openstack/nova
Code Issues Proposed changes

Merge "Update policy check on each action for certificates"

Browse Source
This commit is contained in:
Jenkins 2014-02-12 08:45:25 +00:00 committed by Gerrit Code Review
commit 3528e80017
4 changed files with 32 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
etc/nova/policy.json
View File

@ -68,7 +68,8 @@
"compute_extension:v3:os-cells": "rule:admin_api", "compute_extension:v3:os-cells": "rule:admin_api",
"compute_extension:v3:os-cells:discoverable": "", "compute_extension:v3:os-cells:discoverable": "",
"compute_extension:certificates": "", "compute_extension:certificates": "",
"compute_extension:v3:os-certificates": "", "compute_extension:v3:os-certificates:create": "",
"compute_extension:v3:os-certificates:show": "",
"compute_extension:v3:os-certificates:discoverable": "", "compute_extension:v3:os-certificates:discoverable": "",
"compute_extension:cloudpipe": "rule:admin_api", "compute_extension:cloudpipe": "rule:admin_api",
"compute_extension:cloudpipe_update": "rule:admin_api", "compute_extension:cloudpipe_update": "rule:admin_api",

4
nova/api/openstack/compute/plugins/v3/certificates.py
View File

@ -44,7 +44,7 @@ class CertificatesController(object):
def show(self, req, id): def show(self, req, id):
"""Return certificate information.""" """Return certificate information."""
context = req.environ['nova.context'] context = req.environ['nova.context']
authorize(context) authorize(context, action='show')
if id != 'root': if id != 'root':
msg = _("Only root certificate can be retrieved.") msg = _("Only root certificate can be retrieved.")
raise webob.exc.HTTPNotImplemented(explanation=msg) raise webob.exc.HTTPNotImplemented(explanation=msg)
@ -60,7 +60,7 @@ class CertificatesController(object):
def create(self, req, body=None): def create(self, req, body=None):
"""Create a certificate.""" """Create a certificate."""
context = req.environ['nova.context'] context = req.environ['nova.context']
authorize(context) authorize(context, action='create')
pk, cert = self.cert_rpcapi.generate_x509_cert(context, pk, cert = self.cert_rpcapi.generate_x509_cert(context,
user_id=context.user_id, project_id=context.project_id) user_id=context.user_id, project_id=context.project_id)
return {'certificate': _translate_certificate_view(cert, pk)} return {'certificate': _translate_certificate_view(cert, pk)}

27
nova/tests/api/openstack/compute/plugins/v3/test_certificates.py
View File

@ -18,6 +18,8 @@ import mox
from nova.api.openstack.compute.plugins.v3 import certificates from nova.api.openstack.compute.plugins.v3 import certificates
from nova import context from nova import context
from nova import exception
from nova.openstack.common import policy as common_policy
from nova import test from nova import test
from nova.tests.api.openstack import fakes from nova.tests.api.openstack import fakes
@ -48,6 +50,18 @@ class CertificatesTest(test.NoDBTestCase):
response = {'certificate': {'data': 'fakeroot', 'private_key': None}} response = {'certificate': {'data': 'fakeroot', 'private_key': None}}
self.assertEqual(res_dict, response) self.assertEqual(res_dict, response)
def test_certificates_show_policy_failed(self):
rules = {
"compute_extension:v3:os-certificates:show":
common_policy.parse_rule("!")
}
common_policy.set_rules(common_policy.Rules(rules))
req = fakes.HTTPRequestV3.blank('/os-certificates/root')
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.show, req, 'root')
self.assertIn("compute_extension:v3:os-certificates:show",
exc.format_message())
def test_certificates_create_certificate(self): def test_certificates_create_certificate(self):
self.mox.StubOutWithMock(self.controller.cert_rpcapi, self.mox.StubOutWithMock(self.controller.cert_rpcapi,
'generate_x509_cert') 'generate_x509_cert')
@ -56,7 +70,6 @@ class CertificatesTest(test.NoDBTestCase):
mox.IgnoreArg(), mox.IgnoreArg(),
user_id='fake_user', user_id='fake_user',
project_id='fake').AndReturn(('fakepk', 'fakecert')) project_id='fake').AndReturn(('fakepk', 'fakecert'))
self.mox.ReplayAll() self.mox.ReplayAll()
req = fakes.HTTPRequest.blank('/v2/fake/os-certificates/') req = fakes.HTTPRequest.blank('/v2/fake/os-certificates/')
@ -68,3 +81,15 @@ class CertificatesTest(test.NoDBTestCase):
} }
self.assertEqual(res_dict, response) self.assertEqual(res_dict, response)
self.assertEqual(self.controller.create.wsgi_code, 201) self.assertEqual(self.controller.create.wsgi_code, 201)
def test_certificates_create_policy_failed(self):
rules = {
"compute_extension:v3:os-certificates:create":
common_policy.parse_rule("!")
}
common_policy.set_rules(common_policy.Rules(rules))
req = fakes.HTTPRequestV3.blank('/os-certificates/')
exc = self.assertRaises(exception.PolicyNotAuthorized,
self.controller.create, req)
self.assertIn("compute_extension:v3:os-certificates:create",
exc.format_message())

3
nova/tests/fake_policy.py
View File

@ -139,7 +139,8 @@ policy_data = """
"compute_extension:cells": "", "compute_extension:cells": "",
"compute_extension:v3:os-cells": "", "compute_extension:v3:os-cells": "",
"compute_extension:certificates": "", "compute_extension:certificates": "",
"compute_extension:v3:os-certificates": "", "compute_extension:v3:os-certificates:create": "",
"compute_extension:v3:os-certificates:show": "",
"compute_extension:cloudpipe": "", "compute_extension:cloudpipe": "",
"compute_extension:cloudpipe_update": "", "compute_extension:cloudpipe_update": "",
"compute_extension:config_drive": "", "compute_extension:config_drive": "",