Allows nova to read files as root

 * Adds a rootwrap filter to limit readable files
 * Adds a utils method to read a file as root
 * adds tests to verify the additions work

Change-Id: Ic1ffb6f72f9b73795d5f39fac719842e6bdf16dd

2 files changed, 21 insertions, 0 deletions

diff --git a/nova/tests/test_nova_rootwrap.py b/nova/tests/test_nova_rootwrap.py
index 4dc476615..38cce3b35 100644
--- a/nova/tests/test_nova_rootwrap.py
+++ b/nova/tests/test_nova_rootwrap.py
@@ -93,6 +93,15 @@ class RootwrapTestCase(test.TestCase):
         # Providing -9 signal should work
         self.assertTrue(f.match(usercmd))
 
+    def test_ReadFileFilter(self):
+        goodfn = '/good/file.name'
+        f = filters.ReadFileFilter(goodfn)
+        usercmd = ['cat', '/bad/file']
+        self.assertFalse(f.match(['cat', '/bad/file']))
+        usercmd = ['cat', goodfn]
+        self.assertEqual(f.get_command(usercmd), ['/bin/cat', goodfn])
+        self.assertTrue(f.match(usercmd))
+
     def test_skips(self):
         # Check that all filters are skipped and that the last matches
         usercmd = ["cat", "/"]
diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
index 6c6e6fcd8..5da717bee 100644
--- a/nova/tests/test_utils.py
+++ b/nova/tests/test_utils.py
@@ -382,6 +382,18 @@ class GenericUtilsTestCase(test.TestCase):
         self.assertTrue([c for c in password
                          if c in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'])
 
+    def test_read_file_as_root(self):
+        def fake_execute(*args, **kwargs):
+            if args[1] == 'bad':
+                raise exception.ProcessExecutionError
+            return 'fakecontents', None
+
+        self.stubs.Set(utils, 'execute', fake_execute)
+        contents = utils.read_file_as_root('good')
+        self.assertEqual(contents, 'fakecontents')
+        self.assertRaises(exception.FileNotFound,
+                          utils.read_file_as_root, 'bad')
+
 
 class IsUUIDLikeTestCase(test.TestCase):
     def assertUUIDLike(self, val, expected):