policy check for service
add policy check for service Partial-implements: blueprint policy-enforce Change-Id: If2913657511d8c9c1da6992c4b694922c1d71fa6
This commit is contained in:
parent
ffb2840892
commit
959f2330d7
@ -37,6 +37,12 @@
|
|||||||
"rc:detail": "rule:default",
|
"rc:detail": "rule:default",
|
||||||
"rc:get": "rule:default",
|
"rc:get": "rule:default",
|
||||||
"rc:get_all": "rule:default",
|
"rc:get_all": "rule:default",
|
||||||
"rc:update": "rule:default"
|
"rc:update": "rule:default",
|
||||||
|
|
||||||
|
"service:create": "rule:default",
|
||||||
|
"service:delete": "rule:default",
|
||||||
|
"service:detail": "rule:default",
|
||||||
|
"service:get": "rule:default",
|
||||||
|
"service:get_all": "rule:default",
|
||||||
|
"service:update": "rule:default"
|
||||||
}
|
}
|
||||||
|
@ -26,6 +26,7 @@ from magnum.api import expose
|
|||||||
from magnum.api import validation
|
from magnum.api import validation
|
||||||
from magnum.common import exception
|
from magnum.common import exception
|
||||||
from magnum.common import k8s_manifest
|
from magnum.common import k8s_manifest
|
||||||
|
from magnum.common import policy
|
||||||
from magnum import objects
|
from magnum import objects
|
||||||
|
|
||||||
|
|
||||||
@ -205,6 +206,7 @@ class ServicesController(rest.RestController):
|
|||||||
sort_key=sort_key,
|
sort_key=sort_key,
|
||||||
sort_dir=sort_dir)
|
sort_dir=sort_dir)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("service")
|
||||||
@expose.expose(ServiceCollection, types.uuid,
|
@expose.expose(ServiceCollection, types.uuid,
|
||||||
types.uuid, int, wtypes.text, wtypes.text)
|
types.uuid, int, wtypes.text, wtypes.text)
|
||||||
def get_all(self, service_uuid=None, marker=None, limit=None,
|
def get_all(self, service_uuid=None, marker=None, limit=None,
|
||||||
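Review bot: The new decorator on get_all omits the action argument, as do the ones on detail (next hunk) and delete (the `@ -314,6 +320,7` hunk), while get_one, post and patch spell theirs out, so the rule these three enforce is only visible to a reader who knows how `enforce_wsgi` derives it — presumably from the method name, yielding `service:get_all`, `service:detail` and `service:delete`, which is what the policy.json hunk and the new tests expect. Passing the action explicitly, `@policy.enforce_wsgi("service", "get_all")`, keeps the controller-method-to-rule mapping greppable against policy.json and prevents a later method rename from silently changing which rule is checked. The bodies of these methods continue outside the hunks.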
@ -219,6 +221,7 @@ class ServicesController(rest.RestController):
|
|||||||
return self._get_services_collection(marker, limit, sort_key,
|
return self._get_services_collection(marker, limit, sort_key,
|
||||||
sort_dir)
|
sort_dir)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("service")
|
||||||
@expose.expose(ServiceCollection, types.uuid,
|
@expose.expose(ServiceCollection, types.uuid,
|
||||||
types.uuid, int, wtypes.text, wtypes.text)
|
types.uuid, int, wtypes.text, wtypes.text)
|
||||||
def detail(self, service_uuid=None, marker=None, limit=None,
|
def detail(self, service_uuid=None, marker=None, limit=None,
|
||||||
@ -243,6 +246,7 @@ class ServicesController(rest.RestController):
|
|||||||
sort_key, sort_dir, expand,
|
sort_key, sort_dir, expand,
|
||||||
resource_url)
|
resource_url)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("service", "get")
|
||||||
@expose.expose(Service, types.uuid_or_name)
|
@expose.expose(Service, types.uuid_or_name)
|
||||||
def get_one(self, service_ident):
|
def get_one(self, service_ident):
|
||||||
"""Retrieve information about the given service.
|
"""Retrieve information about the given service.
|
||||||
@ -253,6 +257,7 @@ class ServicesController(rest.RestController):
|
|||||||
|
|
||||||
return Service.convert_with_links(rpc_service)
|
return Service.convert_with_links(rpc_service)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("service", "create")
|
||||||
@expose.expose(Service, body=Service, status_code=201)
|
@expose.expose(Service, body=Service, status_code=201)
|
||||||
@validation.enforce_bay_types('kubernetes')
|
@validation.enforce_bay_types('kubernetes')
|
||||||
def post(self, service):
|
def post(self, service):
|
||||||
@ -275,6 +280,7 @@ class ServicesController(rest.RestController):
|
|||||||
pecan.response.location = link.build_url('services', new_service.uuid)
|
pecan.response.location = link.build_url('services', new_service.uuid)
|
||||||
return Service.convert_with_links(new_service)
|
return Service.convert_with_links(new_service)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("service", "update")
|
||||||
@wsme.validate(types.uuid, [ServicePatchType])
|
@wsme.validate(types.uuid, [ServicePatchType])
|
||||||
@expose.expose(Service, types.uuid_or_name, body=[ServicePatchType])
|
@expose.expose(Service, types.uuid_or_name, body=[ServicePatchType])
|
||||||
def patch(self, service_ident, patch):
|
def patch(self, service_ident, patch):
|
||||||
@ -314,6 +320,7 @@ class ServicesController(rest.RestController):
|
|||||||
rpc_service.save()
|
rpc_service.save()
|
||||||
return Service.convert_with_links(rpc_service)
|
return Service.convert_with_links(rpc_service)
|
||||||
|
|
||||||
|
@policy.enforce_wsgi("service")
|
||||||
@expose.expose(None, types.uuid_or_name, status_code=204)
|
@expose.expose(None, types.uuid_or_name, status_code=204)
|
||||||
def delete(self, service_ident):
|
def delete(self, service_ident):
|
||||||
"""Delete a service.
|
"""Delete a service.
|
||||||
|
@ -53,7 +53,14 @@ policy_data = """
|
|||||||
"rc:detail": "",
|
"rc:detail": "",
|
||||||
"rc:get": "",
|
"rc:get": "",
|
||||||
"rc:get_all": "",
|
"rc:get_all": "",
|
||||||
"rc:update": ""
|
"rc:update": "",
|
||||||
|
|
||||||
|
"service:create": "",
|
||||||
|
"service:delete": "",
|
||||||
|
"service:detail": "",
|
||||||
|
"service:get": "",
|
||||||
|
"service:get_all": "",
|
||||||
|
"service:update": ""
|
||||||
}
|
}
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@ -14,6 +14,7 @@ import datetime
|
|||||||
|
|
||||||
import mock
|
import mock
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
|
from oslo_policy import policy
|
||||||
from oslo_utils import timeutils
|
from oslo_utils import timeutils
|
||||||
from six.moves.urllib import parse as urlparse
|
from six.moves.urllib import parse as urlparse
|
||||||
from wsme import types as wtypes
|
from wsme import types as wtypes
|
||||||
@ -448,3 +449,50 @@ class TestDelete(api_base.FunctionalTest):
|
|||||||
self.assertEqual(409, response.status_int)
|
self.assertEqual(409, response.status_int)
|
||||||
self.assertEqual('application/json', response.content_type)
|
self.assertEqual('application/json', response.content_type)
|
||||||
self.assertTrue(response.json['error_message'])
|
self.assertTrue(response.json['error_message'])
|
||||||
|
|
||||||
|
|
||||||
|
class TestServiceEnforcement(api_base.FunctionalTest):
|
||||||
|
|
||||||
|
def _common_policy_check(self, rule, func, *arg, **kwarg):
|
||||||
|
self.policy.set_rules({rule: 'project:non_fake'})
|
||||||
|
exc = self.assertRaises(policy.PolicyNotAuthorized,
|
||||||
|
func, *arg, **kwarg)
|
||||||
|
self.assertTrue(exc.message.startswith(rule))
|
||||||
|
self.assertTrue(exc.message.endswith('disallowed by policy'))
|
||||||
|
|
||||||
|
def test_policy_disallow_get_all(self):
|
||||||
|
self._common_policy_check(
|
||||||
|
'service:get_all', self.get_json, '/services')
|
||||||
|
|
||||||
|
def test_policy_disallow_get_one(self):
|
||||||
|
self._common_policy_check(
|
||||||
|
'service:get', self.get_json, '/services/111-222-333')
|
||||||
|
|
||||||
|
def test_policy_disallow_detail(self):
|
||||||
|
self._common_policy_check(
|
||||||
|
'service:detail', self.get_json, '/services/111-222-333/detail')
|
||||||
|
|
||||||
|
def test_policy_disallow_update(self):
|
||||||
|
service = obj_utils.create_test_service(self.context,
|
||||||
|
desc='test service',
|
||||||
|
uuid=utils.generate_uuid())
|
||||||
|
|
||||||
|
self._common_policy_check(
|
||||||
|
'service:update', self.patch_json,
|
||||||
|
'/services/%s' % service.uuid,
|
||||||
|
[{'path': '/bay_uuid',
|
||||||
|
'value': utils.generate_uuid(),
|
||||||
|
'op': 'replace'}])
|
||||||
|
|
||||||
|
def test_policy_disallow_create(self):
|
||||||
|
pdict = apiutils.service_post_data()
|
||||||
|
self._common_policy_check(
|
||||||
|
'service:create', self.post_json, '/services', pdict)
|
||||||
|
|
||||||
|
def test_policy_disallow_delete(self):
|
||||||
|
service = obj_utils.create_test_service(self.context,
|
||||||
|
desc='test_service',
|
||||||
|
uuid=utils.generate_uuid())
|
||||||
|
self._common_policy_check(
|
||||||
|
'service:delete', self.delete,
|
||||||
|
'/services/%s' % service.uuid)
|
||||||
|
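Review bot: `exc.message` in `_common_policy_check` is a Python 2-only attribute; under Python 3 the two assertions fail with AttributeError instead of checking the policy message, so the enforcement tests would not actually verify the rule name. Use the exception's string form: `msg = str(exc)`, `self.assertTrue(msg.startswith(rule))`, `self.assertTrue(msg.endswith('disallowed by policy'))`. `six.text_type(exc)` is an equivalent choice if the suite must keep running on both interpreters, since six is already a dependency of this file.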