Re: [PR] Fix being able to expunge a VM through destroyVirtualMachine even when role rule does not allow [cloudstack]

Mon, 25 Mar 2024 10:34:54 -0700 


gpordeus commented on code in PR #8689:
URL: https://github.com/apache/cloudstack/pull/8689#discussion_r1537971268


##########
test/integration/smoke/test_vm_life_cycle.py:
##########
@@ -955,6 +956,92 @@ def test_12_start_vm_multiple_volumes_allocated(self):
             "Check virtual machine is in running state"
         )
 
+    @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], 
required_hardware="false")
+    def test_13_destroy_and_expunge_vm(self):
+        """Test destroy virtual machine with expunge parameter depending on 
whether the caller's role has expunge permission.
+        """
+        # Setup steps:
+        # 1. Create role with DENY expunge permission.
+        # 2. Create account with said role.
+        # 3. Create a VM of said account.
+        # 4. Create a VM of cls.account
+        # Validation steps:
+        # 1. Destroy the VM with the created account and verify it was not 
destroyed.
+        # 1. Destroy the other VM with cls.account and verify it was expunged.
+
+        role = Role.importRole(
+            self.apiclient,
+            {
+                "name": "MarvinFake Import Role ",
+                "type": "DomainAdmin",
+                "description": "Fake Import Domain Admin Role created by 
Marvin test",
+                "rules" : [{"rule":"list*", 
"permission":"allow","description":"Listing apis"},
+                           {"rule":"get*", 
"permission":"allow","description":"Get apis"},
+                           {"rule":"update*", 
"permission":"allow","description":"Update apis"},
+                           {"rule":"queryAsyncJobResult", 
"permission":"allow","description":"Query async job result"},
+                           {"rule":"deployVirtualMachine", 
"permission":"allow","description":"Deploy virtual machine"},
+                           {"rule":"destroyVirtualMachine", 
"permission":"allow","description":"Destroy virtual machine"},
+                           {"rule":"expungeVirtualMachine", 
"permission":"deny","description":"Expunge virtual machine"}]
+            },
+        )
+
+        domadm = Account.create(
+            self.apiclient,
+            self.services["account"],
+            admin=True,
+            roleid=role.id,
+            domainid=self.domain.id
+        )
+
+        self.cleanup.append(domadm)
+        self.cleanup.append(role)

Review Comment:
   @DaanHoogland Yes, of course, you're right.
   
   I've added the comments and changed the testDeployVM tearDown/tearDownClass 
since it didn't have any cleanup order issues and it is the first test class 
one sees in the file.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to