From 7bcd2a1c6b63caba3578b02f512d52cf72c00a22 Mon Sep 17 00:00:00 2001
From: Aseel Awwad
Date: Sun, 21 Jan 2018 08:45:13 -0500
Subject: [PATCH] Add policy check for complete attachment API action

Add new policy rule for complete_attachment action to prevent anyone who can read the attachment from the database to complete it (mark it as in-use)

Change-Id: Idad8c44acde155e70f6f9f618887a97fc956cdd2
Closes-Bug: #1737000
---
 cinder/api/v3/attachments.py | 3 +++
 cinder/policies/attachments.py | 11 +++++++++++
 .../block-storage/samples/policy.json.inc | 1 +
 3 files changed, 15 insertions(+)

diff --git a/cinder/api/v3/attachments.py b/cinder/api/v3/attachments.py
index 6c457920f9b..4d3bdbb1635 100644
--- a/cinder/api/v3/attachments.py
+++ b/cinder/api/v3/attachments.py
@@ -24,6 +24,7 @@ from cinder.api import validation
 from cinder import exception
 from cinder.i18n import _
 from cinder import objects
+from cinder.policies import attachments as attachment_policy
 from cinder import utils
 from cinder.volume import api as volume_api
@@ -268,6 +269,8 @@ class AttachmentsController(wsgi.Controller):
         volume_ref = objects.Volume.get_by_id(
             context,
             attachment_ref.volume_id)
+        context.authorize(attachment_policy.COMPLETE_POLICY,
+                          target_obj=attachment_ref)
         attachment_ref.update({'attach_status': 'attached'})
         attachment_ref.save()
         volume_ref.update({'status': 'in-use', 'attach_status': 'attached'})
diff --git a/cinder/policies/attachments.py b/cinder/policies/attachments.py
index 1378e4477fc..c177a65a8e8 100644
--- a/cinder/policies/attachments.py
+++ b/cinder/policies/attachments.py
@@ -21,6 +21,7 @@ from cinder.policies import base
 CREATE_POLICY = 'volume:attachment_create'
 UPDATE_POLICY = 'volume:attachment_update'
 DELETE_POLICY = 'volume:attachment_delete'
+COMPLETE_POLICY = 'volume:attachment_complete'
 MULTIATTACH_BOOTABLE_VOLUME_POLICY = 'volume:multiattach_bootable_volume'
 
 attachments_policies = [
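Review bot: The new authorize call in the @@ -268 hunk is placed after the `volume_ref = objects.Volume.get_by_id(...)` lookup, so a caller that fails the policy still triggers the volume read (and, presumably, the attachment read above the hunk) before being rejected; moving `context.authorize(attachment_policy.COMPLETE_POLICY, target_obj=attachment_ref)` to immediately after the attachment is fetched keeps authorization ahead of any further work. The owner half of `rule:admin_or_owner` is evaluated against whatever project/user fields `attachment_ref` exposes — worth confirming the attachment object carries a project_id so the comparison is made against the attachment's owner and not only the caller's own context. The diffstat lists no test change; a policy unit test that calls os-complete as a non-owner and expects rejection would pin the fix for bug 1737000. The enclosing method starts outside the hunk.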
@@ -54,6 +55,16 @@ attachments_policies = [
                 'path': '/attachments/{attachment_id}'
             }
         ]),
+    policy.DocumentedRuleDefault(
+        name=COMPLETE_POLICY,
+        check_str=base.RULE_ADMIN_OR_OWNER,
+        description="Mark a volume attachment process as completed (in-use)",
+        operations=[
+            {
+                'method': 'POST',
+                'path': '/attachments/{attachment_id}/action (os-complete)'
+            }
+        ]),
     policy.DocumentedRuleDefault(
         name=MULTIATTACH_BOOTABLE_VOLUME_POLICY,
         check_str=base.RULE_ADMIN_OR_OWNER,
diff --git a/doc/source/configuration/block-storage/samples/policy.json.inc b/doc/source/configuration/block-storage/samples/policy.json.inc
index c51f564af13..1cd641ce58c 100644
--- a/doc/source/configuration/block-storage/samples/policy.json.inc
+++ b/doc/source/configuration/block-storage/samples/policy.json.inc
@@ -108,6 +108,7 @@
     "volume:attachment_create": "",
     "volume:attachment_update": "rule:admin_or_owner",
     "volume:attachment_delete": "rule:admin_or_owner",
+    "volume:attachment_complete": "rule:admin_or_owner",
     "snapshot_extension:snapshot_actions:update_snapshot_status": "",
     "snapshot_extension:snapshot_manage": "rule:admin_api",
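Review bot: The new `DocumentedRuleDefault` for `COMPLETE_POLICY` introduces an enforcement point that operators maintaining their own policy file will not yet have listed, and the diffstat shows no release note accompanying it; if this project records new policy rules in release notes, one stating that `volume:attachment_complete` is now checked on the os-complete action and defaults to `rule:admin_or_owner` would let deployers review their overrides. The sample in policy.json.inc is updated in this commit, so the in-tree documentation side is covered.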