Add policy checking to nova.network.api.API

Partially implements bp interim-nova-authz-service Change-Id: Ib93d854ee1a7f22f4e7f313a9d50300df8b8596b
2012-01-12 15:52:11 -08:00
parent 70fff0e7c2
commit c0127c3b17
2 changed files with 75 additions and 6 deletions
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -88,5 +88,39 @@
    "volume:create_snapshot": [],
    "volume:delete_snapshot": [],
    "volume:get_snapshot": [],
-    "volume:get_all_snapshots": []
+    "volume:get_all_snapshots": [],
+
+
+    "network:get_all_networks": [],
+    "network:get_network": [],
+    "network:delete_network": [],
+    "network:disassociate_network": [],
+    "network:get_vifs_by_instance": [],
+    "network:allocate_for_instance": [],
+    "network:deallocate_for_instance": [],
+    "network:validate_networks": [],
+    "network:get_instance_uuids_by_ip_filter": [],
+
+    "network:get_floating_ip": [],
+    "network:get_floating_ip_pools": [],
+    "network:get_floating_ip_by_address": [],
+    "network:get_floating_ips_by_project": [],
+    "network:get_floating_ips_by_fixed_address": [],
+    "network:allocate_floating_ip": [],
+    "network:deallocate_floating_ip": [],
+    "network:associate_floating_ip": [],
+    "network:disassociate_floating_ip": [],
+
+    "network:get_fixed_ip": [],
+    "network:add_fixed_ip_to_instance": [],
+    "network:remove_fixed_ip_from_instance": [],
+    "network:add_network_to_project": [],
+    "network:get_instance_nw_info": [],
+
+    "network:get_dns_zones": [],
+    "network:add_dns_entry": [],
+    "network:modify_dns_entry": [],
+    "network:delete_dns_entry": [],
+    "network:get_dns_entries_by_address": [],
+    "network:get_dns_entries_by_name": []
 }
--- a/nova/tests/test_network.py
+++ b/nova/tests/test_network.py
@@ -22,6 +22,7 @@ from nova import db
 from nova import exception
 from nova import flags
 from nova import log as logging
+import nova.policy
 from nova import rpc
 from nova import test
 from nova import utils
@@ -230,7 +231,7 @@ class FlatNetworkTestCase(test.TestCase):
        self.mox.ReplayAll()

        self.assertRaises(exception.FixedIpInvalid,
-                          self.network.validate_networks, None,
+                          self.network.validate_networks, self.context,
                          requested_networks)

    def test_validate_networks_empty_fixed_ip(self):
@@ -243,7 +244,7 @@ class FlatNetworkTestCase(test.TestCase):

        self.assertRaises(exception.FixedIpInvalid,
                          self.network.validate_networks,
-                          None, requested_networks)
+                          self.context, requested_networks)

    def test_validate_networks_none_fixed_ip(self):
        self.mox.StubOutWithMock(db, 'network_get_all_by_uuids')
@@ -253,7 +254,7 @@ class FlatNetworkTestCase(test.TestCase):
                                    mox.IgnoreArg()).AndReturn(networks)
        self.mox.ReplayAll()

-        self.network.validate_networks(None, requested_networks)
+        self.network.validate_networks(self.context, requested_networks)

    def test_add_fixed_ip_instance_without_vpn_requested_networks(self):
        self.mox.StubOutWithMock(db, 'network_get')
@@ -813,12 +814,17 @@ class VlanNetworkTestCase(test.TestCase):


 class CommonNetworkTestCase(test.TestCase):
+
+    def setUp(self):
+        super(CommonNetworkTestCase, self).setUp()
+        self.context = context.RequestContext('fake', 'fake')
+
    def fake_create_fixed_ips(self, context, network_id):
        return None

    def test_remove_fixed_ip_from_instance(self):
        manager = fake_network.FakeNetworkManager()
-        manager.remove_fixed_ip_from_instance(None, 99, '10.0.0.1')
+        manager.remove_fixed_ip_from_instance(self.context, 99, '10.0.0.1')

        self.assertEquals(manager.deallocate_called, '10.0.0.1')

@@ -826,7 +832,7 @@ class CommonNetworkTestCase(test.TestCase):
        manager = fake_network.FakeNetworkManager()
        self.assertRaises(exception.FixedIpNotFoundForSpecificInstance,
                          manager.remove_fixed_ip_from_instance,
-                          None, 99, 'bad input')
+                          self.context, 99, 'bad input')

    def test_validate_cidrs(self):
        manager = fake_network.FakeNetworkManager()
@@ -1320,3 +1326,32 @@ class FloatingIPTestCase(test.TestCase):
        self.assertRaises(exception.NotFound,
                          self.network.delete_dns_entry, self.context,
                          name1, zone)
+
+
+class NetworkPolicyTestCase(test.TestCase):
+    def setUp(self):
+        super(NetworkPolicyTestCase, self).setUp()
+
+        nova.policy.reset()
+        nova.policy.init()
+
+        self.context = context.get_admin_context()
+
+    def tearDown(self):
+        super(NetworkPolicyTestCase, self).tearDown()
+        nova.policy.reset()
+
+    def _set_rules(self, rules):
+        nova.common.policy.set_brain(nova.common.policy.HttpBrain(rules))
+
+    def test_check_policy(self):
+        self.mox.StubOutWithMock(nova.policy, 'enforce')
+        target = {
+            'project_id': self.context.project_id,
+            'user_id': self.context.user_id,
+        }
+        nova.policy.enforce(self.context, 'network:get_all', target)
+        self.mox.ReplayAll()
+        network_manager.check_policy(self.context, 'get_all')
+        self.mox.UnsetStubs()
+        self.mox.VerifyAll()