Move policy enforcement into REST API layer for v2.1 api attach_interfaces

This patch moves policy enforcement into REST API layer for v2.1 api attach_interfaces, and adds unit tests. Partially implements blueprint v3-api-policy Change-Id: Ia1f9769ab269751249e7765dbedda324c4b972c5
2015-01-23 14:52:42 +08:00 · 2015-01-23 14:52:42 +08:00 · 62842e5ae0
parent 4103a86f30
commit 62842e5ae0
2 changed files with 46 additions and 4 deletions
--- a/nova/api/openstack/compute/plugins/v3/attach_interfaces.py
+++ b/nova/api/openstack/compute/plugins/v3/attach_interfaces.py
@ -30,8 +30,7 @@ from nova import network


 ALIAS = 'os-attach-interfaces'
-authorize = extensions.extension_authorizer('compute',
-                                            'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)


 def _translate_interface_attachment_view(port_info):
@ -49,8 +48,8 @@ class InterfaceAttachmentController(wsgi.Controller):
    """The interface attachment API controller for the OpenStack API."""

    def __init__(self):
-        self.compute_api = compute.API()
-        self.network_api = network.API()
+        self.compute_api = compute.API(skip_policy_check=True)
+        self.network_api = network.API(skip_policy_check=True)
        super(InterfaceAttachmentController, self).__init__()

    @extensions.expected_errors((404, 501))
--- a/nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py
@ -427,3 +427,46 @@ class InterfaceAttachTestsV2(InterfaceAttachTestsV21):

    def test_attach_interface_instance_with_non_array_fixed_ips(self):
        pass
+
+
+class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(AttachInterfacesPolicyEnforcementv21, self).setUp()
+        self.controller = \
+            attach_interfaces_v21.InterfaceAttachmentController()
+        self.req = fakes.HTTPRequest.blank('')
+        self.rule_name = "compute_extension:v3:os-attach-interfaces"
+        self.policy.set_rules({self.rule_name: "project:non_fake"})
+
+    def test_index_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.index, self.req, fakes.FAKE_UUID)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())
+
+    def test_show_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.show, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())
+
+    def test_create_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.create, self.req, fakes.FAKE_UUID, body={})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())
+
+    def test_delete_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())