diff --git a/zun/api/controllers/v1/views/capsules_view.py b/zun/api/controllers/v1/views/capsules_view.py
index d11e54da6..a2b1ba8a2 100644
--- a/zun/api/controllers/v1/views/capsules_view.py
+++ b/zun/api/controllers/v1/views/capsules_view.py
@@ -16,6 +16,7 @@ import itertools
 
 from zun.api.controllers import link
 from zun.api.controllers.v1.views import containers_view
+from zun.common.policies import capsule as policies
 
 
 _basic_keys = (
@@ -41,6 +42,10 @@ def format_capsule(url, capsule, context, legacy_api_version=False):
     def transform(key, value):
         if key not in _basic_keys:
             return
+        # strip the key if it is not allowed by policy
+        policy_action = policies.CAPSULE % ('get:%s' % key)
+        if not context.can(policy_action, fatal=False, might_not_exist=True):
+            return
         if key == 'uuid':
             yield ('uuid', value)
             yield ('links', [link.make_link(
diff --git a/zun/common/policies/capsule.py b/zun/common/policies/capsule.py
index 623015a85..a2d816b86 100644
--- a/zun/common/policies/capsule.py
+++ b/zun/common/policies/capsule.py
@@ -76,6 +76,28 @@ rules = [
     # FIXME(lbragstad): This API call isn't actually listed in zun's API
     # reference:
     # https://developer.openstack.org/api-ref/application-container/
+    policy.DocumentedRuleDefault(
+        name=CAPSULE % 'get:host',
+        check_str=base.RULE_ADMIN_API,
+        description='Retrieve the host field of a capsule.',
+        operations=[
+            {
+                'path': '/v1/capsules/{capsule_ident}',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/capsules',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/capsules',
+                'method': 'POST'
+            },
+        ]
+    ),
+    # FIXME(lbragstad): This API call isn't actually listed in zun's API
+    # reference:
+    # https://developer.openstack.org/api-ref/application-container/
     policy.DocumentedRuleDefault(
         name=CAPSULE % 'get_one_all_projects',
         check_str=base.RULE_ADMIN_API,
diff --git a/zun/common/policies/container.py b/zun/common/policies/container.py
index 0f31f60ea..23306337f 100644
--- a/zun/common/policies/container.py
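Review bot: The new check in transform() fails open: `context.can(policy_action, fatal=False, might_not_exist=True)` is consulted for `get:<key>` on every key in _basic_keys, and `might_not_exist=True` presumably treats an unregistered rule as allowed (otherwise every other basic key would disappear from the response), so the only field actually gated is the one whose rule is registered under exactly that name (`get:host` in capsule.py). Any drift between the view's `'get:%s'` template and a rule name therefore silently exposes the field with nothing failing, and this diff adds no test for the capsule view at all. I'd add a unit test that formats a capsule under a non-admin context and asserts `host` is absent, plus one under an admin context asserting it is present, and put a comment on the `might_not_exist=True` line such as `# keys without a registered get:<key> rule stay visible on purpose`. format_capsule and transform continue outside the hunk.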
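Review bot: The new rule is named `get:host` while the three rules added in the container.py hunk use `get_one:<field>` (`get_one:image_pull_policy`, `get_one:privileged`, `get_one:runtime`); because the capsule view derives the name from the template `'get:%s'`, each policy module's field rules are coupled to one view template and a renamed rule un-gates the field without any error, so a comment next to each rule naming the view template it must match (e.g. `# name must match the 'get:%s' template in capsules_view.transform`) would help. Separately, the description `'Retrieve the host field of a capsule.'` is listed against POST /v1/capsules, which reads as though the rule gated setting the field; rewording it to say the rule controls whether `host` is included in the response body of these operations would be clearer, and the same applies to the three descriptions in the container.py hunk. The rules list continues outside the hunk on both sides.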
+++ b/zun/common/policies/container.py
@@ -131,6 +131,75 @@ rules = [
             }
         ]
     ),
+    policy.DocumentedRuleDefault(
+        name=CONTAINER % 'get_one:image_pull_policy',
+        check_str=base.RULE_ADMIN_API,
+        description='Retrieve the image_pull_policy field of containers.',
+        operations=[
+            {
+                'path': '/v1/containers/{container_ident}',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/containers',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/containers',
+                'method': 'POST'
+            },
+            {
+                'path': '/v1/containers/{container_ident}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CONTAINER % 'get_one:privileged',
+        check_str=base.RULE_ADMIN_API,
+        description='Retrieve the privileged field of containers.',
+        operations=[
+            {
+                'path': '/v1/containers/{container_ident}',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/containers',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/containers',
+                'method': 'POST'
+            },
+            {
+                'path': '/v1/containers/{container_ident}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
+    policy.DocumentedRuleDefault(
+        name=CONTAINER % 'get_one:runtime',
+        check_str=base.RULE_ADMIN_API,
+        description='Retrieve the runtime field of containers.',
+        operations=[
+            {
+                'path': '/v1/containers/{container_ident}',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/containers',
+                'method': 'GET'
+            },
+            {
+                'path': '/v1/containers',
+                'method': 'POST'
+            },
+            {
+                'path': '/v1/containers/{container_ident}',
+                'method': 'PATCH'
+            }
+        ]
+    ),
     policy.DocumentedRuleDefault(
         name=CONTAINER % 'get_one_all_projects',
         check_str=base.RULE_ADMIN_API,
diff --git a/zun/tests/unit/api/controllers/v1/test_containers.py b/zun/tests/unit/api/controllers/v1/test_containers.py
index 9f8471710..1866c4f80 100644
--- a/zun/tests/unit/api/controllers/v1/test_containers.py
+++ b/zun/tests/unit/api/controllers/v1/test_containers.py
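Review bot: The three new rules repeat the same four-entry operations list verbatim, so the hunk is 69 lines of which only the name and description differ per rule, and a later change to the set of operations has to be applied in three places. Hoisting the list into one module-level constant (defined before `rules = [`, which starts outside this hunk) and referencing it from each rule keeps the three definitions to six lines apiece and makes the shared intent explicit. The constant name below is a suggestion.

```python
# Operations whose response body may carry the admin-only container fields.
_FIELD_OPERATIONS = [
    {
        'path': '/v1/containers/{container_ident}',
        'method': 'GET'
    },
    {
        'path': '/v1/containers',
        'method': 'GET'
    },
    {
        'path': '/v1/containers',
        'method': 'POST'
    },
    {
        'path': '/v1/containers/{container_ident}',
        'method': 'PATCH'
    }
]

# … unchanged: rules preceding this hunk …
    policy.DocumentedRuleDefault(
        name=CONTAINER % 'get_one:image_pull_policy',
        check_str=base.RULE_ADMIN_API,
        description='Retrieve the image_pull_policy field of containers.',
        operations=_FIELD_OPERATIONS
    ),
    # … same shape for get_one:privileged and get_one:runtime …
```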
@@ -317,7 +317,6 @@ class TestContainerController(api_base.FunctionalTest):
         self.assertEqual('512', c.get('memory'))
         self.assertEqual({"key1": "val1", "key2": "val2"},
                          c.get('environment'))
-        self.assertEqual('runc', c.get('runtime'))
         self.assertEqual('testhost', c.get('hostname'))
         self.assertEqual(20, c.get('disk'))
         self.assertEqual({"Name": "no", "MaximumRetryCount": "0"},
@@ -868,7 +867,7 @@ class TestContainerController(api_base.FunctionalTest):
                          actual_containers[0].get('uuid'))
 
     @patch('zun.objects.Container.list')
-    def test_get_all_has_status_reason_and_image_pull_policy(
+    def test_get_all_has_status_reason(
             self, mock_container_list):
         test_container = utils.get_test_container()
         containers = [objects.Container(self.context, **test_container)]
@@ -881,7 +880,6 @@ class TestContainerController(api_base.FunctionalTest):
         self.assertEqual(test_container['uuid'],
                          actual_containers[0].get('uuid'))
         self.assertIn('status_reason', actual_containers[0].keys())
-        self.assertIn('image_pull_policy', actual_containers[0].keys())
 
     @patch('zun.objects.Container.list')
     def test_get_all_containers_with_pagination_marker(self,
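Review bot: The hunks at -317 and -881 delete the `runtime` and `image_pull_policy` assertions outright, so after this change nothing in the module verifies the behaviour the new policies introduce: those fields absent for a non-admin request context and present for an admin one. Keeping the lines as negative assertions for the default test context, `self.assertIsNone(c.get('runtime'))` in the -317 hunk and `self.assertNotIn('image_pull_policy', actual_containers[0].keys())` in the -881 hunk, plus one request made with an admin context asserting the positive case, would turn the removed coverage into a regression test for the policy gate; whether the fixture's default context is non-admin is not visible here and should be confirmed. The enclosing test methods begin outside both hunks.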