policy check for pod

add policy check for pod Change-Id: I6f0526d0339f59f5842d4d66914e5f208f50f857 Partial-implements: blueprint policy-enforce
2015-07-13 16:37:57 +08:00 · 2015-07-13 16:37:57 +08:00 · 7566f1304e
commit 7566f1304e
parent aebafe3dfd
4 changed files with 66 additions and 2 deletions
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@ -23,5 +23,13 @@
    "node:detail": "rule:default",
    "node:get": "rule:default",
    "node:get_all": "rule:default",
-    "node:update": "rule:default"
+    "node:update": "rule:default",
+
+    "pod:create": "rule:default",
+    "pod:delete": "rule:default",
+    "pod:detail": "rule:default",
+    "pod:get": "rule:default",
+    "pod:get_all": "rule:default",
+    "pod:update": "rule:default"
+
 }
--- a/magnum/api/controllers/v1/pod.py
+++ b/magnum/api/controllers/v1/pod.py
@ -27,6 +27,7 @@ from magnum.api import expose
 from magnum.api import validation
 from magnum.common import exception
 from magnum.common import k8s_manifest
+from magnum.common import policy
 from magnum import objects


@ -195,6 +196,7 @@ class PodsController(rest.RestController):
                                                sort_key=sort_key,
                                                sort_dir=sort_dir)

+    @policy.enforce_wsgi("pod")
    @expose.expose(PodCollection, types.uuid,
                   types.uuid, int, wtypes.text, wtypes.text)
    def get_all(self, pod_uuid=None, marker=None, limit=None,
@ -209,6 +211,7 @@ class PodsController(rest.RestController):
        return self._get_pods_collection(marker, limit, sort_key,
                                         sort_dir)

+    @policy.enforce_wsgi("pod")
    @expose.expose(PodCollection, types.uuid,
                   types.uuid, int, wtypes.text, wtypes.text)
    def detail(self, pod_uuid=None, marker=None, limit=None,
@ -232,6 +235,7 @@ class PodsController(rest.RestController):
                                         sort_key, sort_dir, expand,
                                         resource_url)

+    @policy.enforce_wsgi("pod", "get")
    @expose.expose(Pod, types.uuid_or_name)
    def get_one(self, pod_ident):
        """Retrieve information about the given pod.
@ -242,6 +246,7 @@ class PodsController(rest.RestController):

        return Pod.convert_with_links(rpc_pod)

+    @policy.enforce_wsgi("pod", "create")
    @expose.expose(Pod, body=Pod, status_code=201)
    @validation.enforce_bay_types('kubernetes')
    def post(self, pod):
@ -261,6 +266,7 @@ class PodsController(rest.RestController):
        pecan.response.location = link.build_url('pods', new_pod.uuid)
        return Pod.convert_with_links(new_pod)

+    @policy.enforce_wsgi("pod", "update")
    @wsme.validate(types.uuid, [PodPatchType])
    @expose.expose(Pod, types.uuid_or_name, body=[PodPatchType])
    def patch(self, pod_ident, patch):
@ -300,6 +306,7 @@ class PodsController(rest.RestController):
            rpc_pod.save()
        return Pod.convert_with_links(rpc_pod)

+    @policy.enforce_wsgi("pod")
    @expose.expose(None, types.uuid_or_name, status_code=204)
    def delete(self, pod_ident):
        """Delete a pod.
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@ -39,7 +39,14 @@ policy_data = """
    "node:detail": "",
    "node:get": "",
    "node:get_all": "",
-    "node:update": ""
+    "node:update": "",
+
+    "pod:create": "",
+    "pod:delete": "",
+    "pod:detail": "",
+    "pod:get": "",
+    "pod:get_all": "",
+    "pod:update": ""
 }
 """

--- a/magnum/tests/unit/api/controllers/v1/test_pod.py
+++ b/magnum/tests/unit/api/controllers/v1/test_pod.py
@ -14,6 +14,7 @@ import datetime

 import mock
 from oslo_config import cfg
+from oslo_policy import policy
 from oslo_utils import timeutils
 from six.moves.urllib import parse as urlparse
 from wsme import types as wtypes
@ -512,3 +513,44 @@ class TestDelete(api_base.FunctionalTest):
        self.assertEqual(404, response.status_int)
        self.assertEqual('application/json', response.content_type)
        self.assertTrue(response.json['error_message'])
+
+
+class TestPodPolicyEnforcement(api_base.FunctionalTest):
+
+    def _common_policy_check(self, rule, func, *arg, **kwarg):
+        self.policy.set_rules({rule: 'project:non_fake'})
+        exc = self.assertRaises(policy.PolicyNotAuthorized,
+                                func, *arg, **kwarg)
+        self.assertTrue(exc.message.startswith(rule))
+        self.assertTrue(exc.message.endswith('disallowed by policy'))
+
+    def test_policy_disallow_get_all(self):
+        self._common_policy_check(
+            'pod:get_all', self.get_json, '/pods')
+
+    def test_policy_disallow_get_one(self):
+        self._common_policy_check(
+            'pod:get', self.get_json, '/pods/111-222-333')
+
+    def test_policy_disallow_update(self):
+        pod = obj_utils.create_test_pod(self.context,
+                                        desc='test pod',
+                                        uuid=utils.generate_uuid())
+
+        self._common_policy_check(
+            'pod:update', self.patch_json,
+            '/pods/%s' % pod.uuid,
+            [{'path': '/desc', 'value': 'new test pod', 'op': 'replace'}])
+
+    def test_policy_disallow_create(self):
+        pdict = apiutils.pod_post_data()
+        self._common_policy_check(
+            'pod:create', self.post_json, '/pods', pdict)
+
+    def test_policy_disallow_delete(self):
+        pod = obj_utils.create_test_pod(self.context,
+                                        name='test_pod',
+                                        uuid=utils.generate_uuid())
+        self._common_policy_check(
+            'pod:delete', self.delete,
+            '/pods/%s' % pod.uuid)