Merge "Add policy check for extension_info"
This commit is contained in:
commit
a5e67c643b
|
@ -247,6 +247,7 @@
|
|||
"os_compute_api:os-extended-status:discoverable": "",
|
||||
"os_compute_api:os-extended-availability-zone": "",
|
||||
"os_compute_api:os-extended-availability-zone:discoverable": "",
|
||||
"os_compute_api:extensions": "",
|
||||
"os_compute_api:extension_info:discoverable": "",
|
||||
"os_compute_api:os-extended-volumes": "",
|
||||
"os_compute_api:os-extended-volumes:discoverable": "",
|
||||
|
|
|
@ -23,6 +23,7 @@ from nova.api.openstack import wsgi
|
|||
|
||||
ALIAS = 'extensions'
|
||||
LOG = logging.getLogger(__name__)
|
||||
authorize = extensions.os_compute_authorizer(ALIAS)
|
||||
|
||||
# NOTE(cyeoh): The following mappings are currently incomplete
|
||||
# Having a v2.1 extension loaded can imply that several v2 extensions
|
||||
|
@ -172,6 +173,7 @@ class ExtensionInfoController(wsgi.Controller):
|
|||
@extensions.expected_errors(())
|
||||
def index(self, req):
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
|
||||
sorted_ext_list = sorted(
|
||||
six.iteritems(self._get_extensions(context)))
|
||||
|
@ -185,6 +187,7 @@ class ExtensionInfoController(wsgi.Controller):
|
|||
@extensions.expected_errors(404)
|
||||
def show(self, req, id):
|
||||
context = req.environ['nova.context']
|
||||
authorize(context)
|
||||
try:
|
||||
# NOTE(dprince): the extensions alias is used as the 'id' for show
|
||||
ext = self._get_extensions(context)[id]
|
||||
|
|
|
@ -184,3 +184,30 @@ class ExtensionInfoV21Test(test.NoDBTestCase):
|
|||
req = fakes.HTTPRequest.blank('/extensions/servers')
|
||||
self.assertRaises(webob.exc.HTTPNotFound, self.controller.show,
|
||||
req, 'servers')
|
||||
|
||||
|
||||
class ExtensionInfoPolicyEnforcementV21(test.NoDBTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(ExtensionInfoPolicyEnforcementV21, self).setUp()
|
||||
ext_info = plugins.LoadedExtensionInfo()
|
||||
ext_info.extensions = fake_extensions
|
||||
self.controller = extension_info.ExtensionInfoController(ext_info)
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def _test_extension_policy_failed(self, action, *args):
|
||||
rule_name = "os_compute_api:extensions"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
getattr(self.controller, action), self.req, *args)
|
||||
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_extension_index_policy_failed(self):
|
||||
self._test_extension_policy_failed('index')
|
||||
|
||||
def test_extension_show_policy_failed(self):
|
||||
self._test_extension_policy_failed('show', 1)
|
||||
|
|
|
@ -206,6 +206,7 @@ policy_data = """
|
|||
"os_compute_api:ips:index": "",
|
||||
"os_compute_api:ips:show": "",
|
||||
"os_compute_api:os-extended-volumes": "",
|
||||
"os_compute_api:extensions": "",
|
||||
"os_compute_api:extensions:discoverable": "",
|
||||
"compute_extension:fixed_ips": "",
|
||||
"os_compute_api:os-fixed-ips": "",
|
||||
|
|
Loading…
Reference in New Issue