From a043978419c600ee1e93baa0b83879e2c45c13f8 Mon Sep 17 00:00:00 2001
From: Brian Waldon
Date: Tue, 24 Jan 2012 15:01:21 -0800
Subject: Add authorization checks to flavormanage extension
Relates to bp separate-nova-adminapi
Change-Id: I69a851893b96ccbc2653716584bb3c3c0b0f3afa
---
 etc/nova/policy.json | 1 +
 nova/api/openstack/compute/contrib/flavormanage.py | 17 ++++++---------
 .../compute/contrib/test_flavor_manage.py | 24 +++-------------------
 nova/tests/policy.json | 1 +
 4 files changed, 11 insertions(+), 32 deletions(-)
diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index d63934994..f098a1572 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -21,6 +21,7 @@
 "compute_extension:disk_config": [],
 "compute_extension:extended_status": [["rule:admin_api"]],
 "compute_extension:flavorextraspecs": [],
+ "compute_extension:flavormanage": [["rule:admin_api"]],
 "compute_extension:floating_ip_dns": [],
 "compute_extension:floating_ip_pools": [],
 "compute_extension:floating_ips": [],
diff --git a/nova/api/openstack/compute/contrib/flavormanage.py b/nova/api/openstack/compute/contrib/flavormanage.py
index 604f40766..d1dcee458 100644
--- a/nova/api/openstack/compute/contrib/flavormanage.py
+++ b/nova/api/openstack/compute/contrib/flavormanage.py
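Review bot: The new `"compute_extension:flavormanage": [["rule:admin_api"]]` entry only protects deployments whose policy.json actually carries it, and nothing on this page shows what the authorizer does when the key is absent. Before this commit the admin check was hard-coded in the controller, so an operator who upgrades the code but keeps an older policy file now depends on the policy engine's fallback for flavor create and delete. It is worth confirming that a missing rule is denied or falls back to an admin-only default. Since JSON has no comment syntax, the place to record this is the upgrade notes, for example `Flavor create/delete are now governed by the compute_extension:flavormanage policy rule; add it to existing policy.json files.`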
@@ -12,20 +12,19 @@
 # License for the specific language governing permissions and limitations
 # under the License
-import urlparse
-
 import webob
-from nova.api.openstack import extensions
-from nova.api.openstack import wsgi
 from nova.api.openstack.compute import flavors as flavors_api
 from nova.api.openstack.compute.views import flavors as flavors_view
+from nova.api.openstack import extensions
+from nova.api.openstack import wsgi
 from nova.compute import instance_types
-from nova import log as logging
 from nova import exception
+from nova import log as logging
 LOG = logging.getLogger('nova.api.openstack.compute.contrib.flavormanage')
+authorize = extensions.extension_authorizer('compute', 'flavormanage')
 class FlavorManageController(wsgi.Controller):
@@ -40,9 +39,7 @@ class FlavorManageController(wsgi.Controller):
 @wsgi.action("delete")
 def _delete(self, req, id):
 context = req.environ['nova.context']
-
- if not context.is_admin:
- return webob.Response(status_int=403)
+ authorize(context)
 try:
 flavor = instance_types.get_instance_type_by_flavor_id(id)
@@ -57,9 +54,7 @@ class FlavorManageController(wsgi.Controller):
 @wsgi.serializers(xml=flavors_api.FlavorTemplate)
 def _create(self, req, body):
 context = req.environ['nova.context']
-
- if not context.is_admin:
- return webob.Response(status_int=403)
+ authorize(context)
 vals = body['flavor']
 name = vals['name']
diff --git a/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py b/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py
index 1346e63d6..432632458 100644
--- a/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py
+++ b/nova/tests/api/openstack/compute/contrib/test_flavor_manage.py
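Review bot: `authorize(context)` in `_delete` (and the identical call in `_create` in the following hunk) changes the denial path from returning `webob.Response(status_int=403)` to whatever the authorizer raises, and neither hunk carries a comment or docstring saying so. Presumably the policy layer raises an exception that the API fault handling turns into a 403, but that mapping is not visible here and should be confirmed so a denied caller does not surface as a 500. Keeping the call as the first statement after the context lookup is right, because it runs before `get_instance_type_by_flavor_id(id)` and a denied caller therefore learns nothing about which flavor ids exist. A short comment such as `# Policy check first: raises if 'compute_extension:flavormanage' denies this context.` would help keep it there. Both method bodies continue outside their hunks.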
@@ -85,23 +85,14 @@ class FlavorManageTest(test.TestCase):
 super(FlavorManageTest, self).tearDown()
 def test_delete(self):
- req = fakes.HTTPRequest.blank(
- '/v2/123/flavor/delete/1234',
- use_admin_context=True)
-
+ req = fakes.HTTPRequest.blank('/v2/123/flavors/1234')
 res = self.controller._delete(req, id)
 self.assertEqual(res.status_int, 202)
+ # subsequent delete should fail
 self.assertRaises(webob.exc.HTTPNotFound, self.controller._delete, req, "failtest")
- req = fakes.HTTPRequest.blank(
- '/v2/123/flavor/delete/1234',
- use_admin_context=False)
-
- res = self.controller._delete(req, id)
- self.assertEqual(res.status_int, 403)
-
 def test_create(self):
 body = {
 "flavor": {
@@ -115,16 +106,7 @@ class FlavorManageTest(test.TestCase):
 }
 }
- req = fakes.HTTPRequest.blank(
- '/v2/123/flavor/create/',
- use_admin_context=True)
-
+ req = fakes.HTTPRequest.blank('/v2/123/flavors')
 res = self.controller._create(req, body)
 for key in body["flavor"]:
 self.assertEquals(res["flavor"][key], body["flavor"][key])
-
- req = fakes.HTTPRequest.blank(
- '/v2/123/flavor/create/',
- use_admin_context=False)
- res = self.controller._create(req, body)
- self.assertEqual(res.status_int, 403)
diff --git a/nova/tests/policy.json b/nova/tests/policy.json
index 737e98f68..7b4314c3c 100644
--- a/nova/tests/policy.json
+++ b/nova/tests/policy.json
@@ -80,6 +80,7 @@
 "compute_extension:disk_config": [],
 "compute_extension:extended_status": [],
 "compute_extension:flavorextraspecs": [],
+ "compute_extension:flavormanage": [],
 "compute_extension:floating_ip_dns": [],
 "compute_extension:floating_ip_pools": [],
 "compute_extension:floating_ips": [],
-- cgit
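Review bot: Both tests lose their only denial assertions and nothing replaces them: the `use_admin_context=False` requests expecting `403` are deleted from `test_delete` in this hunk and from `test_create` in the next one. Together with the `nova/tests/policy.json` hunk below, which sets `"compute_extension:flavormanage": []`, the suite appears to pass whether or not `authorize(context)` is ever called, so a later change that drops the check would go unnoticed. I would add one negative test per action that installs an admin-only rule for `compute_extension:flavormanage` and issues the request with a non-admin context. Each should assert that the call is rejected and that no flavor was created or deleted. `test_create` starts before its second hunk, so its fixture setup is not fully visible here.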