From a9009f4eb1696b856f9214b8e5a361cdf0b9c212 Mon Sep 17 00:00:00 2001
From: Dan Smith
Date: Wed, 18 Aug 2021 10:02:25 -0700
Subject: [PATCH] Refactor gateway auth layer for image factory
Change-Id: Ibe33dff25782a48b90bccb3f99472fcec0f2f5c2
Partially-Implements: blueprint policy-refactor
---
 glance/gateway.py | 34 +++++++++++++++----------------
 glance/tests/unit/test_gateway.py | 24 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/glance/gateway.py b/glance/gateway.py
index 34fa7e2c0b..30fd781d6a 100644
--- a/glance/gateway.py
+++ b/glance/gateway.py
@@ -36,26 +36,24 @@ class Gateway(object):
 self.notifier = notifier or glance.notifier.Notifier()
 self.policy = policy_enforcer or policy.Enforcer()
- def get_image_factory(self, context):
- image_factory = glance.domain.ImageFactory()
- store_image_factory = glance.location.ImageFactoryProxy(
- image_factory, context, self.store_api, self.store_utils)
- quota_image_factory = glance.quota.ImageFactoryProxy(
- store_image_factory, context, self.db_api, self.store_utils)
- policy_image_factory = policy.ImageFactoryProxy(
- quota_image_factory, context, self.policy)
- notifier_image_factory = glance.notifier.ImageFactoryProxy(
- policy_image_factory, context, self.notifier)
+ def get_image_factory(self, context, authorization_layer=True):
+ factory = glance.domain.ImageFactory()
+ factory = glance.location.ImageFactoryProxy(
+ factory, context, self.store_api, self.store_utils)
+ factory = glance.quota.ImageFactoryProxy(
+ factory, context, self.db_api, self.store_utils)
+ if authorization_layer:
+ factory = policy.ImageFactoryProxy(factory, context, self.policy)
+ factory = glance.notifier.ImageFactoryProxy(
+ factory, context, self.notifier)
 if property_utils.is_property_protection_enabled():
 property_rules = property_utils.PropertyRules(self.policy)
- pif = property_protections.ProtectedImageFactoryProxy(
- notifier_image_factory, context, property_rules)
- authorized_image_factory = authorization.ImageFactoryProxy(
- pif, context)
- else:
- authorized_image_factory = authorization.ImageFactoryProxy(
- notifier_image_factory, context)
- return authorized_image_factory
+ factory = property_protections.ProtectedImageFactoryProxy(
+ factory, context, property_rules)
+ if authorization_layer:
+ factory = authorization.ImageFactoryProxy(
+ factory, context)
+ return factory
 def get_image_member_factory(self, context, authorization_layer=True):
 factory = glance.domain.ImageMemberFactory()
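Review bot: `get_image_factory` gains an `authorization_layer` switch but no docstring, and passing `False` removes two separate checks from the stack, `policy.ImageFactoryProxy` and `authorization.ImageFactoryProxy`, while the property-protection proxy is still applied. A caller that opts out is therefore responsible for enforcing policy itself before it uses the returned factory, and that contract should be written where the flag is defined. I would add a docstring such as `"""Build the image factory stack; with authorization_layer=False the policy and authorization proxies are omitted and the caller must enforce policy itself."""`. Whether every caller that passes `False` does so cannot be seen from this hunk, which is one more reason to state it here.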
diff --git a/glance/tests/unit/test_gateway.py b/glance/tests/unit/test_gateway.py
index bbc70a5df5..0810602403 100644
--- a/glance/tests/unit/test_gateway.py
+++ b/glance/tests/unit/test_gateway.py
@@ -94,6 +94,30 @@ class TestGateway(test_utils.BaseTestCase):
 self.assertIsInstance(repo, property_protections.ProtectedImageRepoProxy)
+ def test_get_image_factory(self):
+ factory = self.gateway.get_image_factory(self.context)
+ self.assertIsInstance(factory, authorization.ImageFactoryProxy)
+
+ def test_get_image_factory_without_auth(self):
+ factory = self.gateway.get_image_factory(self.context,
+ authorization_layer=False)
+ self.assertIsInstance(factory, notifier.ImageFactoryProxy)
+
+ @mock.patch('glance.common.property_utils.PropertyRules._load_rules')
+ def test_get_image_factory_without_auth_with_pp(self, mock_load):
+ self.config(property_protection_file='foo')
+ factory = self.gateway.get_image_factory(self.context,
+ authorization_layer=False)
+ self.assertIsInstance(factory,
+ property_protections.ProtectedImageFactoryProxy)
+
+ @mock.patch('glance.api.policy.ImageFactoryProxy')
+ def test_get_image_factory_policy_layer(self, mock_pif):
+ self.gateway.get_image_factory(self.context, authorization_layer=False)
+ mock_pif.assert_not_called()
+ self.gateway.get_image_factory(self.context)
+ self.assertTrue(mock_pif.called)
+
 def test_get_repo_member_property(self):
 """Test that the image.member property is propagated all the way from the DB to the top of the gateway repo stack.
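Review bot: None of the added tests covers the default call with property protections enabled, which is the path where `authorization.ImageFactoryProxy` must still end up on top of `ProtectedImageFactoryProxy` after the refactor; `test_get_image_factory_without_auth_with_pp` checks only the opt-out case. A companion test that sets `property_protection_file` and asserts `self.assertIsInstance(factory, authorization.ImageFactoryProxy)` with the default argument would pin that ordering, unless it is already covered outside this hunk. In `test_get_image_factory_policy_layer`, `self.assertTrue(mock_pif.called)` could become `mock_pif.assert_called_once()` so that an accidental double wrap also fails the test.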