authorJenkins <jenkins@review.openstack.org>2015-03-16 01:42:12 +0000
committerGerrit Code Review <review@openstack.org>2015-03-16 01:42:12 +0000
commit5b516268e0cd33564c58f613a5520037c2ecb7be (patch)
tree5d5da58c9fe2ea41151f2700110e17879107d214
parent833f405ca73da2c293002385f7d3d31bb37ead02 (diff)
parent9d11bd5a419e0f2f96acee6b5736321c77984457 (diff)
Merge "Move policy enforcement into REST API layer for v2.1 security groups"
-rw-r--r--nova/api/openstack/compute/plugins/v3/security_groups.py19
-rw-r--r--nova/tests/unit/api/openstack/compute/contrib/test_security_groups.py98
2 files changed, 109 insertions, 8 deletions
diff --git a/nova/api/openstack/compute/plugins/v3/security_groups.py b/nova/api/openstack/compute/plugins/v3/security_groups.py
index a3b607340e..49199b0b77 100644
--- a/nova/api/openstack/compute/plugins/v3/security_groups.py
+++ b/nova/api/openstack/compute/plugins/v3/security_groups.py
@@ -34,8 +34,8 @@ from nova.virt import netutils
LOG = logging.getLogger(__name__)
ALIAS = 'os-security-groups'
ATTRIBUTE_NAME = 'security_groups'
-authorize = extensions.extension_authorizer('compute', 'v3:' + ALIAS)
-softauth = extensions.soft_extension_authorizer('compute', 'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
+softauth = extensions.os_compute_soft_authorizer(ALIAS)
def _authorize_context(req):
@@ -49,9 +49,10 @@ class SecurityGroupControllerBase(wsgi.Controller):
def __init__(self):
self.security_group_api = (
- openstack_driver.get_openstack_security_group_driver())
+ openstack_driver.get_openstack_security_group_driver(
+ skip_policy_check=True))
self.compute_api = compute.API(
- security_group_api=self.security_group_api)
+ security_group_api=self.security_group_api, skip_policy_check=True)
def _format_security_group_rule(self, context, rule, group_rule_data=None):
"""Return a secuity group rule in desired API response format.
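Review bot: Passing `skip_policy_check=True` to both the security group driver and `compute.API` removes the policy check at the lower layers, so from this commit on every handler on SecurityGroupControllerBase and its subclasses must call `authorize`/`softauth` itself or the operation runs unchecked; the handler bodies are outside this hunk, so the only guard visible here is the new PolicyEnforcementV21 tests in the second file. The same pattern is repeated in the SecurityGroupActionController hunk and the SecurityGroupsOutputController hunk below. A comment at the constructor would make the contract explicit for the next person adding a method: `# Policy is enforced in this REST layer via authorize()/softauth(); the driver and compute API are told to skip their own checks, so every new handler must authorize explicitly.`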
@@ -356,9 +357,10 @@ class SecurityGroupActionController(wsgi.Controller):
def __init__(self, *args, **kwargs):
super(SecurityGroupActionController, self).__init__(*args, **kwargs)
self.security_group_api = (
- openstack_driver.get_openstack_security_group_driver())
+ openstack_driver.get_openstack_security_group_driver(
+ skip_policy_check=True))
self.compute_api = compute.API(
- security_group_api=self.security_group_api)
+ security_group_api=self.security_group_api, skip_policy_check=True)
def _parse(self, body, action):
try:
@@ -425,9 +427,10 @@ class SecurityGroupActionController(wsgi.Controller):
class SecurityGroupsOutputController(wsgi.Controller):
def __init__(self, *args, **kwargs):
super(SecurityGroupsOutputController, self).__init__(*args, **kwargs)
- self.compute_api = compute.API()
+ self.compute_api = compute.API(skip_policy_check=True)
self.security_group_api = (
- openstack_driver.get_openstack_security_group_driver())
+ openstack_driver.get_openstack_security_group_driver(
+ skip_policy_check=True))
def _extend_servers(self, req, servers):
# TODO(arosen) this function should be refactored to reduce duplicate
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_security_groups.py b/nova/tests/unit/api/openstack/compute/contrib/test_security_groups.py
index f339663b4f..ed385fb2d8 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_security_groups.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_security_groups.py
@@ -1456,3 +1456,101 @@ class SecurityGroupsOutputTestV2(SecurityGroupsOutputTestV21):
def _setup_app(self):
return fakes.wsgi_app(init_only=('servers',))
+
+
+class SecurityGroupsOutputPolicyEnforcementV21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(SecurityGroupsOutputPolicyEnforcementV21, self).setUp()
+ self.controller = secgroups_v21.SecurityGroupsOutputController()
+ self.req = fakes.HTTPRequest.blank('')
+ self.rule_name = "compute_extension:v3:os-security-groups"
+ self.rule = {self.rule_name: "project:non_fake"}
+ self.policy.set_rules(self.rule)
+
+ def test_show_policy_failed(self):
+ self.controller.show(self.req, None, FAKE_UUID1)
+
+ def test_create_policy_failed(self):
+ self.controller.create(self.req, None, {})
+
+ def test_detail_policy_failed(self):
+ self.controller.detail(self.req, None)
+
+
+class PolicyEnforcementV21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(PolicyEnforcementV21, self).setUp()
+ self.req = fakes.HTTPRequest.blank('')
+ self.rule_name = "compute_extension:v3:os-security-groups"
+ self.rule = {self.rule_name: "project:non_fake"}
+
+ def _common_policy_check(self, func, *arg, **kwarg):
+ self.policy.set_rules(self.rule)
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized, func, *arg, **kwarg)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % self.rule_name,
+ exc.format_message())
+
+
+class SecurityGroupPolicyEnforcementV21(PolicyEnforcementV21):
+
+ def setUp(self):
+ super(SecurityGroupPolicyEnforcementV21, self).setUp()
+ self.controller = secgroups_v21.SecurityGroupController()
+
+ def test_create_policy_failed(self):
+ self._common_policy_check(self.controller.create, self.req, {})
+
+ def test_show_policy_failed(self):
+ self._common_policy_check(self.controller.show, self.req, FAKE_UUID1)
+
+ def test_delete_policy_failed(self):
+ self._common_policy_check(self.controller.delete, self.req, FAKE_UUID1)
+
+ def test_index_policy_failed(self):
+ self._common_policy_check(self.controller.index, self.req)
+
+ def test_update_policy_failed(self):
+ self._common_policy_check(
+ self.controller.update, self.req, FAKE_UUID1, {})
+
+
+class ServerSecurityGroupPolicyEnforcementV21(PolicyEnforcementV21):
+
+ def setUp(self):
+ super(ServerSecurityGroupPolicyEnforcementV21, self).setUp()
+ self.controller = secgroups_v21.ServerSecurityGroupController()
+
+ def test_index_policy_failed(self):
+ self._common_policy_check(self.controller.index, self.req, FAKE_UUID1)
+
+
+class SecurityGroupRulesPolicyEnforcementV21(PolicyEnforcementV21):
+
+ def setUp(self):
+ super(SecurityGroupRulesPolicyEnforcementV21, self).setUp()
+ self.controller = secgroups_v21.SecurityGroupRulesController()
+
+ def test_create_policy_failed(self):
+ self._common_policy_check(self.controller.create, self.req, {})
+
+ def test_delete_policy_failed(self):
+ self._common_policy_check(self.controller.delete, self.req, FAKE_UUID1)
+
+
+class SecurityGroupActionPolicyEnforcementV21(PolicyEnforcementV21):
+
+ def setUp(self):
+ super(SecurityGroupActionPolicyEnforcementV21, self).setUp()
+ self.controller = secgroups_v21.SecurityGroupActionController()
+
+ def test_add_security_group_policy_failed(self):
+ self._common_policy_check(
+ self.controller._addSecurityGroup, self.req, FAKE_UUID1, {})
+
+ def test_remove_security_group_policy_failed(self):
+ self._common_policy_check(
+ self.controller._removeSecurityGroup, self.req, FAKE_UUID1, {})
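Review bot: The three `*_policy_failed` tests on SecurityGroupsOutputPolicyEnforcementV21 contain no assertion, so a reader cannot tell what they verify; presumably they pass `None` as the response object so that the soft authorizer's early return is the only path that does not blow up, but that is an indirect check with no comment saying so. A class docstring such as `"""Policy denial must make the output controller return early; resp_obj is None, so any attempt to extend the response would raise."""` would state the intent, and an explicit assertion on the returned value would be stronger still. The other policy classes are fine, though `rule_name` is duplicated between the first class and PolicyEnforcementV21 and could live in one module-level constant.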