Merge "Move policy enforcement into REST API layer for v2.1 suspend/resume server"

2015-02-24 11:27:16 +00:00 · 2015-02-24 11:27:16 +00:00 · 223986d7d0
commit 223986d7d0
parent 5eb3f97d23 c145dc7976
2 changed files with 36 additions and 6 deletions
--- a/nova/api/openstack/compute/plugins/v3/suspend_server.py
+++ b/nova/api/openstack/compute/plugins/v3/suspend_server.py
@ -23,15 +23,13 @@ from nova import exception
 ALIAS = "os-suspend-server"


-def authorize(context, action_name):
-    action = 'v3:%s:%s' % (ALIAS, action_name)
-    extensions.extension_authorizer('compute', action)(context)
+authorize = extensions.os_compute_authorizer(ALIAS)


 class SuspendServerController(wsgi.Controller):
    def __init__(self, *args, **kwargs):
        super(SuspendServerController, self).__init__(*args, **kwargs)
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)

    @wsgi.response(202)
    @extensions.expected_errors((404, 409))
@ -39,7 +37,7 @@ class SuspendServerController(wsgi.Controller):
    def _suspend(self, req, id, body):
        """Permit admins to suspend the server."""
        context = req.environ['nova.context']
-        authorize(context, 'suspend')
+        authorize(context, action='suspend')
        try:
            server = common.get_instance(self.compute_api, context, id,
                                         want_objects=True)
@ -56,7 +54,7 @@ class SuspendServerController(wsgi.Controller):
    def _resume(self, req, id, body):
        """Permit admins to resume the server from suspend."""
        context = req.environ['nova.context']
-        authorize(context, 'resume')
+        authorize(context, action='resume')
        try:
            server = common.get_instance(self.compute_api, context, id,
                                         want_objects=True)
--- a/nova/tests/unit/api/openstack/compute/contrib/test_suspend_server.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_suspend_server.py
@ -16,6 +16,8 @@ from nova.api.openstack.compute.contrib import admin_actions as \
    suspend_server_v2
 from nova.api.openstack.compute.plugins.v3 import suspend_server as \
    suspend_server_v21
+from nova import exception
+from nova import test
 from nova.tests.unit.api.openstack.compute import admin_only_action_common
 from nova.tests.unit.api.openstack import fakes

@ -70,3 +72,33 @@ class SuspendServerTestsV2(SuspendServerTestsV21):
    def _get_app(self):
        return fakes.wsgi_app(init_only=('servers',),
            fake_auth_context=self.context)
+
+
+class SuspendServerPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(SuspendServerPolicyEnforcementV21, self).setUp()
+        self.controller = suspend_server_v21.SuspendServerController()
+        self.req = fakes.HTTPRequest.blank('')
+
+    def test_suspend_policy_failed(self):
+        rule_name = "compute_extension:v3:os-suspend-server:suspend"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller._suspend, self.req, fakes.FAKE_UUID,
+            body={'suspend': {}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
+
+    def test_resume_policy_failed(self):
+        rule_name = "compute_extension:v3:os-suspend-server:resume"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller._resume, self.req, fakes.FAKE_UUID,
+            body={'resume': {}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())