)]}'
{"neutron/tests/unit/conf/policies/test_agent.py":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"341d5b46edb45d37d3b3f0f6281cdc3e0b400317","unresolved":true,"context_lines":[{"line_number":28,"context_line":"        self.project_id \u003d uuidutils.generate_uuid()"},{"line_number":29,"context_line":"        self.target \u003d {}"},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"        self.admin_context \u003d context.get_admin_context()"},{"line_number":32,"context_line":"        self.admin_context.roles \u003d [\u0027admin\u0027]"},{"line_number":33,"context_line":"        self.admin_context.system_scope \u003d \u0027all\u0027"},{"line_number":34,"context_line":"        self.admin_reader_context \u003d context.get_admin_context()"}],"source_content_type":"text/x-python","patch_set":1,"id":"16e340b5_bee6c30b","line":31,"range":{"start_line":31,"start_character":37,"end_line":31,"end_character":54},"updated":"2021-02-01 20:07:46.000000000","message":"The different scope types kind of highlight the issues in defining `is_admin` as a valid way to escalate privileges. 
For example, we can now have project administrators, domain administrators, and system administrators and they may or may not be able to do the same things.\n\nI\u0027d recommend building context objects to be more representative of the tokens we\u0027re modeling.\n\n  self.system_admin_context \u003d context.Context(\n      user\u003dfake_user_id,\n      roles\u003d[\u0027admin\u0027, \u0027member\u0027, \u0027reader\u0027],\n      system_scope\u003d\u0027all\u0027\n  )\n  self.system_member_context \u003d context.Context(\n      user\u003dfake_user_id,\n      roles\u003d[\u0027member\u0027, \u0027reader\u0027],\n      system_scope\u003d\u0027all\u0027\n  )\n  self.system_reader_context \u003d context.Context(\n      user\u003dfake_user_id,\n      roles\u003d[\u0027reader\u0027],\n      system_scope\u003d\u0027all\u0027\n  )\n\n\nWe can take the same approach with project personas:\n\n  self.project_admin_context \u003d context.Context(\n      user\u003dfake_user_id,\n      roles\u003d[\u0027admin\u0027, \u0027member\u0027, \u0027reader\u0027],\n      project_id\u003dself.project_id\n  )\n  self.project_member_context \u003d context.Context(\n      user\u003dfake_user_id,\n      roles\u003d[\u0027member\u0027, \u0027reader\u0027],\n      project_id\u003dself.project_id\n  )\n  self.project_reader_context \u003d context.Context(\n      user\u003dfake_user_id,\n      roles\u003d[\u0027reader\u0027],\n      project_id\u003dself.project_id\n  )\n\nI\u0027ve modified the above roles to include a list, which is representative of what will happen if you get a token from keystone, process it with keystonemiddleware, and then create a context object from the request environment.\n\n[0] https://opendev.org/openstack/neutron-lib/src/commit/8c626fe039a5c32e26710b8e8b6d53a4ac6a11b7/neutron_lib/context.py","commit_id":"4577791cc6bbb12592845f3d861c1ca1ff23e24f"},{"author":{"_account_id":5046,"name":"Lance 
Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"341d5b46edb45d37d3b3f0f6281cdc3e0b400317","unresolved":true,"context_lines":[{"line_number":47,"context_line":"            policy.enforce(self.admin_context, \"get_agent\", self.target))"},{"line_number":48,"context_line":"        self.assertTrue("},{"line_number":49,"context_line":"            policy.enforce(self.admin_reader_context,"},{"line_number":50,"context_line":"                           \"get_agent\", self.target))"},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"    def test_project_users_can_not_get_agent(self):"},{"line_number":53,"context_line":"        self.assertRaises("}],"source_content_type":"text/x-python","patch_set":1,"id":"e0448ef5_1f1a95e1","line":50,"updated":"2021-02-01 20:07:46.000000000","message":"This testing approach will work fine for exercising situations that don\u0027t require modified API code. For example, if neutron\u0027s API filters ports by project ID, then a more comprehensive test might be a functional API test.","commit_id":"4577791cc6bbb12592845f3d861c1ca1ff23e24f"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"bd3f02721dcc7224a147e10762054638d6b44f4d","unresolved":true,"context_lines":[{"line_number":27,"context_line":""},{"line_number":28,"context_line":"    def test_system_admin_can_get_agent(self):"},{"line_number":29,"context_line":"        self.assertTrue("},{"line_number":30,"context_line":"            policy.enforce(self.system_admin_ctx, \"get_agent\", self.target))"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"    def test_system_member_can_get_agent(self):"},{"line_number":33,"context_line":"        self.assertTrue("}],"source_content_type":"text/x-python","patch_set":3,"id":"809b0e1b_468818ec","line":30,"updated":"2021-03-18 01:48:28.000000000","message":"This might be a naive question, but 
does neutron have any code elsewhere in the API that handles authorization outcomes? \n\nFor example, a project user only expects to see networks accessible to their project when they list networks. How much of that behavior is driven by the oslo.policy engine and policies themselves?\n\nI know neutron-lib has some database-layer scoping logic based on the context object, but is that it?","commit_id":"72ebc659c9f91007e72a3b504ff64c62a4925a69"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a7829dead5b2114d2f15bd813d4cd92f68d5a150","unresolved":true,"context_lines":[{"line_number":89,"context_line":"                           \"get_l3-agents\", self.target))"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"class SystemMemberTests(AgentAPITestCase):"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"    def setUp(self):"},{"line_number":95,"context_line":"        super(SystemMemberTests, self).setUp()"}],"source_content_type":"text/x-python","patch_set":11,"id":"ad594050_e8aca139","line":92,"range":{"start_line":92,"start_character":24,"end_line":92,"end_character":40},"updated":"2021-04-05 18:40:35.000000000","message":"nit: Several tests below are exactly the same as some of the tests above, since system-members and system-readers are allowed to do the same things system-admins can do.\n\nWe can reduce some of the duplication by inheriting the SystemAdminTests and then overriding only the tests that will fail because the persona won\u0027t be authorized (e.g., test_delete_agent).","commit_id":"2c7f325db697662bd77cc02509eb921ed7535a06"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"f765c6e6bc4ad2146ea9061a5fb9151bd0567974","unresolved":false,"context_lines":[{"line_number":89,"context_line":"                           
\"get_l3-agents\", self.target))"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"class SystemMemberTests(AgentAPITestCase):"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":"    def setUp(self):"},{"line_number":95,"context_line":"        super(SystemMemberTests, self).setUp()"}],"source_content_type":"text/x-python","patch_set":11,"id":"7594ba00_bb888a69","line":92,"range":{"start_line":92,"start_character":24,"end_line":92,"end_character":40},"in_reply_to":"ad594050_e8aca139","updated":"2021-04-12 15:05:06.000000000","message":"Done","commit_id":"2c7f325db697662bd77cc02509eb921ed7535a06"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"a7829dead5b2114d2f15bd813d4cd92f68d5a150","unresolved":true,"context_lines":[{"line_number":236,"context_line":"            self.context, \"get_l3-agents\", self.target)"},{"line_number":237,"context_line":""},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"class ProjectMemberTests(ProjectAdminTests):"},{"line_number":240,"context_line":""},{"line_number":241,"context_line":"    def setUp(self):"},{"line_number":242,"context_line":"        super(ProjectMemberTests, self).setUp()"}],"source_content_type":"text/x-python","patch_set":11,"id":"f5ea7cdb_614e44c8","line":239,"range":{"start_line":239,"start_character":25,"end_line":239,"end_character":42},"updated":"2021-04-05 18:40:35.000000000","message":"++","commit_id":"2c7f325db697662bd77cc02509eb921ed7535a06"}]}
