Merge "Move policy enforcement into REST API layer for v2.1 deferred_delete"

2015-02-12 19:39:45 +00:00 · 2015-02-12 19:39:45 +00:00 · 026322c6d8
commit 026322c6d8
parent ddee1da6c3 56d0da73c1
2 changed files with 32 additions and 3 deletions
--- a/nova/api/openstack/compute/plugins/v3/deferred_delete.py
+++ b/nova/api/openstack/compute/plugins/v3/deferred_delete.py
@ -24,14 +24,13 @@ from nova import compute
 from nova import exception

 ALIAS = 'os-deferred-delete'
-authorize = extensions.extension_authorizer('compute',
-                                            'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)


 class DeferredDeleteController(wsgi.Controller):
    def __init__(self, *args, **kwargs):
        super(DeferredDeleteController, self).__init__(*args, **kwargs)
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)

    @wsgi.response(202)
    @extensions.expected_errors((404, 409, 403))
--- a/nova/tests/unit/api/openstack/compute/contrib/test_deferred_delete.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_deferred_delete.py
@ -145,3 +145,33 @@ class DeferredDeleteExtensionTestV21(test.NoDBTestCase):

 class DeferredDeleteExtensionTestV2(DeferredDeleteExtensionTestV21):
    ext_ver = deferred_delete.DeferredDeleteController
+
+
+class DeferredDeletePolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(DeferredDeletePolicyEnforcementV21, self).setUp()
+        self.controller = dd_v21.DeferredDeleteController()
+        self.req = fakes.HTTPRequest.blank('')
+
+    def test_restore_policy_failed(self):
+        rule_name = "compute_extension:v3:os-deferred-delete"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller._restore, self.req, fakes.FAKE_UUID,
+            body={'restore': {}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
+
+    def test_force_delete_policy_failed(self):
+        rule_name = "compute_extension:v3:os-deferred-delete"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller._force_delete, self.req, fakes.FAKE_UUID,
+            body={'forceDelete': {}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())