Merge "Move policy enforcement into REST API layer for v2.1 lock server"
commit
bcc900577f
@ -20,16 +20,13 @@ from nova import compute
|
||||
|
||||
ALIAS = "os-lock-server"
|
||||
|
||||
|
||||
def authorize(context, action_name):
|
||||
action = 'v3:%s:%s' % (ALIAS, action_name)
|
||||
extensions.extension_authorizer('compute', action)(context)
|
||||
authorize = extensions.os_compute_authorizer(ALIAS)
|
||||
|
||||
|
||||
class LockServerController(wsgi.Controller):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super(LockServerController, self).__init__(*args, **kwargs)
|
||||
self.compute_api = compute.API()
|
||||
self.compute_api = compute.API(skip_policy_check=True)
|
||||
|
||||
@wsgi.response(202)
|
||||
@extensions.expected_errors(404)
|
||||
@ -37,7 +34,7 @@ class LockServerController(wsgi.Controller):
|
||||
def _lock(self, req, id, body):
|
||||
"""Lock a server instance."""
|
||||
context = req.environ['nova.context']
|
||||
authorize(context, 'lock')
|
||||
authorize(context, action='lock')
|
||||
instance = common.get_instance(self.compute_api, context, id,
|
||||
want_objects=True)
|
||||
self.compute_api.lock(context, instance)
|
||||
@ -48,7 +45,7 @@ class LockServerController(wsgi.Controller):
|
||||
def _unlock(self, req, id, body):
|
||||
"""Unlock a server instance."""
|
||||
context = req.environ['nova.context']
|
||||
authorize(context, 'unlock')
|
||||
authorize(context, action='unlock')
|
||||
instance = common.get_instance(self.compute_api, context, id,
|
||||
want_objects=True)
|
||||
self.compute_api.unlock(context, instance)
|
||||
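Review bot: `authorize(context, action='lock')` in `_lock`, and the matching call in `_unlock`, runs before `common.get_instance` and is given no target, so the rule is presumably evaluated against the caller's own context rather than the instance being acted on. Because the controller now builds `compute.API(skip_policy_check=True)`, this call is the only policy gate on the path. If the skipped compute-layer check matched on the instance's project or user, owner-scoped rules would no longer see that data. If the authorizer accepts a target, consider passing the instance owner after the lookup, e.g. `authorize(context, target={'project_id': instance.project_id, 'user_id': instance.user_id}, action='lock')`, and add a comment next to the constructor such as `# Policy is enforced in this controller; every action must call authorize() before using self.compute_api.` The bodies of `_lock` and `_unlock` continue outside the hunks shown.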
|
@ -13,11 +13,12 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from nova.api.openstack.compute.contrib import admin_actions as \
|
||||
lock_server_v2
|
||||
from nova.api.openstack.compute.plugins.v3 import lock_server as \
|
||||
lock_server_v21
|
||||
from nova.api.openstack.compute.contrib import (admin_actions as
|
||||
lock_server_v2)
|
||||
from nova.api.openstack.compute.plugins.v3 import (lock_server as
|
||||
lock_server_v21)
|
||||
from nova import exception
|
||||
from nova import test
|
||||
from nova.tests.unit.api.openstack.compute import admin_only_action_common
|
||||
from nova.tests.unit.api.openstack import fakes
|
||||
|
||||
@ -79,3 +80,35 @@ class LockServerTestsV2(LockServerTestsV21):
|
||||
def _get_app(self):
|
||||
return fakes.wsgi_app(init_only=('servers',),
|
||||
fake_auth_context=self.context)
|
||||
|
||||
|
||||
class LockServerPolicyEnforcementV21(test.NoDBTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(LockServerPolicyEnforcementV21, self).setUp()
|
||||
self.controller = lock_server_v21.LockServerController()
|
||||
self.req = fakes.HTTPRequest.blank('')
|
||||
|
||||
def test_lock_policy_failed(self):
|
||||
rule_name = "compute_extension:v3:os-lock-server:lock"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller._lock, self.req,
|
||||
fakes.FAKE_UUID,
|
||||
body={'lock': {}})
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
|
||||
def test_unlock_policy_failed(self):
|
||||
rule_name = "compute_extension:v3:os-lock-server:unlock"
|
||||
self.policy.set_rules({rule_name: "project:non_fake"})
|
||||
exc = self.assertRaises(
|
||||
exception.PolicyNotAuthorized,
|
||||
self.controller._unlock, self.req,
|
||||
fakes.FAKE_UUID,
|
||||
body={'unlock': {}})
|
||||
self.assertEqual(
|
||||
"Policy doesn't allow %s to be performed." % rule_name,
|
||||
exc.format_message())
|
||||
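Review bot: `test_lock_policy_failed` and `test_unlock_policy_failed` cover only the deny path, so nothing in `LockServerPolicyEnforcementV21` pins that a permitted request still reaches `compute_api.lock` or `compute_api.unlock` once the compute layer's own check is skipped. An allow-path case with the compute call stubbed, asserting that it is invoked, would complete the coverage of the REST-layer gate. The two tests also differ only in the action name and could share a helper taking the rule suffix and the controller method. The class has no docstring; `"""Verify that lock/unlock policy is enforced by the v2.1 REST controller."""` would state its intent.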
|