diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py
index 64f18ac6c7a5..6bc899d7a717 100644
--- a/nova/api/ec2/cloud.py
+++ b/nova/api/ec2/cloud.py
@@ -622,6 +622,9 @@ class CloudController(object):
 security_group = self.security_group_api.get(context, group_name, group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
 prevalues = kwargs.get('ip_permissions', [kwargs])
 rule_ids = []
@@ -656,6 +659,9 @@ class CloudController(object):
 security_group = self.security_group_api.get(context, group_name, group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
 prevalues = kwargs.get('ip_permissions', [kwargs])
 postvalues = []
 for values in prevalues:
@@ -728,6 +734,9 @@ class CloudController(object):
 security_group = self.security_group_api.get(context, group_name, group_id)
+ extensions.check_compute_policy(context, 'security_groups',
+ security_group, 'compute_extension')
+
 self.security_group_api.destroy(context, security_group)
 return True
diff --git a/nova/tests/api/ec2/test_cloud.py b/nova/tests/api/ec2/test_cloud.py
index f34195ea3c09..0abd0252d8f4 100644
--- a/nova/tests/api/ec2/test_cloud.py
+++ b/nova/tests/api/ec2/test_cloud.py
@@ -21,6 +21,7 @@ import copy
 import datetime
 import functools
 import iso8601
+import mock
 import os
 import string
 import tempfile
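Review bot: The new `extensions.check_compute_policy(...)` call in authorize_security_group_ingress relies on `extensions` being in scope in cloud.py, but this diff adds no import for it; if `from nova.api.openstack import extensions` is not already at the top of the module the call raises NameError at runtime, so confirm the import exists before merging. The identical three-line check is repeated in the revoke hunk (@@ -656) and the delete hunk (@@ -728); a single private helper on the controller, `def _check_security_group_policy(self, context, security_group):` wrapping the call, keeps the three call sites in step if the policy key or target ever changes. The enclosing method bodies start and end outside the hunks.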
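Review bot: In delete_security_group (@@ -728) the policy check runs only after `self.security_group_api.get(...)` has resolved the group, so a caller that fails the policy still learns whether a given name or id exists (NotFound versus PolicyNotAuthorized); this ordering is probably unavoidable because the rule needs the group's `project_id` as its target, but it deserves a comment such as `# policy target needs the group record, so lookup precedes the check` so the trade-off is explicit. The target handed to the check is the raw dict returned by security_group_api, and the new tests only exercise a `project_id` key; whether every security_group_api backend returns the same key should be confirmed, otherwise a `project_id:%(project_id)s` rule cannot match and the outcome falls back to the default rule. Other security-group operations in this controller are outside the diff; whether they need the same gate is worth a separate pass.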
@@ -481,6 +482,34 @@ class CloudTestCase(test.TestCase):
 delete = self.cloud.delete_security_group
 self.assertRaises(exception.MissingParameter, delete, self.context)
+ def test_delete_security_group_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.delete_security_group, self.context,
+ 'fake-name', 'fake-id')
+
+ def test_authorize_security_group_ingress_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.authorize_security_group_ingress, self.context,
+ 'fake-name', 'fake-id')
+
 def test_authorize_security_group_ingress(self):
 kwargs = {'project_id': self.context.project_id, 'name': 'test'}
 sec = db.security_group_create(self.context, kwargs)
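Review bot: Both new tests assert only the deny path; there is no companion test showing that a group whose `project_id` matches `self.context.project_id` still passes `compute_extension:security_groups` under the same rule, so a regression that makes the new check raise unconditionally would go unnoticed. `common_policy.set_rules(rules)` replaces module-level policy state and neither test restores it; if the base `test.TestCase` does not reset policy between tests this leaks into later tests in the module — confirm, or register a cleanup. The rule setup and the `mock.patch.object(self.cloud.security_group_api, 'get')` block are repeated verbatim in the revoke test (@@ -585) as well; a small helper such as `def _deny_security_group_policy(self):` that installs the rule and returns the patch would cut the three copies to one.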
@@ -585,6 +614,20 @@ class CloudTestCase(test.TestCase):
 db.security_group_destroy(self.context, sec2['id'])
 db.security_group_destroy(self.context, sec1['id'])
+ def test_revoke_security_group_ingress_policy_not_allowed(self):
+ rules = common_policy.Rules(
+ {'compute_extension:security_groups':
+ common_policy.parse_rule('project_id:%(project_id)s')})
+ common_policy.set_rules(rules)
+
+ with mock.patch.object(self.cloud.security_group_api,
+ 'get') as get:
+ get.return_value = {'project_id': 'invalid'}
+
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.cloud.revoke_security_group_ingress, self.context,
+ 'fake-name', 'fake-id')
+
 def test_revoke_security_group_ingress(self):
 kwargs = {'project_id': self.context.project_id, 'name': 'test'}
 sec = db.security_group_create(self.context, kwargs)
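Review bot: test_revoke_security_group_ingress_policy_not_allowed checks only that PolicyNotAuthorized is raised, not that the denial came from the new check: it never verifies that the patched `get` was consulted with the supplied identifiers, so any PolicyNotAuthorized raised earlier in revoke_security_group_ingress would also satisfy the test. Adding `get.assert_called_once_with(self.context, 'fake-name', 'fake-id')` after the assertRaises pins the path, assuming the two positional arguments map to group_name and group_id in the controller signature, which is outside the hunk. It would also be worth asserting that no other method on `self.cloud.security_group_api` was invoked, so the test documents that the rule-revoking call is never reached when the policy denies.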