Prevent admin role leak in context.elevated

context.elevated was creating a copy of the current context then adding 'admin' to the roles of that context. This should be a deepcopy, otherwise 'admin' is added to the original context too. Change-Id: I8ab00c88a8e76a14fb9f4ae96dfdb5f018fc2d0f Closes-bug: 1386932
openstack · Nov 24, 2014 · 06e2319 · 06e2319
1 parent 8456b90
commit 06e2319
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/nova/context.py b/nova/context.py
@@ -179,7 +179,7 @@ def from_dict(cls, values):
 
     def elevated(self, read_deleted=None, overwrite=False):
         """Return a version of this context with admin flag set."""
-        context = copy.copy(self)
+        context = copy.deepcopy(self)
         context.is_admin = True
 
         if 'admin' not in context.roles:

diff --git a/nova/tests/unit/test_context.py b/nova/tests/unit/test_context.py
@@ -18,6 +18,17 @@
 
 class ContextTestCase(test.NoDBTestCase):
 
+    def test_request_context_elevated(self):
+        user_ctxt = context.RequestContext('111',
+                                           '222',
+                                           admin=False)
+        self.assertFalse(user_ctxt.is_admin)
+        admin_ctxt = user_ctxt.elevated()
+        self.assertTrue(admin_ctxt.is_admin)
+        self.assertIn('admin', admin_ctxt.roles)
+        self.assertFalse(user_ctxt.is_admin)
+        self.assertNotIn('admin', user_ctxt.roles)
+
     def test_request_context_sets_is_admin(self):
         ctxt = context.RequestContext('111',
                                       '222',