Add policy check for consoles

There is no policy check consoles v3(v2.1) API. This patch adds policy check for each operations. Partially implements blueprint v3-api-policy Change-Id: Ia0aa260ac31eb359275273fdcdfbfde3cfc47d87
2014-12-02 03:04:11 +08:00 · 2014-12-02 03:04:11 +08:00 · 005bd4c658
commit 005bd4c658
parent 37a6c601f3
4 changed files with 59 additions and 0 deletions
--- a/etc/nova/policy.d/00-os-compute-api.json
+++ b/etc/nova/policy.d/00-os-compute-api.json
@ -38,6 +38,10 @@
    "os_compute_api:os-cloudpipe": "rule:admin_api",
    "os_compute_api:os-cloudpipe:discoverable": "",
    "os_compute_api:os-consoles:discoverable": "",
+    "os_compute_api:os-consoles:create": "",
+    "os_compute_api:os-consoles:delete": "",
+    "os_compute_api:os-consoles:index": "",
+    "os_compute_api:os-consoles:show": "",
    "os_compute_api:os-console-output:discoverable": "",
    "os_compute_api:os-console-output": "",
    "os_compute_api:os-remote-consoles": "",
--- a/nova/api/openstack/compute/plugins/v3/consoles.py
+++ b/nova/api/openstack/compute/plugins/v3/consoles.py
@ -22,6 +22,7 @@ from nova import exception


 ALIAS = 'os-consoles'
+authorize = extensions.os_compute_authorizer(ALIAS)


 def _translate_keys(cons):
@ -53,6 +54,9 @@ class ConsolesController(wsgi.Controller):
    @extensions.expected_errors(())
    def index(self, req, server_id):
        """Returns a list of consoles for this instance."""
+        context = req.environ['nova.context']
+        authorize(context, action='index')
+
        consoles = self.console_api.get_consoles(
                req.environ['nova.context'], server_id)
        return dict(consoles=[_translate_keys(console)
@ -64,6 +68,9 @@ class ConsolesController(wsgi.Controller):
    @extensions.expected_errors(404)
    def create(self, req, server_id, body):
        """Creates a new console."""
+        context = req.environ['nova.context']
+        authorize(context, action='create')
+
        try:
            self.console_api.create_console(
                req.environ['nova.context'], server_id)
@ -73,6 +80,9 @@ class ConsolesController(wsgi.Controller):
    @extensions.expected_errors(404)
    def show(self, req, server_id, id):
        """Shows in-depth information on a specific console."""
+        context = req.environ['nova.context']
+        authorize(context, action='show')
+
        try:
            console = self.console_api.get_console(
                                        req.environ['nova.context'],
@ -86,6 +96,9 @@ class ConsolesController(wsgi.Controller):
    @extensions.expected_errors(404)
    def delete(self, req, server_id, id):
        """Deletes a console."""
+        context = req.environ['nova.context']
+        authorize(context, action='delete')
+
        try:
            self.console_api.delete_console(req.environ['nova.context'],
                                            server_id,
--- a/nova/tests/unit/api/openstack/compute/test_consoles.py
+++ b/nova/tests/unit/api/openstack/compute/test_consoles.py
@ -26,6 +26,8 @@ from nova.compute import vm_states
 from nova import console
 from nova import db
 from nova import exception
+from nova.openstack.common import policy as common_policy
+from nova import policy
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import matchers
@ -263,7 +265,42 @@ class ConsolesControllerTestV21(test.NoDBTestCase):
        self.assertRaises(webob.exc.HTTPNotFound, self.controller.delete,
                          req, self.uuid, '20')

+    def _test_fail_policy(self, rule, action, data=None):
+        rules = {
+            rule: common_policy.parse_rule("!"),
+        }
+
+        policy.set_rules(rules)
+        req = fakes.HTTPRequest.blank(self.url + '/20')
+
+        if data is not None:
+            self.assertRaises(exception.PolicyNotAuthorized, action,
+                              req, self.uuid, data)
+        else:
+            self.assertRaises(exception.PolicyNotAuthorized, action,
+                              req, self.uuid)
+
+    def test_delete_console_fail_policy(self):
+        self._test_fail_policy("os_compute_api:os-consoles:delete",
+                               self.controller.delete, data='20')
+
+    def test_create_console_fail_policy(self):
+        self._test_fail_policy("os_compute_api:os-consoles:create",
+                               self.controller.create, data='20')
+
+    def test_index_console_fail_policy(self):
+        self._test_fail_policy("os_compute_api:os-consoles:index",
+                               self.controller.index)
+
+    def test_show_console_fail_policy(self):
+        self._test_fail_policy("os_compute_api:os-consoles:show",
+                               self.controller.show, data='20')
+

 class ConsolesControllerTestV2(ConsolesControllerTestV21):
    def _set_up_controller(self):
        self.controller = consoles_v2.Controller()
+
+    def _test_fail_policy(self, rule, action, data=None):
+        # V2 API don't have policy
+        pass
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
@ -178,6 +178,11 @@ policy_data = """
    "os_compute_api:os-console-output": "",
    "compute_extension:consoles": "",
    "os_compute_api:os-remote-consoles": "",
+    "os_compute_api:os-consoles": "",
+    "os_compute_api:os-consoles:create": "",
+    "os_compute_api:os-consoles:delete": "",
+    "os_compute_api:os-consoles:index": "",
+    "os_compute_api:os-consoles:show": "",
    "compute_extension:createserverext": "",
    "os_compute_api:os-create-backup": "",
    "compute_extension:deferred_delete": "",