Fix authorization checks for simple_usage.show

* Normal users shouls be allowed to query their own usage info
 * Fixes bug 921327
 * Address bcwaldon's comment about using a default {} in authorize
 * Remove is_admin references
 * Rebase and change expected auth failure response from 401 to 403
 * Remove policy-related tests
 * Add back test_verify_show_cant_view_other_tenant, implemented with test policy

Change-Id: Ib0ce46419b7aedad34de957bfe2e60b10c5af11c

etc/nova/policy.json

@@ -33,7 +33,8 @@
     "compute_extension:security_groups": [],
     "compute_extension:server_action_list": [["rule:admin_api"]],
     "compute_extension:server_diagnostics": [["rule:admin_api"]],
-    "compute_extension:simple_tenant_usage": [["rule:admin_api"]],
+    "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
+    "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
     "compute_extension:users": [["rule:admin_api"]],
     "compute_extension:virtual_interfaces": [],
     "compute_extension:virtual_storage_arrays": [],

nova/api/openstack/compute/contrib/simple_tenant_usage.py

@@ -29,7 +29,10 @@ from nova import flags
 
 
 FLAGS = flags.FLAGS
-authorize = extensions.extension_authorizer('compute', 'simple_tenant_usage')
+authorize_show = extensions.extension_authorizer('compute',
+                                                 'simple_tenant_usage:show')
+authorize_list = extensions.extension_authorizer('compute',
+                                                 'simple_tenant_usage:list')
 
 
 def make_usage(elem):
@@ -110,8 +113,6 @@ class SimpleTenantUsageController(object):
                                                      period_start,
                                                      period_stop,
                                                      tenant_id)
-        from nova import log as logging
-        logging.info(instances)
         rval = {}
         flavors = {}
 
@@ -212,10 +213,8 @@ class SimpleTenantUsageController(object):
     def index(self, req):
         """Retrive tenant_usage for all tenants"""
         context = req.environ['nova.context']
-        authorize(context)
 
-        if not context.is_admin:
+        authorize_list(context)
-            return webob.Response(status_int=403)
 
         (period_start, period_stop, detailed) = self._get_datetime_range(req)
         usages = self._tenant_usages_for_period(context,
@@ -229,11 +228,8 @@ class SimpleTenantUsageController(object):
         """Retrive tenant_usage for a specified tenant"""
         tenant_id = id
         context = req.environ['nova.context']
-        authorize(context)
 
-        if not context.is_admin:
+        authorize_show(context, {'project_id': tenant_id})
-            if tenant_id != context.project_id:
-                return webob.Response(status_int=403)
 
         (period_start, period_stop, ignore) = self._get_datetime_range(req)
         usage = self._tenant_usages_for_period(context,

nova/api/openstack/extensions.py

@@ -379,9 +379,11 @@ def load_standard_extensions(ext_mgr, logger, path, package):
 
 
 def extension_authorizer(api_name, extension_name):
-    def authorize(context):
+    def authorize(context, target=None):
+        if target == None:
+            target = {}
         action = '%s_extension:%s' % (api_name, extension_name)
-        nova.policy.enforce(context, action, {})
+        nova.policy.enforce(context, action, target)
     return authorize
 
 

nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py

@@ -22,6 +22,8 @@ from lxml import etree
 import webob
 
 from nova.api.openstack.compute.contrib import simple_tenant_usage
+from nova import policy
+from nova.common import policy as common_policy
 from nova.compute import api
 from nova import context
 from nova import flags
@@ -133,18 +135,6 @@ class SimpleTenantUsageTest(test.TestCase):
             for j in xrange(SERVERS):
                 self.assertEqual(int(servers[j]['hours']), HOURS)
 
-    def test_verify_index_fails_for_nonadmin(self):
-        req = webob.Request.blank(
-                    '/v2/faketenant_0/os-simple-tenant-usage?'
-                    'detailed=1&start=%s&end=%s' %
-                    (START.isoformat(), STOP.isoformat()))
-        req.method = "GET"
-        req.headers["content-type"] = "application/json"
-
-        res = req.get_response(fakes.wsgi_app(
-                               fake_auth_context=self.user_context))
-        self.assertEqual(res.status_int, 403)
-
     def test_verify_show(self):
         req = webob.Request.blank(
                   '/v2/faketenant_0/os-simple-tenant-usage/'
@@ -175,9 +165,18 @@ class SimpleTenantUsageTest(test.TestCase):
         req.method = "GET"
         req.headers["content-type"] = "application/json"
 
-        res = req.get_response(fakes.wsgi_app(
+        rules = {
-                               fake_auth_context=self.alt_user_context))
+            "compute_extension:simple_tenant_usage:show":
-        self.assertEqual(res.status_int, 403)
+                [["role:admin"], ["project_id:%(project_id)s"]]
+        }
+        common_policy.set_brain(common_policy.HttpBrain(rules))
+
+        try:
+            res = req.get_response(fakes.wsgi_app(
+                                   fake_auth_context=self.alt_user_context))
+            self.assertEqual(res.status_int, 403)
+        finally:
+            policy.reset()
 
 
 class SimpleTenantUsageSerializerTest(test.TestCase):

nova/tests/policy.json

@@ -92,7 +92,8 @@
     "compute_extension:security_groups": [],
     "compute_extension:server_action_list": [],
     "compute_extension:server_diagnostics": [],
-    "compute_extension:simple_tenant_usage": [],
+    "compute_extension:simple_tenant_usage:show": [],
+    "compute_extension:simple_tenant_usage:list": [],
     "compute_extension:users": [],
     "compute_extension:virtual_interfaces": [],
     "compute_extension:virtual_storage_arrays": [],