '_allow_none') users = [self.testpmsys, self.testnet, self.testsys] for user in users: self.shouldDeny(user, '_allow_none') - def test_003_allow_project_manager(self): + def test_allow_project_manager(self): for user in [self.testadmin, self.testpmsys]: self.shouldAllow(user, '_allow_project_manager') for user in [self.testnet, self.testsys]: self.shouldDeny(user, '_allow_project_manager') - def test_004_allow_sys_and_net(self): + def test_allow_sys_and_net(self): for user in [self.testadmin, self.testnet, self.testsys]: self.shouldAllow(user, '_allow_sys_and_net') # denied because it doesn't have the per project sysadmin for user in [self.testpmsys]: self.shouldDeny(user, '_allow_sys_and_net') - -if __name__ == "__main__": - # TODO: Implement use_fake as an option - unittest.main() -- cgit