From 58701be6159fff33f1800f6047361176b74d512b Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Fri, 27 Mar 2020 07:43:16 -0500
Subject: [PATCH] Fix os-ips policy to be admin_or_owner

os-ips API policy is default to admin_or_owner[1] but API is allowed for everyone. We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/715477

This is because API does not pass the server project_id in policy target[2] and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone who try to access)[3]

This commit fix this policy by passing the server's project_id in policy target.

Closes-bug: #1869396
[1] https://github.com/openstack/nova/blob/eaf08c0b7b8250408e5d10c6471f2e3155cc0edb/nova/policies/ips.py#L27
Change-Id: Ie7bcb6537f90813cc5b23d69c886037d25b15a42
---
 nova/api/openstack/compute/ips.py | 6 ++++--
 nova/tests/unit/api/openstack/compute/test_serversV21.py | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/nova/api/openstack/compute/ips.py b/nova/api/openstack/compute/ips.py
index 858340435258..2809396c715f 100644
--- a/nova/api/openstack/compute/ips.py
+++ b/nova/api/openstack/compute/ips.py
@@ -38,16 +38,18 @@ class IPsController(wsgi.Controller):
     @wsgi.expected_errors(404)
     def index(self, req, server_id):
         context = req.environ["nova.context"]
-        context.can(ips_policies.POLICY_ROOT % 'index')
         instance = common.get_instance(self._compute_api, context, server_id)
+        context.can(ips_policies.POLICY_ROOT % 'index',
+                    target={'project_id': instance.project_id})
         networks = common.get_networks_for_instance(context, instance)
         return self._view_builder.index(networks)
 
     @wsgi.expected_errors(404)
     def show(self, req, server_id, id):
         context = req.environ["nova.context"]
-        context.can(ips_policies.POLICY_ROOT % 'show')
         instance = common.get_instance(self._compute_api, context, server_id)
+        context.can(ips_policies.POLICY_ROOT % 'show',
+                    target={'project_id': instance.project_id})
         networks = common.get_networks_for_instance(context, instance)
         if id not in networks:
             msg = _("Instance is not a member of specified network")
diff --git a/nova/tests/unit/api/openstack/compute/test_serversV21.py b/nova/tests/unit/api/openstack/compute/test_serversV21.py
index 712fd4d34c7f..05fee0109f84 100644
--- a/nova/tests/unit/api/openstack/compute/test_serversV21.py
+++ b/nova/tests/unit/api/openstack/compute/test_serversV21.py
@@ -8109,6 +8109,10 @@ class IPsPolicyEnforcementV21(test.NoDBTestCase):
         super(IPsPolicyEnforcementV21, self).setUp()
         self.controller = ips.IPsController()
         self.req = fakes.HTTPRequest.blank("/v2/%s" % fakes.FAKE_PROJECT_ID)
+        self.mock_get = self.useFixture(
+            fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
+        self.mock_get.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'])
 
     def test_index_policy_failed(self):
         rule_name = "os_compute_api:ips:index"
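Review bot: Moving `context.can` after `common.get_instance` in both `index` and `show` changes what a caller outside the owning project observes: a server UUID that exists in another project now produces the policy's 403 while an unknown UUID still produces 404, so the status code becomes an existence oracle for server UUIDs (the commit message indicates the previous behaviour leaked the addresses themselves, so this is a net improvement, but the trade-off is undocumented). If hiding cross-project existence matters here, the two `context.can` calls could catch `exception.PolicyNotAuthorized` and re-raise `exc.HTTPNotFound`; if this instead deliberately mirrors how the other server sub-resource handlers order fetch and check, a one-line comment above each call would settle the question for the next reader, e.g. `# Fetch first: the admin_or_owner rule needs the server's project_id as the policy target.` The `@wsgi.expected_errors(404)` decorator presumably passes the Forbidden through unchanged, so the new 403 path should not need a decorator update, but that is worth confirming. `show` continues past the end of the hunk.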
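Review bot: The fixture added to `setUp` builds the fake instance from `self.req.environ['nova.context']`, so its project_id matches the requesting project and the surrounding `*_policy_failed` tests still only exercise a rule that is set to deny; nothing in this file asserts the actual fix, namely that a request from a different project is refused while the owner is allowed. The commit message points to a separate change (review 715477) for the cross-project case, so it may be covered there, but a unit test beside this fixture would pin the target-passing directly; the sketch below assumes `exception` is already imported in this module, that `fake_instance_obj` accepts `project_id` as an override, and that the test policy fixture loads the default admin_or_owner rule. `setUp` begins before the start of the hunk.
```python
    def test_index_other_project_denied(self):
        # Server owned by another project: with the server's project_id now
        # passed as the policy target, the default rule must reject the call.
        self.mock_get.return_value = fake_instance.fake_instance_obj(
            self.req.environ['nova.context'], project_id='other-project')
        self.assertRaises(exception.PolicyNotAuthorized,
                          self.controller.index, self.req, 'fake-server-id')
```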