Disallow regular user to update firewall's shared attribute
Shared firewalls should only be operable by admins. Currently only admin can provide shared attribute at firewall creation, so update_firewall should be consistent with that as well. Change-Id: I093743514637824207b375d724404d51f778d012 Closes-Bug: #1323322
This commit is contained in:
parent
f7654c3b4c
commit
0c3ccf2d40
@ -70,6 +70,7 @@
|
|||||||
"create_firewall:shared": "rule:admin_only",
|
"create_firewall:shared": "rule:admin_only",
|
||||||
"get_firewall:shared": "rule:admin_only",
|
"get_firewall:shared": "rule:admin_only",
|
||||||
"update_firewall": "rule:admin_or_owner",
|
"update_firewall": "rule:admin_or_owner",
|
||||||
|
"update_firewall:shared": "rule:admin_only",
|
||||||
"delete_firewall": "rule:admin_or_owner",
|
"delete_firewall": "rule:admin_or_owner",
|
||||||
|
|
||||||
"create_firewall_policy": "",
|
"create_firewall_policy": "",
|
||||||
|
@ -248,6 +248,25 @@ class TestFirewallPluginBase(test_db_firewall.TestFirewallDBPlugin):
|
|||||||
res = req.get_response(self.ext_api)
|
res = req.get_response(self.ext_api)
|
||||||
self.assertEqual(res.status_int, exc.HTTPConflict.code)
|
self.assertEqual(res.status_int, exc.HTTPConflict.code)
|
||||||
|
|
||||||
|
def test_update_firewall_shared_fails_for_non_admin(self):
|
||||||
|
ctx = context.get_admin_context()
|
||||||
|
with self.firewall_policy() as fwp:
|
||||||
|
fwp_id = fwp['firewall_policy']['id']
|
||||||
|
with self.firewall(firewall_policy_id=fwp_id,
|
||||||
|
admin_state_up=
|
||||||
|
test_db_firewall.ADMIN_STATE_UP,
|
||||||
|
tenant_id='noadmin') as firewall:
|
||||||
|
fw_id = firewall['firewall']['id']
|
||||||
|
self.callbacks.set_firewall_status(ctx, fw_id,
|
||||||
|
const.ACTIVE)
|
||||||
|
data = {'firewall': {'shared': True}}
|
||||||
|
req = self.new_update_request(
|
||||||
|
'firewalls', data, fw_id,
|
||||||
|
context=context.Context('', 'noadmin'))
|
||||||
|
res = req.get_response(self.ext_api)
|
||||||
|
# returns 404 due to security reasons
|
||||||
|
self.assertEqual(res.status_int, exc.HTTPNotFound.code)
|
||||||
|
|
||||||
def test_update_firewall_policy_fails_when_firewall_pending(self):
|
def test_update_firewall_policy_fails_when_firewall_pending(self):
|
||||||
name = "new_firewall1"
|
name = "new_firewall1"
|
||||||
attrs = self._get_test_firewall_attrs(name)
|
attrs = self._get_test_firewall_attrs(name)
|
||||||
|
@ -158,7 +158,7 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
|
|||||||
super(NeutronDbPluginV2TestCase, self).tearDown()
|
super(NeutronDbPluginV2TestCase, self).tearDown()
|
||||||
|
|
||||||
def _req(self, method, resource, data=None, fmt=None, id=None, params=None,
|
def _req(self, method, resource, data=None, fmt=None, id=None, params=None,
|
||||||
action=None, subresource=None, sub_id=None):
|
action=None, subresource=None, sub_id=None, context=None):
|
||||||
fmt = fmt or self.fmt
|
fmt = fmt or self.fmt
|
||||||
|
|
||||||
path = '/%s.%s' % (
|
path = '/%s.%s' % (
|
||||||
@ -176,7 +176,7 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
|
|||||||
if data is not None: # empty dict is valid
|
if data is not None: # empty dict is valid
|
||||||
body = self.serialize(data)
|
body = self.serialize(data)
|
||||||
return testlib_api.create_request(path, body, content_type, method,
|
return testlib_api.create_request(path, body, content_type, method,
|
||||||
query_string=params)
|
query_string=params, context=context)
|
||||||
|
|
||||||
def new_create_request(self, resource, data, fmt=None, id=None,
|
def new_create_request(self, resource, data, fmt=None, id=None,
|
||||||
subresource=None):
|
subresource=None):
|
||||||
@ -211,9 +211,10 @@ class NeutronDbPluginV2TestCase(testlib_api.WebTestCase):
|
|||||||
)
|
)
|
||||||
|
|
||||||
def new_update_request(self, resource, data, id, fmt=None,
|
def new_update_request(self, resource, data, id, fmt=None,
|
||||||
subresource=None):
|
subresource=None, context=None):
|
||||||
return self._req(
|
return self._req(
|
||||||
'PUT', resource, data, fmt, id=id, subresource=subresource
|
'PUT', resource, data, fmt, id=id, subresource=subresource,
|
||||||
|
context=context
|
||||||
)
|
)
|
||||||
|
|
||||||
def new_action_request(self, resource, data, id, action, fmt=None,
|
def new_action_request(self, resource, data, id, action, fmt=None,
|
||||||
|
Loading…
Reference in New Issue
Block a user