Merge "Fix target used in nova.policy.check_is_admin"

nova/context.py

@@ -251,8 +251,7 @@ class RequestContext(context.RequestContext):
             authorized and False if not authorized and fatal is False.
         """
         if target is None:
-            target = {'project_id': self.project_id,
-                      'user_id': self.user_id}
+            target = self.default_target()
 
         try:
             return policy.authorize(self, action, target)
@@ -261,6 +260,9 @@ class RequestContext(context.RequestContext):
                 raise
             return False
 
+    def default_target(self):
+        return {'project_id': self.project_id, 'user_id': self.user_id}
+
     def to_policy_values(self):
         policy = super(RequestContext, self).to_policy_values()
         policy['is_admin'] = self.is_admin

nova/policy.py

@@ -176,7 +176,7 @@ def check_is_admin(context):
     init()
     # the target is user-self
     credentials = context.to_policy_values()
-    target = credentials
+    target = context.default_target()
     return _ENFORCER.authorize('context_is_admin', target, credentials)
 
 

nova/tests/unit/test_policy.py

@@ -243,6 +243,17 @@ class IsAdminCheckTestCase(test.NoDBTestCase):
         self.assertTrue(check('target', dict(is_admin=False),
                               policy._ENFORCER))
 
+    def test_check_is_admin(self):
+        ctxt = context.RequestContext(
+            user_id='fake-user', project_id='fake-project')
+        with mock.patch('oslo_policy.policy.Enforcer.authorize') as mock_auth:
+            result = policy.check_is_admin(ctxt)
+        self.assertEqual(mock_auth.return_value, result)
+        mock_auth.assert_called_once_with(
+            'context_is_admin',
+            {'user_id': 'fake-user', 'project_id': 'fake-project'},
+            ctxt.to_policy_values())
+
 
 class AdminRolePolicyTestCase(test.NoDBTestCase):
     def setUp(self):