Fix unpause server policy to be admin_or_owner

unpause server API policy is default to admin_or_owner[1] but API is allowed for everyone. We can see the test trying with other project context can access the API - https://review.opendev.org/#/c/716161/ This is because API does not pass the server project_id in policy target[2] and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone who try to access)[3] This commit fix this policy by passing the server's project_id in policy target. Closes-bug: #1869841 Partial implement blueprint policy-defaults-refresh [1] - eb6bd04e4c/nova/policies/pause_server.py (L38) [2] - eb6bd04e4c/nova/api/openstack/compute/pause_server.py (L58) [3] - c16315165c/nova/policy.py (L191) Change-Id: Iacfaec63eb380863657b44c7f5ff14f6209e3857
2020-03-31 01:28:09 -05:00 · 2020-03-31 01:28:09 -05:00 · cd0b96176a
parent eb6bd04e4c
commit cd0b96176a
2 changed files with 8 additions and 2 deletions
--- a/nova/api/openstack/compute/pause_server.py
+++ b/nova/api/openstack/compute/pause_server.py
@ -55,8 +55,9 @@ class PauseServerController(wsgi.Controller):
    def _unpause(self, req, id, body):
        """Permit Admins to unpause the server."""
        ctxt = req.environ['nova.context']
-        ctxt.can(ps_policies.POLICY_ROOT % 'unpause')
        server = common.get_instance(self.compute_api, ctxt, id)
+        ctxt.can(ps_policies.POLICY_ROOT % 'unpause',
+                 target={'project_id': server.project_id})
        try:
            self.compute_api.unpause(ctxt, server)
        except exception.InstanceIsLocked as e:
--- a/nova/tests/unit/api/openstack/compute/test_pause_server.py
+++ b/nova/tests/unit/api/openstack/compute/test_pause_server.py
@ -114,7 +114,12 @@ class PauseServerPolicyEnforcementV21(test.NoDBTestCase):
        pause_mock.assert_called_once_with(self.req.environ['nova.context'],
                                          instance)

-    def test_unpause_policy_failed(self):
+    @mock.patch('nova.api.openstack.common.get_instance')
+    def test_unpause_policy_failed(self, get_instance_mock):
+        instance = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            user_id=self.req.environ['nova.context'].user_id)
+        get_instance_mock.return_value = instance
        rule_name = "os_compute_api:os-pause-server:unpause"
        self.policy.set_rules({rule_name: "project:non_fake"})
        exc = self.assertRaises(