Improve test coverage for flavor_access nova policies
This commit improves test coverage for flavor_access policies, achieving
the the most amount of coverage in Patrole for these policies that is
currently possible.
The base policy "os_compute_api:os-flavor-access" is covered by
4 separate APIs, but currently Patrole only tests 1 one of those
APIs. This commit extends the existing tests to achieve almost
full test coverage, with the exception of this endpoint:
POST /flavors
At present, it is impossible to test os-flavor-access for that
endpoint since it also enforces os-flavor-manage:create
(or os-flavor-manage) both of which require admin.
In addition, this commit fixes test_show_flavor always passing.
While policy enforcement happens in Nova when calling
`self.flavors_client.show_flavor`, no Forbidden exception
is raised following failure. Instead, the attribute
"os-flavor-access:is_public" is injected into the response
body following successful policy enforcement. So Patrole
checks for the attribute and, if not found, raises an
appropriate RbacMalformedResponse exception.
Reference: https://github.com/openstack/nova/blob/master/nova/policies/flavor_access.py
Change-Id: Icaf516f996ec088ce48bbfc768116b2d6994c336
1 file changed