Merge "Add authorization checks to flavormanage extension"

etc/nova/policy.json

@@ -22,6 +22,7 @@
     "compute_extension:disk_config": [],
     "compute_extension:extended_status": [["rule:admin_api"]],
     "compute_extension:flavorextraspecs": [],
+    "compute_extension:flavormanage": [["rule:admin_api"]],
     "compute_extension:floating_ip_dns": [],
     "compute_extension:floating_ip_pools": [],
     "compute_extension:floating_ips": [],

nova/api/openstack/compute/contrib/flavormanage.py

@@ -12,20 +12,19 @@
 #    License for the specific language governing permissions and limitations
 #    under the License
 
-import urlparse
-
 import webob
 
-from nova.api.openstack import extensions
-from nova.api.openstack import wsgi
 from nova.api.openstack.compute import flavors as flavors_api
 from nova.api.openstack.compute.views import flavors as flavors_view
+from nova.api.openstack import extensions
+from nova.api.openstack import wsgi
 from nova.compute import instance_types
-from nova import log as logging
 from nova import exception
+from nova import log as logging
 
 
 LOG = logging.getLogger('nova.api.openstack.compute.contrib.flavormanage')
+authorize = extensions.extension_authorizer('compute', 'flavormanage')
 
 
 class FlavorManageController(wsgi.Controller):
@@ -40,9 +39,7 @@ class FlavorManageController(wsgi.Controller):
     @wsgi.action("delete")
     def _delete(self, req, id):
         context = req.environ['nova.context']
-
-        if not context.is_admin:
-            return webob.Response(status_int=403)
+        authorize(context)
 
         try:
             flavor = instance_types.get_instance_type_by_flavor_id(id)
@@ -57,9 +54,7 @@ class FlavorManageController(wsgi.Controller):
     @wsgi.serializers(xml=flavors_api.FlavorTemplate)
     def _create(self, req, body):
         context = req.environ['nova.context']
-
-        if not context.is_admin:
-            return webob.Response(status_int=403)
+        authorize(context)
 
         vals = body['flavor']
         name = vals['name']

nova/tests/api/openstack/compute/contrib/test_flavor_manage.py

@@ -85,23 +85,14 @@ class FlavorManageTest(test.TestCase):
         super(FlavorManageTest, self).tearDown()
 
     def test_delete(self):
-        req = fakes.HTTPRequest.blank(
-              '/v2/123/flavor/delete/1234',
-              use_admin_context=True)
-
+        req = fakes.HTTPRequest.blank('/v2/123/flavors/1234')
         res = self.controller._delete(req, id)
         self.assertEqual(res.status_int, 202)
 
+        # subsequent delete should fail
         self.assertRaises(webob.exc.HTTPNotFound,
                           self.controller._delete, req, "failtest")
 
-        req = fakes.HTTPRequest.blank(
-              '/v2/123/flavor/delete/1234',
-              use_admin_context=False)
-
-        res = self.controller._delete(req, id)
-        self.assertEqual(res.status_int, 403)
-
     def test_create(self):
         body = {
             "flavor": {
@@ -115,16 +106,7 @@ class FlavorManageTest(test.TestCase):
             }
         }
 
-        req = fakes.HTTPRequest.blank(
-              '/v2/123/flavor/create/',
-              use_admin_context=True)
-
+        req = fakes.HTTPRequest.blank('/v2/123/flavors')
         res = self.controller._create(req, body)
         for key in body["flavor"]:
             self.assertEquals(res["flavor"][key], body["flavor"][key])
-
-        req = fakes.HTTPRequest.blank(
-              '/v2/123/flavor/create/',
-              use_admin_context=False)
-        res = self.controller._create(req, body)
-        self.assertEqual(res.status_int, 403)

nova/tests/policy.json

@@ -81,6 +81,7 @@
     "compute_extension:disk_config": [],
     "compute_extension:extended_status": [],
     "compute_extension:flavorextraspecs": [],
+    "compute_extension:flavormanage": [],
     "compute_extension:floating_ip_dns": [],
     "compute_extension:floating_ip_pools": [],
     "compute_extension:floating_ips": [],