From 005bd4c658153283b7a750935185af3205d6ad10 Mon Sep 17 00:00:00 2001
From: jichenjc
Date: Tue, 2 Dec 2014 03:04:11 +0800
Subject: [PATCH] Add policy check for consoles
There is no policy check consoles v3(v2.1) API. This patch adds policy check for each operations.
Partially implements blueprint v3-api-policy
Change-Id: Ia0aa260ac31eb359275273fdcdfbfde3cfc47d87
---
etc/nova/policy.d/00-os-compute-api.json | 4 ++
.../openstack/compute/plugins/v3/consoles.py | 13 +++++++
.../api/openstack/compute/test_consoles.py | 37 +++++++++++++++++++
nova/tests/unit/fake_policy.py | 5 +++
4 files changed, 59 insertions(+)
diff --git a/etc/nova/policy.d/00-os-compute-api.json b/etc/nova/policy.d/00-os-compute-api.json
index c2e034ba0f01..376ccc81858e 100644
--- a/etc/nova/policy.d/00-os-compute-api.json
+++ b/etc/nova/policy.d/00-os-compute-api.json
@@ -38,6 +38,10 @@
"os_compute_api:os-cloudpipe": "rule:admin_api",
"os_compute_api:os-cloudpipe:discoverable": "",
"os_compute_api:os-consoles:discoverable": "",
+ "os_compute_api:os-consoles:create": "",
+ "os_compute_api:os-consoles:delete": "",
+ "os_compute_api:os-consoles:index": "",
+ "os_compute_api:os-consoles:show": "",
"os_compute_api:os-console-output:discoverable": "",
"os_compute_api:os-console-output": "",
"os_compute_api:os-remote-consoles": "",
diff --git a/nova/api/openstack/compute/plugins/v3/consoles.py b/nova/api/openstack/compute/plugins/v3/consoles.py
index f0a624522e98..86b121ece0d5 100644
--- a/nova/api/openstack/compute/plugins/v3/consoles.py
+++ b/nova/api/openstack/compute/plugins/v3/consoles.py
@@ -22,6 +22,7 @@ from nova import exception
ALIAS = 'os-consoles'
+authorize = extensions.os_compute_authorizer(ALIAS)
def _translate_keys(cons):
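Review bot: All four new rules default to `""`, so the create/delete/index/show console actions are open to any authenticated user of any project, not only to admins or the owning project; this mirrors the neighbouring `os-console-output` and `os-remote-consoles` entries, so it is probably deliberate, but the commit message does not say so. Because the controller calls `authorize(context, action=...)` with no target, a deployer cannot later narrow these rules by server ownership either, only by role, so any cross-project isolation has to come from console_api itself. A sentence in the commit message stating that the default grants every authenticated user and that per-server ownership is not expressible through these rules would make the contract explicit for deployers writing their own policy.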
@@ -53,6 +54,9 @@ class ConsolesController(wsgi.Controller):
@extensions.expected_errors(())
def index(self, req, server_id):
"""Returns a list of consoles for this instance."""
+ context = req.environ['nova.context']
+ authorize(context, action='index')
+
consoles = self.console_api.get_consoles(
req.environ['nova.context'], server_id)
return dict(consoles=[_translate_keys(console)
@@ -64,6 +68,9 @@ class ConsolesController(wsgi.Controller):
@extensions.expected_errors(404)
def create(self, req, server_id, body):
"""Creates a new console."""
+ context = req.environ['nova.context']
+ authorize(context, action='create')
+
try:
self.console_api.create_console(
req.environ['nova.context'], server_id)
@@ -73,6 +80,9 @@ class ConsolesController(wsgi.Controller):
@extensions.expected_errors(404)
def show(self, req, server_id, id):
"""Shows in-depth information on a specific console."""
+ context = req.environ['nova.context']
+ authorize(context, action='show')
+
try:
console = self.console_api.get_console(
req.environ['nova.context'],
@@ -86,6 +96,9 @@ class ConsolesController(wsgi.Controller):
@extensions.expected_errors(404)
def delete(self, req, server_id, id):
"""Deletes a console."""
+ context = req.environ['nova.context']
+ authorize(context, action='delete')
+
try:
self.console_api.delete_console(req.environ['nova.context'],
server_id,
diff --git a/nova/tests/unit/api/openstack/compute/test_consoles.py b/nova/tests/unit/api/openstack/compute/test_consoles.py
index ce1c01d8f159..04a82050e826 100644
--- a/nova/tests/unit/api/openstack/compute/test_consoles.py
+++ b/nova/tests/unit/api/openstack/compute/test_consoles.py
@@ -26,6 +26,8 @@ from nova.compute import vm_states
from nova import console
from nova import db
from nova import exception
+from nova.openstack.common import policy as common_policy
+from nova import policy
from nova import test
from nova.tests.unit.api.openstack import fakes
from nova.tests.unit import matchers
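Review bot: `context` is bound on the first added line of the `index` hunk and then abandoned: the very next statement reads `req.environ['nova.context']` a second time for the `get_consoles` call, and the same pattern repeats in the `create`, `show` and `delete` hunks below. Passing the local through, `consoles = self.console_api.get_consoles(context, server_id)`, makes it explicit that the context that was just authorized is the one handed to console_api and removes a redundant lookup. The ordering itself is right in all four methods, since `authorize` runs before any console_api call; the `index` body continues past the end of the hunk, so its `return` statement is only partly visible here.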
@@ -263,7 +265,42 @@ class ConsolesControllerTestV21(test.NoDBTestCase):
self.assertRaises(webob.exc.HTTPNotFound, self.controller.delete,
req, self.uuid, '20')
+ def _test_fail_policy(self, rule, action, data=None):
+ rules = {
+ rule: common_policy.parse_rule("!"),
+ }
+
+ policy.set_rules(rules)
+ req = fakes.HTTPRequest.blank(self.url + '/20')
+
+ if data is not None:
+ self.assertRaises(exception.PolicyNotAuthorized, action,
+ req, self.uuid, data)
+ else:
+ self.assertRaises(exception.PolicyNotAuthorized, action,
+ req, self.uuid)
+
+ def test_delete_console_fail_policy(self):
+ self._test_fail_policy("os_compute_api:os-consoles:delete",
+ self.controller.delete, data='20')
+
+ def test_create_console_fail_policy(self):
+ self._test_fail_policy("os_compute_api:os-consoles:create",
+ self.controller.create, data='20')
+
+ def test_index_console_fail_policy(self):
+ self._test_fail_policy("os_compute_api:os-consoles:index",
+ self.controller.index)
+
+ def test_show_console_fail_policy(self):
+ self._test_fail_policy("os_compute_api:os-consoles:show",
+ self.controller.show, data='20')
+
class ConsolesControllerTestV2(ConsolesControllerTestV21):
def _set_up_controller(self):
self.controller = consoles_v2.Controller()
+
+ def _test_fail_policy(self, rule, action, data=None):
+ # V2 API don't have policy
+ pass
diff --git a/nova/tests/unit/fake_policy.py b/nova/tests/unit/fake_policy.py
index 46d6cf25136e..34d023f3279b 100644
--- a/nova/tests/unit/fake_policy.py
+++ b/nova/tests/unit/fake_policy.py
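Review bot: The V2 override of `_test_fail_policy` at the end of the hunk is a bare `pass`, so the four inherited `test_*_fail_policy` methods report success against `consoles_v2.Controller()` while asserting nothing, and a reader of the results cannot see that V2 has no per-action console policy. Replacing the body with `self.skipTest("V2 consoles API has no per-action policy")` keeps the V21 tests inherited while making the gap visible in the run. Separately, the helper passes `data='20'` as the `body` argument of `create`, which only works because `authorize` raises before the body is inspected; a one-line comment saying so would stop someone extending the helper from treating `data` as a console id. `policy.set_rules(rules)` also replaces the whole rule set for the process, which presumably relies on the test base class restoring policy between tests — worth confirming.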
@@ -178,6 +178,11 @@ policy_data = """
"os_compute_api:os-console-output": "",
"compute_extension:consoles": "",
"os_compute_api:os-remote-consoles": "",
+ "os_compute_api:os-consoles": "",
+ "os_compute_api:os-consoles:create": "",
+ "os_compute_api:os-consoles:delete": "",
+ "os_compute_api:os-consoles:index": "",
+ "os_compute_api:os-consoles:show": "",
"compute_extension:createserverext": "",
"os_compute_api:os-create-backup": "",
"compute_extension:deferred_delete": "",
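Review bot: The first added line, `"os_compute_api:os-consoles": ""`, has no counterpart in the shipped `etc/nova/policy.d/00-os-compute-api.json` hunk, which adds only the four `:create`/`:delete`/`:index`/`:show` rules, and nothing in consoles.py consults it: every `authorize` call there passes an `action`, so the rule name checked is always the suffixed form. A rule that exists only in the test fixture can later mask a missing production rule, because a test would pass against the fixture while a real deployment falls through to the default rule. Either drop this line or add the same key to the shipped policy file so that fixture and production policy stay in lockstep.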