From 318d01083102a3ea4a097bc1a50dc9091f7a8fa6 Mon Sep 17 00:00:00 2001
From: Elena Ezhova
Date: Wed, 9 Jul 2014 20:10:17 +0400
Subject: [PATCH] Add rule for updating network's router:external attribute
Set admin_only rule for update_network:router:external in policy.json
Also, change the default value of router:external from attr.ATTR_NOT_SPECIFIED to False, because each time we try to get or update a network the dict with its attributes is extended by _extend_network_dict_l3 function which adds router:external=False to the dict if this attribute is not specified. Thus, if the default value is not specified, router:external is considered to be updated in any case and the policy rule is applied.
Change-Id: I899d98c7d8c9d9863ac5d8f992b6a2d507ec4482
Closes-Bug: 1338880
---
 etc/policy.json | 1 +
 neutron/extensions/external_net.py | 2 +-
 neutron/tests/unit/test_extension_ext_net.py | 13 +++++++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/etc/policy.json b/etc/policy.json
index 81fe49556a..d21427cb4e 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -39,6 +39,7 @@
 "update_network:provider:network_type": "rule:admin_only",
 "update_network:provider:physical_network": "rule:admin_only",
 "update_network:provider:segmentation_id": "rule:admin_only",
+ "update_network:router:external": "rule:admin_only",
 "delete_network": "rule:admin_or_owner",
 "create_port": "",
diff --git a/neutron/extensions/external_net.py b/neutron/extensions/external_net.py
index 6e50e93cb0..0e24f13f6c 100644
--- a/neutron/extensions/external_net.py
+++ b/neutron/extensions/external_net.py
@@ -29,7 +29,7 @@ EXTERNAL = 'router:external'
 EXTENDED_ATTRIBUTES_2_0 = {
 'networks': {EXTERNAL: {'allow_post': True,
 'allow_put': True,
- 'default': attr.ATTR_NOT_SPECIFIED,
+ 'default': False,
 'is_visible': True,
 'convert_to': attr.convert_to_boolean,
 'enforce_policy': True,
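Review bot: The new `"update_network:router:external": "rule:admin_only"` entry in etc/policy.json only takes effect where this file is the one actually deployed; a deployment that maintains its own policy file would presumably keep evaluating the attribute without an admin_only rule until the line is added there. That upgrade step is not mentioned anywhere in the commit. JSON has no comment syntax, so I would put it in the release notes instead, for example `Operators with a customised policy.json must add "update_network:router:external": "rule:admin_only" to restrict this attribute to admins.`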
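Review bot: The `'default': False` line in EXTENDED_ATTRIBUTES_2_0 now carries a policy meaning that nothing in the file explains: per the commit message, this default is what lets an untouched router:external be told apart from an update. A one-line comment would keep a later edit from reverting it, e.g. `# Must match the False that _extend_network_dict_l3 fills in, or every network update trips the router:external policy rule`. If enforcement really is a comparison with this default (the policy code is not in the diff), a request that sets the attribute to False would look unchanged and skip the admin_only rule, which is worth confirming. The dict continues past the end of the hunk.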
diff --git a/neutron/tests/unit/test_extension_ext_net.py b/neutron/tests/unit/test_extension_ext_net.py
index d841670b15..fc308747c0 100644
--- a/neutron/tests/unit/test_extension_ext_net.py
+++ b/neutron/tests/unit/test_extension_ext_net.py
@@ -108,6 +108,19 @@ class ExtNetDBTestCase(test_db_plugin.NeutronDbPluginV2TestCase):
 result = plugin.get_networks(ctx, filters=None)
 self.assertEqual(result, [])
+ def test_update_network_set_external_non_admin_fails(self):
+ # Assert that a non-admin user cannot update the
+ # router:external attribute
+ with self.network(tenant_id='noadmin') as network:
+ data = {'network': {'router:external': True}}
+ req = self.new_update_request('networks',
+ data,
+ network['network']['id'])
+ req.environ['neutron.context'] = context.Context('', 'noadmin')
+ res = req.get_response(self.api)
+ # The API layer always returns 404 on updates in place of 403
+ self.assertEqual(exc.HTTPNotFound.code, res.status_int)
+
 def test_network_filter_hook_admin_context(self):
 plugin = manager.NeutronManager.get_plugin()
 ctx = context.Context(None, None, is_admin=True)
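Review bot: The 404 asserted in test_update_network_set_external_non_admin_fails cannot by itself be attributed to the policy check, because (as the test's own comment says) the API answers a denied update with 404, the same code a failed network lookup would give. A control case in which the same non-admin owner updates an ordinary attribute and gets 200 would pin the failure on router:external. It would also cover the regression the commit message describes, where every update was treated as touching router:external. The sketch reuses only the helpers already called in this hunk.

```python
    def test_update_network_name_non_admin_succeeds(self):
        # Control for test_update_network_set_external_non_admin_fails:
        # the same non-admin owner can still update an attribute that
        # is not admin_only, so the 404 there comes from the policy check
        with self.network(tenant_id='noadmin') as network:
            data = {'network': {'name': 'renamed'}}
            req = self.new_update_request('networks',
                                          data,
                                          network['network']['id'])
            req.environ['neutron.context'] = context.Context('', 'noadmin')
            res = req.get_response(self.api)
            self.assertEqual(exc.HTTPOk.code, res.status_int)
```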