Require authz for service CRUD (bug 1006822)

Change-Id: Ia90f0aa2b856b9a9874d4865fb92ee913e8125c5
2012-06-03 11:00:54 -05:00 · 2012-06-03 11:00:54 -05:00 · 1d146f5c32
parent 4bfa203ac4
commit 1d146f5c32
2 changed files with 40 additions and 0 deletions
--- a/keystone/catalog/core.py
+++ b/keystone/catalog/core.py
@ -116,29 +116,36 @@ class Driver(object):
 class ServiceController(wsgi.Application):
    def __init__(self):
        self.catalog_api = Manager()
+        self.identity_api = identity.Manager()
+        self.policy_api = policy.Manager()
+        self.token_api = token.Manager()
        super(ServiceController, self).__init__()

    # CRUD extensions
    # NOTE(termie): this OS-KSADM stuff is not very consistent
    def get_services(self, context):
+        self.assert_admin(context)
        service_list = self.catalog_api.list_services(context)
        service_refs = [self.catalog_api.get_service(context, x)
                        for x in service_list]
        return {'OS-KSADM:services': service_refs}

    def get_service(self, context, service_id):
+        self.assert_admin(context)
        service_ref = self.catalog_api.get_service(context, service_id)
        if not service_ref:
            raise exception.ServiceNotFound(service_id=service_id)
        return {'OS-KSADM:service': service_ref}

    def delete_service(self, context, service_id):
+        self.assert_admin(context)
        service_ref = self.catalog_api.get_service(context, service_id)
        if not service_ref:
            raise exception.ServiceNotFound(service_id=service_id)
        self.catalog_api.delete_service(context, service_id)

    def create_service(self, context, OS_KSADM_service):
+        self.assert_admin(context)
        service_id = uuid.uuid4().hex
        service_ref = OS_KSADM_service.copy()
        service_ref['id'] = service_id
--- a/tests/test_content_types.py
+++ b/tests/test_content_types.py
@ -16,6 +16,7 @@

 import httplib
 import json
+import uuid

 from lxml import etree
 import nose.exc
@ -554,6 +555,38 @@ class JsonTestCase(RestfulTestCase, CoreApiTests):
    def assertValidVersionResponse(self, r):
        self.assertValidVersion(r.body.get('version'))

+    def test_service_crud_requires_auth(self):
+        """Service CRUD should 401 without an X-Auth-Token (bug 1006822)."""
+        # values here don't matter because we should 401 before they're checked
+        service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex
+        service_body = {
+                'OS-KSADM:service': {
+                    'name': uuid.uuid4().hex,
+                    'type': uuid.uuid4().hex,
+                    },
+                }
+
+        r = self.admin_request(method='GET',
+                               path='/v2.0/OS-KSADM/services',
+                               expected_status=401)
+        self.assertValidErrorResponse(r)
+
+        r = self.admin_request(method='POST',
+                               path='/v2.0/OS-KSADM/services',
+                               body=service_body,
+                               expected_status=401)
+        self.assertValidErrorResponse(r)
+
+        r = self.admin_request(method='GET',
+                               path=service_path,
+                               expected_status=401)
+        self.assertValidErrorResponse(r)
+
+        r = self.admin_request(method='DELETE',
+                               path=service_path,
+                               expected_status=401)
+        self.assertValidErrorResponse(r)
+

 class XmlTestCase(RestfulTestCase, CoreApiTests):
    xmlns = 'http://docs.openstack.org/identity/api/v2.0'