diff options
| author | Li Chen <chen.li@intel.com> | 2013-02-01 17:32:26 +0800 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-02-06 00:46:38 +0000 |
| commit | 7ba533f069aa95c73524f7f0a398a216dfbcdbb3 (patch) | |
| tree | 32355c0558879a709e509b09a5f36c6657c7eb5a | |
| parent | af235b22eccb81d815c79fd1f531734a140cfafb (diff) | |
| download | nova-7ba533f069aa95c73524f7f0a398a216dfbcdbb3.tar.gz nova-7ba533f069aa95c73524f7f0a398a216dfbcdbb3.tar.xz nova-7ba533f069aa95c73524f7f0a398a216dfbcdbb3.zip | |
Flavor Extra Specs should require admin privileges
The previous fix added admin check in policy.json,
but code still can't recorginize the detailed actions.
This fix edited "authorize" function for flavor_extra_specs,
to make sure it will check the admin privileges in policy.json.
Also, together with the code, this fix edit old test case with admin privileges,
and added new non-admin privileges test case.
Fixes bug 1094142
Change-Id: Ia286aedb4846383ad51bd54b0984dd1feddfbf81
| -rw-r--r-- | nova/api/openstack/compute/contrib/flavorextraspecs.py | 10 | ||||
| -rw-r--r-- | nova/tests/api/openstack/compute/contrib/test_flavors_extra_specs.py | 48 | ||||
| -rw-r--r-- | nova/tests/fake_policy.py | 6 |
3 files changed, 51 insertions, 13 deletions
diff --git a/nova/api/openstack/compute/contrib/flavorextraspecs.py b/nova/api/openstack/compute/contrib/flavorextraspecs.py index 12cc7d9ed..1349abe78 100644 --- a/nova/api/openstack/compute/contrib/flavorextraspecs.py +++ b/nova/api/openstack/compute/contrib/flavorextraspecs.py @@ -62,13 +62,13 @@ class FlavorExtraSpecsController(object): def index(self, req, flavor_id): """Returns the list of extra specs for a given flavor.""" context = req.environ['nova.context'] - authorize(context) + authorize(context, action='index') return self._get_extra_specs(context, flavor_id) @wsgi.serializers(xml=ExtraSpecsTemplate) def create(self, req, flavor_id, body): context = req.environ['nova.context'] - authorize(context) + authorize(context, action='create') self._check_body(body) specs = body.get('extra_specs') try: @@ -82,7 +82,7 @@ class FlavorExtraSpecsController(object): @wsgi.serializers(xml=ExtraSpecTemplate) def update(self, req, flavor_id, id, body): context = req.environ['nova.context'] - authorize(context) + authorize(context, action='update') self._check_body(body) if id not in body: expl = _('Request body and URI mismatch') @@ -102,7 +102,7 @@ class FlavorExtraSpecsController(object): def show(self, req, flavor_id, id): """Return a single extra spec item.""" context = req.environ['nova.context'] - authorize(context) + authorize(context, action='show') specs = self._get_extra_specs(context, flavor_id) if id in specs['extra_specs']: return {id: specs['extra_specs'][id]} @@ -112,7 +112,7 @@ class FlavorExtraSpecsController(object): def delete(self, req, flavor_id, id): """Deletes an existing extra spec.""" context = req.environ['nova.context'] - authorize(context) + authorize(context, action='delete') db.instance_type_extra_specs_delete(context, flavor_id, id) diff --git a/nova/tests/api/openstack/compute/contrib/test_flavors_extra_specs.py b/nova/tests/api/openstack/compute/contrib/test_flavors_extra_specs.py index a3745d573..269937b82 100644 --- a/nova/tests/api/openstack/compute/contrib/test_flavors_extra_specs.py +++ b/nova/tests/api/openstack/compute/contrib/test_flavors_extra_specs.py @@ -19,6 +19,7 @@ import webob from nova.api.openstack.compute.contrib import flavorextraspecs import nova.db +from nova import exception from nova import test from nova.tests.api.openstack import fakes @@ -98,26 +99,47 @@ class FlavorsExtraSpecsTest(test.TestCase): delete_flavor_extra_specs) req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' + - '/key5') + '/key5', use_admin_context=True) self.controller.delete(req, 1, 'key5') + def test_delete_no_admin(self): + self.stubs.Set(nova.db, 'instance_type_extra_specs_delete', + delete_flavor_extra_specs) + + req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' + + '/key5') + self.assertRaises(exception.NotAuthorized, self.controller.delete, + req, 1, 'key 5') + def test_create(self): self.stubs.Set(nova.db, 'instance_type_extra_specs_update_or_create', return_create_flavor_extra_specs) body = {"extra_specs": {"key1": "value1"}} - req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs') + req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs', + use_admin_context=True) res_dict = self.controller.create(req, 1, body) self.assertEqual('value1', res_dict['extra_specs']['key1']) - def test_create_empty_body(self): + def test_create_no_admin(self): self.stubs.Set(nova.db, 'instance_type_extra_specs_update_or_create', return_create_flavor_extra_specs) + body = {"extra_specs": {"key1": "value1"}} req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs') + self.assertRaises(exception.NotAuthorized, self.controller.create, + req, 1, body) + + def test_create_empty_body(self): + self.stubs.Set(nova.db, + 'instance_type_extra_specs_update_or_create', + return_create_flavor_extra_specs) + + req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs', + use_admin_context=True) self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create, req, 1, '') @@ -128,18 +150,29 @@ class FlavorsExtraSpecsTest(test.TestCase): body = {"key1": "value1"} req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' + - '/key1') + '/key1', use_admin_context=True) res_dict = self.controller.update(req, 1, 'key1', body) self.assertEqual('value1', res_dict['key1']) - def test_update_item_empty_body(self): + def test_update_item_no_admin(self): self.stubs.Set(nova.db, 'instance_type_extra_specs_update_or_create', return_create_flavor_extra_specs) + body = {"key1": "value1"} req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' + '/key1') + self.assertRaises(exception.NotAuthorized, self.controller.update, + req, 1, 'key1', body) + + def test_update_item_empty_body(self): + self.stubs.Set(nova.db, + 'instance_type_extra_specs_update_or_create', + return_create_flavor_extra_specs) + + req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' + + '/key1', use_admin_context=True) self.assertRaises(webob.exc.HTTPBadRequest, self.controller.update, req, 1, 'key1', '') @@ -150,7 +183,7 @@ class FlavorsExtraSpecsTest(test.TestCase): body = {"key1": "value1", "key2": "value2"} req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs' + - '/key1') + '/key1', use_admin_context=True) self.assertRaises(webob.exc.HTTPBadRequest, self.controller.update, req, 1, 'key1', body) @@ -160,7 +193,8 @@ class FlavorsExtraSpecsTest(test.TestCase): return_create_flavor_extra_specs) body = {"key1": "value1"} - req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs/bad') + req = fakes.HTTPRequest.blank('/v2/fake/flavors/1/os-extra_specs/bad', + use_admin_context=True) self.assertRaises(webob.exc.HTTPBadRequest, self.controller.update, req, 1, 'bad', body) diff --git a/nova/tests/fake_policy.py b/nova/tests/fake_policy.py index 43d9e72b3..3586551d8 100644 --- a/nova/tests/fake_policy.py +++ b/nova/tests/fake_policy.py @@ -126,7 +126,11 @@ policy_data = """ "compute_extension:flavor_rxtx": "", "compute_extension:flavor_swap": "", "compute_extension:flavorextradata": "", - "compute_extension:flavorextraspecs": "", + "compute_extension:flavorextraspecs:index": "", + "compute_extension:flavorextraspecs:show": "", + "compute_extension:flavorextraspecs:create": "is_admin:True", + "compute_extension:flavorextraspecs:update": "is_admin:True", + "compute_extension:flavorextraspecs:delete": "is_admin:True", "compute_extension:flavormanage": "", "compute_extension:floating_ip_dns": "", "compute_extension:floating_ip_pools": "", |