From d6a38c255531aff55205c04f25c7d07f2e417fba Mon Sep 17 00:00:00 2001
From: yuntong <yuntongjin@gmail.com>
Date: Mon, 26 Jan 2015 10:56:08 +0800
Subject: [PATCH] Move policy enforcement into REST API layer for v2.1 api
 console-output

This patch moves policy enforcement into REST API layer for v2.1
api console-output, and adds unit tests.

Partially implements blueprint v3-api-policy

Change-Id: I1b60955ed4433c37d7ae42b238a15cb5ed74e2c4
---
 .../compute/plugins/v3/console_output.py      |  4 ++--
 .../compute/contrib/test_console_output.py    | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/nova/api/openstack/compute/plugins/v3/console_output.py b/nova/api/openstack/compute/plugins/v3/console_output.py
index d153afe3b6b9..2651d82f0f76 100644
--- a/nova/api/openstack/compute/plugins/v3/console_output.py
+++ b/nova/api/openstack/compute/plugins/v3/console_output.py
@@ -28,13 +28,13 @@ from nova import exception
 from nova.i18n import _
 
 ALIAS = "os-console-output"
-authorize = extensions.extension_authorizer('compute', "v3:" + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 class ConsoleOutputController(wsgi.Controller):
     def __init__(self, *args, **kwargs):
         super(ConsoleOutputController, self).__init__(*args, **kwargs)
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)
 
     @extensions.expected_errors((400, 404, 409, 501))
     @wsgi.action('os-getConsoleOutput')
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_console_output.py b/nova/tests/unit/api/openstack/compute/contrib/test_console_output.py
index 72d1d6897a29..4c11e1c98787 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_console_output.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_console_output.py
@@ -148,3 +148,23 @@ class ConsoleOutputExtensionTestV21(test.NoDBTestCase):
 class ConsoleOutputExtensionTestV2(ConsoleOutputExtensionTestV21):
     controller_class = console_output_v2
     validation_error = webob.exc.HTTPBadRequest
+
+
+class ConsoleOutpuPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(ConsoleOutpuPolicyEnforcementV21, self).setUp()
+        self.controller = console_output_v21.ConsoleOutputController()
+
+    def test_get_console_output_policy_failed(self):
+        rule_name = "compute_extension:v3:os-console-output"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        req = fakes.HTTPRequest.blank('')
+        body = {'os-getConsoleOutput': {}}
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.get_console_output, req, fakes.FAKE_UUID,
+            body=body)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())