예제 #1
    def _exclude_attributes_by_policy(self, context, resource,
                                      collection, data):
        """Collect the attribute names the caller may not see.

        A key of ``data`` is kept only when all three conditions hold: the
        resource's attribute info has an entry for it, that entry is marked
        ``is_visible``, and ``policy.check`` passes for the rule
        ``get_<resource>:<attribute>``. Every other key, including one with
        no attribute info at all, lands in the returned list, so the filter
        denies by default.

        :param context: request context handed to ``policy.check``
        :param resource: resource name used to build the policy rule
        :param collection: forwarded to ``policy.check`` as ``pluralized``
        :param data: mapping whose keys are the candidate attribute names;
            also forwarded to ``policy.check`` as its third argument
        :returns: list of attribute names to strip from the response
        """
        hidden = []
        for name in data.keys():
            info = v2_attributes.get_resource_info(resource).get(name)
            # ``and`` short-circuits, so the policy engine is consulted only
            # for attributes that are known and marked visible.
            readable = info and info['is_visible'] and policy.check(
                context,
                # NOTE(kevinbenton): this used to reference a
                # _plugin_handlers dict, why?
                'get_%s:%s' % (resource, name),
                data,
                might_not_exist=True,
                pluralized=collection)
            if not readable:
                # unknown, not visible, or rejected by policy: strip it
                hidden.append(name)
        return hidden
예제 #2
 def _fetch_resource(self, neutron_context, resource, resource_id):
     """Load one resource through its plugin's ``get_<resource>`` method.

     Only a subset of fields is requested: those flagged
     ``required_by_policy`` or ``primary_key``, plus those that declare no
     ``default``.

     :param neutron_context: request context forwarded to the plugin getter
     :param resource: resource name; also interpolated into the getter name
     :param resource_id: identifier forwarded to the plugin getter
     :returns: whatever the plugin getter returns
     """
     wanted_fields = []
     for field, spec in v2_attributes.get_resource_info(resource).items():
         if (spec.get('required_by_policy') or spec.get('primary_key')
                 or 'default' not in spec):
             wanted_fields.append(field)
     plugin = manager.NeutronManager.get_plugin_for_resource(resource)
     # NOTE(review): a missing plugin is not handled here; getattr raises
     # AttributeError if get_plugin_for_resource returned None.
     # TODO(kevinbenton): the parent_id logic currently in base.py
     fetch = getattr(plugin, 'get_%s' % resource)
     return fetch(neutron_context, resource_id, fields=wanted_fields)
 def _fetch_resource(self, neutron_context, resource, resource_id):
     """Load the stored object for ``resource_id`` ahead of policy checks.

     When a plugin serves the resource, its ``get_<resource>`` method is
     called with a reduced field list: fields flagged
     ``required_by_policy`` or ``primary_key``, plus fields that declare no
     ``default``. When no plugin is found, ``_custom_getter`` is used.

     :param neutron_context: request context forwarded to the plugin getter
     :param resource: resource name; also interpolated into the getter name
     :param resource_id: identifier of the object to load
     :returns: the result of the plugin getter or of ``_custom_getter``
     """
     resource_info = v2_attributes.get_resource_info(resource)
     wanted_fields = [
         field for field, spec in resource_info.items()
         if (spec.get('required_by_policy') or spec.get('primary_key')
             or 'default' not in spec)
     ]
     plugin = manager.NeutronManager.get_plugin_for_resource(resource)
     if not plugin:
         # Some legit resources, like quota, do not have a plugin yet.
         # Retrieving the original object is nevertheless important
         # for policy checks.
         # NOTE(review): this path is not handed the request context, so
         # confirm that scoping is enforced by the policy check that follows.
         return _custom_getter(resource, resource_id)
     # TODO(kevinbenton): the parent_id logic currently in base.py
     fetch = getattr(plugin, 'get_%s' % resource)
     return fetch(neutron_context, resource_id, fields=wanted_fields)
예제 #4
 def _fetch_resource(self, neutron_context, resource, resource_id):
     """Fetch the original object so policy checks have something to test.

     The plugin's ``get_<resource>`` method is asked for fields flagged
     ``required_by_policy`` or ``primary_key`` and for fields that declare
     no ``default``. Resources without a plugin go through
     ``_custom_getter`` instead.

     :param neutron_context: request context forwarded to the plugin getter
     :param resource: resource name; also interpolated into the getter name
     :param resource_id: identifier of the object to load
     :returns: the result of the plugin getter or of ``_custom_getter``
     """
     wanted_fields = []
     for field, spec in v2_attributes.get_resource_info(resource).items():
         needed = (spec.get('required_by_policy') or spec.get('primary_key')
                   or 'default' not in spec)
         if needed:
             wanted_fields.append(field)
     plugin = manager.NeutronManager.get_plugin_for_resource(resource)
     if not plugin:
         # Some legit resources, like quota, do not have a plugin yet.
         # Retrieving the original object is nevertheless important
         # for policy checks.
         # NOTE(review): neutron_context is not passed on this path; verify
         # that the fallback getter's result is still subject to policy.
         return _custom_getter(resource, resource_id)
     # TODO(kevinbenton): the parent_id logic currently in base.py
     plugin_getter = getattr(plugin, 'get_%s' % resource)
     return plugin_getter(neutron_context, resource_id, fields=wanted_fields)
예제 #5
def fetch_resource(neutron_context, resource, resource_id):
    """Load the stored object for ``resource_id`` ahead of policy checks.

    Returns ``None`` when no attribute info is known for ``resource``.
    Otherwise the plugin's ``get_<resource>`` method is called with a
    reduced field list (fields flagged ``required_by_policy`` or
    ``primary_key``, plus fields that declare no ``default``), or
    ``_custom_getter`` is used when no plugin is found.

    :param neutron_context: request context forwarded to the plugin getter
    :param resource: resource name; also interpolated into the getter name
    :param resource_id: identifier of the object to load
    :returns: the loaded object, or ``None`` for a non-standard resource
    """
    resource_info = v2_attributes.get_resource_info(resource)
    if not resource_info:
        # this isn't a request for a normal resource. it could be
        # an action like removing a network from a dhcp agent.
        # return None and assume the custom controller for this will
        # handle the necessary logic.
        # NOTE(review): None means "nothing was loaded", not "allowed";
        # confirm callers do not skip enforcement on this result.
        return None
    wanted_fields = []
    for field, spec in resource_info.items():
        if (spec.get('required_by_policy') or spec.get('primary_key')
                or 'default' not in spec):
            wanted_fields.append(field)
    plugin = manager.NeutronManager.get_plugin_for_resource(resource)
    if not plugin:
        # Some legit resources, like quota, do not have a plugin yet.
        # Retrieving the original object is nevertheless important
        # for policy checks.
        return _custom_getter(resource, resource_id)
    # TODO(kevinbenton): the parent_id logic currently in base.py
    fetch = getattr(plugin, 'get_%s' % resource)
    return fetch(neutron_context, resource_id, fields=wanted_fields)
예제 #6
def fetch_resource(neutron_context, resource, resource_id):
    """Fetch the original object so policy checks have something to test.

    A resource with no attribute info yields ``None``. For a known
    resource the plugin's ``get_<resource>`` method is asked for the
    fields flagged ``required_by_policy`` or ``primary_key`` and for fields
    that declare no ``default``. Without a plugin, ``_custom_getter`` is
    used instead.

    :param neutron_context: request context forwarded to the plugin getter
    :param resource: resource name; also interpolated into the getter name
    :param resource_id: identifier of the object to load
    :returns: the loaded object, or ``None`` for a non-standard resource
    """
    resource_info = v2_attributes.get_resource_info(resource)
    if not resource_info:
        # this isn't a request for a normal resource. it could be
        # an action like removing a network from a dhcp agent.
        # return None and assume the custom controller for this will
        # handle the necessary logic.
        return None

    wanted_fields = [
        field for field, spec in resource_info.items()
        if (spec.get('required_by_policy') or spec.get('primary_key')
            or 'default' not in spec)
    ]

    plugin = manager.NeutronManager.get_plugin_for_resource(resource)
    if not plugin:
        # Some legit resources, like quota, do not have a plugin yet.
        # Retrieving the original object is nevertheless important
        # for policy checks.
        # NOTE(review): the request context is not passed on this path;
        # verify that the result is still subject to the policy check.
        return _custom_getter(resource, resource_id)

    # TODO(kevinbenton): the parent_id logic currently in base.py
    plugin_getter = getattr(plugin, 'get_%s' % resource)
    return plugin_getter(neutron_context, resource_id, fields=wanted_fields)
예제 #7
 def test_get_resource_info_cached(self):
     """A pre-seeded REVERSED_PLURALS entry avoids reading PLURALS.

     With ``REVERSED_PLURALS['port']`` already set, the lookup must still
     return the port attributes and must not call ``PLURALS.items``.
     """
     plurals_target = 'neutron.api.v2.attributes.PLURALS'
     with mock.patch(plurals_target) as plurals_mock:
         # seed the reverse map on the real module; only PLURALS is patched
         attributes.REVERSED_PLURALS['port'] = 'ports'
         port_info = attributes.get_resource_info('port')
         self._verify_port_attributes(port_info)
     items_calls = plurals_mock.items.call_count
     self.assertEqual(0, items_calls)
예제 #8
 def test_get_resource_info_missing(self):
     """An unknown resource name yields a falsy result."""
     unknown_info = attributes.get_resource_info('meh')
     self.assertFalse(unknown_info)
예제 #9
 def test_get_resource_info(self):
     """An uncached lookup returns port attributes and records the entry."""
     # start without a reverse-plural entry for 'port'
     attributes.REVERSED_PLURALS.pop('port', None)
     port_info = attributes.get_resource_info('port')
     self._verify_port_attributes(port_info)
     # the lookup must have added the entry as a side effect
     reverse_map = attributes.REVERSED_PLURALS
     self.assertIn('port', reverse_map)
예제 #10
 def test_get_resource_info_cached(self):
     """A pre-seeded REVERSED_PLURALS entry avoids reading PLURALS.

     With ``REVERSED_PLURALS["port"]`` already set, the lookup must still
     return the port attributes and must not call ``PLURALS.items``.
     """
     plurals_target = "neutron.api.v2.attributes.PLURALS"
     with mock.patch(plurals_target) as plurals_mock:
         # seed the reverse map on the real module; only PLURALS is patched
         attributes.REVERSED_PLURALS["port"] = "ports"
         port_info = attributes.get_resource_info("port")
         self._verify_port_attributes(port_info)
     items_calls = plurals_mock.items.call_count
     self.assertEqual(0, items_calls)
예제 #11
 def test_get_resource_info_missing(self):
     """An unknown resource name yields a falsy result."""
     unknown_info = attributes.get_resource_info("meh")
     self.assertFalse(unknown_info)
예제 #12
 def test_get_resource_info(self):
     """An uncached lookup returns port attributes and records the entry."""
     # start without a reverse-plural entry for "port"
     attributes.REVERSED_PLURALS.pop("port", None)
     port_info = attributes.get_resource_info("port")
     self._verify_port_attributes(port_info)
     # the lookup must have added the entry as a side effect
     reverse_map = attributes.REVERSED_PLURALS
     self.assertIn("port", reverse_map)