def test_get_object_create_update_delete(self):
obj = api.create_object(self.ctxt, self.model, {'name': 'foo'})
new_obj = api.get_object(self.ctxt, self.model, id=obj.id)
self.assertEqual(obj, new_obj)
obj = new_obj
api.update_object(self.ctxt, self.model, {'name': 'bar'}, id=obj.id)
new_obj = api.get_object(self.ctxt, self.model, id=obj.id)
self.assertEqual(obj, new_obj)
obj = new_obj
api.delete_object(self.ctxt, self.model, id=obj.id)
new_obj = api.get_object(self.ctxt, self.model, id=obj.id)
self.assertIsNone(new_obj)
# delete_object raises an exception on missing object
self.assertRaises(n_exc.ObjectNotFound,
api.delete_object,
self.ctxt,
self.model,
id=obj.id)
# but delete_objects does not not
api.delete_objects(self.ctxt, self.model, id=obj.id)
def test_get_object_create_update_delete(self):
obj = api.create_object(self.ctxt, self.model, {'name': 'foo'})
new_obj = api.get_object(self.ctxt, self.model, id=obj.id)
self.assertEqual(obj, new_obj)
obj = new_obj
api.update_object(self.ctxt, self.model, {'name': 'bar'}, id=obj.id)
new_obj = api.get_object(self.ctxt, self.model, id=obj.id)
self.assertEqual(obj, new_obj)
obj = new_obj
api.delete_object(self.ctxt, self.model, id=obj.id)
new_obj = api.get_object(self.ctxt, self.model, id=obj.id)
self.assertIsNone(new_obj)
# delete_object raises an exception on missing object
self.assertRaises(
n_exc.ObjectNotFound,
api.delete_object, self.ctxt, self.model, id=obj.id)
# but delete_objects does not not
api.delete_objects(self.ctxt, self.model, id=obj.id)
def get_object(cls, context, fields=None, **kwargs):
"""Fetch a single object
Return the first result of given context or None if the result doesn't
contain any row. Next, convert it to a versioned object.
:param context:
:param fields: indicate which fields the caller is interested in
using. Note that currently this is limited to
avoid loading synthetic fields when possible, and
does not affect db queries. Default is None, which
is the same as []. Example: ['id', 'name']
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class or None
"""
lookup_keys = set(kwargs.keys())
all_keys = itertools.chain([cls.primary_keys], cls.unique_keys)
if not any(lookup_keys.issuperset(keys) for keys in all_keys):
missing_keys = set(cls.primary_keys).difference(lookup_keys)
raise o_exc.NeutronPrimaryKeyMissing(object_class=cls,
missing_keys=missing_keys)
with cls.db_context_reader(context):
db_obj = obj_db_api.get_object(cls, context,
**cls.modify_fields_to_db(kwargs))
if db_obj:
return cls._load_object(context, db_obj, fields=fields)
def get_object(cls, context, fields=None, **kwargs):
"""Fetch a single object
Return the first result of given context or None if the result doesn't
contain any row. Next, convert it to a versioned object.
:param context:
:param fields: indicate which fields the caller is interested in
using. Note that currently this is limited to
avoid loading synthetic fields when possible, and
does not affect db queries. Default is None, which
is the same as []. Example: ['id', 'name']
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class or None
"""
lookup_keys = set(kwargs.keys())
all_keys = itertools.chain([cls.primary_keys], cls.unique_keys)
if not any(lookup_keys.issuperset(keys) for keys in all_keys):
missing_keys = set(cls.primary_keys).difference(lookup_keys)
raise o_exc.NeutronPrimaryKeyMissing(object_class=cls,
missing_keys=missing_keys)
with cls.db_context_reader(context):
db_obj = obj_db_api.get_object(
cls, context, **cls.modify_fields_to_db(kwargs))
if db_obj:
return cls._load_object(context, db_obj, fields=fields)
def test_get_object_with_None_value_in_filters(self):
obj = api.create_object(self.obj_cls, self.ctxt, {'name': 'foo'})
new_obj = api.get_object(self.obj_cls,
self.ctxt,
name='foo',
status=None)
self.assertEqual(obj, new_obj)
def validate_rbac_policy_create(cls, resource, event, trigger,
payload=None):
context = payload.context
policy = payload.request_body
db_obj = obj_db_api.get_object(
cls, context.elevated(), id=policy['object_id'])
if not db_obj["address_scope_id"]:
# Nothing to validate
return
with db_api.CONTEXT_READER.using(context):
rbac_as_model = rbac_db_models.AddressScopeRBAC
# Ensure that target project has access to AS
shared_to_target_project_or_to_all = (
sa.and_(
rbac_as_model.target_project.in_(
["*", policy['target_project']]
),
rbac_as_model.object_id == db_obj["address_scope_id"]
)
)
matching_policies = model_query.query_with_hooks(
context, rbac_db_models.AddressScopeRBAC
).filter(shared_to_target_project_or_to_all).count()
if matching_policies == 0:
raise ext_rbac.RbacPolicyInitError(
object_id=policy['object_id'],
reason=_("target project doesn't have access to "
"associated address scope."))
def _create_fip_qos_db(self, context, fip_id, policy_id):
policy = self._get_policy_obj(context, policy_id)
policy.attach_floatingip(fip_id)
binding_db_obj = obj_db_api.get_object(context,
policy.fip_binding_model,
fip_id=fip_id)
return binding_db_obj
def validate_rbac_policy_change(cls, resource, event, trigger, context,
object_type, policy, **kwargs):
"""Callback to validate RBAC_POLICY changes.
This is the dispatching function for create, update and delete
callbacks. On creation and update, verify that the creator is an admin
or owns the resource being shared.
"""
# TODO(hdaniel): As this code was shamelessly stolen from
# NeutronDbPluginV2.validate_network_rbac_policy_change(), those pieces
# should be synced and contain the same bugs, until Network RBAC logic
# (hopefully) melded with this one.
if object_type != cls.rbac_db_model.object_type:
return
db_obj = obj_db_api.get_object(context.elevated(),
cls.db_model,
id=policy['object_id'])
if event in (events.BEFORE_CREATE, events.BEFORE_UPDATE):
if (not context.is_admin
and db_obj['tenant_id'] != context.tenant_id):
msg = _("Only admins can manipulate policies on objects "
"they do not own")
raise lib_exc.InvalidInput(error_message=msg)
callback_map = {
events.BEFORE_UPDATE: cls.validate_rbac_policy_update,
events.BEFORE_DELETE: cls.validate_rbac_policy_delete
}
if event in callback_map:
return callback_map[event](resource, event, trigger, context,
object_type, policy, **kwargs)
def validate_rbac_policy_change(cls, resource, event, trigger, context,
object_type, policy, **kwargs):
"""Callback to validate RBAC_POLICY changes.
This is the dispatching function for create, update and delete
callbacks. On creation and update, verify that the creator is an admin
or owns the resource being shared.
"""
# TODO(hdaniel): As this code was shamelessly stolen from
# NeutronDbPluginV2.validate_network_rbac_policy_change(), those pieces
# should be synced and contain the same bugs, until Network RBAC logic
# (hopefully) melded with this one.
if object_type != cls.rbac_db_model.object_type:
return
db_obj = obj_db_api.get_object(
context.elevated(), cls.db_model, id=policy['object_id'])
if event in (events.BEFORE_CREATE, events.BEFORE_UPDATE):
if (not context.is_admin and
db_obj['tenant_id'] != context.tenant_id):
msg = _("Only admins can manipulate policies on objects "
"they do not own")
raise lib_exc.InvalidInput(error_message=msg)
callback_map = {events.BEFORE_UPDATE: cls.validate_rbac_policy_update,
events.BEFORE_DELETE: cls.validate_rbac_policy_delete}
if event in callback_map:
return callback_map[event](resource, event, trigger, context,
object_type, policy, **kwargs)
def _get_object_policy(cls, context, binding_cls, **kwargs):
LOG.info('%s(): caller(): %s', log_utils.get_fname(1),
log_utils.get_fname(2))
with cls.db_context_reader(context):
binding_db_obj = obj_db_api.get_object(binding_cls, context,
**kwargs)
if binding_db_obj:
return cls.get_object(context, id=binding_db_obj['policy_id'])
def delete(self):
with db_api.autonested_transaction(self._context.session):
for object_type, model in self.binding_models.items():
binding_db_obj = obj_db_api.get_object(self._context, model, policy_id=self.id)
if binding_db_obj:
raise exceptions.QosPolicyInUse(
policy_id=self.id, object_type=object_type, object_id=binding_db_obj["%s_id" % object_type]
)
super(QosPolicy, self).delete()
def to_kwargs(self, context, model):
res = {
attr: getattr(self, attr)
for attr in ('sorts', 'limit', 'page_reverse')
if getattr(self, attr) is not None
}
if self.marker and self.limit:
res['marker_obj'] = obj_db_api.get_object(
context, model, id=self.marker)
return res
def to_kwargs(self, context, model):
res = {
attr: getattr(self, attr)
for attr in ('sorts', 'limit', 'page_reverse')
if getattr(self, attr) is not None
}
if self.marker and self.limit:
res['marker_obj'] = obj_db_api.get_object(
context, model, id=self.marker)
return res
def delete(self):
with db_api.autonested_transaction(self.obj_context.session):
for object_type, model in self.binding_models.items():
binding_db_obj = obj_db_api.get_object(self.obj_context, model,
policy_id=self.id)
if binding_db_obj:
raise exceptions.QosPolicyInUse(
policy_id=self.id,
object_type=object_type,
object_id=binding_db_obj['%s_id' % object_type])
super(QosPolicy, self).delete()
def objects_exist(cls, context, validate_filters=True, **kwargs):
"""Check if objects are present in DB.
:param context:
:param validate_filters: Raises an error in case of passing an unknown
filter
:param kwargs: multiple keys defined by key=value pairs
:return: boolean. True if object is present.
"""
if validate_filters:
cls.validate_filters(**kwargs)
# Succeed if at least a single object matches; no need to fetch more
return bool(obj_db_api.get_object(
cls, context, **cls.modify_fields_to_db(kwargs))
)
def objects_exist(cls, context, validate_filters=True, **kwargs):
"""Check if objects are present in DB.
:param context:
:param validate_filters: Raises an error in case of passing an unknown
filter
:param kwargs: multiple keys defined by key=value pairs
:return: boolean. True if object is present.
"""
if validate_filters:
cls.validate_filters(**kwargs)
# Succeed if at least a single object matches; no need to fetch more
return bool(
obj_db_api.get_object(cls, context,
**cls.modify_fields_to_db(kwargs)))
def validate_rbac_policy_delete(cls, resource, event, trigger, context,
object_type, policy, **kwargs):
"""Callback to handle RBAC_POLICY, BEFORE_DELETE callback.
:raises: RbacPolicyInUse -- in case the policy is in use.
"""
if policy['action'] != models.ACCESS_SHARED:
return
target_tenant = policy['target_tenant']
db_obj = obj_db_api.get_object(
cls, context.elevated(), id=policy['object_id'])
if db_obj.tenant_id == target_tenant:
return
cls._validate_rbac_policy_delete(context=context,
obj_id=policy['object_id'],
target_tenant=target_tenant)
def validate_rbac_policy_delete(cls, resource, event, trigger, context,
object_type, policy, **kwargs):
"""Callback to handle RBAC_POLICY, BEFORE_DELETE callback.
:raises: RbacPolicyInUse -- in case the policy is in use.
"""
if policy['action'] != models.ACCESS_SHARED:
return
target_tenant = policy['target_tenant']
db_obj = obj_db_api.get_object(
context.elevated(), cls.db_model, id=policy['object_id'])
if db_obj.tenant_id == target_tenant:
return
cls._validate_rbac_policy_delete(context=context,
obj_id=policy['object_id'],
target_tenant=target_tenant)
def get_object(cls, context, **kwargs):
"""
Fetch object from DB and convert it to a versioned object.
:param context:
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class
"""
missing_keys = set(cls.primary_keys).difference(kwargs.keys())
if missing_keys:
raise NeutronPrimaryKeyMissing(object_class=cls.__class__,
missing_keys=missing_keys)
with db_api.autonested_transaction(context.session):
db_obj = obj_db_api.get_object(context, cls.db_model, **kwargs)
if db_obj:
return cls._load_object(context, db_obj)
def get_object(cls, context, **kwargs):
"""
Fetch object from DB and convert it to a versioned object.
:param context:
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class
"""
missing_keys = set(cls.primary_keys).difference(kwargs.keys())
if missing_keys:
raise NeutronPrimaryKeyMissing(object_class=cls.__class__,
missing_keys=missing_keys)
with db_api.autonested_transaction(context.session):
db_obj = obj_db_api.get_object(context, cls.db_model, **kwargs)
if db_obj:
return cls._load_object(context, db_obj)
def update_shared(self, is_shared_new, obj_id):
admin_context = self._context.elevated()
shared_prev = obj_db_api.get_object(admin_context, self.rbac_db_model,
object_id=obj_id, target_tenant='*',
action=models.ACCESS_SHARED)
is_shared_prev = bool(shared_prev)
if is_shared_prev == is_shared_new:
return
# 'shared' goes False -> True
if not is_shared_prev and is_shared_new:
self.attach_rbac(obj_id, self._context.tenant_id)
return
# 'shared' goes True -> False is actually an attempt to delete
# rbac rule for sharing obj_id with target_tenant = '*'
self._validate_rbac_policy_delete(self._context, obj_id, '*')
return self._context.session.delete(shared_prev)
def update_shared(self, is_shared_new, obj_id):
admin_context = self.obj_context.elevated()
shared_prev = obj_db_api.get_object(admin_context, self.rbac_db_model,
object_id=obj_id, target_tenant='*',
action=models.ACCESS_SHARED)
is_shared_prev = bool(shared_prev)
if is_shared_prev == is_shared_new:
return
# 'shared' goes False -> True
if not is_shared_prev and is_shared_new:
self.attach_rbac(obj_id, self.obj_context.tenant_id)
return
# 'shared' goes True -> False is actually an attempt to delete
# rbac rule for sharing obj_id with target_tenant = '*'
self._validate_rbac_policy_delete(self.obj_context, obj_id, '*')
return self.obj_context.session.delete(shared_prev)
def validate_rbac_policy_change(cls,
resource,
event,
trigger,
payload=None):
"""Callback to validate changes.
This is the dispatching function for create, update and delete
callbacks. On creation and update, verify that the creator is an admin
or owns the resource being shared.
"""
object_type = payload.metadata.get('object_type')
context = payload.context
policy = (payload.request_body
if event == events.BEFORE_CREATE else payload.latest_state)
# TODO(hdaniel): As this code was shamelessly stolen from
# NeutronDbPluginV2.validate_network_rbac_policy_change(), those pieces
# should be synced and contain the same bugs, until Network RBAC logic
# (hopefully) melded with this one.
if object_type != cls.rbac_db_cls.db_model.object_type:
return
elevated_context = context.elevated()
with db_api.CONTEXT_READER.using(elevated_context):
db_obj = obj_db_api.get_object(cls,
elevated_context,
id=policy['object_id'])
if event in (events.BEFORE_CREATE, events.BEFORE_UPDATE):
if (not context.is_admin
and db_obj['project_id'] != context.project_id):
msg = _("Only admins can manipulate policies on objects "
"they do not own")
raise exceptions.InvalidInput(error_message=msg)
callback_map = {
events.BEFORE_CREATE: cls.validate_rbac_policy_create,
events.BEFORE_UPDATE: cls.validate_rbac_policy_update,
events.BEFORE_DELETE: cls.validate_rbac_policy_delete
}
if event in callback_map:
return callback_map[event](resource,
event,
trigger,
payload=payload)
def get_object(cls, context, **kwargs):
"""
This method fetches object from DB and convert it to versioned
object.
:param context:
:param kwargs: multiple primary keys defined key=value pairs
:return: single object of NeutronDbObject class
"""
missing_keys = set(cls.primary_keys).difference(kwargs.keys())
if missing_keys:
raise NeutronPrimaryKeyMissing(object_class=cls.__class__,
missing_keys=missing_keys)
db_obj = obj_db_api.get_object(context, cls.db_model, **kwargs)
if db_obj:
obj = cls(context, **db_obj)
obj.obj_reset_changes()
return obj
def get_object(cls, context, **kwargs):
"""
This method fetches object from DB and convert it to versioned
object.
:param context:
:param kwargs: multiple primary keys defined key=value pairs
:return: single object of NeutronDbObject class
"""
missing_keys = set(cls.primary_keys).difference(kwargs.keys())
if missing_keys:
raise NeutronPrimaryKeyMissing(object_class=cls.__class__,
missing_keys=missing_keys)
db_obj = obj_db_api.get_object(context, cls.db_model, **kwargs)
if db_obj:
obj = cls(context, **db_obj)
obj.obj_reset_changes()
return obj
def get_object(cls, context, **kwargs):
"""
Fetch object from DB and convert it to a versioned object.
:param context:
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class
"""
lookup_keys = set(kwargs.keys())
all_keys = itertools.chain([cls.primary_keys], cls.unique_keys)
if not any(lookup_keys.issuperset(keys) for keys in all_keys):
missing_keys = set(cls.primary_keys).difference(lookup_keys)
raise o_exc.NeutronPrimaryKeyMissing(object_class=cls.__name__,
missing_keys=missing_keys)
with db_api.autonested_transaction(context.session):
db_obj = obj_db_api.get_object(context, cls.db_model,
**cls.modify_fields_to_db(kwargs))
if db_obj:
return cls._load_object(context, db_obj)
def get_object(cls, context, **kwargs):
"""
Return the first result of given context or None if the result doesn't
contain any row. Next, convert it to a versioned object.
:param context:
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class or None
"""
lookup_keys = set(kwargs.keys())
all_keys = itertools.chain([cls.primary_keys], cls.unique_keys)
if not any(lookup_keys.issuperset(keys) for keys in all_keys):
missing_keys = set(cls.primary_keys).difference(lookup_keys)
raise o_exc.NeutronPrimaryKeyMissing(object_class=cls,
missing_keys=missing_keys)
with cls.db_context_reader(context):
db_obj = obj_db_api.get_object(
cls, context, **cls.modify_fields_to_db(kwargs))
if db_obj:
return cls._load_object(context, db_obj)
def get_object(cls, context, **kwargs):
"""
Return the first result of given context or None if the result doesn't
contain any row. Next, convert it to a versioned object.
:param context:
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class or None
"""
lookup_keys = set(kwargs.keys())
all_keys = itertools.chain([cls.primary_keys], cls.unique_keys)
if not any(lookup_keys.issuperset(keys) for keys in all_keys):
missing_keys = set(cls.primary_keys).difference(lookup_keys)
raise o_exc.NeutronPrimaryKeyMissing(object_class=cls,
missing_keys=missing_keys)
with cls.db_context_reader(context):
db_obj = obj_db_api.get_object(
cls, context, **cls.modify_fields_to_db(kwargs))
if db_obj:
return cls._load_object(context, db_obj)
def get_object(cls, context, **kwargs):
"""
Fetch object from DB and convert it to a versioned object.
:param context:
:param kwargs: multiple keys defined by key=value pairs
:return: single object of NeutronDbObject class
"""
lookup_keys = set(kwargs.keys())
all_keys = itertools.chain([cls.primary_keys], cls.unique_keys)
if not any(lookup_keys.issuperset(keys) for keys in all_keys):
missing_keys = set(cls.primary_keys).difference(lookup_keys)
raise o_exc.NeutronPrimaryKeyMissing(object_class=cls.__name__,
missing_keys=missing_keys)
with db_api.autonested_transaction(context.session):
db_obj = obj_db_api.get_object(
context, cls.db_model,
**cls.modify_fields_to_db(kwargs)
)
if db_obj:
return cls._load_object(context, db_obj)
def validate_rbac_policy_delete(cls,
resource,
event,
trigger,
payload=None):
"""Callback to handle RBAC_POLICY, BEFORE_DELETE callback.
:raises: RbacPolicyInUse -- in case the policy is in use.
"""
context = payload.context
policy = payload.latest_state
if policy['action'] != models.ACCESS_SHARED:
return
target_tenant = policy['target_tenant']
db_obj = obj_db_api.get_object(cls,
utils.get_elevated_context(context),
id=policy['object_id'])
if db_obj.tenant_id == target_tenant:
return
cls._validate_rbac_policy_delete(context=context,
obj_id=policy['object_id'],
target_tenant=target_tenant)
def validate_rbac_policy_delete(cls,
resource,
event,
trigger,
payload=None):
"""Callback to handle RBAC_POLICY, BEFORE_DELETE callback.
:raises: RbacPolicyInUse -- in case the policy is in use.
"""
context = payload.context
policy = payload.latest_state
if policy['action'] != models.ACCESS_SHARED:
return
target_project = policy['target_project']
elevated_context = context.elevated()
with db_api.CONTEXT_READER.using(elevated_context):
db_obj = obj_db_api.get_object(cls,
elevated_context,
id=policy['object_id'])
if db_obj.project_id == target_project:
return
cls._validate_rbac_policy_delete(context, policy['object_id'],
target_project)
def _get_object_policy(cls, context, binding_cls, **kwargs):
with cls.db_context_reader(context):
binding_db_obj = obj_db_api.get_object(binding_cls, context,
**kwargs)
if binding_db_obj:
return cls.get_object(context, id=binding_db_obj['policy_id'])
def _get_object_policy(cls, context, model, **kwargs):
with db_api.autonested_transaction(context.session):
binding_db_obj = obj_db_api.get_object(context, model, **kwargs)
if binding_db_obj:
return cls.get_object(context, id=binding_db_obj['policy_id'])
def test_get_object_with_None_value_in_filters(self):
obj = api.create_object(self.ctxt, self.model, {'name': 'foo'})
new_obj = api.get_object(
self.ctxt, self.model, name='foo', status=None)
self.assertEqual(obj, new_obj)
def _get_object_policy(cls, context, binding_cls, **kwargs):
with cls.db_context_reader(context):
binding_db_obj = obj_db_api.get_object(binding_cls, context,
**kwargs)
if binding_db_obj:
return cls.get_object(context, id=binding_db_obj['policy_id'])
def _create_fip_qos_db(self, context, fip_id, policy_id):
policy = self._get_policy_obj(context, policy_id)
policy.attach_floatingip(fip_id)
binding_db_obj = obj_db_api.get_object(
context, policy.fip_binding_model, fip_id=fip_id)
return binding_db_obj
def _get_object_policy(cls, context, model, **kwargs):
with db_api.autonested_transaction(context.session):
binding_db_obj = obj_db_api.get_object(context, model, **kwargs)
if binding_db_obj:
return cls.get_object(context, id=binding_db_obj['policy_id'])