From 036af931c98da119ce61049e42f0c5f21a2436a1 Mon Sep 17 00:00:00 2001 From: Ghanshyam Mann Date: Sun, 9 Feb 2020 19:01:15 -0600 Subject: [PATCH] Fix os-console-output policy to be admin_or_owner os-console-output API policy is default to admin_or_owner[1] but API is allowed for everyone. We can see the test trying with other project context can access the API - https://review.opendev.org/#/c/706724 This is because API does not pass the server project_id in policy target[2] and if no target is passed then, policy.py add the default targets which is nothing but context.project_id (allow for everyone who try to access)[3] This commit fix this policy by passing the server's project_id in policy target. [1] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/policies/console_output.py#L27 [2] https://github.com/openstack/nova/blob/1fcd74730d343b7cee12a0a50ea537dc4ff87f65/nova/api/openstack/compute/console_output.py#L41 [3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191 Change-Id: I77759721138b9b4cc724895c8d15c1ccf2923995 Closes-bug: #1862558
---
 nova/api/openstack/compute/console_output.py | 5 +++--
 nova/tests/unit/api/openstack/compute/test_console_output.py | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/nova/api/openstack/compute/console_output.py b/nova/api/openstack/compute/console_output.py
index 93285cc55c77..75727fb2f832 100644
--- a/nova/api/openstack/compute/console_output.py
+++ b/nova/api/openstack/compute/console_output.py
@@ -38,9 +38,10 @@ class ConsoleOutputController(wsgi.Controller):
 def get_console_output(self, req, id, body):
 """Get text console output."""
 context = req.environ['nova.context']
- context.can(co_policies.BASE_POLICY_NAME)
-
 instance = common.get_instance(self.compute_api, context, id)
+ context.can(co_policies.BASE_POLICY_NAME,
+ target={'project_id': instance.project_id})
+
 length = body['os-getConsoleOutput'].get('length')
 # TODO(cyeoh): In a future API update accept a length of -1
 # as meaning unlimited length (convert to None)
diff --git a/nova/tests/unit/api/openstack/compute/test_console_output.py b/nova/tests/unit/api/openstack/compute/test_console_output.py
index 1953b04ea8ac..30f7cf405eaa 100644
--- a/nova/tests/unit/api/openstack/compute/test_console_output.py
+++ b/nova/tests/unit/api/openstack/compute/test_console_output.py
@@ -156,6 +156,7 @@ class ConsoleOutputPolicyEnforcementV21(test.NoDBTestCase):
 def setUp(self):
 super(ConsoleOutputPolicyEnforcementV21, self).setUp()
 self.controller = console_output_v21.ConsoleOutputController()
+ self.stub_out('nova.compute.api.API.get', fake_get)
 def test_get_console_output_policy_failed(self):
 rule_name = "os_compute_api:os-console-output"
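Review bot: The ordering on the new side of the first hunk — `common.get_instance(...)` first, then `context.can(...)` with the instance's `project_id` as target — is what turns the rule into a real owner check, but nothing in the code says the ordering is load-bearing, so a later tidy-up that hoists the `can` call back above the lookup would silently reopen the bug. Add a why-comment above the policy call, `# Look the instance up first: the policy target needs its owning project_id.`. Note that the lookup now runs before authorization; I believe nova's instance lookup is project-scoped for non-admin callers, so a caller from another project gets a 404 rather than a 403 and no existence is leaked, but that is worth confirming against `common.get_instance`. The body of `get_console_output` continues past the end of the hunk.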
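Review bot: The second hunk only stubs `nova.compute.api.API.get` in `setUp` so the existing policy-failure test survives the controller now fetching the instance before the policy check; it does not exercise the scenario the commit message describes, a request whose context project differs from the instance's project. `fake_get` is defined outside the hunk, so the project_id it returns is not visible here. A second test in `ConsoleOutputPolicyEnforcementV21` that stubs the get to return an instance whose `project_id` differs from the request context's and asserts `exception.PolicyNotAuthorized` on `self.controller.get_console_output(...)` would pin the fix against regression.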