if name in self._member_actions:
def _handle_action(request, id, **kwargs):
arg_list = [request.context, id]
+ # Ensure policy engine is initialized
+ policy.init()
# Fetch the resource and verify if the user can access it
try:
resource = self._item(request, id, True)
# Explicit comparison with None to distinguish from {}
if body is not None:
arg_list.append(body)
- # TODO(salvatore-orlando): bp/make-authz-ortogonal
- # The body of the action request should be included
- # in the info passed to the policy engine
# It is ok to raise a 403 because accessibility to the
# object was checked earlier in this method
policy.enforce(request.context, name, resource)
pagination_links = pagination_helper.get_links(obj_list)
if pagination_links:
collection[self._collection + "_links"] = pagination_links
-
return collection
def _item(self, request, id, do_authz=False, field_list=None,
def index(self, request, **kwargs):
"""Returns a list of the requested entity."""
parent_id = kwargs.get(self._parent_id_name)
+ # Ensure policy engine is initialized
+ policy.init()
return self._items(request, True, parent_id)
def show(self, request, id, **kwargs):
field_list, added_fields = self._do_field_list(
api_common.list_args(request, "fields"))
parent_id = kwargs.get(self._parent_id_name)
+ # Ensure policy engine is initialized
+ policy.init()
return {self._resource:
self._view(request.context,
self._item(request,
else:
items = [body]
bulk = False
+ # Ensure policy engine is initialized
+ policy.init()
for item in items:
self._validate_network_tenant_ownership(request,
item[self._resource])
action = self._plugin_handlers[self.DELETE]
# Check authz
+ policy.init()
parent_id = kwargs.get(self._parent_id_name)
obj = self._item(request, id, parent_id=parent_id)
try:
if (value.get('required_by_policy') or
value.get('primary_key') or
'default' not in value)]
+ # Ensure policy engine is initialized
+ policy.init()
orig_obj = self._item(request, id, field_list=field_list,
parent_id=parent_id)
orig_object_copy = copy.copy(orig_obj)
action is being executed
(e.g.: create_router:external_gateway_info:network_id)
"""
-
match_rule = policy.RuleCheck('rule', action)
resource, is_write = get_resource_and_action(action)
# Attribute-based checks shall not be enforced on GETs
def _prepare_check(context, action, target):
"""Prepare rule, target, and credentials for the policy engine."""
- init()
# Compare with None to distinguish case in which target is {}
if target is None:
target = {}
:raises neutron.exceptions.PolicyNotAuthorized: if verification fails.
"""
- init()
rule, target, credentials = _prepare_check(context, action, target)
result = policy.check(rule, target, credentials, action=action)
if not result:
action = "example:test"
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": ""}""")
+ policy.init()
policy.enforce(self.context, action, self.target)
with open(tmpfilename, "w") as policyfile:
policyfile.write("""{"example:test": "!"}""")
# NOTE(vish): reset stored policy cache so we don't have to
# sleep(1)
policy._POLICY_CACHE = {}
+ policy.init()
self.assertRaises(exceptions.PolicyNotAuthorized,
policy.enforce,
self.context,
# Trigger a policy with rule admin_or_owner
action = "create_network"
target = {'tenant_id': 'fake'}
+ policy.init()
self.assertRaises(exceptions.PolicyCheckError,
policy.enforce,
self.context, action, target)
Code Review / openstack-build / neutron-build.git / commitdiff