Merge "Move policy enforcement into REST API layer for v2.1 lock server"

nova/api/openstack/compute/plugins/v3/lock_server.py

@@ -20,16 +20,13 @@ from nova import compute
 
 ALIAS = "os-lock-server"
 
-
+authorize = extensions.os_compute_authorizer(ALIAS)
-def authorize(context, action_name):
-    action = 'v3:%s:%s' % (ALIAS, action_name)
-    extensions.extension_authorizer('compute', action)(context)
 
 
 class LockServerController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
         super(LockServerController, self).__init__(*args, **kwargs)
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)
 
     @wsgi.response(202)
     @extensions.expected_errors(404)
@@ -37,7 +34,7 @@ class LockServerController(wsgi.Controller):
     def _lock(self, req, id, body):
         """Lock a server instance."""
         context = req.environ['nova.context']
-        authorize(context, 'lock')
+        authorize(context, action='lock')
         instance = common.get_instance(self.compute_api, context, id,
                                        want_objects=True)
         self.compute_api.lock(context, instance)
@@ -48,7 +45,7 @@ class LockServerController(wsgi.Controller):
     def _unlock(self, req, id, body):
         """Unlock a server instance."""
         context = req.environ['nova.context']
-        authorize(context, 'unlock')
+        authorize(context, action='unlock')
         instance = common.get_instance(self.compute_api, context, id,
                                        want_objects=True)
         self.compute_api.unlock(context, instance)

nova/tests/unit/api/openstack/compute/contrib/test_lock_server.py

@@ -13,11 +13,12 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from nova.api.openstack.compute.contrib import admin_actions as \
+from nova.api.openstack.compute.contrib import (admin_actions as
-    lock_server_v2
+                                                lock_server_v2)
-from nova.api.openstack.compute.plugins.v3 import lock_server as \
+from nova.api.openstack.compute.plugins.v3 import (lock_server as
-    lock_server_v21
+                                                   lock_server_v21)
 from nova import exception
+from nova import test
 from nova.tests.unit.api.openstack.compute import admin_only_action_common
 from nova.tests.unit.api.openstack import fakes
 
@@ -79,3 +80,35 @@ class LockServerTestsV2(LockServerTestsV21):
     def _get_app(self):
         return fakes.wsgi_app(init_only=('servers',),
                                  fake_auth_context=self.context)
+
+
+class LockServerPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(LockServerPolicyEnforcementV21, self).setUp()
+        self.controller = lock_server_v21.LockServerController()
+        self.req = fakes.HTTPRequest.blank('')
+
+    def test_lock_policy_failed(self):
+        rule_name = "compute_extension:v3:os-lock-server:lock"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+                                exception.PolicyNotAuthorized,
+                                self.controller._lock, self.req,
+                                fakes.FAKE_UUID,
+                                body={'lock': {}})
+        self.assertEqual(
+                      "Policy doesn't allow %s to be performed." % rule_name,
+                      exc.format_message())
+
+    def test_unlock_policy_failed(self):
+        rule_name = "compute_extension:v3:os-lock-server:unlock"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+                                exception.PolicyNotAuthorized,
+                                self.controller._unlock, self.req,
+                                fakes.FAKE_UUID,
+                                body={'unlock': {}})
+        self.assertEqual(
+                      "Policy doesn't allow %s to be performed." % rule_name,
+                      exc.format_message())