diff --git a/nexus/src/authz/policy_test/resources.rs b/nexus/src/authz/policy_test/resources.rs
index 436a9b1a74f..56471d85ae5 100644
--- a/nexus/src/authz/policy_test/resources.rs
+++ b/nexus/src/authz/policy_test/resources.rs
@@ -183,10 +183,12 @@ async fn make_project(
 Uuid::new_v4(),
 LookupType::ByName(instance_name.clone()),
 );
+
+ let disk_name = format!("{}-disk1", project_name);
 builder.new_resource(authz::Disk::new(
 project.clone(),
 Uuid::new_v4(),
- LookupType::ByName(format!("{}-disk1", project_name)),
+ LookupType::ByName(disk_name.clone()),
 ));
 builder.new_resource(instance.clone());
 builder.new_resource(authz::NetworkInterface::new(
@@ -201,6 +203,12 @@ async fn make_project(
 Uuid::new_v4(),
 LookupType::ByName(format!("{}-subnet1", vpc1_name)),
 ));
+
+ builder.new_resource(authz::Snapshot::new(
+ project.clone(),
+ Uuid::new_v4(),
+ LookupType::ByName(format!("{}-snapshot1", disk_name)),
+ ));
 }
 
 /// Returns the set of authz classes exempted from the coverage test
diff --git a/nexus/tests/integration_tests/snapshots.rs b/nexus/tests/integration_tests/snapshots.rs
index 90b3763745b..aca31c9aa56 100644
--- a/nexus/tests/integration_tests/snapshots.rs
+++ b/nexus/tests/integration_tests/snapshots.rs
@@ -14,7 +14,6 @@ use nexus_test_utils::http_testing::RequestBuilder;
 use nexus_test_utils::resource_helpers::create_ip_pool;
 use nexus_test_utils::resource_helpers::create_organization;
 use nexus_test_utils::resource_helpers::create_project;
-use nexus_test_utils::resource_helpers::create_silo;
 use nexus_test_utils::resource_helpers::object_create;
 use nexus_test_utils::resource_helpers::DiskTest;
 use nexus_test_utils::ControlPlaneTestContext;
@@ -32,7 +31,6 @@ use omicron_nexus::db;
 use omicron_nexus::db::identity::Resource;
 use omicron_nexus::db::lookup::LookupPath;
 use omicron_nexus::external_api::params;
-use omicron_nexus::external_api::shared;
 use omicron_nexus::external_api::views;
 use uuid::Uuid;
 
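Review bot: In the second resources.rs hunk the new `authz::Snapshot::new(` is constructed with `project.clone()` as its parent, exactly like `authz::Disk::new(` above it, so the policy test exercises project-level role inheritance for snapshots only; the `{disk_name}-snapshot1` name suggests a disk relationship that nothing in the hunk expresses, and `disk_name` is otherwise only hoisted to build that string. A short comment above the call would stop a reader from looking for a disk parent, e.g. `// Snapshot is registered under the project (same parent as Disk); the disk name is reused only to make the expected authz-roles output readable.` As a point of style, placing this resource directly after the Disk it is named after, rather than after the VpcSubnet, would make the intent clearer. make_project starts before the first hunk, so I cannot see whether any other disk-derived resource already follows this pattern.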
@@ -385,18 +383,13 @@ async fn test_reject_creating_disk_from_snapshot(
 let nexus = &cptestctx.server.apictx.nexus;
 let datastore = nexus.datastore();
 
- const SILO_NAME: &str = "snapshot-silo";
- let silo =
- create_silo(&client, SILO_NAME, true, shared::UserProvisionType::Fixed)
- .await;
-
 let project_id = create_org_and_project(&client).await;
 
 let opctx =
 OpContext::for_tests(cptestctx.logctx.log.new(o!()), datastore.clone());
 
 let (authz_silo, ..) = LookupPath::new(&opctx, &datastore)
- .silo_id(silo.identity.id)
+ .silo_id(*db::fixed_data::silo::SILO_ID)
 .fetch()
 .await
 .unwrap();
@@ -546,18 +539,13 @@ async fn test_reject_creating_disk_from_illegal_snapshot(
 let nexus = &cptestctx.server.apictx.nexus;
 let datastore = nexus.datastore();
 
- const SILO_NAME: &str = "snapshot-silo";
- let silo =
- create_silo(&client, SILO_NAME, true, shared::UserProvisionType::Fixed)
- .await;
-
 let project_id = create_org_and_project(&client).await;
 
 let opctx =
 OpContext::for_tests(cptestctx.logctx.log.new(o!()), datastore.clone());
 
 let (authz_silo, ..) = LookupPath::new(&opctx, &datastore)
- .silo_id(silo.identity.id)
+ .silo_id(*db::fixed_data::silo::SILO_ID)
 .fetch()
 .await
 .unwrap();
@@ -649,11 +637,6 @@ async fn test_create_snapshot_record_idempotent(
 let nexus = &cptestctx.server.apictx.nexus;
 let datastore = nexus.datastore();
 
- const SILO_NAME: &str = "snapshot-silo";
- let silo =
- create_silo(&client, SILO_NAME, true, shared::UserProvisionType::Fixed)
- .await;
-
 let project_id = create_org_and_project(&client).await;
 
 let snapshot = db::model::Snapshot {
@@ -683,7 +666,7 @@ async fn test_create_snapshot_record_idempotent(
 OpContext::for_tests(cptestctx.logctx.log.new(o!()), datastore.clone());
 
 let (authz_silo, ..) = LookupPath::new(&opctx, &datastore)
- .silo_id(silo.identity.id)
+ .silo_id(*db::fixed_data::silo::SILO_ID)
 .fetch()
 .await
 .unwrap();
diff --git a/nexus/tests/output/authz-roles.out b/nexus/tests/output/authz-roles.out
index 7bb51d39afb..37f4d4ec262 100644
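Review bot: The replaced `.silo_id(*db::fixed_data::silo::SILO_ID)` line in test_reject_creating_disk_from_snapshot now fetches the fixed-data silo while the project still comes from `create_org_and_project(&client)`, which is defined outside these hunks; the fetched `authz_silo` is only the right one if that helper creates its organization in that same built-in silo, and nothing in the hunk records that coupling. Previously the test created its own silo and looked up that exact id, so the dependency was explicit in the code; a one-line comment above the `LookupPath::new(` call would restore it, e.g. `// create_org_and_project presumably creates the org in the built-in silo, so resolve that silo rather than creating a throwaway one.` The same applies to the identical replacements in the -546 and -683 hunks; writing the comment once per test function is enough. Each enclosing test function starts before its hunk, so I cannot see how `client` is authenticated.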
--- a/nexus/tests/output/authz-roles.out +++ b/nexus/tests/output/authz-roles.out @@ -253,6 +253,23 @@ resource: VpcSubnet "silo1-org1-proj1-vpc1-subnet1" silo1-org1-proj1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ unauthenticated ! ! ! ! ! ! ! ! +resource: Snapshot "silo1-org1-proj1-disk1-snapshot1" + + USER Q R LC RP M MP CC D + fleet-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-collaborator ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ + silo1-org1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-org1-collaborator ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-org1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ + silo1-org1-proj1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-org1-proj1-collaborator ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-org1-proj1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ + unauthenticated ! ! ! ! ! ! ! ! + resource: Project "silo1-org1-proj2" USER Q R LC RP M MP CC D @@ -355,6 +372,23 @@ resource: VpcSubnet "silo1-org1-proj2-vpc1-subnet1" silo1-org1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ unauthenticated ! ! ! ! ! ! ! ! +resource: Snapshot "silo1-org1-proj2-disk1-snapshot1" + + USER Q R LC RP M MP CC D + fleet-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-collaborator ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ + silo1-org1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-org1-collaborator ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-org1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ + silo1-org1-proj1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + unauthenticated ! ! ! ! ! ! ! ! + resource: Organization "silo1-org2" USER Q R LC RP M MP CC D 
@@ -474,6 +508,23 @@ resource: VpcSubnet "silo1-org2-proj1-vpc1-subnet1" silo1-org1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ unauthenticated ! ! ! ! ! ! ! ! +resource: Snapshot "silo1-org2-proj1-disk1-snapshot1" + + USER Q R LC RP M MP CC D + fleet-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-admin ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-collaborator ✘ ✔ ✔ ✔ ✔ ✔ ✔ ✔ + silo1-viewer ✘ ✔ ✔ ✔ ✘ ✘ ✘ ✘ + silo1-org1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + unauthenticated ! ! ! ! ! ! ! ! + resource: Silo "silo2" USER Q R LC RP M MP CC D @@ -627,6 +678,23 @@ resource: VpcSubnet "silo2-org1-proj1-vpc1-subnet1" silo1-org1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ unauthenticated ! ! ! ! ! ! ! ! +resource: Snapshot "silo2-org1-proj1-disk1-snapshot1" + + USER Q R LC RP M MP CC D + fleet-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + fleet-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-admin ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-collaborator ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + silo1-org1-proj1-viewer ✘ ✘ ✘ ✘ ✘ ✘ ✘ ✘ + unauthenticated ! ! ! ! ! ! ! ! + resource: Rack id "c037e882-8b6d-c8b5-bef4-97e848eb0a50" USER Q R LC RP M MP CC D