Merge "Move policy enforcement into REST API layer for v2.1 api attac…

…h_interfaces"

nova/api/openstack/compute/plugins/v3/attach_interfaces.py

@@ -30,8 +30,7 @@
 
 
 ALIAS = 'os-attach-interfaces'
-authorize = extensions.extension_authorizer('compute',
-                                            'v3:' + ALIAS)
+authorize = extensions.os_compute_authorizer(ALIAS)
 
 
 def _translate_interface_attachment_view(port_info):
@@ -49,8 +48,8 @@ class InterfaceAttachmentController(wsgi.Controller):
     """The interface attachment API controller for the OpenStack API."""
 
     def __init__(self):
-        self.compute_api = compute.API()
-        self.network_api = network.API()
+        self.compute_api = compute.API(skip_policy_check=True)
+        self.network_api = network.API(skip_policy_check=True)
         super(InterfaceAttachmentController, self).__init__()
 
     @extensions.expected_errors((404, 501))

nova/tests/unit/api/openstack/compute/contrib/test_attach_interfaces.py

@@ -427,3 +427,46 @@ def test_attach_interface_instance_with_non_uuid_port_id(self):
 
     def test_attach_interface_instance_with_non_array_fixed_ips(self):
         pass
+
+
+class AttachInterfacesPolicyEnforcementv21(test.NoDBTestCase):
+
+    def setUp(self):
+        super(AttachInterfacesPolicyEnforcementv21, self).setUp()
+        self.controller = \
+            attach_interfaces_v21.InterfaceAttachmentController()
+        self.req = fakes.HTTPRequest.blank('')
+        self.rule_name = "compute_extension:v3:os-attach-interfaces"
+        self.policy.set_rules({self.rule_name: "project:non_fake"})
+
+    def test_index_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.index, self.req, fakes.FAKE_UUID)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())
+
+    def test_show_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.show, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())
+
+    def test_create_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.create, self.req, fakes.FAKE_UUID, body={})
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())
+
+    def test_delete_attach_interfaces_policy_failed(self):
+        exc = self.assertRaises(
+            exception.PolicyNotAuthorized,
+            self.controller.delete, self.req, fakes.FAKE_UUID, FAKE_PORT_ID1)
+        self.assertEqual(
+            "Policy doesn't allow %s to be performed." % self.rule_name,
+            exc.format_message())