Add a policy handler to control copy-from functionality

This patch adds the ability to set a policy handler to control what users can use the 'copy_from' feature in the v1 API. Fixes bug: 1153614 Change-Id: Ie194979a2aa66c9327bf14d7a85ead6f773a6079
openstack · Mar 28, 2013 · b1ac90f · b1ac90f
1 parent cc6ce4a
commit b1ac90f
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
@@ -683,6 +683,8 @@ def create(self, req, image_meta, image_data):
         is_public = image_meta.get('is_public')
         if is_public:
             self._enforce(req, 'publicize_image')
+        if Controller._copy_from(req):
+            self._enforce(req, 'copy_from')
 
         image_meta = self._reserve(req, image_meta)
         id = image_meta['id']

diff --git a/glance/tests/unit/v1/test_api.py b/glance/tests/unit/v1/test_api.py
@@ -2363,6 +2363,44 @@ def test_add_publicize_image_authorized(self):
         res = req.get_response(self.api)
         self.assertEquals(res.status_int, httplib.CREATED)
 
+    def test_add_copy_from_image_unauthorized(self):
+        rules = {"add_image": '@', "copy_from": '!'}
+        self.set_policy_rules(rules)
+        fixture_headers = {'x-image-meta-store': 'file',
+                           'x-image-meta-disk-format': 'vhd',
+                           'x-glance-api-copy-from': 'http://glance.com/i.ovf',
+                           'x-image-meta-container-format': 'ovf',
+                           'x-image-meta-name': 'fake image #F'}
+
+        req = webob.Request.blank("/images")
+        req.method = 'POST'
+        for k, v in fixture_headers.iteritems():
+            req.headers[k] = v
+
+        req.headers['Content-Type'] = 'application/octet-stream'
+        req.body = "chunk00000remainder"
+        res = req.get_response(self.api)
+        self.assertEquals(res.status_int, 403)
+
+    def test_add_copy_from_image_authorized(self):
+        rules = {"add_image": '@', "copy_from": '@'}
+        self.set_policy_rules(rules)
+        fixture_headers = {'x-image-meta-store': 'file',
+                           'x-image-meta-disk-format': 'vhd',
+                           'x-glance-api-copy-from': 'http://glance.com/i.ovf',
+                           'x-image-meta-container-format': 'ovf',
+                           'x-image-meta-name': 'fake image #F'}
+
+        req = webob.Request.blank("/images")
+        req.method = 'POST'
+        for k, v in fixture_headers.iteritems():
+            req.headers[k] = v
+
+        req.headers['Content-Type'] = 'application/octet-stream'
+        req.body = "chunk00000remainder"
+        res = req.get_response(self.api)
+        self.assertEquals(res.status_int, httplib.CREATED)
+
     def _do_test_post_image_content_missing_format(self, missing):
         """Tests creation of an image with missing format"""
         fixture_headers = {'x-image-meta-store': 'file',