[Pecan] Fix custom tenant_id project_id matching

This patch fixes the missing custom tenant_id and project_id matching on policy_enforcement.py Change-Id: I278759f6b65cce7caa4f66fa694488b75f0459b6 Closes-Bug: #1674517 (cherry picked from commit 0193777e60)
2017-03-21 03:37:25 +00:00 · 2017-03-21 03:37:25 +00:00 · 0c0c60fecb
parent 633b452e28
commit 0c0c60fecb
2 changed files with 33 additions and 0 deletions
--- a/neutron/pecan_wsgi/hooks/policy_enforcement.py
+++ b/neutron/pecan_wsgi/hooks/policy_enforcement.py
@ -220,6 +220,13 @@ class PolicyHook(hooks.PecanHook):
        """
        attributes_to_exclude = []
        for attr_name in data.keys():
+            # TODO(amotoki): All attribute maps have tenant_id and
+            # it determines excluded attributes based on tenant_id.
+            # We need to migrate tenant_id to project_id later
+            # as attr_info is referred to in various places and we need
+            # to check all logs carefully.
+            if attr_name == 'project_id':
+                continue
            attr_data = controller.resource_info.get(attr_name)
            if attr_data and attr_data['is_visible']:
                if policy.check(
@ -235,4 +242,9 @@ class PolicyHook(hooks.PecanHook):
            # if the code reaches this point then either the policy check
            # failed or the attribute was not visible in the first place
            attributes_to_exclude.append(attr_name)
+            # TODO(amotoki): As mentioned in the above TODO,
+            # we treat project_id and tenant_id equivalently.
+            # This should be migrated to project_id later.
+            if attr_name == 'tenant_id':
+                attributes_to_exclude.append('project_id')
        return attributes_to_exclude
--- a/neutron/tests/functional/pecan_wsgi/test_controllers.py
+++ b/neutron/tests/functional/pecan_wsgi/test_controllers.py
@ -1002,3 +1002,24 @@ class TestParentSubresourceController(test_functional.PecanFunctionalTest):
        self.assertEqual(200, resp.status_int)
        self.assertEqual({'fake_duplicates': [{'fake': 'something'}]},
                         resp.json)
+
+
+class TestExcludeAttributePolicy(test_functional.PecanFunctionalTest):
+
+    def setUp(self):
+        super(TestExcludeAttributePolicy, self).setUp()
+        policy.init()
+        self.addCleanup(policy.reset)
+        plugin = directory.get_plugin()
+        ctx = context.get_admin_context()
+        self.network_id = pecan_utils.create_network(ctx, plugin)['id']
+        mock.patch('neutron.pecan_wsgi.controllers.resource.'
+                   'CollectionsController.get').start()
+
+    def test_get_networks(self):
+        response = self.app.get('/v2.0/networks/%s.json' % self.network_id,
+                headers={'X-Project-Id': 'tenid'})
+        json_body = jsonutils.loads(response.body)
+        self.assertEqual(response.status_int, 200)
+        self.assertEqual('tenid', json_body['network']['project_id'])
+        self.assertEqual('tenid', json_body['network']['tenant_id'])