def _verify_query_segregation(query, auth_project=None):
"""Ensure non-admin queries are not constrained to another project."""
auth_project = (auth_project or rbac.get_limited_to_project(
pecan.request.headers, pecan.request.enforcer))
if not auth_project:
return
for q in query:
if q.field in ('project', 'project_id') and auth_project != q.value:
raise base.ProjectNotAuthorized(q.value)
def _set_ownership(aspect, owner_limitation, header):
attr = '%s_id' % aspect
requested_owner = getattr(data, attr)
explicit_owner = requested_owner != wtypes.Unset
caller = pecan.request.headers.get(header)
if (owner_limitation and explicit_owner
and requested_owner != caller):
raise base.ProjectNotAuthorized(requested_owner, aspect)
actual_owner = (owner_limitation or requested_owner
if explicit_owner else caller)
setattr(data, attr, actual_owner)
def get_all(self, project_id=None):
"""Get resource quotas of a project.
- If no project given, get requested user's quota.
- Admin user can get resource quotas of any project.
"""
request_project = pecan.request.headers.get('X-Project-Id')
project_id = project_id if project_id else request_project
is_admin = rbac.is_admin(pecan.request.headers)
if project_id != request_project and not is_admin:
raise base.ProjectNotAuthorized(project_id)
LOG.debug('Getting resource quotas for project %s', project_id)
db_quotas = pecan.request.storage.get_quotas(project_id=project_id)
if len(db_quotas) == 0:
project_alarm_quota = pecan.request.cfg.api.project_alarm_quota
quotas = [{'resource': 'alarms', 'limit': project_alarm_quota}]
db_quotas = pecan.request.storage.set_quotas(project_id, quotas)
quotas = [Quota.from_db_model(i) for i in db_quotas]
return Quotas(project_id=project_id, quotas=quotas)
def check_project_id(subfilter):
op, value = list(subfilter.items())[0]
if (op.lower() not in self.complex_operators
and list(value.keys())[0] == visibility_field
and value[visibility_field] != own_project_id):
raise base.ProjectNotAuthorized(value[visibility_field])
def get_all(self, q=None, sort=None, limit=None, marker=None):
"""Return all alarms, based on the query provided.
:param q: Filter rules for the alarms to be returned.
:param sort: A list of pairs of sort key and sort dir.
:param limit: The maximum number of items to be return.
:param marker: The pagination query marker.
"""
target = rbac.target_from_segregation_rule(pecan.request.headers,
pecan.request.enforcer)
rbac.enforce('get_alarms', pecan.request.headers,
pecan.request.enforcer, target)
q = q or []
filters = {}
# Check field
keys = set([query.field for query in q])
if not keys.issubset(ALARM_QUERY_FIELDS_ALLOWED):
raise wsme.exc.InvalidInput(
'field', keys,
'only fields %s are allowed' % ALARM_QUERY_FIELDS_ALLOWED)
# Check op
ops = set([query.op for query in q])
if any([op not in ALARM_QUERY_OPS_ALLOWED for op in ops]):
raise wsme.exc.InvalidInput(
'op', ops,
'only operations %s are allowed' % ALARM_QUERY_OPS_ALLOWED)
if 'all_projects' in keys:
if v2_utils.get_query_value(q, 'all_projects', 'boolean'):
rbac.enforce('get_alarms:all_projects', pecan.request.headers,
pecan.request.enforcer, target)
keys.remove('all_projects')
else:
project_id = pecan.request.headers.get('X-Project-Id')
is_admin = rbac.is_admin(pecan.request.headers)
if not v2_utils.is_field_exist(q, 'project_id'):
q.append(
base.Query(field='project_id', op='eq', value=project_id))
keys.add('project_id')
else:
request_project = v2_utils.get_query_value(q, 'project_id')
if not is_admin and request_project != project_id:
raise base.ProjectNotAuthorized(request_project)
for query in q:
if query.field in keys:
filters[query.field] = {query.op: query.get_value(query.type)}
if sort or limit or marker:
filters['pagination'] = v2_utils.get_pagination_options(
sort, limit, marker, models.Alarm)
LOG.debug('Getting alarms from database, filters: %s', filters)
return [
Alarm.from_db_model_scrubbed(m)
for m in pecan.request.storage.get_alarms(**filters)
]
