Merge "Filter by project id in list_security_groups"

2020-04-16 08:13:17 +00:00 · 2020-04-16 08:13:17 +00:00 · 1e168df5ec
parent ab69088d04 fe55842f72
commit 1e168df5ec
3 changed files with 8 additions and 33 deletions
--- a/heat/engine/clients/os/neutron/init.py
+++ b/heat/engine/clients/os/neutron/init.py
@ -167,7 +167,11 @@ class NeutronClientPlugin(os_client.ExtensionMixin,
                seclist.append(sg)
            else:
                if not all_groups:
-                    response = self.client().list_security_groups()
+                    # filtering by project_id so that if the user
+                    # has access to multiple (like admin)
+                    # only groups from the token scope are returned
+                    response = self.client().list_security_groups(
+                        project_id=self.context.project_id)
                    all_groups = response['security_groups']
                same_name_groups = [g for g in all_groups if g['name'] == sg]
                groups = [g['id'] for g in same_name_groups]
@ -176,15 +180,7 @@ class NeutronClientPlugin(os_client.ExtensionMixin,
                elif len(groups) == 1:
                    seclist.append(groups[0])
                else:
-                    # for admin roles, can get the other users'
-                    # securityGroups, so we should match the tenant_id with
-                    # the groups, and return the own one
-                    own_groups = [g['id'] for g in same_name_groups
-                                  if g['tenant_id'] == self.context.tenant_id]
-                    if len(own_groups) == 1:
-                        seclist.append(own_groups[0])
-                    else:
-                        raise exception.PhysicalResourceNameAmbiguity(name=sg)
+                    raise exception.PhysicalResourceNameAmbiguity(name=sg)
        return seclist

    def _resolve_resource_path(self, resource):
--- a/heat/tests/aws/test_instance.py
+++ b/heat/tests/aws/test_instance.py
@ -1385,7 +1385,8 @@ class InstancesTest(common.HeatTestCase):

            self.nclient.create_port.assert_called_with({'port': props})
        if not all_uuids:
-            self.nclient.list_security_groups.assert_called_once_with()
+            self.nclient.list_security_groups.assert_called_once_with(
+                project_id=mock.ANY)

    def _get_fake_properties(self, sg='one'):
        fake_groups_list = {
--- a/heat/tests/clients/test_neutron_client.py
+++ b/heat/tests/clients/test_neutron_client.py
@ -64,28 +64,6 @@ class NeutronClientPluginTest(NeutronClientPluginTestCase):
            ]
        }
        self.neutron_client.list_security_groups.return_value = fake_list
-        self.assertEqual(expected_groups,
-                         self.neutron_plugin.get_secgroup_uuids(sgs_non_uuid))
-        # test only one belong to the tenant
-        fake_list = {
-            'security_groups': [
-                {
-                    'tenant_id': 'test_tenant_id',
-                    'id': '0389f747-7785-4757-b7bb-2ab07e4b09c3',
-                    'name': 'security_group_1',
-                    'security_group_rules': [],
-                    'description': 'no protocol'
-                },
-                {
-                    'tenant_id': 'not_test_tenant_id',
-                    'id': '384ccd91-447c-4d83-832c-06974a7d3d05',
-                    'name': 'security_group_1',
-                    'security_group_rules': [],
-                    'description': 'no protocol'
-                }
-            ]
-        }
-        self.neutron_client.list_security_groups.return_value = fake_list
        self.assertEqual(expected_groups,
                         self.neutron_plugin.get_secgroup_uuids(sgs_non_uuid))
        # test there are two securityGroups with same name, and the two