Move policy enforcement into REST API layer for v2.1 api console-output

This patch moves policy enforcement into REST API layer for v2.1
api console-output, and adds unit tests.

Partially implements blueprint v3-api-policy

Change-Id: I1b60955ed4433c37d7ae42b238a15cb5ed74e2c4

nova/api/openstack/compute/plugins/v3/console_output.py

@@ -28,13 +28,13 @@ from nova import exception
 from nova.i18n import _
 
 ALIAS = "os-console-output"
-authorize = extensions.extension_authorizer('compute', "v3:" + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ConsoleOutputController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
         super(ConsoleOutputController, self).__init__(*args, **kwargs)
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)
 
     @extensions.expected_errors((400, 404, 409, 501))
     @wsgi.action('os-getConsoleOutput')

nova/tests/unit/api/openstack/compute/contrib/test_console_output.py

@@ -148,3 +148,23 @@ class ConsoleOutputExtensionTestV21(test.NoDBTestCase):
 class ConsoleOutputExtensionTestV2(ConsoleOutputExtensionTestV21):
     controller_class = console_output_v2
     validation_error = webob.exc.HTTPBadRequest
+
+
+class ConsoleOutpuPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(ConsoleOutpuPolicyEnforcementV21, self).setUp()
+        self.controller = console_output_v21.ConsoleOutputController()
+
+    def test_get_console_output_policy_failed(self):
+        rule_name = "compute_extension:v3:os-console-output"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        req = fakes.HTTPRequest.blank('')
+        body = {'os-getConsoleOutput': {}}
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.get_console_output, req, fakes.FAKE_UUID,
+            body=body)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())