def setUp(self):
super(APIPolicyTestCase, self).setUp()
self.ATTRIBUTE_MAP_COPY = copy.copy(attributes.RESOURCE_ATTRIBUTE_MAP)
self.extension_path = os.path.abspath(os.path.join(
TEST_PATH, "../../../extensions"))
policy.reset()
def setUp(self):
super(APIPolicyTestCase, self).setUp()
self.ATTRIBUTE_MAP_COPY = copy.copy(attributes.RESOURCE_ATTRIBUTE_MAP)
self.extension_path = os.path.abspath(
os.path.join(TEST_PATH, "../../../extensions"))
policy.reset()
def setUp(self):
super(PolicyFileTestCase, self).setUp()
policy.reset()
self.addCleanup(policy.reset)
self.context = context.Context('fake', 'fake', is_admin=False)
self.target = {}
self.tempdir = self.useFixture(fixtures.TempDir())
def setUp(self):
super(APIPolicyTestCase, self).setUp()
self.useFixture(tools.AttributeMapMemento())
self.extension_path = os.path.abspath(os.path.join(
TEST_PATH, "../../../extensions"))
policy.reset()
self.addCleanup(policy.reset)
def setUp(self):
super(PolicyFileTestCase, self).setUp()
policy.reset()
self.addCleanup(policy.reset)
self.context = context.Context('fake', 'fake', is_admin=False)
self.target = {}
self.tempdir = self.useFixture(fixtures.TempDir())
def setUp(self):
super(NeutronPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.addCleanup(policy.reset)
self.admin_only_legacy = "role:admin"
self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
# Add a Fake 'something' resource to RESOURCE_ATTRIBUTE_MAP
attributes.RESOURCE_ATTRIBUTE_MAP.update(FAKE_RESOURCE)
self.rules = dict((k, common_policy.parse_rule(v)) for k, v in {
"context_is_admin": "role:admin",
"admin_or_network_owner": "rule:context_is_admin or "
"tenant_id:%(network:tenant_id)s",
"admin_or_owner": ("rule:context_is_admin or "
"tenant_id:%(tenant_id)s"),
"admin_only": "rule:context_is_admin",
"regular_user": "******",
"shared": "field:networks:shared=True",
"external": "field:networks:router:external=True",
"default": '@',
"create_network": "rule:admin_or_owner",
"create_network:shared": "rule:admin_only",
"update_network": '@',
"update_network:shared": "rule:admin_only",
"get_network": "rule:admin_or_owner or "
"rule:shared or "
"rule:external",
"create_port:mac": "rule:admin_or_network_owner",
"create_something": "rule:admin_or_owner",
"create_something:attr": "rule:admin_or_owner",
"create_something:attr:sub_attr_1": "rule:admin_or_owner",
"create_something:attr:sub_attr_2": "rule:admin_only",
"get_firewall_policy": "rule:admin_or_owner or "
"rule:shared",
"get_firewall_rule": "rule:admin_or_owner or "
"rule:shared"
}.items())
def fakepolicyinit():
common_policy.set_rules(common_policy.Rules(self.rules))
def remove_fake_resource():
del attributes.RESOURCE_ATTRIBUTE_MAP["%ss" % FAKE_RESOURCE_NAME]
self.patcher = mock.patch.object(neutron.policy,
'init',
new=fakepolicyinit)
self.patcher.start()
self.addCleanup(remove_fake_resource)
self.context = context.Context('fake', 'fake', roles=['user'])
plugin_klass = importutils.import_class(
"neutron.db.db_base_plugin_v2.NeutronDbPluginV2")
self.manager_patcher = mock.patch('neutron.manager.NeutronManager')
fake_manager = self.manager_patcher.start()
fake_manager_instance = fake_manager.return_value
fake_manager_instance.plugin = plugin_klass()
def initialize_all():
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for every resource (both core
# and extensions)
pecanized_exts = [ext for ext in ext_mgr.extensions.values() if hasattr(ext, "get_pecan_controllers")]
pecan_controllers = {}
for ext in pecanized_exts:
LOG.debug("Extension %s is pecan-enabled. Fetching resources " "and controllers", ext.get_name())
controllers = ext.get_pecan_controllers()
# controllers is actually a list of pairs where the first element is
# the collection name and the second the actual controller
for (collection, coll_controller) in controllers:
pecan_controllers[collection] = coll_controller
for collection in attributes.RESOURCE_ATTRIBUTE_MAP:
if collection not in pecan_controllers:
resource = _handle_plurals(collection)
LOG.debug("Building controller for resource:%s", resource)
plugin = _plugin_for_resource(collection)
if plugin:
manager.NeutronManager.set_plugin_for_resource(resource, plugin)
controller = root.CollectionsController(collection, resource)
manager.NeutronManager.set_controller_for_resource(collection, controller)
LOG.info(
_LI("Added controller for resource %(resource)s " "via URI path segment:%(collection)s"),
{"resource": resource, "collection": collection},
)
else:
LOG.debug("There are already controllers for resource:%s", resource)
# NOTE(salv-orlando): If you are care about code quality, please read below
# Hackiness is strong with the piece of code below. It is used for
# populating resource plurals and registering resources with the quota
# engine, but the method it calls were not conceived with this aim.
# Therefore it only leverages side-effects from those methods. Moreover,
# as it is really not advisable to load an instance of
# neutron.api.v2.router.APIRouter just to register resources with the
# quota engine, core resources are explicitly registered here.
# TODO(salv-orlando): The Pecan WSGI support should provide its own
# solution to manage resource plurals and registration of resources with
# the quota engine
for resource in router.RESOURCES.keys():
resource_registry.register_resource_by_name(resource)
for ext in ext_mgr.extensions.values():
# make each extension populate its plurals
if hasattr(ext, "get_resources"):
ext.get_resources()
if hasattr(ext, "get_extended_resources"):
ext.get_extended_resources("v2.0")
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def __init__(self, **local_config):
mapper = routes_mapper.Mapper()
manager.init()
plugin = directory.get_plugin()
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
col_kwargs = dict(collection_actions=COLLECTION_ACTIONS,
member_actions=MEMBER_ACTIONS)
def _map_resource(collection, resource, params, parent=None):
allow_bulk = cfg.CONF.allow_bulk
allow_pagination = cfg.CONF.allow_pagination
allow_sorting = cfg.CONF.allow_sorting
controller = base.create_resource(
collection,
resource,
plugin,
params,
allow_bulk=allow_bulk,
parent=parent,
allow_pagination=allow_pagination,
allow_sorting=allow_sorting)
path_prefix = None
if parent:
path_prefix = "/%s/{%s_id}/%s" % (parent['collection_name'],
parent['member_name'],
collection)
mapper_kwargs = dict(controller=controller,
requirements=REQUIREMENTS,
path_prefix=path_prefix,
**col_kwargs)
return mapper.collection(collection, resource, **mapper_kwargs)
mapper.connect('index', '/', controller=Index(RESOURCES))
for resource in RESOURCES:
_map_resource(
RESOURCES[resource], resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(RESOURCES[resource],
dict()))
resource_registry.register_resource_by_name(resource)
for resource in SUB_RESOURCES:
_map_resource(
SUB_RESOURCES[resource]['collection_name'], resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(
SUB_RESOURCES[resource]['collection_name'], dict()),
SUB_RESOURCES[resource]['parent'])
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
super(APIRouter, self).__init__(mapper)
def setUp(self):
super(NeutronPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.addCleanup(policy.reset)
self.admin_only_legacy = "role:admin"
self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
# Add a Fake 'something' resource to RESOURCE_ATTRIBUTE_MAP
attributes.RESOURCE_ATTRIBUTE_MAP.update(FAKE_RESOURCE)
self.rules = dict((k, common_policy.parse_rule(v)) for k, v in {
"context_is_admin": "role:admin",
"admin_or_network_owner": "rule:context_is_admin or "
"tenant_id:%(network:tenant_id)s",
"admin_or_owner": ("rule:context_is_admin or "
"tenant_id:%(tenant_id)s"),
"admin_only": "rule:context_is_admin",
"regular_user": "******",
"shared": "field:networks:shared=True",
"external": "field:networks:router:external=True",
"default": '@',
"create_network": "rule:admin_or_owner",
"create_network:shared": "rule:admin_only",
"update_network": '@',
"update_network:shared": "rule:admin_only",
"get_network": "rule:admin_or_owner or "
"rule:shared or "
"rule:external",
"create_port:mac": "rule:admin_or_network_owner",
"create_something": "rule:admin_or_owner",
"create_something:attr": "rule:admin_or_owner",
"create_something:attr:sub_attr_1": "rule:admin_or_owner",
"create_something:attr:sub_attr_2": "rule:admin_only"
}.items())
def fakepolicyinit():
common_policy.set_rules(common_policy.Rules(self.rules))
def remove_fake_resource():
del attributes.RESOURCE_ATTRIBUTE_MAP["%ss" % FAKE_RESOURCE_NAME]
self.patcher = mock.patch.object(neutron.policy,
'init',
new=fakepolicyinit)
self.patcher.start()
self.addCleanup(self.patcher.stop)
self.addCleanup(remove_fake_resource)
self.context = context.Context('fake', 'fake', roles=['user'])
plugin_klass = importutils.import_class(
"neutron.db.db_base_plugin_v2.NeutronDbPluginV2")
self.manager_patcher = mock.patch('neutron.manager.NeutronManager')
fake_manager = self.manager_patcher.start()
fake_manager_instance = fake_manager.return_value
fake_manager_instance.plugin = plugin_klass()
self.addCleanup(self.manager_patcher.stop)
def test_after_inits_policy(self):
self.mock_plugin.get_mehs.return_value = [{
'id': 'xxx',
'attr': 'meh',
'restricted_attr': '',
'tenant_id': 'tenid'}]
policy.reset()
response = self.app.get('/v2.0/mehs',
headers={'X-Project-Id': 'tenid'})
self.assertEqual(200, response.status_int)
def test_after_inits_policy(self):
self.mock_plugin.get_mehs.return_value = [{
'id': 'xxx',
'attr': 'meh',
'restricted_attr': '',
'tenant_id': 'tenid'}]
policy.reset()
response = self.app.get('/v2.0/mehs',
headers={'X-Project-Id': 'tenid'})
self.assertEqual(200, response.status_int)
def __init__(self, **local_config):
mapper = routes_mapper.Mapper()
plugin = manager.NeutronManager.get_plugin()#core plugin #/usr/lib/python2.7/site-packages/neutron/manager.py(216)get_plugin()
# #plugin=<weakproxy at 0x4490208 to Ml2Plugin at 0x2fd1f50>
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
#attributes.RESOURCE_ATTRIBUTE_MAP会被修改为包含neutron/extensions/xx目录下所有插件定义的资源信息,如routers
col_kwargs = dict(collection_actions=COLLECTION_ACTIONS,
member_actions=MEMBER_ACTIONS)
#col_kwargs ={'member_actions': ['show', 'update', 'delete'], 'collection_actions': ['index', 'create']}
def _map_resource(collection, resource, params, parent=None):
allow_bulk = cfg.CONF.allow_bulk
allow_pagination = cfg.CONF.allow_pagination
allow_sorting = cfg.CONF.allow_sorting
controller = base.create_resource(
collection, resource, plugin, params, allow_bulk=allow_bulk,
parent=parent, allow_pagination=allow_pagination,
allow_sorting=allow_sorting)
path_prefix = None
if parent:
path_prefix = "/%s/{%s_id}/%s" % (parent['collection_name'],
parent['member_name'],
collection)
mapper_kwargs = dict(controller=controller,
requirements=REQUIREMENTS,
path_prefix=path_prefix,
**col_kwargs)
#调用mapper对象的collection方法创建URL映射
return mapper.collection(collection, resource,
**mapper_kwargs)
mapper.connect('index', '/', controller=Index(RESOURCES))
for resource in RESOURCES:
_map_resource(RESOURCES[resource], resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(
RESOURCES[resource], dict()))
for resource in SUB_RESOURCES:
_map_resource(SUB_RESOURCES[resource]['collection_name'], resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(
SUB_RESOURCES[resource]['collection_name'],
dict()),
SUB_RESOURCES[resource]['parent'])
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
super(APIRouter, self).__init__(mapper)
def __init__(self, **local_config):
mapper = routes_mapper.Mapper()
plugin = manager.NeutronManager.get_plugin()
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
col_kwargs = dict(collection_actions=COLLECTION_ACTIONS, member_actions=MEMBER_ACTIONS)
def _map_resource(collection, resource, params, parent=None):
allow_bulk = cfg.CONF.allow_bulk
allow_pagination = cfg.CONF.allow_pagination
allow_sorting = cfg.CONF.allow_sorting
controller = base.create_resource(
collection,
resource,
plugin,
params,
allow_bulk=allow_bulk,
parent=parent,
allow_pagination=allow_pagination,
allow_sorting=allow_sorting,
)
path_prefix = None
if parent:
path_prefix = "/%s/{%s_id}/%s" % (parent["collection_name"], parent["member_name"], collection)
mapper_kwargs = dict(
controller=controller, requirements=REQUIREMENTS, path_prefix=path_prefix, **col_kwargs
)
return mapper.collection(collection, resource, **mapper_kwargs)
mapper.connect("index", "/", controller=Index(RESOURCES))
for resource in RESOURCES:
_map_resource(
RESOURCES[resource], resource, attributes.RESOURCE_ATTRIBUTE_MAP.get(RESOURCES[resource], dict())
)
resource_registry.register_resource_by_name(resource)
for resource in SUB_RESOURCES:
_map_resource(
SUB_RESOURCES[resource]["collection_name"],
resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(SUB_RESOURCES[resource]["collection_name"], dict()),
SUB_RESOURCES[resource]["parent"],
)
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
super(APIRouter, self).__init__(mapper)
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.addCleanup(policy.reset)
self.rules = {"default": "", "example:exist": "!"}
self._set_rules("default")
self.context = context.Context("fake", "fake")
def test_get_child_resource_policy_check(self):
policy.reset()
policy.init()
policy._ENFORCER.set_rules(
oslo_policy.Rules.from_dict({'get_meh_meh_fake_duplicate': ''}))
url = '/v2.0/{0}/something/{1}'.format(self.collection,
self.fake_collection)
resp = self.app.get(url)
self.assertEqual(200, resp.status_int)
self.assertEqual({'fake_duplicates': [{
'fake': 'something'
}]}, resp.json)
def initialize_all():
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for every resource (both core
# and extensions)
pecanized_exts = [ext for ext in ext_mgr.extensions.values() if
hasattr(ext, 'get_pecan_controllers')]
pecan_controllers = {}
for ext in pecanized_exts:
LOG.debug("Extension %s is pecan-enabled. Fetching resources "
"and controllers", ext.get_name())
controllers = ext.get_pecan_controllers()
# controllers is actually a list of pairs where the first element is
# the collection name and the second the actual controller
for (collection, coll_controller) in controllers:
pecan_controllers[collection] = coll_controller
for collection in attributes.RESOURCE_ATTRIBUTE_MAP:
if collection not in pecan_controllers:
resource = _handle_plurals(collection)
LOG.debug("Building controller for resource:%s", resource)
plugin = _plugin_for_resource(collection)
if plugin:
manager.NeutronManager.set_plugin_for_resource(
resource, plugin)
controller = root.CollectionsController(collection, resource)
manager.NeutronManager.set_controller_for_resource(
collection, controller)
LOG.info(_LI("Added controller for resource %(resource)s "
"via URI path segment:%(collection)s"),
{'resource': resource,
'collection': collection})
else:
LOG.debug("There are already controllers for resource:%s",
resource)
for ext in ext_mgr.extensions.values():
# make each extension populate its plurals
if hasattr(ext, 'get_resources'):
ext.get_resources()
if hasattr(ext, 'get_extended_resources'):
ext.get_extended_resources('v2.0')
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def test_get_child_resource_policy_check(self):
policy.reset()
policy.init()
policy._ENFORCER.set_rules(
oslo_policy.Rules.from_dict(
{'get_meh_meh_fake_duplicate': ''}
)
)
url = '/v2.0/{0}/something/{1}'.format(self.collection,
self.fake_collection)
resp = self.app.get(url)
self.assertEqual(200, resp.status_int)
self.assertEqual({'fake_duplicates': [{'fake': 'something'}]},
resp.json)
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.addCleanup(policy.reset)
self.rules = {
"default": '',
"example:exist": '!',
}
self._set_rules('default')
self.context = context.Context('fake', 'fake')
def setUp(self):
super(DefaultPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.addCleanup(policy.reset)
self.rules = {
"default": '',
"example:exist": '!',
}
self._set_rules('default')
self.context = context.Context('fake', 'fake')
def test_proper_load_order(self):
"""
Verifies that loading policies by way of admin context after
populating extensions and extending the resource map results in
networks with router:external are visible to regular tenants.
"""
policy.reset()
extension_manager = extensions.ExtensionManager(self.extension_path)
extension_manager.extend_resources(self.api_version,
attributes.RESOURCE_ATTRIBUTE_MAP)
policy.init()
admin_context = context.get_admin_context()
tenant_context = context.Context('test_user', 'test_tenant_id', False)
self.assertTrue(self._check_external_router_policy(admin_context))
self.assertTrue(self._check_external_router_policy(tenant_context))
def test_proper_load_order(self):
"""
Verifies that loading policies by way of admin context after
populating extensions and extending the resource map results in
networks with router:external are visible to regular tenants.
"""
policy.reset()
extension_manager = extensions.ExtensionManager(self.extension_path)
extension_manager.extend_resources(self.api_version,
attributes.RESOURCE_ATTRIBUTE_MAP)
policy.init()
admin_context = context.get_admin_context()
tenant_context = context.Context('test_user', 'test_tenant_id', False)
self.assertTrue(self._check_external_router_policy(admin_context))
self.assertTrue(self._check_external_router_policy(tenant_context))
def setUp(self):
super(UOSExtensionPolicyTestCase, self).setUp()
policy.reset()
policy.init()
rules = {
"associate_floatingip_router": "not role:project_observer",
"get_router_details": "role:admin",
"remove_router_portforwarding": "role:member"
}
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.Context('fake', 'fake', roles=['member'])
self.request = FakeRequest(self.context)
self.target = {}
self.controller = uos.UosController()
def setUp(self):
super(UOSExtensionPolicyTestCase, self).setUp()
policy.reset()
policy.init()
rules = {
"associate_floatingip_router": "not role:project_observer",
"get_router_details": "role:admin",
"remove_router_portforwarding": "role:member"
}
common_policy.set_rules(
common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.Context('fake', 'fake', roles=['member'])
self.request = FakeRequest(self.context)
self.target = {}
self.controller = uos.UosController()
def test_proper_load_order(self):
"""Test proper policy load order
Verifies that loading policies by way of admin context after
populating extensions and extending the resource map results in
networks with router:external are visible to regular tenants.
"""
policy.reset()
extension_manager = extensions.ExtensionManager(self.extension_path)
extension_manager.extend_resources(self.api_version,
attributes.RESOURCES)
# TODO(amotoki): Consider this should be part of
# neutron.policy.reset (or refresh), but as of now
# this is only required for unit testing.
policies.reload_default_policies()
policy.init()
admin_context = context.get_admin_context()
tenant_context = context.Context('test_user', 'test_tenant_id', False)
self.assertTrue(self._check_external_router_policy(admin_context))
self.assertTrue(self._check_external_router_policy(tenant_context))
def test_proper_load_order(self):
"""Test proper policy load order
Verifies that loading policies by way of admin context after
populating extensions and extending the resource map results in
networks with router:external are visible to regular tenants.
"""
policy.reset()
extension_manager = extensions.ExtensionManager(self.extension_path)
extension_manager.extend_resources(self.api_version,
attributes.RESOURCES)
# TODO(amotoki): Consider this should be part of
# neutron.policy.reset (or refresh), but as of now
# this is only required for unit testing.
policies.reload_default_policies()
policy.init()
admin_context = context.get_admin_context()
tenant_context = context.Context('test_user', 'test_tenant_id', False)
self.assertTrue(self._check_external_router_policy(admin_context))
self.assertTrue(self._check_external_router_policy(tenant_context))
def test_policy_404(self):
with self.subnet(cidr='12.0.0.0/24') as public_sub:
self._set_net_external(public_sub['subnet']['network_id'])
fip = self._make_floatingip(self.fmt,
public_sub['subnet']['network_id'])
policy.reset()
policy.init()
rules = {"delete_floatingip": "role:admin_only"}
common_policy.set_rules(
common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
fip_id = fip['floatingip']['id']
self.context = context.Context('fake', 'fake', roles=['member'])
req = self.new_delete_request('floatingips', fip_id)
req.environ['neutron.context'] = self.context
res = req.get_response(self._api_for_resource('floatingips'))
self.assertEqual(404, res.status_int)
policy.reset()
policy.init()
self._delete('floatingips', fip_id)
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
self.addCleanup(policy.reset)
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": "@",
"example:allowed": "@",
"example:denied": "!",
"example:get_http": "http:http://www.example.com",
"example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying rules
common_policy.set_rules(common_policy.Rules(dict((k, common_policy.parse_rule(v)) for k, v in rules.items())))
self.context = context.Context("fake", "fake", roles=["member"])
self.target = {}
def setUp(self):
super(NeutronPolicyTestCase, self).setUp()
policy.reset()
policy.init()
self.addCleanup(policy.reset)
self.admin_only_legacy = "role:admin"
self.admin_or_owner_legacy = "role:admin or tenant_id:%(tenant_id)s"
self.rules = dict(
(k, common_policy.parse_rule(v))
for k, v in {
"context_is_admin": "role:admin",
"admin_or_network_owner": "rule:context_is_admin or " "tenant_id:%(network:tenant_id)s",
"admin_or_owner": ("rule:context_is_admin or " "tenant_id:%(tenant_id)s"),
"admin_only": "rule:context_is_admin",
"regular_user": "******",
"shared": "field:networks:shared=True",
"external": "field:networks:router:external=True",
"default": "@",
"create_network": "rule:admin_or_owner",
"create_network:shared": "rule:admin_only",
"update_network": "@",
"update_network:shared": "rule:admin_only",
"get_network": "rule:admin_or_owner or " "rule:shared or " "rule:external",
"create_port:mac": "rule:admin_or_network_owner",
}.items()
)
def fakepolicyinit():
common_policy.set_rules(common_policy.Rules(self.rules))
self.patcher = mock.patch.object(neutron.policy, "init", new=fakepolicyinit)
self.patcher.start()
self.addCleanup(self.patcher.stop)
self.context = context.Context("fake", "fake", roles=["user"])
plugin_klass = importutils.import_class("neutron.db.db_base_plugin_v2.NeutronDbPluginV2")
self.manager_patcher = mock.patch("neutron.manager.NeutronManager")
fake_manager = self.manager_patcher.start()
fake_manager_instance = fake_manager.return_value
fake_manager_instance.plugin = plugin_klass()
self.addCleanup(self.manager_patcher.stop)
def setUp(self):
super(PolicyTestCase, self).setUp()
policy.reset()
self.addCleanup(policy.reset)
# NOTE(vish): preload rules to circumvent reloading from file
policy.init()
rules = {
"true": '@',
"example:allowed": '@',
"example:denied": '!',
"example:get_http": "http:http://www.example.com",
"example:my_file": "role:compute_admin or tenant_id:%(tenant_id)s",
"example:early_and_fail": "! and @",
"example:early_or_success": "@ or !",
"example:lowercase_admin": "role:admin or role:sysadmin",
"example:uppercase_admin": "role:ADMIN or role:sysadmin",
}
# NOTE(vish): then overload underlying rules
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
self.context = context.Context('fake', 'fake', roles=['member'])
self.target = {}
def test_policy_404(self):
with self.subnet(cidr='12.0.0.0/24') as public_sub:
self._set_net_external(public_sub['subnet']['network_id'])
fip = self._make_floatingip(
self.fmt,
public_sub['subnet']['network_id'])
policy.reset()
policy.init()
rules = {
"delete_floatingip": "role:admin_only"
}
common_policy.set_rules(common_policy.Rules(
dict((k, common_policy.parse_rule(v))
for k, v in rules.items())))
fip_id = fip['floatingip']['id']
self.context = context.Context('fake', 'fake', roles=['member'])
req = self.new_delete_request('floatingips', fip_id)
req.environ['neutron.context'] = self.context
res = req.get_response(self._api_for_resource('floatingips'))
self.assertEqual(404, res.status_int)
policy.reset()
policy.init()
self._delete('floatingips', fip_id)
def initialize_all():
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for all core resources
for resource, collection in router.RESOURCES.items():
resource_registry.register_resource_by_name(resource)
plugin = manager.NeutronManager.get_plugin()
new_controller = res_ctrl.CollectionsController(collection, resource,
plugin=plugin)
manager.NeutronManager.set_controller_for_resource(
collection, new_controller)
manager.NeutronManager.set_plugin_for_resource(resource, plugin)
pecanized_resources = ext_mgr.get_pecan_resources()
for pec_res in pecanized_resources:
resource = attributes.PLURALS[pec_res.collection]
manager.NeutronManager.set_controller_for_resource(
pec_res.collection, pec_res.controller)
manager.NeutronManager.set_plugin_for_resource(
resource, pec_res.plugin)
# Now build Pecan Controllers and routes for all extensions
resources = ext_mgr.get_resources()
# Extensions controller is already defined, we don't need it.
resources.pop(0)
for ext_res in resources:
path_prefix = ext_res.path_prefix.strip('/')
collection = ext_res.collection
if manager.NeutronManager.get_controller_for_resource(collection):
# This is a collection that already has a pecan controller, we
# do not need to do anything else
continue
legacy_controller = getattr(ext_res.controller, 'controller',
ext_res.controller)
new_controller = None
if isinstance(legacy_controller, base.Controller):
resource = legacy_controller.resource
plugin = legacy_controller.plugin
attr_info = legacy_controller.attr_info
# Retrieving the parent resource. It is expected the format of
# the parent resource to be:
# {'collection_name': 'name-of-collection',
# 'member_name': 'name-of-resource'}
# collection_name does not appear to be used in the legacy code
# inside the controller logic, so we can assume we do not need it.
parent = legacy_controller.parent or {}
parent_resource = parent.get('member_name')
new_controller = res_ctrl.CollectionsController(
collection, resource, resource_info=attr_info,
parent_resource=parent_resource)
manager.NeutronManager.set_plugin_for_resource(resource, plugin)
if path_prefix:
manager.NeutronManager.add_resource_for_path_prefix(
collection, path_prefix)
elif isinstance(legacy_controller, wsgi.Controller):
new_controller = utils.ShimCollectionsController(
collection, None, legacy_controller)
else:
LOG.warning(_LW("Unknown controller type encountered %s. It will"
"be ignored."), legacy_controller)
manager.NeutronManager.set_controller_for_resource(
collection, new_controller)
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def __init__(self, path):
LOG.info(_("Initializing extension manager."))
self.path = path
self.extensions = {}
self._load_all_extensions()
policy.reset()
def tearDown(self):
policy.reset()
if self.ATTRIBUTE_MAP_COPY:
attributes.RESOURCE_ATTRIBUTE_MAP = self.ATTRIBUTE_MAP_COPY
super(APIPolicyTestCase, self).tearDown()
def initialize_all():
manager.init()
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCES)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for all core resources
plugin = directory.get_plugin()
for resource, collection in RESOURCES.items():
resource_registry.register_resource_by_name(resource)
new_controller = res_ctrl.CollectionsController(collection, resource,
plugin=plugin)
manager.NeutronManager.set_controller_for_resource(
collection, new_controller)
manager.NeutronManager.set_plugin_for_resource(collection, plugin)
pecanized_resources = ext_mgr.get_pecan_resources()
for pec_res in pecanized_resources:
manager.NeutronManager.set_controller_for_resource(
pec_res.collection, pec_res.controller)
manager.NeutronManager.set_plugin_for_resource(
pec_res.collection, pec_res.plugin)
# Now build Pecan Controllers and routes for all extensions
resources = ext_mgr.get_resources()
# Extensions controller is already defined, we don't need it.
resources.pop(0)
for ext_res in resources:
path_prefix = ext_res.path_prefix.strip('/')
collection = ext_res.collection
# Retrieving the parent resource. It is expected the format of
# the parent resource to be:
# {'collection_name': 'name-of-collection',
# 'member_name': 'name-of-resource'}
# collection_name does not appear to be used in the legacy code
# inside the controller logic, so we can assume we do not need it.
parent = ext_res.parent or {}
parent_resource = parent.get('member_name')
collection_key = collection
if parent_resource:
collection_key = '/'.join([parent_resource, collection])
collection_actions = ext_res.collection_actions
member_actions = ext_res.member_actions
if manager.NeutronManager.get_controller_for_resource(collection_key):
# This is a collection that already has a pecan controller, we
# do not need to do anything else
continue
legacy_controller = getattr(ext_res.controller, 'controller',
ext_res.controller)
new_controller = None
if isinstance(legacy_controller, base.Controller):
resource = legacy_controller.resource
plugin = legacy_controller.plugin
attr_info = legacy_controller.attr_info
member_actions = legacy_controller.member_actions
pagination = legacy_controller.allow_pagination
sorting = legacy_controller.allow_sorting
# NOTE(blogan): legacy_controller and ext_res both can both have
# member_actions. the member_actions for ext_res are strictly for
# routing, while member_actions for legacy_controller are used for
# handling the request once the routing has found the controller.
# They're always the same so we will just use the ext_res
# member_action.
new_controller = res_ctrl.CollectionsController(
collection, resource, resource_info=attr_info,
parent_resource=parent_resource, member_actions=member_actions,
plugin=plugin, allow_pagination=pagination,
allow_sorting=sorting, collection_actions=collection_actions)
# new_controller.collection has replaced hyphens with underscores
manager.NeutronManager.set_plugin_for_resource(
new_controller.collection, plugin)
if path_prefix:
manager.NeutronManager.add_resource_for_path_prefix(
collection, path_prefix)
else:
new_controller = utils.ShimCollectionsController(
collection, None, legacy_controller,
collection_actions=collection_actions,
member_actions=member_actions,
action_status=ext_res.controller.action_status,
collection_methods=ext_res.collection_methods)
manager.NeutronManager.set_controller_for_resource(
collection_key, new_controller)
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def setUp(self):
super(APIPolicyTestCase, self).setUp()
self.useFixture(tools.AttributeMapMemento())
self.extension_path = os.path.abspath(os.path.join(TEST_PATH, "../../../extensions"))
policy.reset()
def tearDown(self):
policy.reset()
super(APIPolicyTestCase, self).tearDown()
def initialize_all():
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for all core resources
for resource, collection in router.RESOURCES.items():
resource_registry.register_resource_by_name(resource)
plugin = manager.NeutronManager.get_plugin()
new_controller = res_ctrl.CollectionsController(collection,
resource,
plugin=plugin)
manager.NeutronManager.set_controller_for_resource(
collection, new_controller)
manager.NeutronManager.set_plugin_for_resource(resource, plugin)
pecanized_resources = ext_mgr.get_pecan_resources()
for pec_res in pecanized_resources:
resource = attributes.PLURALS[pec_res.collection]
manager.NeutronManager.set_controller_for_resource(
pec_res.collection, pec_res.controller)
manager.NeutronManager.set_plugin_for_resource(resource,
pec_res.plugin)
# Now build Pecan Controllers and routes for all extensions
resources = ext_mgr.get_resources()
# Extensions controller is already defined, we don't need it.
resources.pop(0)
for ext_res in resources:
path_prefix = ext_res.path_prefix.strip('/')
collection = ext_res.collection
if manager.NeutronManager.get_controller_for_resource(collection):
# This is a collection that already has a pecan controller, we
# do not need to do anything else
continue
legacy_controller = getattr(ext_res.controller, 'controller',
ext_res.controller)
new_controller = None
if isinstance(legacy_controller, base.Controller):
resource = legacy_controller.resource
plugin = legacy_controller.plugin
attr_info = legacy_controller.attr_info
# Retrieving the parent resource. It is expected the format of
# the parent resource to be:
# {'collection_name': 'name-of-collection',
# 'member_name': 'name-of-resource'}
# collection_name does not appear to be used in the legacy code
# inside the controller logic, so we can assume we do not need it.
parent = legacy_controller.parent or {}
parent_resource = parent.get('member_name')
new_controller = res_ctrl.CollectionsController(
collection,
resource,
resource_info=attr_info,
parent_resource=parent_resource)
manager.NeutronManager.set_plugin_for_resource(resource, plugin)
if path_prefix:
manager.NeutronManager.add_resource_for_path_prefix(
collection, path_prefix)
elif isinstance(legacy_controller, wsgi.Controller):
new_controller = utils.ShimCollectionsController(
collection, None, legacy_controller)
else:
LOG.warning(
_LW("Unknown controller type encountered %s. It will"
"be ignored."), legacy_controller)
manager.NeutronManager.set_controller_for_resource(
collection, new_controller)
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def tearDown(self):
policy.reset()
super(APIPolicyTestCase, self).tearDown()
def initialize_all():
manager.init()
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for all core resources
plugin = directory.get_plugin()
for resource, collection in router.RESOURCES.items():
resource_registry.register_resource_by_name(resource)
new_controller = res_ctrl.CollectionsController(collection,
resource,
plugin=plugin)
manager.NeutronManager.set_controller_for_resource(
collection, new_controller)
manager.NeutronManager.set_plugin_for_resource(collection, plugin)
pecanized_resources = ext_mgr.get_pecan_resources()
for pec_res in pecanized_resources:
manager.NeutronManager.set_controller_for_resource(
pec_res.collection, pec_res.controller)
manager.NeutronManager.set_plugin_for_resource(pec_res.collection,
pec_res.plugin)
# Now build Pecan Controllers and routes for all extensions
resources = ext_mgr.get_resources()
# Extensions controller is already defined, we don't need it.
resources.pop(0)
for ext_res in resources:
path_prefix = ext_res.path_prefix.strip('/')
collection = ext_res.collection
# Retrieving the parent resource. It is expected the format of
# the parent resource to be:
# {'collection_name': 'name-of-collection',
# 'member_name': 'name-of-resource'}
# collection_name does not appear to be used in the legacy code
# inside the controller logic, so we can assume we do not need it.
parent = ext_res.parent or {}
parent_resource = parent.get('member_name')
collection_key = collection
if parent_resource:
collection_key = '/'.join([parent_resource, collection])
collection_actions = ext_res.collection_actions
member_actions = ext_res.member_actions
if manager.NeutronManager.get_controller_for_resource(collection_key):
# This is a collection that already has a pecan controller, we
# do not need to do anything else
continue
legacy_controller = getattr(ext_res.controller, 'controller',
ext_res.controller)
new_controller = None
if isinstance(legacy_controller, base.Controller):
resource = legacy_controller.resource
plugin = legacy_controller.plugin
attr_info = legacy_controller.attr_info
member_actions = legacy_controller.member_actions
pagination = legacy_controller.allow_pagination
sorting = legacy_controller.allow_sorting
# NOTE(blogan): legacy_controller and ext_res both can both have
# member_actions. the member_actions for ext_res are strictly for
# routing, while member_actions for legacy_controller are used for
# handling the request once the routing has found the controller.
# They're always the same so we will just use the ext_res
# member_action.
new_controller = res_ctrl.CollectionsController(
collection,
resource,
resource_info=attr_info,
parent_resource=parent_resource,
member_actions=member_actions,
plugin=plugin,
allow_pagination=pagination,
allow_sorting=sorting,
collection_actions=collection_actions)
# new_controller.collection has replaced hyphens with underscores
manager.NeutronManager.set_plugin_for_resource(
new_controller.collection, plugin)
if path_prefix:
manager.NeutronManager.add_resource_for_path_prefix(
collection, path_prefix)
elif isinstance(legacy_controller, wsgi.Controller):
new_controller = utils.ShimCollectionsController(
collection,
None,
legacy_controller,
collection_actions=collection_actions,
member_actions=member_actions)
else:
LOG.warning(
_LW("Unknown controller type encountered %s. It will"
"be ignored."), legacy_controller)
manager.NeutronManager.set_controller_for_resource(
collection_key, new_controller)
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def __init__(self, **local_config):
mapper = routes_mapper.Mapper()
plugin = manager.NeutronManager.get_plugin(
) #core plugin #/usr/lib/python2.7/site-packages/neutron/manager.py(216)get_plugin()
# #plugin=<weakproxy at 0x4490208 to Ml2Plugin at 0x2fd1f50>
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
#attributes.RESOURCE_ATTRIBUTE_MAP会被修改为包含neutron/extensions/xx目录下所有插件定义的资源信息,如routers
col_kwargs = dict(collection_actions=COLLECTION_ACTIONS,
member_actions=MEMBER_ACTIONS)
#col_kwargs ={'member_actions': ['show', 'update', 'delete'], 'collection_actions': ['index', 'create']}
def _map_resource(collection, resource, params, parent=None):
allow_bulk = cfg.CONF.allow_bulk
allow_pagination = cfg.CONF.allow_pagination
allow_sorting = cfg.CONF.allow_sorting
controller = base.create_resource(
collection,
resource,
plugin,
params,
allow_bulk=allow_bulk,
parent=parent,
allow_pagination=allow_pagination,
allow_sorting=allow_sorting)
path_prefix = None
if parent:
path_prefix = "/%s/{%s_id}/%s" % (parent['collection_name'],
parent['member_name'],
collection)
mapper_kwargs = dict(controller=controller,
requirements=REQUIREMENTS,
path_prefix=path_prefix,
**col_kwargs)
#调用mapper对象的collection方法创建URL映射
return mapper.collection(collection, resource, **mapper_kwargs)
mapper.connect('index', '/', controller=Index(RESOURCES))
for resource in RESOURCES:
_map_resource(
RESOURCES[resource], resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(RESOURCES[resource],
dict()))
for resource in SUB_RESOURCES:
_map_resource(
SUB_RESOURCES[resource]['collection_name'], resource,
attributes.RESOURCE_ATTRIBUTE_MAP.get(
SUB_RESOURCES[resource]['collection_name'], dict()),
SUB_RESOURCES[resource]['parent'])
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
super(APIRouter, self).__init__(mapper)
def __init__(self, path):
LOG.info(_('Initializing extension manager.'))
self.path = path
self.extensions = {}
self._load_all_extensions()
policy.reset()
def initialize_all():
ext_mgr = extensions.PluginAwareExtensionManager.get_instance()
ext_mgr.extend_resources("2.0", attributes.RESOURCE_ATTRIBUTE_MAP)
# At this stage we have a fully populated resource attribute map;
# build Pecan controllers and routes for every resource (both core
# and extensions)
pecanized_exts = [
ext for ext in ext_mgr.extensions.values()
if hasattr(ext, 'get_pecan_controllers')
]
pecan_controllers = {}
for ext in pecanized_exts:
LOG.info(
_LI("Extension %s is pecan-aware. Fetching resources "
"and controllers"), ext.get_name())
controllers = ext.get_pecan_controllers()
# controllers is actually a list of pairs where the first element is
# the collection name and the second the actual controller
for (collection, coll_controller) in controllers:
pecan_controllers[collection] = coll_controller
for collection in attributes.RESOURCE_ATTRIBUTE_MAP:
resource = _handle_plurals(collection)
controller = pecan_controllers.get(collection)
if not controller:
LOG.debug("Building controller for resource:%s", resource)
plugin = _plugin_for_resource(collection)
if plugin:
manager.NeutronManager.set_plugin_for_resource(
resource, plugin)
else:
LOG.warn(
_LW("No plugin found for resource:%s. API calls "
"may not be correctly dispatched"), resource)
controller = root.CollectionsController(collection, resource)
else:
LOG.debug("There are already controllers for resource:%s",
resource)
manager.NeutronManager.set_controller_for_resource(
collection, controller)
LOG.info(
_LI("Added controller for resource %(resource)s "
"via URI path segment:%(collection)s"), {
'resource': resource,
'collection': collection
})
# NOTE(salv-orlando): If you are care about code quality, please read below
# Hackiness is strong with the piece of code below. It is used for
# populating resource plurals and registering resources with the quota
# engine, but the method it calls were not conceived with this aim.
# Therefore it only leverages side-effects from those methods. Moreover,
# as it is really not advisable to load an instance of
# neutron.api.v2.router.APIRouter just to register resources with the
# quota engine, core resources are explicitly registered here.
# TODO(salv-orlando): The Pecan WSGI support should provide its own
# solution to manage resource plurals and registration of resources with
# the quota engine
for resource in router.RESOURCES.keys():
resource_registry.register_resource_by_name(resource)
for ext in ext_mgr.extensions.values():
# make each extension populate its plurals
if hasattr(ext, 'get_resources'):
ext.get_resources()
if hasattr(ext, 'get_extended_resources'):
ext.get_extended_resources('v2.0')
# Certain policy checks require that the extensions are loaded
# and the RESOURCE_ATTRIBUTE_MAP populated before they can be
# properly initialized. This can only be claimed with certainty
# once this point in the code has been reached. In the event
# that the policies have been initialized before this point,
# calling reset will cause the next policy check to
# re-initialize with all of the required data in place.
policy.reset()
def tearDown(self):
policy.reset()
if self.ATTRIBUTE_MAP_COPY:
attributes.RESOURCE_ATTRIBUTE_MAP = self.ATTRIBUTE_MAP_COPY
super(APIPolicyTestCase, self).tearDown()
