Fix multinic policy for admin_or_owner

multinic API policy is default to admin_or_owner[1] but API
is allowed for everyone.

We can see the test trying with other project context can access the API
- https://review.opendev.org/#/c/742315

This is because API does not pass the server project_id in policy target[2]
and if no target is passed then, policy.py add the default targets which is
nothing but context.project_id (allow for everyone who try to access)[3]

This commit fix this policy by passing the server's project_id in policy
target.

Partial implement blueprint policy-defaults-refresh-deprecated-apis

[1] https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/policies/multinic.py#L27
[2] https://github.com/openstack/nova/blob/cd16ae25c865f25dbb313976b3d8ef9372db80af/nova/api/openstack/compute/multinic.py#L44
[3] https://github.com/openstack/nova/blob/c16315165ce307c605cf4b608b2df3aa06f46982/nova/policy.py#L191

Change-Id: Ie9b575cc15ae43d8b1eb1b74180ecead45702efe

Author: gmaanos

nova/api/openstack/compute/multinic.py

@@ -41,9 +41,10 @@ def __init__(self):
     def _add_fixed_ip(self, req, id, body):
         """Adds an IP on a given network to an instance."""
         context = req.environ['nova.context']
-        context.can(multinic_policies.BASE_POLICY_NAME)
-
         instance = common.get_instance(self.compute_api, context, id)
+        context.can(multinic_policies.BASE_POLICY_NAME,
+                    target={'project_id': instance.project_id})
+
         network_id = body['addFixedIp']['networkId']
         try:
             self.compute_api.add_fixed_ip(context, instance, network_id)
@@ -58,9 +59,10 @@ def _add_fixed_ip(self, req, id, body):
     def _remove_fixed_ip(self, req, id, body):
         """Removes an IP from an instance."""
         context = req.environ['nova.context']
-        context.can(multinic_policies.BASE_POLICY_NAME)
-
         instance = common.get_instance(self.compute_api, context, id)
+        context.can(multinic_policies.BASE_POLICY_NAME,
+                    target={'project_id': instance.project_id})
+
         address = body['removeFixedIp']['address']
 
         try:

nova/tests/unit/api/openstack/compute/test_multinic.py

@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import fixtures
 import mock
 import webob
 
@@ -22,6 +23,7 @@
 from nova import objects
 from nova import test
 from nova.tests.unit.api.openstack import fakes
+from nova.tests.unit import fake_instance
 
 
 UUID = '70f6db34-de8d-4fbd-aafb-4065bdfa6114'
@@ -66,6 +68,11 @@ def setUp(self):
         self.stub_out('nova.compute.api.API.get', compute_api_get)
         self.controller = self.controller_class.MultinicController()
         self.fake_req = fakes.HTTPRequest.blank('')
+        self.mock_get = self.useFixture(
+            fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
+        self.mock_get.return_value = fake_instance.fake_instance_obj(
+            self.fake_req.environ['nova.context'], uuid=UUID,
+            project_id=self.fake_req.environ['nova.context'].project_id)
 
     def test_add_fixed_ip(self):
         global last_add_fixed_ip
@@ -151,6 +158,11 @@ def setUp(self):
         super(MultinicPolicyEnforcementV21, self).setUp()
         self.controller = multinic_v21.MultinicController()
         self.req = fakes.HTTPRequest.blank('')
+        self.mock_get = self.useFixture(
+            fixtures.MockPatch('nova.api.openstack.common.get_instance')).mock
+        self.mock_get.return_value = fake_instance.fake_instance_obj(
+            self.req.environ['nova.context'],
+            project_id=self.req.environ['nova.context'].project_id)
 
     def test_add_fixed_ip_policy_failed(self):
         rule_name = "os_compute_api:os-multinic"