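def _exclude_attributes_by_policy(self, context, resource, collection, data):
    """Identifies attributes to exclude according to authZ policies.

    Return a list of attribute names which should be stripped from the
    response returned to the user because the user is not authorized
    to see them.

    The filter fails closed: an attribute is kept only when it is declared
    for the resource, is flagged ``is_visible`` and passes the
    ``get_<resource>:<attribute>`` policy check. Every other key of
    ``data``, including keys the resource definition does not know about,
    is reported for exclusion.

    :param context: request context handed to ``policy.check``
    :param resource: resource name used to look up the attribute
        definitions and to build the policy rule name
    :param collection: forwarded to ``policy.check`` as ``pluralized``
    :param data: the response item about to be returned; its keys are the
        candidate attribute names and it is the target of the policy check
    :returns: list of keys of ``data`` to strip from the response
    """
    # Resolve the attribute definitions once rather than on every iteration.
    # The lookup yields a falsy value for an unknown resource; treat that
    # as "no attribute is declared" so everything is excluded instead of
    # failing with AttributeError on the ``.get`` below.
    resource_info = v2_attributes.get_resource_info(resource) or {}
    attributes_to_exclude = []
    for attr_name in data:
        attr_data = resource_info.get(attr_name)
        if attr_data and attr_data['is_visible']:
            if policy.check(
                    context,
                    # NOTE(kevinbenton): this used to reference a
                    # _plugin_handlers dict, why?
                    'get_%s:%s' % (resource, attr_name),
                    data,
                    might_not_exist=True,
                    pluralized=collection):
                # this attribute is visible, check next one
                continue
        # if the code reaches this point then either the policy check
        # failed or the attribute was not visible in the first place
        attributes_to_exclude.append(attr_name)
    return attributes_to_exclude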
def _fetch_resource(self, neutron_context, resource, resource_id):
    """Load the stored object ``resource_id`` through the resource's plugin.

    Only a subset of fields is requested: attributes flagged
    ``required_by_policy`` or ``primary_key``, plus every attribute that
    declares no ``default``.

    :param neutron_context: context passed through to the plugin getter
    :param resource: resource name; selects both the attribute definitions
        and the ``get_<resource>`` method looked up on the plugin
    :param resource_id: identifier handed to the plugin getter
    :returns: whatever the plugin's ``get_<resource>`` returns
    """
    resource_attrs = v2_attributes.get_resource_info(resource)
    wanted_fields = []
    for attr_name, attr_spec in resource_attrs.items():
        if (attr_spec.get('required_by_policy') or
                attr_spec.get('primary_key') or
                'default' not in attr_spec):
            wanted_fields.append(attr_name)
    # NOTE(review): nothing here covers a resource without attribute info
    # or without a plugin; ``.items()`` above and ``getattr`` below would
    # then raise AttributeError if either lookup returns None. Confirm
    # whether callers guarantee both exist.
    owner_plugin = manager.NeutronManager.get_plugin_for_resource(resource)
    # TODO(kevinbenton): the parent_id logic currently in base.py
    fetch = getattr(owner_plugin, 'get_%s' % resource)
    return fetch(neutron_context, resource_id, fields=wanted_fields)
def _fetch_resource(self, neutron_context, resource, resource_id):
    """Load the stored object ``resource_id`` for use in policy checks.

    The plugin's ``get_<resource>`` method is used when the resource has a
    plugin; otherwise the lookup is delegated to ``_custom_getter``.
    The plugin is asked only for attributes flagged ``required_by_policy``
    or ``primary_key`` and for attributes that declare no ``default``.

    :param neutron_context: context passed through to the plugin getter
    :param resource: resource name; selects the attribute definitions, the
        plugin and the ``get_<resource>`` method name
    :param resource_id: identifier of the object to load
    :returns: the object returned by the plugin getter or by
        ``_custom_getter``
    """
    # NOTE(review): a resource with no attribute info would fail on
    # ``.items()`` if the lookup returns None - confirm callers rule it out.
    resource_attrs = v2_attributes.get_resource_info(resource)
    wanted_fields = []
    for attr_name, attr_spec in resource_attrs.items():
        if (attr_spec.get('required_by_policy') or
                attr_spec.get('primary_key') or
                'default' not in attr_spec):
            wanted_fields.append(attr_name)

    owner_plugin = manager.NeutronManager.get_plugin_for_resource(resource)
    if not owner_plugin:
        # Some legit resources, like quota, do not have a plugin yet.
        # Retrieving the original object is nevertheless important
        # for policy checks.
        return _custom_getter(resource, resource_id)

    # TODO(kevinbenton): the parent_id logic currently in base.py
    fetch = getattr(owner_plugin, 'get_%s' % resource)
    return fetch(neutron_context, resource_id, fields=wanted_fields)
def fetch_resource(neutron_context, resource, resource_id):
    """Load the stored object ``resource_id`` for use in policy checks.

    :param neutron_context: context passed through to the plugin getter
    :param resource: resource name; selects the attribute definitions, the
        plugin and the ``get_<resource>`` method name
    :param resource_id: identifier of the object to load
    :returns: ``None`` when the resource has no attribute definitions,
        otherwise the object returned by the plugin's ``get_<resource>``
        or, for a resource without a plugin, by ``_custom_getter``
    """
    resource_attrs = v2_attributes.get_resource_info(resource)
    if not resource_attrs:
        # this isn't a request for a normal resource. it could be
        # an action like removing a network from a dhcp agent.
        # return None and assume the custom controller for this will
        # handle the necessary logic.
        return None

    # Ask only for what a policy check can need: fields flagged as
    # required by policy, primary keys, and fields without a default.
    wanted_fields = []
    for attr_name, attr_spec in resource_attrs.items():
        if (attr_spec.get('required_by_policy') or
                attr_spec.get('primary_key') or
                'default' not in attr_spec):
            wanted_fields.append(attr_name)

    owner_plugin = manager.NeutronManager.get_plugin_for_resource(resource)
    if not owner_plugin:
        # Some legit resources, like quota, do not have a plugin yet.
        # Retrieving the original object is nevertheless important
        # for policy checks.
        return _custom_getter(resource, resource_id)

    # The getter name is derived from ``resource``; the guard above means
    # only resources with attribute definitions reach this lookup.
    # TODO(kevinbenton): the parent_id logic currently in base.py
    fetch = getattr(owner_plugin, 'get_%s' % resource)
    return fetch(neutron_context, resource_id, fields=wanted_fields)
def fetch_resource(neutron_context, resource, resource_id):
    """Return the stored object behind ``resource_id``, or ``None``.

    ``None`` is returned when ``resource`` has no attribute definitions.
    Otherwise the object comes from the plugin's ``get_<resource>`` method,
    restricted to the fields selected below, or from ``_custom_getter``
    when the resource has no plugin.

    :param neutron_context: context passed through to the plugin getter
    :param resource: resource name used for the attribute, plugin and
        getter lookups
    :param resource_id: identifier of the object to load
    """
    definitions = v2_attributes.get_resource_info(resource)
    if not definitions:
        # this isn't a request for a normal resource. it could be
        # an action like removing a network from a dhcp agent.
        # return None and assume the custom controller for this will
        # handle the necessary logic.
        return None

    def _is_needed(spec):
        # Needed when flagged for policy, a primary key, or lacking a default.
        return (spec.get('required_by_policy') or
                spec.get('primary_key') or
                'default' not in spec)

    requested = [field for field, spec in definitions.items()
                 if _is_needed(spec)]

    handler = manager.NeutronManager.get_plugin_for_resource(resource)
    if handler:
        # TODO(kevinbenton): the parent_id logic currently in base.py
        method_name = 'get_%s' % resource
        load = getattr(handler, method_name)
        return load(neutron_context, resource_id, fields=requested)

    # Some legit resources, like quota, do not have a plugin yet.
    # Retrieving the original object is nevertheless important
    # for policy checks.
    return _custom_getter(resource, resource_id)
def test_get_resource_info_cached(self):
    """A resource already in REVERSED_PLURALS is resolved without PLURALS."""
    plurals_patch = mock.patch('neutron.api.v2.attributes.PLURALS')
    with plurals_patch as plurals_mock:
        # Pre-seed the reverse mapping so the lookup can take the cached path.
        attributes.REVERSED_PLURALS['port'] = 'ports'
        port_info = attributes.get_resource_info('port')
        self._verify_port_attributes(port_info)
        # The patched PLURALS mapping must never have been iterated.
        items_calls = plurals_mock.items.call_count
        self.assertEqual(0, items_calls)
def test_get_resource_info_missing(self):
    """An unknown resource name yields a falsy result."""
    unknown_info = attributes.get_resource_info('meh')
    self.assertFalse(unknown_info)
def test_get_resource_info(self):
    """An uncached lookup succeeds and records the resource name."""
    # Drop any cached entry so the lookup starts without one.
    attributes.REVERSED_PLURALS.pop('port', None)
    port_info = attributes.get_resource_info('port')
    self._verify_port_attributes(port_info)
    # verify side effect
    cached_names = attributes.REVERSED_PLURALS
    self.assertIn('port', cached_names)
def test_get_resource_info_cached(self):
    """With 'port' cached in REVERSED_PLURALS, PLURALS is never iterated."""
    target = "neutron.api.v2.attributes.PLURALS"
    with mock.patch(target) as patched_plurals:
        # Seed the cache entry the lookup is expected to use.
        attributes.REVERSED_PLURALS["port"] = "ports"
        info = attributes.get_resource_info("port")
        self._verify_port_attributes(info)
        # No call to PLURALS.items() means the cached entry was used.
        self.assertEqual(0, patched_plurals.items.call_count)
def test_get_resource_info_missing(self):
    """Looking up a resource that does not exist gives a falsy value."""
    result = attributes.get_resource_info("meh")
    self.assertFalse(result)
def test_get_resource_info(self):
    """The lookup works without a cache entry and then creates one."""
    reverse_map = attributes.REVERSED_PLURALS
    # Start from a state where "port" has no cached plural.
    reverse_map.pop("port", None)
    info = attributes.get_resource_info("port")
    self._verify_port_attributes(info)
    # verify side effect
    self.assertIn("port", attributes.REVERSED_PLURALS)