Merge "Fix unpause server policy to be admin_or_owner"

2020-04-01 17:09:32 +00:00 · 2020-04-01 17:09:32 +00:00 · 6e8af0a374
parent 32a857722f cd0b96176a
commit 6e8af0a374
2 changed files with 8 additions and 2 deletions
--- a/nova/api/openstack/compute/pause_server.py
+++ b/nova/api/openstack/compute/pause_server.py
@ -55,8 +55,9 @@ class PauseServerController(wsgi.Controller):
    def _unpause(self, req, id, body):
        """Permit Admins to unpause the server."""
        ctxt = req.environ['nova.context']
-        ctxt.can(ps_policies.POLICY_ROOT % 'unpause')
        server = common.get_instance(self.compute_api, ctxt, id)
+        ctxt.can(ps_policies.POLICY_ROOT % 'unpause',
+                 target={'project_id': server.project_id})
        try:
            self.compute_api.unpause(ctxt, server)
        except exception.InstanceIsLocked as e:
--- a/nova/tests/unit/api/openstack/compute/test_pause_server.py
+++ b/nova/tests/unit/api/openstack/compute/test_pause_server.py
@ -114,7 +114,12 @@ class PauseServerPolicyEnforcementV21(test.NoDBTestCase):
        pause_mock.assert_called_once_with(self.req.environ['nova.context'],
                                          instance)

-    def test_unpause_policy_failed(self):
+    @mock.patch('nova.api.openstack.common.get_instance')
+    def test_unpause_policy_failed(self, get_instance_mock):
+        instance = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            user_id=self.req.environ['nova.context'].user_id)
+        get_instance_mock.return_value = instance
        rule_name = "os_compute_api:os-pause-server:unpause"
        self.policy.set_rules({rule_name: "project:non_fake"})
        exc = self.assertRaises(