Zuul
2 months ago
committed by
Gerrit Code Review
Gerrit Code Review
5 changed files with 106 additions and 18 deletions
Split View
Diff Options
-
+2 -2nova/api/openstack/compute/server_password.py
-
+30 -5nova/policies/server_password.py
-
+2 -1nova/tests/unit/fake_policy.py
-
+70 -9nova/tests/unit/policies/test_server_password.py
-
+2 -1nova/tests/unit/test_policy.py
+ 2
- 2
nova/api/openstack/compute/server_password.py
View File
| @@ -32,7 +32,7 @@ class ServerPasswordController(wsgi.Controller): | |||
| def index(self, req, server_id): | |||
| context = req.environ['nova.context'] | |||
| instance = common.get_instance(self.compute_api, context, server_id) | |||
| context.can(sp_policies.BASE_POLICY_NAME, | |||
| context.can(sp_policies.BASE_POLICY_NAME % 'show', | |||
| target={'project_id': instance.project_id}) | |||
| passw = password.extract_password(instance) | |||
| @@ -49,7 +49,7 @@ class ServerPasswordController(wsgi.Controller): | |||
| context = req.environ['nova.context'] | |||
| instance = common.get_instance(self.compute_api, context, server_id) | |||
| context.can(sp_policies.BASE_POLICY_NAME, | |||
| context.can(sp_policies.BASE_POLICY_NAME % 'clear', | |||
| target={'project_id': instance.project_id}) | |||
| meta = password.convert_password(context, None) | |||
| instance.system_metadata.update(meta) | |||
+ 30
- 5
nova/policies/server_password.py
View File
| @@ -18,26 +18,51 @@ from oslo_policy import policy | |||
| from nova.policies import base | |||
| BASE_POLICY_NAME = 'os_compute_api:os-server-password' | |||
| BASE_POLICY_NAME = 'os_compute_api:os-server-password:%s' | |||
| DEPRECATED_POLICY = policy.DeprecatedRule( | |||
| 'os_compute_api:os-server-password', | |||
| base.RULE_ADMIN_OR_OWNER, | |||
| ) | |||
| DEPRECATED_REASON = """ | |||
| Nova API policies are introducing new default roles with scope_type | |||
| capabilities. Old policies are deprecated and silently going to be ignored | |||
| in nova 23.0.0 release. | |||
| """ | |||
| server_password_policies = [ | |||
| policy.DocumentedRuleDefault( | |||
| name=BASE_POLICY_NAME, | |||
| check_str=base.RULE_ADMIN_OR_OWNER, | |||
| description="Show and clear the encrypted administrative " | |||
| name=BASE_POLICY_NAME % 'show', | |||
| check_str=base.PROJECT_READER_OR_SYSTEM_READER, | |||
| description="Show the encrypted administrative " | |||
| "password of a server", | |||
| operations=[ | |||
| { | |||
| 'method': 'GET', | |||
| 'path': '/servers/{server_id}/os-server-password' | |||
| }, | |||
| ], | |||
| scope_types=['system', 'project'], | |||
| deprecated_rule=DEPRECATED_POLICY, | |||
| deprecated_reason=DEPRECATED_REASON, | |||
| deprecated_since='21.0.0'), | |||
| policy.DocumentedRuleDefault( | |||
| name=BASE_POLICY_NAME % 'clear', | |||
| check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN, | |||
| description="Clear the encrypted administrative " | |||
| "password of a server", | |||
| operations=[ | |||
| { | |||
| 'method': 'DELETE', | |||
| 'path': '/servers/{server_id}/os-server-password' | |||
| } | |||
| ], | |||
| scope_types=['system', 'project']), | |||
| scope_types=['system', 'project'], | |||
| deprecated_rule=DEPRECATED_POLICY, | |||
| deprecated_reason=DEPRECATED_REASON, | |||
| deprecated_since='21.0.0'), | |||
| ] | |||
+ 2
- 1
nova/tests/unit/fake_policy.py
View File
| @@ -93,7 +93,8 @@ policy_data = """ | |||
| "os_compute_api:os-security-groups:add": "", | |||
| "os_compute_api:os-security-groups:remove": "", | |||
| "os_compute_api:os-server-diagnostics": "", | |||
| "os_compute_api:os-server-password": "", | |||
| "os_compute_api:os-server-password:show": "", | |||
| "os_compute_api:os-server-password:clear": "", | |||
| "os_compute_api:os-server-tags:index": "", | |||
| "os_compute_api:os-server-tags:show": "", | |||
| "os_compute_api:os-server-tags:update": "", | |||
+ 70
- 9
nova/tests/unit/policies/test_server_password.py
View File
| @@ -15,6 +15,7 @@ import mock | |||
| from oslo_utils.fixture import uuidsentinel as uuids | |||
| from nova.api.openstack.compute import server_password | |||
| from nova.policies import base as base_policy | |||
| from nova.policies import server_password as policies | |||
| from nova.tests.unit.api.openstack import fakes | |||
| from nova.tests.unit import fake_instance | |||
| @@ -41,32 +42,45 @@ class ServerPasswordPolicyTest(base.BasePolicyTest): | |||
| system_metadata={}, expected_attrs=['system_metadata']) | |||
| self.mock_get.return_value = self.instance | |||
| # Check that admin or and server owner is able to get | |||
| # and delete the server password. | |||
| # Check that admin or and server owner is able to | |||
| # delete the server password. | |||
| self.admin_or_owner_authorized_contexts = [ | |||
| self.legacy_admin_context, self.system_admin_context, | |||
| self.project_admin_context, self.project_member_context, | |||
| self.project_reader_context, self.project_foo_context] | |||
| # Check that non-admin/owner is not able to get and delete | |||
| # Check that non-admin/owner is not able to delete | |||
| # the server password. | |||
| self.admin_or_owner_unauthorized_contexts = [ | |||
| self.system_member_context, self.system_reader_context, | |||
| self.system_foo_context, | |||
| self.other_project_member_context | |||
| self.system_foo_context, self.other_project_member_context, | |||
| self.other_project_reader_context | |||
| ] | |||
| # Check that admin or and server owner is able to get | |||
| # the server password. | |||
| self.reader_authorized_contexts = [ | |||
| self.legacy_admin_context, self.system_admin_context, | |||
| self.system_member_context, self.system_reader_context, | |||
| self.project_admin_context, self.project_member_context, | |||
| self.project_reader_context, self.project_foo_context] | |||
| # Check that non-admin/owner is not able to get | |||
| # the server password. | |||
| self.reader_unauthorized_contexts = [ | |||
| self.system_foo_context, self.other_project_member_context, | |||
| self.other_project_reader_context | |||
| ] | |||
| @mock.patch('nova.api.metadata.password.extract_password') | |||
| def test_index_server_password_policy(self, mock_pass): | |||
| rule_name = policies.BASE_POLICY_NAME | |||
| self.common_policy_check(self.admin_or_owner_authorized_contexts, | |||
| self.admin_or_owner_unauthorized_contexts, | |||
| rule_name = policies.BASE_POLICY_NAME % 'show' | |||
| self.common_policy_check(self.reader_authorized_contexts, | |||
| self.reader_unauthorized_contexts, | |||
| rule_name, | |||
| self.controller.index, | |||
| self.req, self.instance.uuid) | |||
| @mock.patch('nova.api.metadata.password.convert_password') | |||
| def test_clear_server_password_policy(self, mock_pass): | |||
| rule_name = policies.BASE_POLICY_NAME | |||
| rule_name = policies.BASE_POLICY_NAME % 'clear' | |||
| self.common_policy_check(self.admin_or_owner_authorized_contexts, | |||
| self.admin_or_owner_unauthorized_contexts, | |||
| rule_name, | |||
| @@ -87,3 +101,50 @@ class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest): | |||
| def setUp(self): | |||
| super(ServerPasswordScopeTypePolicyTest, self).setUp() | |||
| self.flags(enforce_scope=True, group="oslo_policy") | |||
| class ServerPasswordNoLegacyPolicyTest(ServerPasswordScopeTypePolicyTest): | |||
| """Test Server Password APIs policies with system scope enabled, | |||
| and no more deprecated rules that allow the legacy admin API to | |||
| access system_admin_or_owner APIs. | |||
| """ | |||
| without_deprecated_rules = True | |||
| rules_without_deprecation = { | |||
| policies.BASE_POLICY_NAME % 'show': | |||
| base_policy.PROJECT_READER_OR_SYSTEM_READER, | |||
| policies.BASE_POLICY_NAME % 'clear': | |||
| base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN} | |||
| def setUp(self): | |||
| super(ServerPasswordNoLegacyPolicyTest, self).setUp() | |||
| # Check that system or projct admin or owner is able to clear | |||
| # server password. | |||
| self.admin_or_owner_authorized_contexts = [ | |||
| self.system_admin_context, | |||
| self.project_admin_context, self.project_member_context] | |||
| # Check that non-system and non-admin/owner is not able to clear | |||
| # server password. | |||
| self.admin_or_owner_unauthorized_contexts = [ | |||
| self.legacy_admin_context, self.project_reader_context, | |||
| self.project_foo_context, | |||
| self.system_member_context, self.system_reader_context, | |||
| self.system_foo_context, self.other_project_member_context, | |||
| self.other_project_reader_context] | |||
| # Check that system reader or projct owner is able to get | |||
| # server password. | |||
| self.reader_authorized_contexts = [ | |||
| self.system_admin_context, | |||
| self.project_admin_context, self.system_member_context, | |||
| self.system_reader_context, self.project_reader_context, | |||
| self.project_member_context, | |||
| ] | |||
| # Check that non-system reader nd non-admin/owner is not able to get | |||
| # server password. | |||
| self.reader_unauthorized_contexts = [ | |||
| self.legacy_admin_context, self.project_foo_context, | |||
| self.system_foo_context, self.other_project_member_context, | |||
| self.other_project_reader_context | |||
| ] | |||
+ 2
- 1
nova/tests/unit/test_policy.py
View File
| @@ -429,7 +429,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase): | |||
| "os_compute_api:os-security-groups", | |||
| "os_compute_api:os-security-groups:add", | |||
| "os_compute_api:os-security-groups:remove", | |||
| "os_compute_api:os-server-password", | |||
| "os_compute_api:os-server-password:clear", | |||
| "os_compute_api:os-server-tags:delete", | |||
| "os_compute_api:os-server-tags:delete_all", | |||
| "os_compute_api:os-server-tags:update", | |||
| @@ -479,6 +479,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase): | |||
| "os_compute_api:os-attach-interfaces:show", | |||
| "os_compute_api:os-instance-actions:list", | |||
| "os_compute_api:os-instance-actions:show", | |||
| "os_compute_api:os-server-password:show", | |||
| "os_compute_api:os-server-tags:index", | |||
| "os_compute_api:os-server-tags:show", | |||
| ) | |||