Move policy enforcement into REST API layer for v2.1 multinic

This patch moves the policy enforcement into REST API layer for v2.1 multinic extension and adds related unittest. Partially implements bp v3-api-policy DocImpact Change-Id: I5d1056cac70d4dd0efe8a400093bee019ce91135
2015-01-25 12:42:40 +08:00
parent ef826bf971
commit fa5dc30133
2 changed files with 32 additions and 2 deletions
--- a/nova/api/openstack/compute/plugins/v3/multinic.py
+++ b/nova/api/openstack/compute/plugins/v3/multinic.py
@@ -27,13 +27,13 @@ from nova import exception


 ALIAS = "os-multinic"
-authorize = extensions.extension_authorizer('compute', 'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)


 class MultinicController(wsgi.Controller):
    def __init__(self, *args, **kwargs):
        super(MultinicController, self).__init__(*args, **kwargs)
-        self.compute_api = compute.API()
+        self.compute_api = compute.API(skip_policy_check=True)

    @wsgi.response(202)
    @wsgi.action('addFixedIp')
--- a/nova/tests/unit/api/openstack/compute/contrib/test_multinic.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_multinic.py
@@ -171,3 +171,33 @@ class FixedIpTestV2(FixedIpTestV21):
        # NOTE(cyeoh): This test is disabled for the V2 API because it is
        # has poorer input validation.
        pass
+
+
+class MultinicPolicyEnforcementV21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(MultinicPolicyEnforcementV21, self).setUp()
+        self.controller = multinic_v21.MultinicController()
+        self.req = fakes.HTTPRequest.blank('')
+
+    def test_add_fixed_ip_policy_failed(self):
+        rule_name = "compute_extension:v3:os-multinic"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller._add_fixed_ip, self.req, fakes.FAKE_UUID,
+            body={'addFixedIp': {'networkId': fakes.FAKE_UUID}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())
+
+    def test_remove_fixed_ip_policy_failed(self):
+        rule_name = "compute_extension:v3:os-multinic"
+        self.policy.set_rules({rule_name: "project:non_fake"})
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller._remove_fixed_ip, self.req, fakes.FAKE_UUID,
+            body={'removeFixedIp': {'address': "10.0.0.1"}})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % rule_name,
+            exc.format_message())