From 2e8c325ee9be483adc8fd744fbde6d8bd7e4e6f2 Mon Sep 17 00:00:00 2001
From: yuntong
Date: Mon, 26 Jan 2015 10:35:47 +0800
Subject: [PATCH] Move policy enforcement into REST API layer for v2.1 api assisted_volume_snapshots
This patch moves policy enforement into REST API layer for v2.1 api assisted_volume_snapshots, and adds unit tests.
Partially implements blueprint v3-api-policy
Change-Id: I4203f7c6f19ca0e62dcb35a259d841f4a75644ac
---
 .../plugins/v3/assisted_volume_snapshots.py | 5 ++-
 .../openstack/compute/contrib/test_volumes.py | 35 +++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/nova/api/openstack/compute/plugins/v3/assisted_volume_snapshots.py b/nova/api/openstack/compute/plugins/v3/assisted_volume_snapshots.py
index f9cae99599..39682adf59 100644
--- a/nova/api/openstack/compute/plugins/v3/assisted_volume_snapshots.py
+++ b/nova/api/openstack/compute/plugins/v3/assisted_volume_snapshots.py
@@ -32,15 +32,14 @@ from nova.openstack.common import log as logging
 LOG = logging.getLogger(__name__)
 ALIAS = 'os-assisted-volume-snapshots'
-authorize = extensions.extension_authorizer('compute',
- 'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
 class AssistedVolumeSnapshotsController(wsgi.Controller):
 """The Assisted volume snapshots API controller for the OpenStack API."""
 def __init__(self):
- self.compute_api = compute.API()
+ self.compute_api = compute.API(skip_policy_check=True)
 super(AssistedVolumeSnapshotsController, self).__init__()
 @extensions.expected_errors(400)
diff --git a/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py b/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py
index b377ebb69a..fa94a9696e 100644
--- a/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_volumes.py
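Review bot: With `compute.API(skip_policy_check=True)` in `__init__`, the module-level `authorize` becomes the only policy gate for this controller, and nothing at that line says so. The handlers that must call it (`create` and `delete`) lie outside the hunk, so whether each one invokes `authorize` before touching `self.compute_api` cannot be confirmed from here. I would add a comment above the assignment, for example `# Policy is enforced by authorize() in each handler; the compute API layer skips its own check.`, so that a handler added later is not left without any check.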
@@ -821,3 +821,38 @@ class AssistedSnapshotDeleteTestCaseV2(AssistedSnapshotDeleteTestCaseV21):
 def _check_status(self, expected_status, res, controller_method):
 self.assertEqual(expected_status, res.status_int)
+
+
+class TestAssistedVolumeSnapshotsPolicyEnforcementV21(test.NoDBTestCase):
+
+ def setUp(self):
+ super(TestAssistedVolumeSnapshotsPolicyEnforcementV21, self).setUp()
+ self.controller = (
+ assisted_snaps_v21.AssistedVolumeSnapshotsController())
+ self.req = fakes.HTTPRequest.blank('')
+
+ def test_create_assisted_volumes_snapshots_policy_failed(self):
+ rule_name = "compute_extension:v3:os-assisted-volume-snapshots:create"
+ self.policy.set_rules({rule_name: "project:non_fake"})
+ body = {'snapshot':
+ {'volume_id': '1',
+ 'create_info': {'type': 'qcow2',
+ 'new_file': 'new_file',
+ 'snapshot_id': 'snapshot_id'}}}
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.create, self.req, body=body)
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % rule_name,
+ exc.format_message())
+
+ def test_delete_assisted_volumes_snapshots_policy_failed(self):
+ rule_name = "compute_extension:v3:os-assisted-volume-snapshots:delete"
+ self.policy.set_rules({rule_name: "project:non_fake"})
+ exc = self.assertRaises(
+ exception.PolicyNotAuthorized,
+ self.controller.delete, self.req, '5')
+
+ self.assertEqual(
+ "Policy doesn't allow %s to be performed." % rule_name,
+ exc.format_message())
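Review bot: `TestAssistedVolumeSnapshotsPolicyEnforcementV21` has no docstring saying which property it protects, and both tests assert only that `PolicyNotAuthorized` is raised with the expected message. Neither shows that the rejection happens before `self.controller.compute_api` is reached, which is the point of enforcing at the REST layer; stubbing the compute API call and asserting it was not invoked would pin that, assuming a mock helper is already imported in this file (not visible in the hunk). A docstring such as `"""Denied requests must be rejected by the controller itself, because compute.API is built with skip_policy_check=True."""` would record the intent. The rule names are written out literally in both tests, but the message assertion does catch a mismatch with the rule actually enforced.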