Rename NotAuthorized exception to Forbidden
The NotAuthorized NovaException has an internal code of 403 which is actually Forbidden, so rename it appropriately. This patch doesn't change the external behavior, the status code in responses will still be 403 but the exception is just named properly. This is also necessary to create an actual Unauthorized NovaException with code 401 for use in some Neutron API bug fixes for more granular error handling from python-neutronclient. Related-Bug: #1298075 Change-Id: I691fac2e2c797f47c04da7965d7b1c8685c74edb
This commit is contained in:
Matt Riedemann
parent
296f2fa183
commit
c75a15a489
@ -562,7 +562,7 @@ class Executor(wsgi.Application):
|
|||||||
exception.MissingParameter,
|
exception.MissingParameter,
|
||||||
exception.NoFloatingIpInterface,
|
exception.NoFloatingIpInterface,
|
||||||
exception.NoMoreFixedIps,
|
exception.NoMoreFixedIps,
|
||||||
exception.NotAuthorized,
|
exception.Forbidden,
|
||||||
exception.QuotaError,
|
exception.QuotaError,
|
||||||
exception.SecurityGroupExists,
|
exception.SecurityGroupExists,
|
||||||
exception.SecurityGroupLimitExceeded,
|
exception.SecurityGroupLimitExceeded,
|
||||||
|
|||||||
@ -1657,7 +1657,7 @@ class CloudController(object):
|
|||||||
return self.image_service.update(context, internal_id, image)
|
return self.image_service.update(context, internal_id, image)
|
||||||
except exception.ImageNotAuthorized:
|
except exception.ImageNotAuthorized:
|
||||||
msg = _('Not allowed to modify attributes for image %s') % image_id
|
msg = _('Not allowed to modify attributes for image %s') % image_id
|
||||||
raise exception.NotAuthorized(message=msg)
|
raise exception.Forbidden(message=msg)
|
||||||
|
|
||||||
def update_image(self, context, image_id, **kwargs):
|
def update_image(self, context, image_id, **kwargs):
|
||||||
internal_id = ec2utils.ec2_id_to_id(image_id)
|
internal_id = ec2utils.ec2_id_to_id(image_id)
|
||||||
|
|||||||
@ -91,7 +91,7 @@ def get_instance_by_floating_ip_addr(self, context, address):
|
|||||||
def disassociate_floating_ip(self, context, instance, address):
|
def disassociate_floating_ip(self, context, instance, address):
|
||||||
try:
|
try:
|
||||||
self.network_api.disassociate_floating_ip(context, instance, address)
|
self.network_api.disassociate_floating_ip(context, instance, address)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
except exception.CannotDisassociateAutoAssignedFloatingIP:
|
except exception.CannotDisassociateAutoAssignedFloatingIP:
|
||||||
msg = _('Cannot disassociate auto assigned floating ip')
|
msg = _('Cannot disassociate auto assigned floating ip')
|
||||||
@ -258,7 +258,7 @@ class FloatingIPActionController(wsgi.Controller):
|
|||||||
msg = _('l3driver call to add floating ip failed')
|
msg = _('l3driver call to add floating ip failed')
|
||||||
raise webob.exc.HTTPBadRequest(explanation=msg)
|
raise webob.exc.HTTPBadRequest(explanation=msg)
|
||||||
except (exception.FloatingIpNotFoundForAddress,
|
except (exception.FloatingIpNotFoundForAddress,
|
||||||
exception.NotAuthorized):
|
exception.Forbidden):
|
||||||
msg = _('floating ip not found')
|
msg = _('floating ip not found')
|
||||||
raise webob.exc.HTTPNotFound(explanation=msg)
|
raise webob.exc.HTTPNotFound(explanation=msg)
|
||||||
except Exception:
|
except Exception:
|
||||||
|
|||||||
@ -103,7 +103,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
nova.context.authorize_project_context(context, id)
|
nova.context.authorize_project_context(context, id)
|
||||||
return self._format_quota_set(id,
|
return self._format_quota_set(id,
|
||||||
self._get_quotas(context, id, user_id=user_id))
|
self._get_quotas(context, id, user_id=user_id))
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
@wsgi.serializers(xml=QuotaTemplate)
|
@wsgi.serializers(xml=QuotaTemplate)
|
||||||
@ -133,7 +133,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
try:
|
try:
|
||||||
settable_quotas = QUOTAS.get_settable_quotas(context, project_id,
|
settable_quotas = QUOTAS.get_settable_quotas(context, project_id,
|
||||||
user_id=user_id)
|
user_id=user_id)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
if not self.is_valid_body(body, 'quota_set'):
|
if not self.is_valid_body(body, 'quota_set'):
|
||||||
@ -165,7 +165,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
try:
|
try:
|
||||||
quotas = self._get_quotas(context, id, user_id=user_id,
|
quotas = self._get_quotas(context, id, user_id=user_id,
|
||||||
usages=True)
|
usages=True)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
for key, value in quota_set.items():
|
for key, value in quota_set.items():
|
||||||
@ -227,7 +227,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
else:
|
else:
|
||||||
QUOTAS.destroy_all_by_project(context, id)
|
QUOTAS.destroy_all_by_project(context, id)
|
||||||
return webob.Response(status_int=202)
|
return webob.Response(status_int=202)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
raise webob.exc.HTTPNotFound()
|
raise webob.exc.HTTPNotFound()
|
||||||
|
|
||||||
|
|||||||
@ -87,7 +87,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
nova.context.authorize_project_context(context, id)
|
nova.context.authorize_project_context(context, id)
|
||||||
return self._format_quota_set(id,
|
return self._format_quota_set(id,
|
||||||
self._get_quotas(context, id, user_id=user_id))
|
self._get_quotas(context, id, user_id=user_id))
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
@extensions.expected_errors(403)
|
@extensions.expected_errors(403)
|
||||||
@ -100,7 +100,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
return self._format_quota_set(id, self._get_quotas(context, id,
|
return self._format_quota_set(id, self._get_quotas(context, id,
|
||||||
user_id=user_id,
|
user_id=user_id,
|
||||||
usages=True))
|
usages=True))
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
@extensions.expected_errors((400, 403))
|
@extensions.expected_errors((400, 403))
|
||||||
@ -142,13 +142,13 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
try:
|
try:
|
||||||
settable_quotas = QUOTAS.get_settable_quotas(context, project_id,
|
settable_quotas = QUOTAS.get_settable_quotas(context, project_id,
|
||||||
user_id=user_id)
|
user_id=user_id)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
try:
|
try:
|
||||||
quotas = self._get_quotas(context, id, user_id=user_id,
|
quotas = self._get_quotas(context, id, user_id=user_id,
|
||||||
usages=True)
|
usages=True)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
LOG.debug(_("Force update quotas: %s"), force_update)
|
LOG.debug(_("Force update quotas: %s"), force_update)
|
||||||
@ -214,7 +214,7 @@ class QuotaSetsController(wsgi.Controller):
|
|||||||
id, user_id)
|
id, user_id)
|
||||||
else:
|
else:
|
||||||
QUOTAS.destroy_all_by_project(context, id)
|
QUOTAS.destroy_all_by_project(context, id)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
raise webob.exc.HTTPForbidden()
|
raise webob.exc.HTTPForbidden()
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -401,7 +401,7 @@ def soft_extension_authorizer(api_name, extension_name):
|
|||||||
try:
|
try:
|
||||||
hard_authorize(context, action=action)
|
hard_authorize(context, action=action)
|
||||||
return True
|
return True
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
return False
|
return False
|
||||||
return authorize
|
return authorize
|
||||||
|
|
||||||
|
|||||||
@ -677,7 +677,7 @@ class ResourceExceptionHandler(object):
|
|||||||
if not ex_value:
|
if not ex_value:
|
||||||
return True
|
return True
|
||||||
|
|
||||||
if isinstance(ex_value, exception.NotAuthorized):
|
if isinstance(ex_value, exception.Forbidden):
|
||||||
raise Fault(webob.exc.HTTPForbidden(
|
raise Fault(webob.exc.HTTPForbidden(
|
||||||
explanation=ex_value.format_message()))
|
explanation=ex_value.format_message()))
|
||||||
elif isinstance(ex_value, exception.Invalid):
|
elif isinstance(ex_value, exception.Invalid):
|
||||||
|
|||||||
@ -196,35 +196,35 @@ def require_admin_context(ctxt):
|
|||||||
|
|
||||||
|
|
||||||
def require_context(ctxt):
|
def require_context(ctxt):
|
||||||
"""Raise exception.NotAuthorized() if context is not a user or an
|
"""Raise exception.Forbidden() if context is not a user or an
|
||||||
admin context.
|
admin context.
|
||||||
"""
|
"""
|
||||||
if not ctxt.is_admin and not is_user_context(ctxt):
|
if not ctxt.is_admin and not is_user_context(ctxt):
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
|
|
||||||
def authorize_project_context(context, project_id):
|
def authorize_project_context(context, project_id):
|
||||||
"""Ensures a request has permission to access the given project."""
|
"""Ensures a request has permission to access the given project."""
|
||||||
if is_user_context(context):
|
if is_user_context(context):
|
||||||
if not context.project_id:
|
if not context.project_id:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
elif context.project_id != project_id:
|
elif context.project_id != project_id:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
|
|
||||||
def authorize_user_context(context, user_id):
|
def authorize_user_context(context, user_id):
|
||||||
"""Ensures a request has permission to access the given user."""
|
"""Ensures a request has permission to access the given user."""
|
||||||
if is_user_context(context):
|
if is_user_context(context):
|
||||||
if not context.user_id:
|
if not context.user_id:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
elif context.user_id != user_id:
|
elif context.user_id != user_id:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
|
|
||||||
def authorize_quota_class_context(context, class_name):
|
def authorize_quota_class_context(context, class_name):
|
||||||
"""Ensures a request has permission to access the given quota class."""
|
"""Ensures a request has permission to access the given quota class."""
|
||||||
if is_user_context(context):
|
if is_user_context(context):
|
||||||
if not context.quota_class:
|
if not context.quota_class:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
elif context.quota_class != class_name:
|
elif context.quota_class != class_name:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|||||||
@ -161,17 +161,17 @@ class GlanceConnectionFailed(NovaException):
|
|||||||
"%(reason)s")
|
"%(reason)s")
|
||||||
|
|
||||||
|
|
||||||
class NotAuthorized(NovaException):
|
class Forbidden(NovaException):
|
||||||
ec2_code = 'AuthFailure'
|
ec2_code = 'AuthFailure'
|
||||||
msg_fmt = _("Not authorized.")
|
msg_fmt = _("Not authorized.")
|
||||||
code = 403
|
code = 403
|
||||||
|
|
||||||
|
|
||||||
class AdminRequired(NotAuthorized):
|
class AdminRequired(Forbidden):
|
||||||
msg_fmt = _("User does not have admin privileges")
|
msg_fmt = _("User does not have admin privileges")
|
||||||
|
|
||||||
|
|
||||||
class PolicyNotAuthorized(NotAuthorized):
|
class PolicyNotAuthorized(Forbidden):
|
||||||
msg_fmt = _("Policy doesn't allow %(action)s to be performed.")
|
msg_fmt = _("Policy doesn't allow %(action)s to be performed.")
|
||||||
|
|
||||||
|
|
||||||
@ -625,7 +625,7 @@ class NetworkRequiresSubnet(Invalid):
|
|||||||
" instances on.")
|
" instances on.")
|
||||||
|
|
||||||
|
|
||||||
class ExternalNetworkAttachForbidden(NotAuthorized):
|
class ExternalNetworkAttachForbidden(Forbidden):
|
||||||
msg_fmt = _("It is not allowed to create an interface on "
|
msg_fmt = _("It is not allowed to create an interface on "
|
||||||
"external network %(network_uuid)s")
|
"external network %(network_uuid)s")
|
||||||
|
|
||||||
|
|||||||
@ -571,7 +571,7 @@ def _translate_image_exception(image_id, exc_value):
|
|||||||
def _translate_plain_exception(exc_value):
|
def _translate_plain_exception(exc_value):
|
||||||
if isinstance(exc_value, (glanceclient.exc.Forbidden,
|
if isinstance(exc_value, (glanceclient.exc.Forbidden,
|
||||||
glanceclient.exc.Unauthorized)):
|
glanceclient.exc.Unauthorized)):
|
||||||
return exception.NotAuthorized(unicode(exc_value))
|
return exception.Forbidden(unicode(exc_value))
|
||||||
if isinstance(exc_value, glanceclient.exc.NotFound):
|
if isinstance(exc_value, glanceclient.exc.NotFound):
|
||||||
return exception.NotFound(unicode(exc_value))
|
return exception.NotFound(unicode(exc_value))
|
||||||
if isinstance(exc_value, glanceclient.exc.BadRequest):
|
if isinstance(exc_value, glanceclient.exc.BadRequest):
|
||||||
|
|||||||
@ -72,10 +72,10 @@ class MockKeyManager(key_mgr.KeyManager):
|
|||||||
"""Creates a key.
|
"""Creates a key.
|
||||||
|
|
||||||
This implementation returns a UUID for the created key. A
|
This implementation returns a UUID for the created key. A
|
||||||
NotAuthorized exception is raised if the specified context is None.
|
Forbidden exception is raised if the specified context is None.
|
||||||
"""
|
"""
|
||||||
if ctxt is None:
|
if ctxt is None:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
key = self._generate_key(**kwargs)
|
key = self._generate_key(**kwargs)
|
||||||
return self.store_key(ctxt, key)
|
return self.store_key(ctxt, key)
|
||||||
@ -90,7 +90,7 @@ class MockKeyManager(key_mgr.KeyManager):
|
|||||||
def store_key(self, ctxt, key, **kwargs):
|
def store_key(self, ctxt, key, **kwargs):
|
||||||
"""Stores (i.e., registers) a key with the key manager."""
|
"""Stores (i.e., registers) a key with the key manager."""
|
||||||
if ctxt is None:
|
if ctxt is None:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
key_id = self._generate_key_id()
|
key_id = self._generate_key_id()
|
||||||
self.keys[key_id] = key
|
self.keys[key_id] = key
|
||||||
@ -99,7 +99,7 @@ class MockKeyManager(key_mgr.KeyManager):
|
|||||||
|
|
||||||
def copy_key(self, ctxt, key_id, **kwargs):
|
def copy_key(self, ctxt, key_id, **kwargs):
|
||||||
if ctxt is None:
|
if ctxt is None:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
copied_key_id = self._generate_key_id()
|
copied_key_id = self._generate_key_id()
|
||||||
self.keys[copied_key_id] = self.keys[key_id]
|
self.keys[copied_key_id] = self.keys[key_id]
|
||||||
@ -110,21 +110,21 @@ class MockKeyManager(key_mgr.KeyManager):
|
|||||||
"""Retrieves the key identified by the specified id.
|
"""Retrieves the key identified by the specified id.
|
||||||
|
|
||||||
This implementation returns the key that is associated with the
|
This implementation returns the key that is associated with the
|
||||||
specified UUID. A NotAuthorized exception is raised if the specified
|
specified UUID. A Forbidden exception is raised if the specified
|
||||||
context is None; a KeyError is raised if the UUID is invalid.
|
context is None; a KeyError is raised if the UUID is invalid.
|
||||||
"""
|
"""
|
||||||
if ctxt is None:
|
if ctxt is None:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
return self.keys[key_id]
|
return self.keys[key_id]
|
||||||
|
|
||||||
def delete_key(self, ctxt, key_id, **kwargs):
|
def delete_key(self, ctxt, key_id, **kwargs):
|
||||||
"""Deletes the key identified by the specified id.
|
"""Deletes the key identified by the specified id.
|
||||||
|
|
||||||
A NotAuthorized exception is raised if the context is None and a
|
A Forbidden exception is raised if the context is None and a
|
||||||
KeyError is raised if the UUID is invalid.
|
KeyError is raised if the UUID is invalid.
|
||||||
"""
|
"""
|
||||||
if ctxt is None:
|
if ctxt is None:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
del self.keys[key_id]
|
del self.keys[key_id]
|
||||||
|
|||||||
@ -63,7 +63,7 @@ class SingleKeyManager(mock_key_mgr.MockKeyManager):
|
|||||||
|
|
||||||
def delete_key(self, ctxt, key_id, **kwargs):
|
def delete_key(self, ctxt, key_id, **kwargs):
|
||||||
if ctxt is None:
|
if ctxt is None:
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
if key_id != self.key_id:
|
if key_id != self.key_id:
|
||||||
raise exception.KeyManagerError(
|
raise exception.KeyManagerError(
|
||||||
|
|||||||
@ -199,13 +199,13 @@ class FloatingIP(object):
|
|||||||
if floating_ip.project_id is None:
|
if floating_ip.project_id is None:
|
||||||
LOG.warn(_('Address |%(address)s| is not allocated'),
|
LOG.warn(_('Address |%(address)s| is not allocated'),
|
||||||
{'address': floating_ip.address})
|
{'address': floating_ip.address})
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
else:
|
else:
|
||||||
LOG.warn(_('Address |%(address)s| is not allocated to your '
|
LOG.warn(_('Address |%(address)s| is not allocated to your '
|
||||||
'project |%(project)s|'),
|
'project |%(project)s|'),
|
||||||
{'address': floating_ip.address,
|
{'address': floating_ip.address,
|
||||||
'project': context.project_id})
|
'project': context.project_id})
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
def allocate_floating_ip(self, context, project_id, auto_assigned=False,
|
def allocate_floating_ip(self, context, project_id, auto_assigned=False,
|
||||||
pool=None):
|
pool=None):
|
||||||
@ -532,7 +532,7 @@ class FloatingIP(object):
|
|||||||
def _is_stale_floating_ip_address(self, context, floating_ip):
|
def _is_stale_floating_ip_address(self, context, floating_ip):
|
||||||
try:
|
try:
|
||||||
self._floating_ip_owned_by_project(context, floating_ip)
|
self._floating_ip_owned_by_project(context, floating_ip)
|
||||||
except exception.NotAuthorized:
|
except exception.Forbidden:
|
||||||
return True
|
return True
|
||||||
return False if floating_ip.get('fixed_ip_id') else True
|
return False if floating_ip.get('fixed_ip_id') else True
|
||||||
|
|
||||||
|
|||||||
@ -111,7 +111,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
|||||||
|
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' +
|
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' +
|
||||||
'/key5')
|
'/key5')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.delete,
|
self.assertRaises(exception.Forbidden, self.controller.delete,
|
||||||
req, 1, 'key 5')
|
req, 1, 'key 5')
|
||||||
|
|
||||||
def test_delete_spec_not_found(self):
|
def test_delete_spec_not_found(self):
|
||||||
@ -139,7 +139,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
|||||||
body = {"extra_specs": {"key1": "value1"}}
|
body = {"extra_specs": {"key1": "value1"}}
|
||||||
|
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs')
|
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.create,
|
self.assertRaises(exception.Forbidden, self.controller.create,
|
||||||
req, 1, body)
|
req, 1, body)
|
||||||
|
|
||||||
def _test_create_bad_request(self, body):
|
def _test_create_bad_request(self, body):
|
||||||
@ -216,7 +216,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
|||||||
|
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' +
|
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' +
|
||||||
'/key1')
|
'/key1')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.update,
|
self.assertRaises(exception.Forbidden, self.controller.update,
|
||||||
req, 1, 'key1', body)
|
req, 1, 'key1', body)
|
||||||
|
|
||||||
def _test_update_item_bad_request(self, body):
|
def _test_update_item_bad_request(self, body):
|
||||||
|
|||||||
@ -406,7 +406,7 @@ class FloatingIpTest(test.TestCase):
|
|||||||
def fake_associate_floating_ip(self, context, instance,
|
def fake_associate_floating_ip(self, context, instance,
|
||||||
floating_address, fixed_address,
|
floating_address, fixed_address,
|
||||||
affect_auto_assigned=False):
|
affect_auto_assigned=False):
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
self.stubs.Set(network.api.API, "associate_floating_ip",
|
self.stubs.Set(network.api.API, "associate_floating_ip",
|
||||||
fake_associate_floating_ip)
|
fake_associate_floating_ip)
|
||||||
floating_ip = '10.10.10.11'
|
floating_ip = '10.10.10.11'
|
||||||
@ -544,7 +544,7 @@ class FloatingIpTest(test.TestCase):
|
|||||||
return 'test_inst'
|
return 'test_inst'
|
||||||
|
|
||||||
def network_api_disassociate(self, context, instance, address):
|
def network_api_disassociate(self, context, instance, address):
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
self.stubs.Set(network.api.API, "get_floating_ip_by_address",
|
self.stubs.Set(network.api.API, "get_floating_ip_by_address",
|
||||||
fake_get_floating_ip_addr_auto_assigned)
|
fake_get_floating_ip_addr_auto_assigned)
|
||||||
|
|||||||
@ -58,7 +58,7 @@ class FpingTest(test.TestCase):
|
|||||||
|
|
||||||
def test_fping_index_policy(self):
|
def test_fping_index_policy(self):
|
||||||
req = fakes.HTTPRequest.blank("/v2/1234/os-fping?all_tenants=1")
|
req = fakes.HTTPRequest.blank("/v2/1234/os-fping?all_tenants=1")
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.index, req)
|
self.assertRaises(exception.Forbidden, self.controller.index, req)
|
||||||
req = fakes.HTTPRequest.blank("/v2/1234/os-fping?all_tenants=1")
|
req = fakes.HTTPRequest.blank("/v2/1234/os-fping?all_tenants=1")
|
||||||
req.environ["nova.context"].is_admin = True
|
req.environ["nova.context"].is_admin = True
|
||||||
res_dict = self.controller.index(req)
|
res_dict = self.controller.index(req)
|
||||||
|
|||||||
@ -85,7 +85,7 @@ class InstanceActionsPolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-instance-actions')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-instance-actions')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
|
self.assertRaises(exception.Forbidden, self.controller.index, req,
|
||||||
str(uuid.uuid4()))
|
str(uuid.uuid4()))
|
||||||
|
|
||||||
def test_get_action_restricted_by_project(self):
|
def test_get_action_restricted_by_project(self):
|
||||||
@ -104,7 +104,7 @@ class InstanceActionsPolicyTest(test.NoDBTestCase):
|
|||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequest.blank(
|
req = fakes.HTTPRequest.blank(
|
||||||
'/v2/123/servers/12/os-instance-actions/1')
|
'/v2/123/servers/12/os-instance-actions/1')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.show, req,
|
self.assertRaises(exception.Forbidden, self.controller.show, req,
|
||||||
str(uuid.uuid4()), '1')
|
str(uuid.uuid4()), '1')
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -384,7 +384,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.parse_rule('role:admin')})
|
policy.parse_rule('role:admin')})
|
||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
|
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.index,
|
self.KeyPairController.index,
|
||||||
req)
|
req)
|
||||||
|
|
||||||
@ -401,7 +401,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.parse_rule('role:admin')})
|
policy.parse_rule('role:admin')})
|
||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
|
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.show,
|
self.KeyPairController.show,
|
||||||
req, 'FAKE')
|
req, 'FAKE')
|
||||||
|
|
||||||
@ -419,7 +419,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
|
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
|
||||||
req.method = 'POST'
|
req.method = 'POST'
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.create,
|
self.KeyPairController.create,
|
||||||
req, {})
|
req, {})
|
||||||
|
|
||||||
@ -439,7 +439,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
|
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
|
||||||
req.method = 'DELETE'
|
req.method = 'DELETE'
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.delete,
|
self.KeyPairController.delete,
|
||||||
req, 'FAKE')
|
req, 'FAKE')
|
||||||
|
|
||||||
|
|||||||
@ -46,7 +46,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
|
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_allowed(self):
|
def test_shelve_allowed(self):
|
||||||
@ -57,7 +57,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_locked_server(self):
|
def test_shelve_locked_server(self):
|
||||||
@ -75,7 +75,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
|
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_unshelve_allowed(self):
|
def test_unshelve_allowed(self):
|
||||||
@ -86,7 +86,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_unshelve_locked_server(self):
|
def test_unshelve_locked_server(self):
|
||||||
@ -104,7 +104,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
|
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_offload_allowed(self):
|
def test_shelve_offload_allowed(self):
|
||||||
@ -115,7 +115,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_offload_locked_server(self):
|
def test_shelve_offload_locked_server(self):
|
||||||
|
|||||||
@ -41,7 +41,7 @@ def fake_policy_enforce(context, action, target, do_raise=True):
|
|||||||
|
|
||||||
def fake_policy_enforce_selective(context, action, target, do_raise=True):
|
def fake_policy_enforce_selective(context, action, target, do_raise=True):
|
||||||
if action == 'compute_extension:v3:ext1-alias:discoverable':
|
if action == 'compute_extension:v3:ext1-alias:discoverable':
|
||||||
raise exception.NotAuthorized
|
raise exception.Forbidden
|
||||||
else:
|
else:
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|||||||
@ -109,7 +109,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
|||||||
delete_flavor_extra_specs)
|
delete_flavor_extra_specs)
|
||||||
|
|
||||||
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs/key5')
|
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs/key5')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.delete,
|
self.assertRaises(exception.Forbidden, self.controller.delete,
|
||||||
req, 1, 'key 5')
|
req, 1, 'key 5')
|
||||||
|
|
||||||
def test_delete_spec_not_found(self):
|
def test_delete_spec_not_found(self):
|
||||||
@ -138,7 +138,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
|||||||
body = {"extra_specs": {"key1": "value1"}}
|
body = {"extra_specs": {"key1": "value1"}}
|
||||||
|
|
||||||
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs')
|
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.create,
|
self.assertRaises(exception.Forbidden, self.controller.create,
|
||||||
req, 1, body)
|
req, 1, body)
|
||||||
|
|
||||||
def test_create_empty_body(self):
|
def test_create_empty_body(self):
|
||||||
@ -223,7 +223,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
|||||||
body = {"key1": "value1"}
|
body = {"key1": "value1"}
|
||||||
|
|
||||||
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs/key1')
|
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs/key1')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.update,
|
self.assertRaises(exception.Forbidden, self.controller.update,
|
||||||
req, 1, 'key1', body)
|
req, 1, 'key1', body)
|
||||||
|
|
||||||
def test_update_item_empty_body(self):
|
def test_update_item_empty_body(self):
|
||||||
|
|||||||
@ -89,7 +89,7 @@ class ServerActionsPolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-server-actions')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-server-actions')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
|
self.assertRaises(exception.Forbidden, self.controller.index, req,
|
||||||
str(uuid.uuid4()))
|
str(uuid.uuid4()))
|
||||||
|
|
||||||
def test_get_action_restricted_by_project(self):
|
def test_get_action_restricted_by_project(self):
|
||||||
@ -107,7 +107,7 @@ class ServerActionsPolicyTest(test.NoDBTestCase):
|
|||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequestV3.blank(
|
req = fakes.HTTPRequestV3.blank(
|
||||||
'/servers/12/os-server-actions/1')
|
'/servers/12/os-server-actions/1')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller.show, req,
|
self.assertRaises(exception.Forbidden, self.controller.show, req,
|
||||||
str(uuid.uuid4()), '1')
|
str(uuid.uuid4()), '1')
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -403,7 +403,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.parse_rule('role:admin')})
|
policy.parse_rule('role:admin')})
|
||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequestV3.blank('/keypairs')
|
req = fakes.HTTPRequestV3.blank('/keypairs')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.index,
|
self.KeyPairController.index,
|
||||||
req)
|
req)
|
||||||
|
|
||||||
@ -420,7 +420,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.parse_rule('role:admin')})
|
policy.parse_rule('role:admin')})
|
||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
|
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.show,
|
self.KeyPairController.show,
|
||||||
req, 'FAKE')
|
req, 'FAKE')
|
||||||
|
|
||||||
@ -438,7 +438,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequestV3.blank('/keypairs')
|
req = fakes.HTTPRequestV3.blank('/keypairs')
|
||||||
req.method = 'POST'
|
req.method = 'POST'
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.create,
|
self.KeyPairController.create,
|
||||||
req, body={'keypair': {'name': 'create_test'}})
|
req, body={'keypair': {'name': 'create_test'}})
|
||||||
|
|
||||||
@ -458,7 +458,7 @@ class KeypairPolicyTest(test.TestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
|
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
|
||||||
req.method = 'DELETE'
|
req.method = 'DELETE'
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.KeyPairController.delete,
|
self.KeyPairController.delete,
|
||||||
req, 'FAKE')
|
req, 'FAKE')
|
||||||
|
|
||||||
|
|||||||
@ -46,7 +46,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
|
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_allowed(self):
|
def test_shelve_allowed(self):
|
||||||
@ -57,7 +57,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_locked_server(self):
|
def test_shelve_locked_server(self):
|
||||||
@ -75,7 +75,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
|
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_unshelve_allowed(self):
|
def test_unshelve_allowed(self):
|
||||||
@ -86,7 +86,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||||
req, str(uuid.uuid4()), {})
|
req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_unshelve_locked_server(self):
|
def test_unshelve_locked_server(self):
|
||||||
@ -104,7 +104,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
policy.set_rules(rules)
|
policy.set_rules(rules)
|
||||||
|
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_offload_allowed(self):
|
def test_shelve_offload_allowed(self):
|
||||||
@ -115,7 +115,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
|||||||
|
|
||||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||||
|
|
||||||
def test_shelve_offload_locked_server(self):
|
def test_shelve_offload_locked_server(self):
|
||||||
|
|||||||
@ -441,7 +441,7 @@ class ResourceTest(test.NoDBTestCase):
|
|||||||
def test_resource_not_authorized(self):
|
def test_resource_not_authorized(self):
|
||||||
class Controller(object):
|
class Controller(object):
|
||||||
def index(self, req):
|
def index(self, req):
|
||||||
raise exception.NotAuthorized()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
req = webob.Request.blank('/tests')
|
req = webob.Request.blank('/tests')
|
||||||
app = fakes.TestRouter(Controller())
|
app = fakes.TestRouter(Controller())
|
||||||
|
|||||||
@ -2702,7 +2702,7 @@ class ComputeTestCase(BaseTestCase):
|
|||||||
"""Ensure expected exception is raised if set_admin_password not
|
"""Ensure expected exception is raised if set_admin_password not
|
||||||
authorized.
|
authorized.
|
||||||
"""
|
"""
|
||||||
exc = exception.NotAuthorized(_('Internal error'))
|
exc = exception.Forbidden(_('Internal error'))
|
||||||
expected_exception = exception.InstancePasswordSetFailed
|
expected_exception = exception.InstancePasswordSetFailed
|
||||||
self._do_test_set_admin_password_driver_error(exc,
|
self._do_test_set_admin_password_driver_error(exc,
|
||||||
vm_states.ERROR,
|
vm_states.ERROR,
|
||||||
|
|||||||
@ -3545,7 +3545,7 @@ class FixedIPTestCase(BaseInstanceTypeTestCase):
|
|||||||
fixed_ip_id = db.fixed_ip_create(self.ctxt, param)
|
fixed_ip_id = db.fixed_ip_create(self.ctxt, param)
|
||||||
|
|
||||||
self.ctxt.is_admin = False
|
self.ctxt.is_admin = False
|
||||||
self.assertRaises(exception.NotAuthorized, db.fixed_ip_get,
|
self.assertRaises(exception.Forbidden, db.fixed_ip_get,
|
||||||
self.ctxt, fixed_ip_id)
|
self.ctxt, fixed_ip_id)
|
||||||
|
|
||||||
def test_fixed_ip_get_success(self):
|
def test_fixed_ip_get_success(self):
|
||||||
@ -3765,7 +3765,7 @@ class FloatingIpTestCase(test.TestCase, ModelsObjectComparatorMixin):
|
|||||||
def test_floating_ip_allocate_not_authorized(self):
|
def test_floating_ip_allocate_not_authorized(self):
|
||||||
ctxt = context.RequestContext(user_id='a', project_id='abc',
|
ctxt = context.RequestContext(user_id='a', project_id='abc',
|
||||||
is_admin=False)
|
is_admin=False)
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
db.floating_ip_allocate_address,
|
db.floating_ip_allocate_address,
|
||||||
ctxt, 'other_project_id', 'any_pool')
|
ctxt, 'other_project_id', 'any_pool')
|
||||||
|
|
||||||
@ -4011,7 +4011,7 @@ class FloatingIpTestCase(test.TestCase, ModelsObjectComparatorMixin):
|
|||||||
def test_floating_ip_get_all_by_project_not_authorized(self):
|
def test_floating_ip_get_all_by_project_not_authorized(self):
|
||||||
ctxt = context.RequestContext(user_id='a', project_id='abc',
|
ctxt = context.RequestContext(user_id='a', project_id='abc',
|
||||||
is_admin=False)
|
is_admin=False)
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
db.floating_ip_get_all_by_project,
|
db.floating_ip_get_all_by_project,
|
||||||
ctxt, 'other_project')
|
ctxt, 'other_project')
|
||||||
|
|
||||||
|
|||||||
@ -777,14 +777,14 @@ class TestDetail(test.NoDBTestCase):
|
|||||||
ext_query_mock, reraise_mock):
|
ext_query_mock, reraise_mock):
|
||||||
params = {}
|
params = {}
|
||||||
ext_query_mock.return_value = params
|
ext_query_mock.return_value = params
|
||||||
raised = exception.NotAuthorized()
|
raised = exception.Forbidden()
|
||||||
client = mock.MagicMock()
|
client = mock.MagicMock()
|
||||||
client.call.side_effect = glanceclient.exc.Forbidden
|
client.call.side_effect = glanceclient.exc.Forbidden
|
||||||
ctx = mock.sentinel.ctx
|
ctx = mock.sentinel.ctx
|
||||||
reraise_mock.side_effect = raised
|
reraise_mock.side_effect = raised
|
||||||
service = glance.GlanceImageService(client)
|
service = glance.GlanceImageService(client)
|
||||||
|
|
||||||
with testtools.ExpectedException(exception.NotAuthorized):
|
with testtools.ExpectedException(exception.Forbidden):
|
||||||
service.detail(ctx, **params)
|
service.detail(ctx, **params)
|
||||||
|
|
||||||
client.call.assert_called_once_with(ctx, 1, 'list')
|
client.call.assert_called_once_with(ctx, 1, 'list')
|
||||||
|
|||||||
@ -49,7 +49,7 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
|||||||
self.assertEqual(length / 8, len(key.get_encoded()))
|
self.assertEqual(length / 8, len(key.get_encoded()))
|
||||||
|
|
||||||
def test_create_null_context(self):
|
def test_create_null_context(self):
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.key_mgr.create_key, None)
|
self.key_mgr.create_key, None)
|
||||||
|
|
||||||
def test_store_key(self):
|
def test_store_key(self):
|
||||||
@ -61,7 +61,7 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
|||||||
self.assertEqual(_key, actual_key)
|
self.assertEqual(_key, actual_key)
|
||||||
|
|
||||||
def test_store_null_context(self):
|
def test_store_null_context(self):
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.key_mgr.store_key, None, None)
|
self.key_mgr.store_key, None, None)
|
||||||
|
|
||||||
def test_copy_key(self):
|
def test_copy_key(self):
|
||||||
@ -75,14 +75,14 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
|||||||
self.assertEqual(key, copied_key)
|
self.assertEqual(key, copied_key)
|
||||||
|
|
||||||
def test_copy_null_context(self):
|
def test_copy_null_context(self):
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.key_mgr.copy_key, None, None)
|
self.key_mgr.copy_key, None, None)
|
||||||
|
|
||||||
def test_get_key(self):
|
def test_get_key(self):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
def test_get_null_context(self):
|
def test_get_null_context(self):
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.key_mgr.get_key, None, None)
|
self.key_mgr.get_key, None, None)
|
||||||
|
|
||||||
def test_get_unknown_key(self):
|
def test_get_unknown_key(self):
|
||||||
@ -95,7 +95,7 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
|||||||
self.assertRaises(KeyError, self.key_mgr.get_key, self.ctxt, key_id)
|
self.assertRaises(KeyError, self.key_mgr.get_key, self.ctxt, key_id)
|
||||||
|
|
||||||
def test_delete_null_context(self):
|
def test_delete_null_context(self):
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.key_mgr.delete_key, None, None)
|
self.key_mgr.delete_key, None, None)
|
||||||
|
|
||||||
def test_delete_unknown_key(self):
|
def test_delete_unknown_key(self):
|
||||||
|
|||||||
@ -51,7 +51,7 @@ class SingleKeyManagerTestCase(test_mock_key_mgr.MockKeyManagerTestCase):
|
|||||||
pass
|
pass
|
||||||
|
|
||||||
def test_store_null_context(self):
|
def test_store_null_context(self):
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.key_mgr.store_key, None, self.key)
|
self.key_mgr.store_key, None, self.key)
|
||||||
|
|
||||||
def test_copy_key(self):
|
def test_copy_key(self):
|
||||||
|
|||||||
@ -909,7 +909,7 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
# raises because floating_ip project_id is None
|
# raises because floating_ip project_id is None
|
||||||
floating_ip = floating_ip_obj.FloatingIP(address='10.0.0.1',
|
floating_ip = floating_ip_obj.FloatingIP(address='10.0.0.1',
|
||||||
project_id=None)
|
project_id=None)
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.network._floating_ip_owned_by_project,
|
self.network._floating_ip_owned_by_project,
|
||||||
ctxt,
|
ctxt,
|
||||||
floating_ip)
|
floating_ip)
|
||||||
@ -917,7 +917,7 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
# raises because floating_ip project_id is not equal to ctxt project_id
|
# raises because floating_ip project_id is not equal to ctxt project_id
|
||||||
floating_ip = floating_ip_obj.FloatingIP(
|
floating_ip = floating_ip_obj.FloatingIP(
|
||||||
address='10.0.0.1', project_id=ctxt.project_id + '1')
|
address='10.0.0.1', project_id=ctxt.project_id + '1')
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.network._floating_ip_owned_by_project,
|
self.network._floating_ip_owned_by_project,
|
||||||
ctxt,
|
ctxt,
|
||||||
floating_ip)
|
floating_ip)
|
||||||
@ -1360,14 +1360,14 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
**networks[1]))
|
**networks[1]))
|
||||||
|
|
||||||
# Associate the IP with non-admin user context
|
# Associate the IP with non-admin user context
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.network.associate_floating_ip,
|
self.network.associate_floating_ip,
|
||||||
context2,
|
context2,
|
||||||
float_addr,
|
float_addr,
|
||||||
fix_addr)
|
fix_addr)
|
||||||
|
|
||||||
# Deallocate address from other project
|
# Deallocate address from other project
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.network.deallocate_floating_ip,
|
self.network.deallocate_floating_ip,
|
||||||
context2,
|
context2,
|
||||||
float_addr)
|
float_addr)
|
||||||
@ -1376,7 +1376,7 @@ class VlanNetworkTestCase(test.TestCase):
|
|||||||
self.network.associate_floating_ip(context1, float_addr, fix_addr)
|
self.network.associate_floating_ip(context1, float_addr, fix_addr)
|
||||||
|
|
||||||
# Now try dis-associating from other project
|
# Now try dis-associating from other project
|
||||||
self.assertRaises(exception.NotAuthorized,
|
self.assertRaises(exception.Forbidden,
|
||||||
self.network.disassociate_floating_ip,
|
self.network.disassociate_floating_ip,
|
||||||
context2,
|
context2,
|
||||||
float_addr)
|
float_addr)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user