Add policy check for type show and type list

We don't have any policy check for type show and type list APIs. This patch adds them in code while set default rule to empty. Change-Id: Id2d72f1c6f24292ba354a53d2519faa348f3bb0f Closes-Bug: #1777748
2018-06-20 10:58:03 +08:00 · 2018-06-20 10:58:03 +08:00 · 44b4e5462a
commit 44b4e5462a
parent b229a9aded
4 changed files with 41 additions and 4 deletions
--- a/cinder/api/v2/types.py
+++ b/cinder/api/v2/types.py
@ -27,6 +27,7 @@ from cinder.api.openstack import wsgi
 from cinder.api.v2.views import types as views_types
 from cinder import exception
 from cinder.i18n import _
+from cinder.policies import volume_type as type_policy
 from cinder import utils
 from cinder.volume import volume_types

@ -40,7 +41,10 @@ class VolumeTypesController(wsgi.Controller):

    def index(self, req):
        """Returns the list of volume types."""
+        context = req.environ['cinder.context']
+        context.authorize(type_policy.GET_ALL_POLICY)
        limited_types = self._get_volume_types(req)
+
        req.cache_resource(limited_types, name='types')
        return self._view_builder.index(req, limited_types)

@ -59,7 +63,7 @@ class VolumeTypesController(wsgi.Controller):
            # Not found  exception will be handled at wsgi level
            vol_type = volume_types.get_volume_type(context, id)
            req.cache_resource(vol_type, name='types')
-
+        context.authorize(type_policy.GET_POLICY, target_obj=vol_type)
        return self._view_builder.show(req, vol_type)

    def _parse_is_public(self, is_public):
--- a/cinder/policies/volume_type.py
+++ b/cinder/policies/volume_type.py
@ -22,6 +22,8 @@ MANAGE_POLICY = "volume_extension:types_manage"
 ENCRYPTION_POLICY = "volume_extension:volume_type_encryption"
 QOS_POLICY = "volume_extension:access_types_qos_specs_id"
 EXTRA_SPEC_POLICY = "volume_extension:access_types_extra_specs"
+GET_POLICY = "volume_extension:type_get"
+GET_ALL_POLICY = "volume_extension:type_get_all"

 volume_type_policies = [
    policy.DocumentedRuleDefault(
@ -42,6 +44,26 @@ volume_type_policies = [
                'path': '/types'
            }
        ]),
+    policy.DocumentedRuleDefault(
+        name=GET_POLICY,
+        check_str="",
+        description="Get one specific volume type.",
+        operations=[
+            {
+                'method': 'GET',
+                'path': '/types/{type_id}'
+            }
+        ]),
+    policy.DocumentedRuleDefault(
+        name=GET_ALL_POLICY,
+        check_str="",
+        description="List volume types.",
+        operations=[
+            {
+                'method': 'GET',
+                'path': '/types/'
+            }
+        ]),
    policy.DocumentedRuleDefault(
        name=ENCRYPTION_POLICY,
        check_str=base.RULE_ADMIN_API,
--- a/cinder/tests/unit/api/v2/test_types.py
+++ b/cinder/tests/unit/api/v2/test_types.py
@ -24,6 +24,7 @@ from cinder.api.v2 import types
 from cinder.api.v2.views import types as views_types
 from cinder import context
 from cinder import exception
+from cinder.policies import volume_type as type_policy
 from cinder import test
 from cinder.tests.unit.api import fakes
 from cinder.tests.unit import fake_constants as fake
@ -91,6 +92,8 @@ class VolumeTypesApiTest(test.TestCase):
        self.ctxt = context.RequestContext(user_id=fake.USER_ID,
                                           project_id=fake.PROJECT_ID,
                                           is_admin=True)
+        self.mock_authorize = self.patch(
+            'cinder.context.RequestContext.authorize')
        self.type_id1 = self._create_volume_type('volume_type1',
                                                 {'key1': 'value1'})
        self.type_id2 = self._create_volume_type('volume_type2',
@ -114,6 +117,7 @@ class VolumeTypesApiTest(test.TestCase):
        self.assertEqual(set(expected_names), set(actual_names))
        for entry in res_dict['volume_types']:
            self.assertEqual('value1', entry['extra_specs']['key1'])
+        self.mock_authorize.assert_any_call(type_policy.GET_ALL_POLICY)

    def test_volume_types_index_no_data(self):
        self.mock_object(volume_types, 'get_all_types',
@ -242,6 +246,8 @@ class VolumeTypesApiTest(test.TestCase):
        self.assertEqual(type_id, res_dict['volume_type']['id'])
        type_name = 'vol_type_' + type_id
        self.assertEqual(type_name, res_dict['volume_type']['name'])
+        self.mock_authorize.assert_any_call(
+            type_policy.GET_POLICY, target_obj=mock.ANY)

    def test_volume_types_show_not_found(self):
        self.mock_object(volume_types, 'get_volume_type',
@ -275,7 +281,7 @@ class VolumeTypesApiTest(test.TestCase):

    def test_view_builder_show(self):
        view_builder = views_types.ViewBuilder()
-
+        self.mock_authorize.return_value = False
        now = timeutils.utcnow().isoformat()
        raw_volume_type = dict(
            name='new_type',
@ -304,7 +310,7 @@ class VolumeTypesApiTest(test.TestCase):

    def test_view_builder_show_admin(self):
        view_builder = views_types.ViewBuilder()
-
+        self.mock_authorize.return_value = True
        now = timeutils.utcnow().isoformat()
        raw_volume_type = dict(
            name='new_type',
@ -458,7 +464,7 @@ class VolumeTypesApiTest(test.TestCase):

    def test_view_builder_list(self):
        view_builder = views_types.ViewBuilder()
-
+        self.mock_authorize.return_value = False
        now = timeutils.utcnow().isoformat()
        raw_volume_types = []
        for i in range(0, 10):
--- a/releasenotes/notes/policy-for-type-list-and-show-apis-rt56uy78crt5e378.yaml
+++ b/releasenotes/notes/policy-for-type-list-and-show-apis-rt56uy78crt5e378.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - Two new policies "volume_extension:type_get" and
+    "volume_extension:type_get_all" have been added to
+    control type show and type list APIs.