Merge "Add policy checking to nova.network.api.API"

3 files changed, 79 insertions, 11 deletions

diff --git a/nova/tests/fake_network.py b/nova/tests/fake_network.py
index 071990bd6..29bb793ce 100644
--- a/nova/tests/fake_network.py
+++ b/nova/tests/fake_network.py
@@ -15,6 +15,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import nova.context
 from nova import db
 from nova import exception
 from nova import flags
@@ -295,11 +296,9 @@ def fake_get_instance_nw_info(stubs, num_networks=1, ips_per_vif=2,
     stubs.Set(db, 'network_get', network_get_fake)
     stubs.Set(db, 'instance_info_cache_update', update_cache_fake)
 
-    class FakeContext(object):
-        def __init__(self):
-            self.project_id = 1
-
-    return network.get_instance_nw_info(FakeContext(), 0, 0, 0, None)
+    context = nova.context.RequestContext('testuser', 'testproject',
+                                          is_admin=False)
+    return network.get_instance_nw_info(context, 0, 0, 0, None)
 
 
 def stub_out_nw_api_get_instance_nw_info(stubs, func=None):
diff --git a/nova/tests/policy.json b/nova/tests/policy.json
index c96908fff..a12a84ab1 100644
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -88,5 +88,39 @@
     "volume:create_snapshot": [],
     "volume:delete_snapshot": [],
     "volume:get_snapshot": [],
-    "volume:get_all_snapshots": []
+    "volume:get_all_snapshots": [],
+
+
+    "network:get_all_networks": [],
+    "network:get_network": [],
+    "network:delete_network": [],
+    "network:disassociate_network": [],
+    "network:get_vifs_by_instance": [],
+    "network:allocate_for_instance": [],
+    "network:deallocate_for_instance": [],
+    "network:validate_networks": [],
+    "network:get_instance_uuids_by_ip_filter": [],
+
+    "network:get_floating_ip": [],
+    "network:get_floating_ip_pools": [],
+    "network:get_floating_ip_by_address": [],
+    "network:get_floating_ips_by_project": [],
+    "network:get_floating_ips_by_fixed_address": [],
+    "network:allocate_floating_ip": [],
+    "network:deallocate_floating_ip": [],
+    "network:associate_floating_ip": [],
+    "network:disassociate_floating_ip": [],
+
+    "network:get_fixed_ip": [],
+    "network:add_fixed_ip_to_instance": [],
+    "network:remove_fixed_ip_from_instance": [],
+    "network:add_network_to_project": [],
+    "network:get_instance_nw_info": [],
+
+    "network:get_dns_zones": [],
+    "network:add_dns_entry": [],
+    "network:modify_dns_entry": [],
+    "network:delete_dns_entry": [],
+    "network:get_dns_entries_by_address": [],
+    "network:get_dns_entries_by_name": []
 }
diff --git a/nova/tests/test_network.py b/nova/tests/test_network.py
index 8f8efc991..8b230376b 100644
--- a/nova/tests/test_network.py
+++ b/nova/tests/test_network.py
@@ -22,6 +22,7 @@ from nova import db
 from nova import exception
 from nova import flags
 from nova import log as logging
+import nova.policy
 from nova import rpc
 from nova import test
 from nova import utils
@@ -230,7 +231,7 @@ class FlatNetworkTestCase(test.TestCase):
         self.mox.ReplayAll()
 
         self.assertRaises(exception.FixedIpInvalid,
-                          self.network.validate_networks, None,
+                          self.network.validate_networks, self.context,
                           requested_networks)
 
     def test_validate_networks_empty_fixed_ip(self):
@@ -243,7 +244,7 @@ class FlatNetworkTestCase(test.TestCase):
 
         self.assertRaises(exception.FixedIpInvalid,
                           self.network.validate_networks,
-                          None, requested_networks)
+                          self.context, requested_networks)
 
     def test_validate_networks_none_fixed_ip(self):
         self.mox.StubOutWithMock(db, 'network_get_all_by_uuids')
@@ -253,7 +254,7 @@ class FlatNetworkTestCase(test.TestCase):
                                     mox.IgnoreArg()).AndReturn(networks)
         self.mox.ReplayAll()
 
-        self.network.validate_networks(None, requested_networks)
+        self.network.validate_networks(self.context, requested_networks)
 
     def test_add_fixed_ip_instance_without_vpn_requested_networks(self):
         self.mox.StubOutWithMock(db, 'network_get')
@@ -813,12 +814,17 @@ class VlanNetworkTestCase(test.TestCase):
 
 
 class CommonNetworkTestCase(test.TestCase):
+
+    def setUp(self):
+        super(CommonNetworkTestCase, self).setUp()
+        self.context = context.RequestContext('fake', 'fake')
+
     def fake_create_fixed_ips(self, context, network_id):
         return None
 
     def test_remove_fixed_ip_from_instance(self):
         manager = fake_network.FakeNetworkManager()
-        manager.remove_fixed_ip_from_instance(None, 99, '10.0.0.1')
+        manager.remove_fixed_ip_from_instance(self.context, 99, '10.0.0.1')
 
         self.assertEquals(manager.deallocate_called, '10.0.0.1')
 
@@ -826,7 +832,7 @@ class CommonNetworkTestCase(test.TestCase):
         manager = fake_network.FakeNetworkManager()
         self.assertRaises(exception.FixedIpNotFoundForSpecificInstance,
                           manager.remove_fixed_ip_from_instance,
-                          None, 99, 'bad input')
+                          self.context, 99, 'bad input')
 
     def test_validate_cidrs(self):
         manager = fake_network.FakeNetworkManager()
@@ -1320,3 +1326,32 @@ class FloatingIPTestCase(test.TestCase):
         self.assertRaises(exception.NotFound,
                           self.network.delete_dns_entry, self.context,
                           name1, zone)
+
+
+class NetworkPolicyTestCase(test.TestCase):
+    def setUp(self):
+        super(NetworkPolicyTestCase, self).setUp()
+
+        nova.policy.reset()
+        nova.policy.init()
+
+        self.context = context.get_admin_context()
+
+    def tearDown(self):
+        super(NetworkPolicyTestCase, self).tearDown()
+        nova.policy.reset()
+
+    def _set_rules(self, rules):
+        nova.common.policy.set_brain(nova.common.policy.HttpBrain(rules))
+
+    def test_check_policy(self):
+        self.mox.StubOutWithMock(nova.policy, 'enforce')
+        target = {
+            'project_id': self.context.project_id,
+            'user_id': self.context.user_id,
+        }
+        nova.policy.enforce(self.context, 'network:get_all', target)
+        self.mox.ReplayAll()
+        network_manager.check_policy(self.context, 'get_all')
+        self.mox.UnsetStubs()
+        self.mox.VerifyAll()