def before(self, state): if state.request.method not in self.ACTION_MAP: pecan.abort(405) neutron_context = state.request.context.get('neutron_context') resource = state.request.context.get('resource') is_update = (state.request.method == 'PUT') items = state.request.resources policy.init() action = '%s_%s' % (self.ACTION_MAP[state.request.method], resource) for item in items: if is_update: obj = copy.copy(state.request.original_object) obj.update(item) obj[const.ATTRIBUTES_TO_UPDATE] = item.keys() item = obj try: policy.enforce( neutron_context, action, item, pluralized=attribute_population._plural(resource)) except oslo_policy.PolicyNotAuthorized: with excutils.save_and_reraise_exception() as ctxt: # If a tenant is modifying it's own object, it's safe to # return a 403. Otherwise, pretend that it doesn't exist # to avoid giving away information. if (is_update and neutron_context.tenant_id != obj['tenant_id']): ctxt.reraise = False msg = _('The resource could not be found.') raise webob.exc.HTTPNotFound(msg)
def after(self, state): neutron_context = state.request.context.get('neutron_context') resource = state.request.context.get('resource') if not resource: # can't filter a resource we don't recognize return # NOTE(kevinbenton): extension listing isn't controlled by policy if resource == 'extension': return try: data = state.response.json except simplejson.JSONDecodeError: return action = '%s_%s' % (self.ACTION_MAP[state.request.method], resource) plural = attribute_population._plural(resource) if not data or (resource not in data and plural not in data): return is_single = resource in data key = resource if is_single else plural to_process = [data[resource]] if is_single else data[plural] # in the single case, we enforce which raises on violation # in the plural case, we just check so violating items are hidden policy_method = policy.enforce if is_single else policy.check plugin = manager.NeutronManager.get_plugin_for_resource(resource) resp = [self._get_filtered_item(state.request, resource, item) for item in to_process if (state.request.method != 'GET' or policy_method(neutron_context, action, item, plugin=plugin, pluralized=plural))] if is_single: resp = resp[0] data[key] = resp state.response.json = data
def _exclude_attributes_by_policy(self, context, resource, data): """Identifies attributes to exclude according to authZ policies. Return a list of attribute names which should be stripped from the response returned to the user because the user is not authorized to see them. """ attributes_to_exclude = [] for attr_name in data.keys(): attr_data = attribute_population._attributes_for_resource( resource).get(attr_name) if attr_data and attr_data['is_visible']: if policy.check( context, # NOTE(kevinbenton): this used to reference a # _plugin_handlers dict, why? 'get_%s:%s' % (resource, attr_name), data, might_not_exist=True, pluralized=attribute_population._plural(resource)): # this attribute is visible, check next one continue # if the code reaches this point then either the policy check # failed or the attribute was not visible in the first place attributes_to_exclude.append(attr_name) return attributes_to_exclude
def before(self, state): # TODO(salv-orlando): This hook must go when adaptin the pecan code to # use reservations. if state.request.method != 'POST': return resource = state.request.context.get('resource') plugin = manager.NeutronManager.get_plugin_for_resource(resource) items = state.request.resources deltas = {} for item in items: tenant_id = item['tenant_id'] try: neutron_context = state.request.context.get('neutron_context') count = quota.QUOTAS.count(neutron_context, resource, plugin, attribute_population._plural( resource), tenant_id) delta = deltas.get(tenant_id, 0) + 1 kwargs = {resource: count + delta} except exceptions.QuotaResourceUnknown as e: # We don't want to quota this resource LOG.debug(e) else: quota.QUOTAS.limit_check(neutron_context, tenant_id, **kwargs)