Merge "Remove the policy check with function's parameter"

Jenkins 2017-03-31 10:29:30 +00:00 committed by Gerrit Code Review
commit 481a491592
2 changed files with 8 additions and 47 deletions
mogan
common
tests/unit/common

@ -90,21 +90,9 @@ instance_policies = [
policy.RuleDefault('mogan:instance:update', policy.RuleDefault('mogan:instance:update',
'rule:default', 'rule:default',
description='Update Instance records'), description='Update Instance records'),
policy.RuleDefault('mogan:instance:set_power_state:on', policy.RuleDefault('mogan:instance:set_power_state',
'rule:default', 'rule:default',
description='Start an instance'), description='Perform the power action on an instance'),
policy.RuleDefault('mogan:instance:set_power_state:off',
'rule:default',
description='Stop an instance'),
policy.RuleDefault('mogan:instance:set_power_state:soft_off',
'rule:default',
description='Soft stop an instance'),
policy.RuleDefault('mogan:instance:set_power_state:reboot',
'rule:default',
description='Reboot an instance'),
policy.RuleDefault('mogan:instance:set_power_state:soft_reboot',
'rule:default',
description='Soft reboot an instance'),
policy.RuleDefault('mogan:instance:get_networks', policy.RuleDefault('mogan:instance:get_networks',
'rule:default', 'rule:default',
description='Get Instance network information'), description='Get Instance network information'),
@ -117,16 +105,11 @@ instance_policies = [
policy.RuleDefault('mogan:instance:set_lock_state', policy.RuleDefault('mogan:instance:set_lock_state',
'rule:default', 'rule:default',
description='Lock/UnLock an instance'), description='Lock/UnLock an instance'),
policy.RuleDefault('mogan:instance:set_provision_state:rebuild', policy.RuleDefault('mogan:instance:set_provision_state',
'rule:default', 'rule:default',
description='Rebuild an instance'), description='Set the provision state of an instance'),
] ]
FUNC_PARAMS_INTERESTED = {
'power': ['target'],
'provision': ['target']
}
def list_policies(): def list_policies():
policies = (default_policies policies = (default_policies
@ -196,21 +179,6 @@ def authorize(rule, target, creds, *args, **kwargs):
raise exception.HTTPForbidden(resource=rule) raise exception.HTTPForbidden(resource=rule)
def _add_action_extra(action, fn, *args, **kwargs):
func_name = fn.__name__
if func_name in FUNC_PARAMS_INTERESTED:
fn_args = fn.__dict__['_pecan']['argspec'][0][1:]
for param in FUNC_PARAMS_INTERESTED[func_name]:
if param in kwargs:
if kwargs[param]:
action = '%s:%s' % (action, kwargs[param])
elif param in fn_args:
param_value = args[fn_args.index(param)]
if param_value:
action = '%s:%s' % (action, param_value)
return action
# NOTE(Shaohe Feng): This decorator MUST appear first (the outermost # NOTE(Shaohe Feng): This decorator MUST appear first (the outermost
# decorator) on an API method for it to work correctly # decorator) on an API method for it to work correctly
def authorize_wsgi(api_name, act=None, need_target=True): def authorize_wsgi(api_name, act=None, need_target=True):
@ -221,7 +189,7 @@ def authorize_wsgi(api_name, act=None, need_target=True):
:param need_target: Whether need target for authorization. Such as, :param need_target: Whether need target for authorization. Such as,
when create some resource , maybe target is not needed. when create some resource , maybe target is not needed.
example: example:
from magnum.common import policy from mogan.common import policy
class InstancesController(rest.RestController): class InstancesController(rest.RestController):
.... ....
@policy.authorize_wsgi("mogan:instance", "delete") @policy.authorize_wsgi("mogan:instance", "delete")
@ -276,12 +244,10 @@ def authorize_wsgi(api_name, act=None, need_target=True):
# the credentials with itself. # the credentials with itself.
target = {'project_id': context.tenant, target = {'project_id': context.tenant,
'user_id': context.user} 'user_id': context.user}
action_with_extra = _add_action_extra(action, fn, *args, **kwargs)
try: try:
authorize(action_with_extra, target, credentials) authorize(action, target, credentials)
except Exception: except Exception:
return return_error(403) return return_error(403)
return fn(self, *args, **kwargs) return fn(self, *args, **kwargs)
return handle return handle
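Review bot: Folding the five `mogan:instance:set_power_state:*` rules and `mogan:instance:set_provision_state:rebuild` into two coarse rules in `instance_policies` changes which rule names `authorize_wsgi` checks, so any operator override written against the old names would presumably stop being consulted after upgrade. A deployment that had restricted only reboot or power-off to admins would then fall back to `rule:default` for every power action; how the policy loader treats the now-unregistered names is not visible in this diff. I would add an upgrade release note listing the removed rule names, plus a comment above the merged rule such as `# NOTE: covers on/off/soft_off/reboot/soft_reboot; per-action rules were removed, migrate overrides to this name`. The body of `authorize_wsgi` runs beyond these hunks, so whether the power target is still validated elsewhere cannot be confirmed from here.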

@ -31,15 +31,10 @@ class TestAuthorizeWsgi(base.TestCase):
def power(self, instance_uuid, target): def power(self, instance_uuid, target):
pass pass
power.__dict__['_pecan'] = {
'argspec': [['self', 'instance_uuid', 'target']]}
self.fake_power = power
def lock(self, instance_uuid, target): def lock(self, instance_uuid, target):
pass pass
lock.__dict__['_pecan'] = { self.fake_power = power
'argspec': [['self', 'instance_uuid', 'target']]}
self.fake_lock = lock self.fake_lock = lock
@mock.patch('pecan.request') @mock.patch('pecan.request')
@ -69,7 +64,7 @@ class TestAuthorizeWsgi(base.TestCase):
'reboot') 'reboot')
self.assertEqual(403, mocked_pecan_response.status) self.assertEqual(403, mocked_pecan_response.status)
self.assertEqual('Access was denied to the following resource: ' self.assertEqual('Access was denied to the following resource: '
'mogan:instance:set_power_state:reboot', 'mogan:instance:set_power_state',
data['faultstring']) data['faultstring'])
@mock.patch('pecan.request') @mock.patch('pecan.request')