authorAndrew Laski <andrew.laski@rackspace.com>2014-03-20 19:04:09 -0400
committerAndrew Laski <andrew.laski@rackspace.com>2014-04-09 12:53:25 -0400
commit87f57c0a2cc00a70edc87c5dc10bdefb6c01587b (patch)
treeecedce1ba17388a73754f4159a690738d76e799f
parent237b517e75e0a0e3e153923255aea3c555af289a (diff)
Add RBAC policy for ec2 API security groups calls2014.1.rc22014.1
The revoke_security_group_ingress, revoke_security_group_ingress, and delete_security_group calls in the ec2 API were not restricted by policy checks. This prevented a deployer from restricting their usage via roles or other checks. Checks have been added for these calls. Closes-Bug: #1290537 Change-Id: I4bf681bedd68ed2216b429d34db735823e0a6189 (cherry picked from commit d4056f8723cc6cefb28ff6e5a7c0df5ea77f82ef)
-rw-r--r--nova/api/ec2/cloud.py9
-rw-r--r--nova/tests/api/ec2/test_cloud.py43
2 files changed, 52 insertions, 0 deletions
diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 64f18ac6c7..6bc899d7a7 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -622,6 +622,9 @@ class CloudController(object):
security_group = self.security_group_api.get(context, group_name,
group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
prevalues = kwargs.get('ip_permissions', [kwargs])
rule_ids = []
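Review bot: The new `extensions.check_compute_policy(...)` call sits after `self.security_group_api.get(...)`, so a failed lookup (for example an unknown group name or id) is reported to the caller before the policy is consulted; the ordering is presumably deliberate, since a rule such as `project_id:%(project_id)s` needs the fetched group as its target, but nothing in the code says so and a later refactor could move the check without noticing the dependency. Suggest preceding the call with `# Policy target is the fetched group so project-scoped rules can match its project_id; lookup errors therefore surface before the authorization check.` The identical three lines are added in the two following cloud.py hunks (the revoke and delete paths), and the same comment applies there. All three enclosing methods begin outside their hunks, so whether any earlier check guards the lookup itself is not visible here.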
@@ -656,6 +659,9 @@ class CloudController(object):
security_group = self.security_group_api.get(context, group_name,
group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
prevalues = kwargs.get('ip_permissions', [kwargs])
postvalues = []
for values in prevalues:
@@ -728,6 +734,9 @@ class CloudController(object):
security_group = self.security_group_api.get(context, group_name,
group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
self.security_group_api.destroy(context, security_group)
return True
diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
index f34195ea3c..0abd0252d8 100644
--- a/nova/tests/api/ec2/test_cloud.py
+++ b/nova/tests/api/ec2/test_cloud.py
@@ -21,6 +21,7 @@ import copy
import datetime
import functools
import iso8601
+import mock
import os
import string
import tempfile
@@ -481,6 +482,34 @@ class CloudTestCase(test.TestCase):
delete = self.cloud.delete_security_group
self.assertRaises(exception.MissingParameter, delete, self.context)
+ def test_delete_security_group_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.delete_security_group, self.context,
+ 'fake-name', 'fake-id')
+
+ def test_authorize_security_group_ingress_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.authorize_security_group_ingress, self.context,
+ 'fake-name', 'fake-id')
+
def test_authorize_security_group_ingress(self):
kwargs = {'project_id': self.context.project_id, 'name': 'test'}
sec = db.security_group_create(self.context, kwargs)
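Review bot: `common_policy.set_rules(rules)` in both new tests replaces the module-wide policy rules and nothing in the hunk restores them afterwards; unless the test base class resets policy between tests (not visible here), the `project_id:%(project_id)s` rule leaks into later tests in this module. Confirm the fixture does this, or register a cleanup via `self.addCleanup(...)` that restores the previous rules. The rule construction and the `mock.patch.object(self.cloud.security_group_api, 'get')` block are repeated verbatim in both tests and again in the `test_revoke_security_group_ingress_policy_not_allowed` hunk below; a small helper such as `_deny_security_group_policy(self)` would remove the duplication. The tests also exercise only the denied path; a companion case where the mocked group carries `self.context.project_id` would show the new check does not reject legitimate callers.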
@@ -585,6 +614,20 @@ class CloudTestCase(test.TestCase):
db.security_group_destroy(self.context, sec2['id'])
db.security_group_destroy(self.context, sec1['id'])
+ def test_revoke_security_group_ingress_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.revoke_security_group_ingress, self.context,
+ 'fake-name', 'fake-id')
+
def test_revoke_security_group_ingress(self):
kwargs = {'project_id': self.context.project_id, 'name': 'test'}
sec = db.security_group_create(self.context, kwargs)