Rename NotAuthorized exception to Forbidden
The NotAuthorized NovaException has an internal code of 403 which is actually Forbidden, so rename it appropriately. This patch doesn't change the external behavior, the status code in responses will still be 403 but the exception is just named properly. This is also necessary to create an actual Unauthorized NovaException with code 401 for use in some Neutron API bug fixes for more granular error handling from python-neutronclient. Related-Bug: #1298075 Change-Id: I691fac2e2c797f47c04da7965d7b1c8685c74edb
This commit is contained in:
parent
296f2fa183
commit
c75a15a489
@ -562,7 +562,7 @@ class Executor(wsgi.Application):
|
||||
exception.MissingParameter,
|
||||
exception.NoFloatingIpInterface,
|
||||
exception.NoMoreFixedIps,
|
||||
exception.NotAuthorized,
|
||||
exception.Forbidden,
|
||||
exception.QuotaError,
|
||||
exception.SecurityGroupExists,
|
||||
exception.SecurityGroupLimitExceeded,
|
||||
|
@ -1657,7 +1657,7 @@ class CloudController(object):
|
||||
return self.image_service.update(context, internal_id, image)
|
||||
except exception.ImageNotAuthorized:
|
||||
msg = _('Not allowed to modify attributes for image %s') % image_id
|
||||
raise exception.NotAuthorized(message=msg)
|
||||
raise exception.Forbidden(message=msg)
|
||||
|
||||
def update_image(self, context, image_id, **kwargs):
|
||||
internal_id = ec2utils.ec2_id_to_id(image_id)
|
||||
|
@ -91,7 +91,7 @@ def get_instance_by_floating_ip_addr(self, context, address):
|
||||
def disassociate_floating_ip(self, context, instance, address):
|
||||
try:
|
||||
self.network_api.disassociate_floating_ip(context, instance, address)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
except exception.CannotDisassociateAutoAssignedFloatingIP:
|
||||
msg = _('Cannot disassociate auto assigned floating ip')
|
||||
@ -258,7 +258,7 @@ class FloatingIPActionController(wsgi.Controller):
|
||||
msg = _('l3driver call to add floating ip failed')
|
||||
raise webob.exc.HTTPBadRequest(explanation=msg)
|
||||
except (exception.FloatingIpNotFoundForAddress,
|
||||
exception.NotAuthorized):
|
||||
exception.Forbidden):
|
||||
msg = _('floating ip not found')
|
||||
raise webob.exc.HTTPNotFound(explanation=msg)
|
||||
except Exception:
|
||||
|
@ -103,7 +103,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
nova.context.authorize_project_context(context, id)
|
||||
return self._format_quota_set(id,
|
||||
self._get_quotas(context, id, user_id=user_id))
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
@wsgi.serializers(xml=QuotaTemplate)
|
||||
@ -133,7 +133,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
try:
|
||||
settable_quotas = QUOTAS.get_settable_quotas(context, project_id,
|
||||
user_id=user_id)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
if not self.is_valid_body(body, 'quota_set'):
|
||||
@ -165,7 +165,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
try:
|
||||
quotas = self._get_quotas(context, id, user_id=user_id,
|
||||
usages=True)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
for key, value in quota_set.items():
|
||||
@ -227,7 +227,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
else:
|
||||
QUOTAS.destroy_all_by_project(context, id)
|
||||
return webob.Response(status_int=202)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
raise webob.exc.HTTPNotFound()
|
||||
|
||||
|
@ -87,7 +87,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
nova.context.authorize_project_context(context, id)
|
||||
return self._format_quota_set(id,
|
||||
self._get_quotas(context, id, user_id=user_id))
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
@extensions.expected_errors(403)
|
||||
@ -100,7 +100,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
return self._format_quota_set(id, self._get_quotas(context, id,
|
||||
user_id=user_id,
|
||||
usages=True))
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
@extensions.expected_errors((400, 403))
|
||||
@ -142,13 +142,13 @@ class QuotaSetsController(wsgi.Controller):
|
||||
try:
|
||||
settable_quotas = QUOTAS.get_settable_quotas(context, project_id,
|
||||
user_id=user_id)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
try:
|
||||
quotas = self._get_quotas(context, id, user_id=user_id,
|
||||
usages=True)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
LOG.debug(_("Force update quotas: %s"), force_update)
|
||||
@ -214,7 +214,7 @@ class QuotaSetsController(wsgi.Controller):
|
||||
id, user_id)
|
||||
else:
|
||||
QUOTAS.destroy_all_by_project(context, id)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
raise webob.exc.HTTPForbidden()
|
||||
|
||||
|
||||
|
@ -401,7 +401,7 @@ def soft_extension_authorizer(api_name, extension_name):
|
||||
try:
|
||||
hard_authorize(context, action=action)
|
||||
return True
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
return False
|
||||
return authorize
|
||||
|
||||
|
@ -677,7 +677,7 @@ class ResourceExceptionHandler(object):
|
||||
if not ex_value:
|
||||
return True
|
||||
|
||||
if isinstance(ex_value, exception.NotAuthorized):
|
||||
if isinstance(ex_value, exception.Forbidden):
|
||||
raise Fault(webob.exc.HTTPForbidden(
|
||||
explanation=ex_value.format_message()))
|
||||
elif isinstance(ex_value, exception.Invalid):
|
||||
|
@ -196,35 +196,35 @@ def require_admin_context(ctxt):
|
||||
|
||||
|
||||
def require_context(ctxt):
|
||||
"""Raise exception.NotAuthorized() if context is not a user or an
|
||||
"""Raise exception.Forbidden() if context is not a user or an
|
||||
admin context.
|
||||
"""
|
||||
if not ctxt.is_admin and not is_user_context(ctxt):
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
|
||||
def authorize_project_context(context, project_id):
|
||||
"""Ensures a request has permission to access the given project."""
|
||||
if is_user_context(context):
|
||||
if not context.project_id:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
elif context.project_id != project_id:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
|
||||
def authorize_user_context(context, user_id):
|
||||
"""Ensures a request has permission to access the given user."""
|
||||
if is_user_context(context):
|
||||
if not context.user_id:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
elif context.user_id != user_id:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
|
||||
def authorize_quota_class_context(context, class_name):
|
||||
"""Ensures a request has permission to access the given quota class."""
|
||||
if is_user_context(context):
|
||||
if not context.quota_class:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
elif context.quota_class != class_name:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
@ -161,17 +161,17 @@ class GlanceConnectionFailed(NovaException):
|
||||
"%(reason)s")
|
||||
|
||||
|
||||
class NotAuthorized(NovaException):
|
||||
class Forbidden(NovaException):
|
||||
ec2_code = 'AuthFailure'
|
||||
msg_fmt = _("Not authorized.")
|
||||
code = 403
|
||||
|
||||
|
||||
class AdminRequired(NotAuthorized):
|
||||
class AdminRequired(Forbidden):
|
||||
msg_fmt = _("User does not have admin privileges")
|
||||
|
||||
|
||||
class PolicyNotAuthorized(NotAuthorized):
|
||||
class PolicyNotAuthorized(Forbidden):
|
||||
msg_fmt = _("Policy doesn't allow %(action)s to be performed.")
|
||||
|
||||
|
||||
@ -625,7 +625,7 @@ class NetworkRequiresSubnet(Invalid):
|
||||
" instances on.")
|
||||
|
||||
|
||||
class ExternalNetworkAttachForbidden(NotAuthorized):
|
||||
class ExternalNetworkAttachForbidden(Forbidden):
|
||||
msg_fmt = _("It is not allowed to create an interface on "
|
||||
"external network %(network_uuid)s")
|
||||
|
||||
|
@ -571,7 +571,7 @@ def _translate_image_exception(image_id, exc_value):
|
||||
def _translate_plain_exception(exc_value):
|
||||
if isinstance(exc_value, (glanceclient.exc.Forbidden,
|
||||
glanceclient.exc.Unauthorized)):
|
||||
return exception.NotAuthorized(unicode(exc_value))
|
||||
return exception.Forbidden(unicode(exc_value))
|
||||
if isinstance(exc_value, glanceclient.exc.NotFound):
|
||||
return exception.NotFound(unicode(exc_value))
|
||||
if isinstance(exc_value, glanceclient.exc.BadRequest):
|
||||
|
@ -72,10 +72,10 @@ class MockKeyManager(key_mgr.KeyManager):
|
||||
"""Creates a key.
|
||||
|
||||
This implementation returns a UUID for the created key. A
|
||||
NotAuthorized exception is raised if the specified context is None.
|
||||
Forbidden exception is raised if the specified context is None.
|
||||
"""
|
||||
if ctxt is None:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
key = self._generate_key(**kwargs)
|
||||
return self.store_key(ctxt, key)
|
||||
@ -90,7 +90,7 @@ class MockKeyManager(key_mgr.KeyManager):
|
||||
def store_key(self, ctxt, key, **kwargs):
|
||||
"""Stores (i.e., registers) a key with the key manager."""
|
||||
if ctxt is None:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
key_id = self._generate_key_id()
|
||||
self.keys[key_id] = key
|
||||
@ -99,7 +99,7 @@ class MockKeyManager(key_mgr.KeyManager):
|
||||
|
||||
def copy_key(self, ctxt, key_id, **kwargs):
|
||||
if ctxt is None:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
copied_key_id = self._generate_key_id()
|
||||
self.keys[copied_key_id] = self.keys[key_id]
|
||||
@ -110,21 +110,21 @@ class MockKeyManager(key_mgr.KeyManager):
|
||||
"""Retrieves the key identified by the specified id.
|
||||
|
||||
This implementation returns the key that is associated with the
|
||||
specified UUID. A NotAuthorized exception is raised if the specified
|
||||
specified UUID. A Forbidden exception is raised if the specified
|
||||
context is None; a KeyError is raised if the UUID is invalid.
|
||||
"""
|
||||
if ctxt is None:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
return self.keys[key_id]
|
||||
|
||||
def delete_key(self, ctxt, key_id, **kwargs):
|
||||
"""Deletes the key identified by the specified id.
|
||||
|
||||
A NotAuthorized exception is raised if the context is None and a
|
||||
A Forbidden exception is raised if the context is None and a
|
||||
KeyError is raised if the UUID is invalid.
|
||||
"""
|
||||
if ctxt is None:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
del self.keys[key_id]
|
||||
|
@ -63,7 +63,7 @@ class SingleKeyManager(mock_key_mgr.MockKeyManager):
|
||||
|
||||
def delete_key(self, ctxt, key_id, **kwargs):
|
||||
if ctxt is None:
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
if key_id != self.key_id:
|
||||
raise exception.KeyManagerError(
|
||||
|
@ -199,13 +199,13 @@ class FloatingIP(object):
|
||||
if floating_ip.project_id is None:
|
||||
LOG.warn(_('Address |%(address)s| is not allocated'),
|
||||
{'address': floating_ip.address})
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
else:
|
||||
LOG.warn(_('Address |%(address)s| is not allocated to your '
|
||||
'project |%(project)s|'),
|
||||
{'address': floating_ip.address,
|
||||
'project': context.project_id})
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
def allocate_floating_ip(self, context, project_id, auto_assigned=False,
|
||||
pool=None):
|
||||
@ -532,7 +532,7 @@ class FloatingIP(object):
|
||||
def _is_stale_floating_ip_address(self, context, floating_ip):
|
||||
try:
|
||||
self._floating_ip_owned_by_project(context, floating_ip)
|
||||
except exception.NotAuthorized:
|
||||
except exception.Forbidden:
|
||||
return True
|
||||
return False if floating_ip.get('fixed_ip_id') else True
|
||||
|
||||
|
@ -111,7 +111,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' +
|
||||
'/key5')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.delete,
|
||||
self.assertRaises(exception.Forbidden, self.controller.delete,
|
||||
req, 1, 'key 5')
|
||||
|
||||
def test_delete_spec_not_found(self):
|
||||
@ -139,7 +139,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
||||
body = {"extra_specs": {"key1": "value1"}}
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.create,
|
||||
self.assertRaises(exception.Forbidden, self.controller.create,
|
||||
req, 1, body)
|
||||
|
||||
def _test_create_bad_request(self, body):
|
||||
@ -216,7 +216,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' +
|
||||
'/key1')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.update,
|
||||
self.assertRaises(exception.Forbidden, self.controller.update,
|
||||
req, 1, 'key1', body)
|
||||
|
||||
def _test_update_item_bad_request(self, body):
|
||||
|
@ -406,7 +406,7 @@ class FloatingIpTest(test.TestCase):
|
||||
def fake_associate_floating_ip(self, context, instance,
|
||||
floating_address, fixed_address,
|
||||
affect_auto_assigned=False):
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
self.stubs.Set(network.api.API, "associate_floating_ip",
|
||||
fake_associate_floating_ip)
|
||||
floating_ip = '10.10.10.11'
|
||||
@ -544,7 +544,7 @@ class FloatingIpTest(test.TestCase):
|
||||
return 'test_inst'
|
||||
|
||||
def network_api_disassociate(self, context, instance, address):
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
self.stubs.Set(network.api.API, "get_floating_ip_by_address",
|
||||
fake_get_floating_ip_addr_auto_assigned)
|
||||
|
@ -58,7 +58,7 @@ class FpingTest(test.TestCase):
|
||||
|
||||
def test_fping_index_policy(self):
|
||||
req = fakes.HTTPRequest.blank("/v2/1234/os-fping?all_tenants=1")
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.index, req)
|
||||
self.assertRaises(exception.Forbidden, self.controller.index, req)
|
||||
req = fakes.HTTPRequest.blank("/v2/1234/os-fping?all_tenants=1")
|
||||
req.environ["nova.context"].is_admin = True
|
||||
res_dict = self.controller.index(req)
|
||||
|
@ -85,7 +85,7 @@ class InstanceActionsPolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-instance-actions')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
|
||||
self.assertRaises(exception.Forbidden, self.controller.index, req,
|
||||
str(uuid.uuid4()))
|
||||
|
||||
def test_get_action_restricted_by_project(self):
|
||||
@ -104,7 +104,7 @@ class InstanceActionsPolicyTest(test.NoDBTestCase):
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequest.blank(
|
||||
'/v2/123/servers/12/os-instance-actions/1')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.show, req,
|
||||
self.assertRaises(exception.Forbidden, self.controller.show, req,
|
||||
str(uuid.uuid4()), '1')
|
||||
|
||||
|
||||
|
@ -384,7 +384,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.parse_rule('role:admin')})
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.index,
|
||||
req)
|
||||
|
||||
@ -401,7 +401,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.parse_rule('role:admin')})
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.show,
|
||||
req, 'FAKE')
|
||||
|
||||
@ -419,7 +419,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs')
|
||||
req.method = 'POST'
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.create,
|
||||
req, {})
|
||||
|
||||
@ -439,7 +439,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequest.blank('/v2/fake/os-keypairs/FAKE')
|
||||
req.method = 'DELETE'
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.delete,
|
||||
req, 'FAKE')
|
||||
|
||||
|
@ -46,7 +46,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
policy.set_rules(rules)
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_allowed(self):
|
||||
@ -57,7 +57,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_locked_server(self):
|
||||
@ -75,7 +75,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
policy.set_rules(rules)
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_unshelve_allowed(self):
|
||||
@ -86,7 +86,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_unshelve_locked_server(self):
|
||||
@ -104,7 +104,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
policy.set_rules(rules)
|
||||
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_offload_allowed(self):
|
||||
@ -115,7 +115,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequest.blank('/v2/123/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_offload_locked_server(self):
|
||||
|
@ -41,7 +41,7 @@ def fake_policy_enforce(context, action, target, do_raise=True):
|
||||
|
||||
def fake_policy_enforce_selective(context, action, target, do_raise=True):
|
||||
if action == 'compute_extension:v3:ext1-alias:discoverable':
|
||||
raise exception.NotAuthorized
|
||||
raise exception.Forbidden
|
||||
else:
|
||||
return True
|
||||
|
||||
|
@ -109,7 +109,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
||||
delete_flavor_extra_specs)
|
||||
|
||||
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs/key5')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.delete,
|
||||
self.assertRaises(exception.Forbidden, self.controller.delete,
|
||||
req, 1, 'key 5')
|
||||
|
||||
def test_delete_spec_not_found(self):
|
||||
@ -138,7 +138,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
||||
body = {"extra_specs": {"key1": "value1"}}
|
||||
|
||||
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.create,
|
||||
self.assertRaises(exception.Forbidden, self.controller.create,
|
||||
req, 1, body)
|
||||
|
||||
def test_create_empty_body(self):
|
||||
@ -223,7 +223,7 @@ class FlavorsExtraSpecsTest(test.TestCase):
|
||||
body = {"key1": "value1"}
|
||||
|
||||
req = fakes.HTTPRequestV3.blank('/flavors/1/extra-specs/key1')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.update,
|
||||
self.assertRaises(exception.Forbidden, self.controller.update,
|
||||
req, 1, 'key1', body)
|
||||
|
||||
def test_update_item_empty_body(self):
|
||||
|
@ -89,7 +89,7 @@ class ServerActionsPolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-server-actions')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.index, req,
|
||||
self.assertRaises(exception.Forbidden, self.controller.index, req,
|
||||
str(uuid.uuid4()))
|
||||
|
||||
def test_get_action_restricted_by_project(self):
|
||||
@ -107,7 +107,7 @@ class ServerActionsPolicyTest(test.NoDBTestCase):
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequestV3.blank(
|
||||
'/servers/12/os-server-actions/1')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller.show, req,
|
||||
self.assertRaises(exception.Forbidden, self.controller.show, req,
|
||||
str(uuid.uuid4()), '1')
|
||||
|
||||
|
||||
|
@ -403,7 +403,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.parse_rule('role:admin')})
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequestV3.blank('/keypairs')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.index,
|
||||
req)
|
||||
|
||||
@ -420,7 +420,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.parse_rule('role:admin')})
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.show,
|
||||
req, 'FAKE')
|
||||
|
||||
@ -438,7 +438,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequestV3.blank('/keypairs')
|
||||
req.method = 'POST'
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.create,
|
||||
req, body={'keypair': {'name': 'create_test'}})
|
||||
|
||||
@ -458,7 +458,7 @@ class KeypairPolicyTest(test.TestCase):
|
||||
policy.set_rules(rules)
|
||||
req = fakes.HTTPRequestV3.blank('/keypairs/FAKE')
|
||||
req.method = 'DELETE'
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.KeyPairController.delete,
|
||||
req, 'FAKE')
|
||||
|
||||
|
@ -46,7 +46,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
policy.set_rules(rules)
|
||||
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_allowed(self):
|
||||
@ -57,7 +57,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._shelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._shelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_locked_server(self):
|
||||
@ -75,7 +75,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
policy.set_rules(rules)
|
||||
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_unshelve_allowed(self):
|
||||
@ -86,7 +86,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized, self.controller._unshelve,
|
||||
self.assertRaises(exception.Forbidden, self.controller._unshelve,
|
||||
req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_unshelve_locked_server(self):
|
||||
@ -104,7 +104,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
policy.set_rules(rules)
|
||||
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_offload_allowed(self):
|
||||
@ -115,7 +115,7 @@ class ShelvePolicyTest(test.NoDBTestCase):
|
||||
|
||||
self.stubs.Set(db, 'instance_get_by_uuid', fake_instance_get_by_uuid)
|
||||
req = fakes.HTTPRequestV3.blank('/servers/12/os-shelve')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.controller._shelve_offload, req, str(uuid.uuid4()), {})
|
||||
|
||||
def test_shelve_offload_locked_server(self):
|
||||
|
@ -441,7 +441,7 @@ class ResourceTest(test.NoDBTestCase):
|
||||
def test_resource_not_authorized(self):
|
||||
class Controller(object):
|
||||
def index(self, req):
|
||||
raise exception.NotAuthorized()
|
||||
raise exception.Forbidden()
|
||||
|
||||
req = webob.Request.blank('/tests')
|
||||
app = fakes.TestRouter(Controller())
|
||||
|
@ -2702,7 +2702,7 @@ class ComputeTestCase(BaseTestCase):
|
||||
"""Ensure expected exception is raised if set_admin_password not
|
||||
authorized.
|
||||
"""
|
||||
exc = exception.NotAuthorized(_('Internal error'))
|
||||
exc = exception.Forbidden(_('Internal error'))
|
||||
expected_exception = exception.InstancePasswordSetFailed
|
||||
self._do_test_set_admin_password_driver_error(exc,
|
||||
vm_states.ERROR,
|
||||
|
@ -3545,7 +3545,7 @@ class FixedIPTestCase(BaseInstanceTypeTestCase):
|
||||
fixed_ip_id = db.fixed_ip_create(self.ctxt, param)
|
||||
|
||||
self.ctxt.is_admin = False
|
||||
self.assertRaises(exception.NotAuthorized, db.fixed_ip_get,
|
||||
self.assertRaises(exception.Forbidden, db.fixed_ip_get,
|
||||
self.ctxt, fixed_ip_id)
|
||||
|
||||
def test_fixed_ip_get_success(self):
|
||||
@ -3765,7 +3765,7 @@ class FloatingIpTestCase(test.TestCase, ModelsObjectComparatorMixin):
|
||||
def test_floating_ip_allocate_not_authorized(self):
|
||||
ctxt = context.RequestContext(user_id='a', project_id='abc',
|
||||
is_admin=False)
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
db.floating_ip_allocate_address,
|
||||
ctxt, 'other_project_id', 'any_pool')
|
||||
|
||||
@ -4011,7 +4011,7 @@ class FloatingIpTestCase(test.TestCase, ModelsObjectComparatorMixin):
|
||||
def test_floating_ip_get_all_by_project_not_authorized(self):
|
||||
ctxt = context.RequestContext(user_id='a', project_id='abc',
|
||||
is_admin=False)
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
db.floating_ip_get_all_by_project,
|
||||
ctxt, 'other_project')
|
||||
|
||||
|
@ -777,14 +777,14 @@ class TestDetail(test.NoDBTestCase):
|
||||
ext_query_mock, reraise_mock):
|
||||
params = {}
|
||||
ext_query_mock.return_value = params
|
||||
raised = exception.NotAuthorized()
|
||||
raised = exception.Forbidden()
|
||||
client = mock.MagicMock()
|
||||
client.call.side_effect = glanceclient.exc.Forbidden
|
||||
ctx = mock.sentinel.ctx
|
||||
reraise_mock.side_effect = raised
|
||||
service = glance.GlanceImageService(client)
|
||||
|
||||
with testtools.ExpectedException(exception.NotAuthorized):
|
||||
with testtools.ExpectedException(exception.Forbidden):
|
||||
service.detail(ctx, **params)
|
||||
|
||||
client.call.assert_called_once_with(ctx, 1, 'list')
|
||||
|
@ -49,7 +49,7 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
||||
self.assertEqual(length / 8, len(key.get_encoded()))
|
||||
|
||||
def test_create_null_context(self):
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.key_mgr.create_key, None)
|
||||
|
||||
def test_store_key(self):
|
||||
@ -61,7 +61,7 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
||||
self.assertEqual(_key, actual_key)
|
||||
|
||||
def test_store_null_context(self):
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.key_mgr.store_key, None, None)
|
||||
|
||||
def test_copy_key(self):
|
||||
@ -75,14 +75,14 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
||||
self.assertEqual(key, copied_key)
|
||||
|
||||
def test_copy_null_context(self):
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.key_mgr.copy_key, None, None)
|
||||
|
||||
def test_get_key(self):
|
||||
pass
|
||||
|
||||
def test_get_null_context(self):
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.key_mgr.get_key, None, None)
|
||||
|
||||
def test_get_unknown_key(self):
|
||||
@ -95,7 +95,7 @@ class MockKeyManagerTestCase(test_key_mgr.KeyManagerTestCase):
|
||||
self.assertRaises(KeyError, self.key_mgr.get_key, self.ctxt, key_id)
|
||||
|
||||
def test_delete_null_context(self):
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.key_mgr.delete_key, None, None)
|
||||
|
||||
def test_delete_unknown_key(self):
|
||||
|
@ -51,7 +51,7 @@ class SingleKeyManagerTestCase(test_mock_key_mgr.MockKeyManagerTestCase):
|
||||
pass
|
||||
|
||||
def test_store_null_context(self):
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.key_mgr.store_key, None, self.key)
|
||||
|
||||
def test_copy_key(self):
|
||||
|
@ -909,7 +909,7 @@ class VlanNetworkTestCase(test.TestCase):
|
||||
# raises because floating_ip project_id is None
|
||||
floating_ip = floating_ip_obj.FloatingIP(address='10.0.0.1',
|
||||
project_id=None)
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.network._floating_ip_owned_by_project,
|
||||
ctxt,
|
||||
floating_ip)
|
||||
@ -917,7 +917,7 @@ class VlanNetworkTestCase(test.TestCase):
|
||||
# raises because floating_ip project_id is not equal to ctxt project_id
|
||||
floating_ip = floating_ip_obj.FloatingIP(
|
||||
address='10.0.0.1', project_id=ctxt.project_id + '1')
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.network._floating_ip_owned_by_project,
|
||||
ctxt,
|
||||
floating_ip)
|
||||
@ -1360,14 +1360,14 @@ class VlanNetworkTestCase(test.TestCase):
|
||||
**networks[1]))
|
||||
|
||||
# Associate the IP with non-admin user context
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.network.associate_floating_ip,
|
||||
context2,
|
||||
float_addr,
|
||||
fix_addr)
|
||||
|
||||
# Deallocate address from other project
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.network.deallocate_floating_ip,
|
||||
context2,
|
||||
float_addr)
|
||||
@ -1376,7 +1376,7 @@ class VlanNetworkTestCase(test.TestCase):
|
||||
self.network.associate_floating_ip(context1, float_addr, fix_addr)
|
||||
|
||||
# Now try dis-associating from other project
|
||||
self.assertRaises(exception.NotAuthorized,
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self.network.disassociate_floating_ip,
|
||||
context2,
|
||||
float_addr)
|
||||
|
Loading…
Reference in New Issue
Block a user