def _verify_query_segregation(query, auth_project=None): """Ensure non-admin queries are not constrained to another project.""" auth_project = (auth_project or rbac.get_limited_to_project( pecan.request.headers, pecan.request.enforcer)) if not auth_project: return for q in query: if q.field in ('project', 'project_id') and auth_project != q.value: raise base.ProjectNotAuthorized(q.value)
def _set_ownership(aspect, owner_limitation, header): attr = '%s_id' % aspect requested_owner = getattr(data, attr) explicit_owner = requested_owner != wtypes.Unset caller = pecan.request.headers.get(header) if (owner_limitation and explicit_owner and requested_owner != caller): raise base.ProjectNotAuthorized(requested_owner, aspect) actual_owner = (owner_limitation or requested_owner if explicit_owner else caller) setattr(data, attr, actual_owner)
def get_all(self, project_id=None): """Get resource quotas of a project. - If no project given, get requested user's quota. - Admin user can get resource quotas of any project. """ request_project = pecan.request.headers.get('X-Project-Id') project_id = project_id if project_id else request_project is_admin = rbac.is_admin(pecan.request.headers) if project_id != request_project and not is_admin: raise base.ProjectNotAuthorized(project_id) LOG.debug('Getting resource quotas for project %s', project_id) db_quotas = pecan.request.storage.get_quotas(project_id=project_id) if len(db_quotas) == 0: project_alarm_quota = pecan.request.cfg.api.project_alarm_quota quotas = [{'resource': 'alarms', 'limit': project_alarm_quota}] db_quotas = pecan.request.storage.set_quotas(project_id, quotas) quotas = [Quota.from_db_model(i) for i in db_quotas] return Quotas(project_id=project_id, quotas=quotas)
def check_project_id(subfilter): op, value = list(subfilter.items())[0] if (op.lower() not in self.complex_operators and list(value.keys())[0] == visibility_field and value[visibility_field] != own_project_id): raise base.ProjectNotAuthorized(value[visibility_field])
def get_all(self, q=None, sort=None, limit=None, marker=None): """Return all alarms, based on the query provided. :param q: Filter rules for the alarms to be returned. :param sort: A list of pairs of sort key and sort dir. :param limit: The maximum number of items to be return. :param marker: The pagination query marker. """ target = rbac.target_from_segregation_rule(pecan.request.headers, pecan.request.enforcer) rbac.enforce('get_alarms', pecan.request.headers, pecan.request.enforcer, target) q = q or [] filters = {} # Check field keys = set([query.field for query in q]) if not keys.issubset(ALARM_QUERY_FIELDS_ALLOWED): raise wsme.exc.InvalidInput( 'field', keys, 'only fields %s are allowed' % ALARM_QUERY_FIELDS_ALLOWED) # Check op ops = set([query.op for query in q]) if any([op not in ALARM_QUERY_OPS_ALLOWED for op in ops]): raise wsme.exc.InvalidInput( 'op', ops, 'only operations %s are allowed' % ALARM_QUERY_OPS_ALLOWED) if 'all_projects' in keys: if v2_utils.get_query_value(q, 'all_projects', 'boolean'): rbac.enforce('get_alarms:all_projects', pecan.request.headers, pecan.request.enforcer, target) keys.remove('all_projects') else: project_id = pecan.request.headers.get('X-Project-Id') is_admin = rbac.is_admin(pecan.request.headers) if not v2_utils.is_field_exist(q, 'project_id'): q.append( base.Query(field='project_id', op='eq', value=project_id)) keys.add('project_id') else: request_project = v2_utils.get_query_value(q, 'project_id') if not is_admin and request_project != project_id: raise base.ProjectNotAuthorized(request_project) for query in q: if query.field in keys: filters[query.field] = {query.op: query.get_value(query.type)} if sort or limit or marker: filters['pagination'] = v2_utils.get_pagination_options( sort, limit, marker, models.Alarm) LOG.debug('Getting alarms from database, filters: %s', filters) return [ Alarm.from_db_model_scrubbed(m) for m in pecan.request.storage.get_alarms(**filters) ]