From fa5dc301336103c94a38d30f3f4d19d3d8ba2ca5 Mon Sep 17 00:00:00 2001
From: He Jie Xu
Date: Sun, 25 Jan 2015 12:42:40 +0800
Subject: [PATCH] Move policy enforcement into REST API layer for v2.1 multinic
This patch moves the policy enforcement into REST API layer for v2.1 multinic extension and adds related unittest.
Partially implements bp v3-api-policy
DocImpact
Change-Id: I5d1056cac70d4dd0efe8a400093bee019ce91135
---
 .../openstack/compute/plugins/v3/multinic.py | 4 +--
 .../compute/contrib/test_multinic.py | 30 +++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/nova/api/openstack/compute/plugins/v3/multinic.py b/nova/api/openstack/compute/plugins/v3/multinic.py
index c61127e4840e..eab0a41e71e1 100644
--- a/nova/api/openstack/compute/plugins/v3/multinic.py
+++ b/nova/api/openstack/compute/plugins/v3/multinic.py
@@ -27,13 +27,13 @@ from nova import exception
 ALIAS = "os-multinic"
-authorize = extensions.extension_authorizer('compute', 'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
 class MultinicController(wsgi.Controller):
 def __init__(self, *args, **kwargs):
 super(MultinicController, self).__init__(*args, **kwargs)
- self.compute_api = compute.API()
+ self.compute_api = compute.API(skip_policy_check=True)
 @wsgi.response(202)
 @wsgi.action('addFixedIp')
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_multinic.py b/nova/tests/unit/api/openstack/compute/contrib/test_multinic.py
index 8d2269a4ffc8..f6859c8c4eb1 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_multinic.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_multinic.py
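Review bot: With `compute.API(skip_policy_check=True)` in `__init__`, the module-level `authorize` call inside each action handler becomes the only policy gate for this extension, and those handlers (the `addFixedIp` action and, judging by the new tests, a remove counterpart) sit outside this hunk. The diff alone therefore does not show that every handler calls `authorize(context)` before it touches `self.compute_api`; that ordering should be confirmed in the full file. A comment at the constructor would keep a later action from being added without the check, for example `# Policy is enforced by authorize() in each action; the compute API layer check is skipped.` The rule name that `os_compute_authorizer(ALIAS)` produces is not visible here either; the new test expects `compute_extension:v3:os-multinic`, so existing policy files presumably keep matching, but that is worth stating explicitly given the DocImpact tag.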
@@ -171,3 +171,33 @@ class FixedIpTestV2(FixedIpTestV21):
 # NOTE(cyeoh): This test is disabled for the V2 API because it is
 # has poorer input validation.
 pass
+
+
+class MultinicPolicyEnforcementV21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(MultinicPolicyEnforcementV21, self).setUp()
+ self.controller = multinic_v21.MultinicController()
+ self.req = fakes.HTTPRequest.blank('')
+
+ def test_add_fixed_ip_policy_failed(self):
+ rule_name = "compute_extension:v3:os-multinic"
+ self.policy.set_rules({rule_name: "project:non_fake"})
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller._add_fixed_ip, self.req, fakes.FAKE_UUID,
+ body={'addFixedIp': {'networkId': fakes.FAKE_UUID}})
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % rule_name,
+ exc.format_message())
+
+ def test_remove_fixed_ip_policy_failed(self):
+ rule_name = "compute_extension:v3:os-multinic"
+ self.policy.set_rules({rule_name: "project:non_fake"})
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller._remove_fixed_ip, self.req, fakes.FAKE_UUID,
+ body={'removeFixedIp': {'address': "10.0.0.1"}})
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % rule_name,
+ exc.format_message())
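Review bot: Neither `test_add_fixed_ip_policy_failed` nor `test_remove_fixed_ip_policy_failed` asserts that the compute API stays untouched when policy denies the request, which is the property that matters once the controller is built with `skip_policy_check=True`. `NoDBTestCase` probably catches a handler that reaches the compute layer before `authorize`, but only incidentally, through an unrelated failure. Patching the compute API methods the two handlers call (presumably `add_fixed_ip` and `remove_fixed_ip`; confirm the names against the controller) and adding `self.assertFalse(mock_method.called)` after the `assertRaises` would pin the ordering directly. As a smaller style point, `rule_name` is repeated verbatim in both tests and could be a class attribute such as `rule_name = "compute_extension:v3:os-multinic"`.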