From 0c0c60fecb644a8cb9d40435f52a06ff6a9d0af0 Mon Sep 17 00:00:00 2001 From: Anindita Das Date: Tue, 21 Mar 2017 03:37:25 +0000 Subject: [PATCH] [Pecan] Fix custom tenant_id project_id matching This patch fixes the missing custom tenant_id and project_id matching on policy_enforcement.py Change-Id: I278759f6b65cce7caa4f66fa694488b75f0459b6 Closes-Bug: #1674517 (cherry picked from commit 0193777e60216844019963f785cd28ca205c42a4) --- .../pecan_wsgi/hooks/policy_enforcement.py | 12 +++++++++++ .../functional/pecan_wsgi/test_controllers.py | 21 +++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/neutron/pecan_wsgi/hooks/policy_enforcement.py b/neutron/pecan_wsgi/hooks/policy_enforcement.py index c2499a7a007..9a0f39497a1 100644 --- a/neutron/pecan_wsgi/hooks/policy_enforcement.py +++ b/neutron/pecan_wsgi/hooks/policy_enforcement.py @@ -220,6 +220,13 @@ class PolicyHook(hooks.PecanHook): """ attributes_to_exclude = [] for attr_name in data.keys(): + # TODO(amotoki): All attribute maps have tenant_id and + # it determines excluded attributes based on tenant_id. + # We need to migrate tenant_id to project_id later + # as attr_info is referred to in various places and we need + # to check all logs carefully. + if attr_name == 'project_id': + continue attr_data = controller.resource_info.get(attr_name) if attr_data and attr_data['is_visible']: if policy.check( @@ -235,4 +242,9 @@ class PolicyHook(hooks.PecanHook): # if the code reaches this point then either the policy check # failed or the attribute was not visible in the first place attributes_to_exclude.append(attr_name) + # TODO(amotoki): As mentioned in the above TODO, + # we treat project_id and tenant_id equivalently. + # This should be migrated to project_id later. + if attr_name == 'tenant_id': + attributes_to_exclude.append('project_id') return attributes_to_exclude diff --git a/neutron/tests/functional/pecan_wsgi/test_controllers.py b/neutron/tests/functional/pecan_wsgi/test_controllers.py index edd482ee976..9f04aee68ce 100644 --- a/neutron/tests/functional/pecan_wsgi/test_controllers.py +++ b/neutron/tests/functional/pecan_wsgi/test_controllers.py @@ -1002,3 +1002,24 @@ class TestParentSubresourceController(test_functional.PecanFunctionalTest): self.assertEqual(200, resp.status_int) self.assertEqual({'fake_duplicates': [{'fake': 'something'}]}, resp.json) + + +class TestExcludeAttributePolicy(test_functional.PecanFunctionalTest): + + def setUp(self): + super(TestExcludeAttributePolicy, self).setUp() + policy.init() + self.addCleanup(policy.reset) + plugin = directory.get_plugin() + ctx = context.get_admin_context() + self.network_id = pecan_utils.create_network(ctx, plugin)['id'] + mock.patch('neutron.pecan_wsgi.controllers.resource.' + 'CollectionsController.get').start() + + def test_get_networks(self): + response = self.app.get('/v2.0/networks/%s.json' % self.network_id, + headers={'X-Project-Id': 'tenid'}) + json_body = jsonutils.loads(response.body) + self.assertEqual(response.status_int, 200) + self.assertEqual('tenid', json_body['network']['project_id']) + self.assertEqual('tenid', json_body['network']['tenant_id'])