From 7566f1304e69bba9678f26e54e4ea4c55f78048d Mon Sep 17 00:00:00 2001
From: leizhang
Date: Mon, 13 Jul 2015 16:37:57 +0800
Subject: [PATCH] policy check for pod

add policy check for pod

Change-Id: I6f0526d0339f59f5842d4d66914e5f208f50f857
Partial-implements: blueprint policy-enforce
---
 etc/magnum/policy.json | 10 ++++-
 magnum/api/controllers/v1/pod.py | 7 ++++
 magnum/tests/fake_policy.py | 9 +++-
 .../tests/unit/api/controllers/v1/test_pod.py | 42 +++++++++++++++++++
 4 files changed, 66 insertions(+), 2 deletions(-)

diff --git a/etc/magnum/policy.json b/etc/magnum/policy.json
index 3e547a4963..23a920e3f4 100644
--- a/etc/magnum/policy.json
+++ b/etc/magnum/policy.json
@@ -23,5 +23,13 @@
 "node:detail": "rule:default",
 "node:get": "rule:default",
 "node:get_all": "rule:default",
- "node:update": "rule:default"
+ "node:update": "rule:default",
+
+ "pod:create": "rule:default",
+ "pod:delete": "rule:default",
+ "pod:detail": "rule:default",
+ "pod:get": "rule:default",
+ "pod:get_all": "rule:default",
+ "pod:update": "rule:default"
+
 }
diff --git a/magnum/api/controllers/v1/pod.py b/magnum/api/controllers/v1/pod.py
index f7e843a068..1d37e853b8 100644
--- a/magnum/api/controllers/v1/pod.py
+++ b/magnum/api/controllers/v1/pod.py
@@ -27,6 +27,7 @@ from magnum.api import expose
 from magnum.api import validation
 from magnum.common import exception
 from magnum.common import k8s_manifest
+from magnum.common import policy
 from magnum import objects
 
 
@@ -195,6 +196,7 @@ class PodsController(rest.RestController):
 sort_key=sort_key,
 sort_dir=sort_dir)
 
+ @policy.enforce_wsgi("pod")
 @expose.expose(PodCollection, types.uuid, types.uuid, int, wtypes.text,
 wtypes.text)
 def get_all(self, pod_uuid=None, marker=None, limit=None,
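Review bot: Every new `pod:*` entry is mapped to `rule:default`, so what a caller may do with pods is decided entirely by the `default` rule, which is defined outside this hunk; worth confirming that rule is the intended scope for pod reads as well as writes, since `pod:get_all` and `pod:detail` are now gated by the same rule as `pod:create` and `pod:delete`. The hunk also adds an empty `+` line between `"pod:update"` and the closing brace; it is valid JSON but inconsistent with the rest of the file, so that line should be dropped. Note that the fixture version of this change in `magnum/tests/fake_policy.py` sets all pod rules to `""`, so the functional tests never exercise the `rule:default` mapping added here; the two files should be kept in lockstep when rules are tightened later.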
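Review bot: `policy.enforce_wsgi` is called with an explicit action for `get_one`, `post` and `patch` but without one for `get_all`, `detail` and `delete` (the detail and delete hunks are later in this patch); the rule name enforced by the one-argument form is not visible here and appears to be derived from the method name, which is presumably why `get_one` needs the explicit `"get"`. Passing the action everywhere, e.g. `@policy.enforce_wsgi("pod", "get_all")`, makes the enforced rule readable at the call site and matches the keys added to policy.json one for one. The decorator is placed outermost, above `@expose.expose`, so it must preserve the attributes pecan uses for routing; the new functional tests reaching the handlers suggest it does, but that is inferred from the test hunk rather than visible here. `get_all`'s signature continues past the end of the hunk.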
@@ -209,6 +211,7 @@ class PodsController(rest.RestController):
 return self._get_pods_collection(marker, limit, sort_key,
 sort_dir)
 
+ @policy.enforce_wsgi("pod")
 @expose.expose(PodCollection, types.uuid, types.uuid, int, wtypes.text,
 wtypes.text)
 def detail(self, pod_uuid=None, marker=None, limit=None,
@@ -232,6 +235,7 @@ class PodsController(rest.RestController):
 sort_key, sort_dir, expand,
 resource_url)
 
+ @policy.enforce_wsgi("pod", "get")
 @expose.expose(Pod, types.uuid_or_name)
 def get_one(self, pod_ident):
 """Retrieve information about the given pod.
@@ -242,6 +246,7 @@ class PodsController(rest.RestController):
 
 return Pod.convert_with_links(rpc_pod)
 
+ @policy.enforce_wsgi("pod", "create")
 @expose.expose(Pod, body=Pod, status_code=201)
 @validation.enforce_bay_types('kubernetes')
 def post(self, pod):
@@ -261,6 +266,7 @@ class PodsController(rest.RestController):
 pecan.response.location = link.build_url('pods', new_pod.uuid)
 return Pod.convert_with_links(new_pod)
 
+ @policy.enforce_wsgi("pod", "update")
 @wsme.validate(types.uuid, [PodPatchType])
 @expose.expose(Pod, types.uuid_or_name, body=[PodPatchType])
 def patch(self, pod_ident, patch):
@@ -300,6 +306,7 @@ class PodsController(rest.RestController):
 rpc_pod.save()
 return Pod.convert_with_links(rpc_pod)
 
+ @policy.enforce_wsgi("pod")
 @expose.expose(None, types.uuid_or_name, status_code=204)
 def delete(self, pod_ident):
 """Delete a pod.
diff --git a/magnum/tests/fake_policy.py b/magnum/tests/fake_policy.py
index 6cfbdae73c..3ea3106f7b 100644
--- a/magnum/tests/fake_policy.py
+++ b/magnum/tests/fake_policy.py
@@ -39,7 +39,14 @@ policy_data = """
 "node:detail": "",
 "node:get": "",
 "node:get_all": "",
- "node:update": ""
+ "node:update": "",
+
+ "pod:create": "",
+ "pod:delete": "",
+ "pod:detail": "",
+ "pod:get": "",
+ "pod:get_all": "",
+ "pod:update": ""
 }
 """
 
diff --git a/magnum/tests/unit/api/controllers/v1/test_pod.py b/magnum/tests/unit/api/controllers/v1/test_pod.py
index 2fcd97ab8b..2e65f385c6 100644
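Review bot: The `"pod:get"` check on `get_one` runs before `pod_ident` is resolved, so whatever target `enforce_wsgi` hands to the policy engine presumably cannot be the pod itself; if the `default` rule that policy.json maps `pod:get` to is owner- or project-scoped, that per-object scoping is not established by this decorator. Worth confirming that the lookup in the handler body (outside this hunk) is scoped by the request context, or recording the division of responsibility on the decorator line, e.g. `# policy gates the action class only; per-pod ownership relies on the context-scoped lookup below`. The same consideration applies to the `patch` and `delete` hunks, which also accept `types.uuid_or_name` and are authorized before the pod is loaded.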
--- a/magnum/tests/unit/api/controllers/v1/test_pod.py
+++ b/magnum/tests/unit/api/controllers/v1/test_pod.py
@@ -14,6 +14,7 @@ import datetime
 
 import mock
 from oslo_config import cfg
+from oslo_policy import policy
 from oslo_utils import timeutils
 from six.moves.urllib import parse as urlparse
 from wsme import types as wtypes
@@ -512,3 +513,44 @@ class TestDelete(api_base.FunctionalTest):
 self.assertEqual(404, response.status_int)
 self.assertEqual('application/json', response.content_type)
 self.assertTrue(response.json['error_message'])
+
+
+class TestPodPolicyEnforcement(api_base.FunctionalTest):
+
+ def _common_policy_check(self, rule, func, *arg, **kwarg):
+ self.policy.set_rules({rule: 'project:non_fake'})
+ exc = self.assertRaises(policy.PolicyNotAuthorized,
+ func, *arg, **kwarg)
+ self.assertTrue(exc.message.startswith(rule))
+ self.assertTrue(exc.message.endswith('disallowed by policy'))
+
+ def test_policy_disallow_get_all(self):
+ self._common_policy_check(
+ 'pod:get_all', self.get_json, '/pods')
+
+ def test_policy_disallow_get_one(self):
+ self._common_policy_check(
+ 'pod:get', self.get_json, '/pods/111-222-333')
+
+ def test_policy_disallow_update(self):
+ pod = obj_utils.create_test_pod(self.context,
+ desc='test pod',
+ uuid=utils.generate_uuid())
+
+ self._common_policy_check(
+ 'pod:update', self.patch_json,
+ '/pods/%s' % pod.uuid,
+ [{'path': '/desc', 'value': 'new test pod', 'op': 'replace'}])
+
+ def test_policy_disallow_create(self):
+ pdict = apiutils.pod_post_data()
+ self._common_policy_check(
+ 'pod:create', self.post_json, '/pods', pdict)
+
+ def test_policy_disallow_delete(self):
+ pod = obj_utils.create_test_pod(self.context,
+ name='test_pod',
+ uuid=utils.generate_uuid())
+ self._common_policy_check(
+ 'pod:delete', self.delete,
+ '/pods/%s' % pod.uuid)
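Review bot: `_common_policy_check` reads `exc.message`, which relies on the Python 2-only `BaseException.message` attribute and raises `AttributeError` under Python 3; use the exception's string form instead, `msg = str(exc)`, then `self.assertTrue(msg.startswith(rule))` and `self.assertTrue(msg.endswith('disallowed by policy'))`. The class also has no negative test for `pod:detail`, although pod.py now gates `detail` and both policy files define the rule, so a `test_policy_disallow_detail` calling `self._common_policy_check('pod:detail', self.get_json, '/pods/detail')` (assuming `detail` is routed at that path, as the other collection tests suggest) would close the gap. All five tests assert only the deny path; a positive case under the fixture rules would catch a decorator that blocks everyone, which these tests cannot distinguish from correct enforcement.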