From db40ad11f1b8fa60ea9c0d69240487ec84df9341 Mon Sep 17 00:00:00 2001
From: John Griffith <john.griffith@solidfire.com>
Date: Wed, 5 Jun 2013 13:57:29 -0600
Subject: [PATCH] Add policy checking for transfer create/accept.

This patch adds policy checks for transfer create/accept
as well as adding the associated default policy.  In addition
we add the wrap in the volume/api accept_transfer method.

Fixes bug: 1187910

Change-Id: I599ac0a95cea1605380d4595a1f21023fbcfb6f1
---
 cinder/tests/policy.json | 8 +++++++-
 cinder/transfer/api.py   | 4 ++++
 cinder/volume/api.py     | 1 +
 etc/cinder/policy.json   | 8 +++++++-
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/cinder/tests/policy.json b/cinder/tests/policy.json
index a2c226f4b..d11c0139e 100644
--- a/cinder/tests/policy.json
+++ b/cinder/tests/policy.json
@@ -38,5 +38,11 @@
     "volume_extension:volume_image_metadata": [],
     "volume_extension:volume_host_attribute": [["rule:admin_api"]],
     "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
-    "volume_extension:hosts": [["rule:admin_api"]]
+    "volume_extension:hosts": [["rule:admin_api"]],
+
+    "volume:create_transfer": [],
+    "volume:accept_transfer": [],
+    "volume:delete_transfer": [],
+    "volume:get_all_transfers": []
+
 }
diff --git a/cinder/transfer/api.py b/cinder/transfer/api.py
index bdcfc2a8c..db53468d9 100644
--- a/cinder/transfer/api.py
+++ b/cinder/transfer/api.py
@@ -60,6 +60,7 @@ class API(base.Base):
         """
         Make the RPC call to delete a volume transfer.
         """
+        volume_api.check_policy(context, 'delete_transfer')
         transfer = self.db.transfer_get(context, transfer_id)
 
         volume_ref = self.db.volume_get(context, transfer.volume_id)
@@ -69,6 +70,7 @@ class API(base.Base):
         self.db.transfer_destroy(context, transfer_id)
 
     def get_all(self, context, filters={}):
+        volume_api.check_policy(context, 'get_all_transfers')
         if context.is_admin and 'all_tenants' in filters:
             transfers = self.db.transfer_get_all(context)
         else:
@@ -93,6 +95,7 @@ class API(base.Base):
 
     def create(self, context, volume_id, display_name):
         """Creates an entry in the transfers table."""
+        volume_api.check_policy(context, 'create_transfer')
         LOG.info("Generating transfer record for volume %s" % volume_id)
         volume_ref = self.db.volume_get(context, volume_id)
         if volume_ref['status'] != "available":
@@ -125,6 +128,7 @@ class API(base.Base):
         """Accept a volume that has been offered for transfer."""
         # We must use an elevated context to see the volume that is still
         # owned by the donor.
+        volume_api.check_policy(context, 'accept_transfer')
         transfer = self.db.transfer_get(context.elevated(), transfer_id)
 
         crypt_hash = self._get_crypt_hash(transfer['salt'], auth_key)
diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index 05c22388c..46296e539 100644
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -518,6 +518,7 @@ class API(base.Base):
                                                        connector,
                                                        force)
 
+    @wrap_check_policy
     def accept_transfer(self, context, volume):
         return self.volume_rpcapi.accept_transfer(context,
                                                   volume)
diff --git a/etc/cinder/policy.json b/etc/cinder/policy.json
index f2bcc1b1c..a6a805a3a 100644
--- a/etc/cinder/policy.json
+++ b/etc/cinder/policy.json
@@ -29,5 +29,11 @@
     "volume_extension:volume_tenant_attribute": [["rule:admin_api"]],
     "volume_extension:hosts": [["rule:admin_api"]],
     "volume_extension:services": [["rule:admin_api"]],
-    "volume:services": [["rule:admin_api"]]
+    "volume:services": [["rule:admin_api"]],
+
+    "volume:create_transfer": [],
+    "volume:accept_transfer": [],
+    "volume:delete_transfer": [],
+    "volume:get_all_transfers": []
+
 }
-- 
2.45.2