Use soft authorize for 'extended_snapshot_attributes' policy

Cinder use soft authorize to control whether display snapshot's additional attributes, this is broken during policy in code changes. Change-Id: I4b1b3432275defafcfc60465d3079bc9d70c4f56 Closes-Bug: #1756002
2018-03-16 09:41:15 +08:00 · 2018-03-16 09:41:15 +08:00 · d9c9f84717
parent 7a6b7ca5eb
commit d9c9f84717
2 changed files with 15 additions and 4 deletions
--- a/cinder/api/contrib/extended_snapshot_attributes.py
+++ b/cinder/api/contrib/extended_snapshot_attributes.py
@ -29,7 +29,7 @@ class ExtendedSnapshotAttributesController(wsgi.Controller):
    @wsgi.extends
    def show(self, req, resp_obj, id):
        context = req.environ['cinder.context']
-        if context.authorize(policy.EXTEND_ATTRIBUTE):
+        if context.authorize(policy.EXTEND_ATTRIBUTE, fatal=False):
            # Attach our slave template to the response object
            snapshot = resp_obj.obj['snapshot']
            self._extend_snapshot(req, snapshot)
@ -37,7 +37,7 @@ class ExtendedSnapshotAttributesController(wsgi.Controller):
    @wsgi.extends
    def detail(self, req, resp_obj):
        context = req.environ['cinder.context']
-        if context.authorize(policy.EXTEND_ATTRIBUTE):
+        if context.authorize(policy.EXTEND_ATTRIBUTE, fatal=False):
            # Attach our slave template to the response object
            for snapshot in list(resp_obj.obj['snapshots']):
                self._extend_snapshot(req, snapshot)
--- a/cinder/tests/unit/api/contrib/test_extended_snapshot_attributes.py
+++ b/cinder/tests/unit/api/contrib/test_extended_snapshot_attributes.py
@ -21,6 +21,7 @@ import webob

 from cinder import context
 from cinder.objects import fields
+from cinder.policies import snapshots as snap_policy
 from cinder import test
 from cinder.tests.unit.api import fakes
 from cinder.tests.unit import fake_constants as fake
@ -85,13 +86,15 @@ class ExtendedSnapshotAttributesTest(test.TestCase):
    @mock.patch('cinder.db.snapshot_metadata_get', return_value=dict())
    @mock.patch('cinder.objects.Volume.get_by_id')
    @mock.patch('cinder.objects.Snapshot.get_by_id')
-    def test_show(self, snapshot_get_by_id, volume_get_by_id,
+    @mock.patch('cinder.context.RequestContext.authorize')
+    def test_show(self, mock_authorize, snapshot_get_by_id, volume_get_by_id,
                  snapshot_metadata_get):
        ctx = context.RequestContext(fake.USER_ID, fake.PROJECT_ID,
                                     auth_token=True)
        snapshot = _get_default_snapshot_param()
        snapshot_obj = fake_snapshot.fake_snapshot_obj(ctx, **snapshot)
        fake_volume_obj = fake_volume.fake_volume_obj(ctx)
+        mock_authorize.return_value = True
        snapshot_get_by_id.return_value = snapshot_obj
        volume_get_by_id.return_value = fake_volume_obj

@ -102,13 +105,21 @@ class ExtendedSnapshotAttributesTest(test.TestCase):
        self.assertSnapshotAttributes(self._get_snapshot(res.body),
                                      project_id=fake.PROJECT_ID,
                                      progress='0%')
+        calls = [mock.call(snap_policy.GET_POLICY), mock.call(
+            snap_policy.EXTEND_ATTRIBUTE, fatal=False)]
+        mock_authorize.assert_has_calls(calls)

-    def test_detail(self):
+    @mock.patch('cinder.context.RequestContext.authorize')
+    def test_detail(self, mock_authorize):
        url = '/v2/%s/snapshots/detail' % fake.PROJECT_ID
        res = self._make_request(url)
+        mock_authorize.return_value = False

        self.assertEqual(http_client.OK, res.status_int)
        for snapshot in self._get_snapshots(res.body):
            self.assertSnapshotAttributes(snapshot,
                                          project_id=fake.PROJECT_ID,
                                          progress='0%')
+        calls = [mock.call(snap_policy.GET_ALL_POLICY), mock.call(
+            snap_policy.EXTEND_ATTRIBUTE, fatal=False)]
+        mock_authorize.assert_has_calls(calls)