From 393738860481119a2089d0acbb090611f7ba5bb3 Mon Sep 17 00:00:00 2001
From: Andrew Laski
Date: Wed, 30 Jan 2013 16:25:25 -0500
Subject: Extend extension_authorizer to enable cleaner code.

I have seen and used two different methods for authorizing multiple methods in a class, and both use code duplication that won't be necessary with this patch. The first method involves creating multiple authorizers, which can get out of hand quickly. i.e.: authorize_attach_index = extensions.extension_authorizer('compute', 'volume_attachments:index') authorize_attach_show = extensions.extension_authorizer('compute', 'volume_attachments:show') The second method involves creating an intermediate method in the extension like: def authorize(context, action_name): action = 'os-networksv2:%s' % action_name extensions.extension_authorizer('compute', action)(context) but this ends up getting duplicated in each file. This patch allows extensions to use the authorizers they already have but gives them finer control by passing something like "action='index'" to the authorizer.

Change-Id: I6371b2c631acc9345ee6ca4672afa1f49781f22b
---
 nova/api/openstack/extensions.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/nova/api/openstack/extensions.py b/nova/api/openstack/extensions.py
index a94065ab0..94ce76ec7 100644
--- a/nova/api/openstack/extensions.py
+++ b/nova/api/openstack/extensions.py
@@ -386,12 +386,15 @@ def load_standard_extensions(ext_mgr, logger, path, package, ext_list=None):
 def extension_authorizer(api_name, extension_name):
- def authorize(context, target=None):
+ def authorize(context, target=None, action=None):
 if target is None:
 target = {'project_id': context.project_id,
 'user_id': context.user_id}
- action = '%s_extension:%s' % (api_name, extension_name)
- nova.policy.enforce(context, action, target)
+ if action is None:
+ act = '%s_extension:%s' % (api_name, extension_name)
+ else:
+ act = '%s_extension:%s:%s' % (api_name, extension_name, action)
+ nova.policy.enforce(context, act, target)
 return authorize
-- cgit
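Review bot: When `action` is passed, `authorize` enforces only the suffixed rule `'%s_extension:%s:%s'` and never consults the base `'%s_extension:%s'` rule, so a deployment whose policy file restricts just the base rule depends on how `nova.policy.enforce` treats a rule name it has no entry for. That lookup is outside this hunk; if an unknown rule falls back to a default, a call site that switches to `action='index'` could quietly relax an operator's existing restriction. I would add a docstring on `authorize` stating this, e.g. `"""Enforce <api>_extension:<ext>[:<action>]; with action set only the suffixed rule is checked, so it must be defined in policy."""`, and ship the matching policy entries together with each call site that starts passing `action`. Since `action` becomes part of the rule name, the docstring should also say it is meant to be a literal chosen by the extension, never a value taken from the request.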