Merge "Add policy check for extension_info"

etc/nova/policy.json

@@ -247,6 +247,7 @@
     "os_compute_api:os-extended-status:discoverable": "",
     "os_compute_api:os-extended-availability-zone": "",
     "os_compute_api:os-extended-availability-zone:discoverable": "",
+    "os_compute_api:extensions": "",
     "os_compute_api:extension_info:discoverable": "",
     "os_compute_api:os-extended-volumes": "",
     "os_compute_api:os-extended-volumes:discoverable": "",

nova/api/openstack/compute/plugins/v3/extension_info.py

@@ -23,6 +23,7 @@ from nova.api.openstack import wsgi
 
 ALIAS = 'extensions'
 LOG = logging.getLogger(__name__)
+authorize = extensions.os_compute_authorizer(ALIAS)
 
 # NOTE(cyeoh): The following mappings are currently incomplete
 # Having a v2.1 extension loaded can imply that several v2 extensions
@@ -172,6 +173,7 @@ class ExtensionInfoController(wsgi.Controller):
     @extensions.expected_errors(())
     def index(self, req):
         context = req.environ['nova.context']
+        authorize(context)
 
         sorted_ext_list = sorted(
             six.iteritems(self._get_extensions(context)))
@@ -185,6 +187,7 @@ class ExtensionInfoController(wsgi.Controller):
     @extensions.expected_errors(404)
     def show(self, req, id):
         context = req.environ['nova.context']
+        authorize(context)
         try:
             # NOTE(dprince): the extensions alias is used as the 'id' for show
             ext = self._get_extensions(context)[id]

nova/tests/unit/api/openstack/compute/contrib/test_extension_info.py

@@ -184,3 +184,30 @@ class ExtensionInfoV21Test(test.NoDBTestCase):
         req = fakes.HTTPRequest.blank('/extensions/servers')
         self.assertRaises(webob.exc.HTTPNotFound, self.controller.show,
                           req, 'servers')
+
+
+class ExtensionInfoPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(ExtensionInfoPolicyEnforcementV21, self).setUp()
+        ext_info = plugins.LoadedExtensionInfo()
+        ext_info.extensions = fake_extensions
+        self.controller = extension_info.ExtensionInfoController(ext_info)
+        self.req = fakes.HTTPRequest.blank('')
+
+    def _test_extension_policy_failed(self, action, *args):
+        rule_name = "os_compute_api:extensions"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            getattr(self.controller, action), self.req, *args)
+
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
+
+    def test_extension_index_policy_failed(self):
+        self._test_extension_policy_failed('index')
+
+    def test_extension_show_policy_failed(self):
+        self._test_extension_policy_failed('show', 1)

nova/tests/unit/fake_policy.py

@@ -206,6 +206,7 @@ policy_data = """
     "os_compute_api:ips:index": "",
     "os_compute_api:ips:show": "",
     "os_compute_api:os-extended-volumes": "",
+    "os_compute_api:extensions": "",
     "os_compute_api:extensions:discoverable": "",
     "compute_extension:fixed_ips": "",
     "os_compute_api:os-fixed-ips": "",