Enforce policy checking in REST API layer for v2.1 server_password

This patch moves the policy enforcement into REST API layer for v2.1 server_password extension and adds related unittest. Partially implements bp v3-api-policy DocImpact Change-Id: I0c4ff3c8574cc5de54fff44a058a24a73d56fbd8
2015-01-15 13:31:36 +08:00
parent 8a6ddbe996
commit e794dbe5d1
2 changed files with 29 additions and 2 deletions
--- a/nova/api/openstack/compute/plugins/v3/server_password.py
+++ b/nova/api/openstack/compute/plugins/v3/server_password.py
@@ -23,13 +23,13 @@ from nova import compute


 ALIAS = 'os-server-password'
-authorize = extensions.extension_authorizer('compute', 'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)


 class ServerPasswordController(wsgi.Controller):
    """The Server Password API controller for the OpenStack API."""
    def __init__(self):
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)

    @extensions.expected_errors(404)
    def index(self, req, server_id):
--- a/nova/tests/unit/api/openstack/compute/contrib/test_server_password.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_server_password.py
@@ -21,6 +21,7 @@ from nova.api.openstack.compute.contrib import server_password \
 from nova.api.openstack.compute.plugins.v3 import server_password \
    as server_password_v21
 from nova import compute
+from nova import exception
 from nova import test
 from nova.tests.unit.api.openstack import fakes
 from nova.tests.unit import fake_instance
@@ -74,3 +75,29 @@ class ServerPasswordTestV21(test.TestCase):
 class ServerPasswordTestV2(ServerPasswordTestV21):
    server_password = server_password_v2
    delete_call = 'self.controller.delete'
+
+
+class ServerPasswordPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(ServerPasswordPolicyEnforcementV21, self).setUp()
+        self.controller = server_password_v21.ServerPasswordController()
+        self.req = fakes.HTTPRequest.blank('')
+
+    def _test_policy_failed(self, method, rule_name):
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            method, self.req, fakes.FAKE_UUID)
+
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
+
+    def test_get_password_policy_failed(self):
+        rule_name = "compute_extension:v3:os-server-password"
+        self._test_policy_failed(self.controller.index, rule_name)
+
+    def test_clear_password_policy_failed(self):
+        rule_name = "compute_extension:v3:os-server-password"
+        self._test_policy_failed(self.controller.clear, rule_name)