Merge "Prioritize policy validation"
This commit is contained in:
commit
265e4cbd98
|
@ -196,16 +196,19 @@ class HealthMonitorController(base.BaseController):
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
health_monitor = health_monitor_.healthmonitor
|
health_monitor = health_monitor_.healthmonitor
|
||||||
|
|
||||||
if (not CONF.api_settings.allow_ping_health_monitors and
|
|
||||||
health_monitor.type == consts.HEALTH_MONITOR_PING):
|
|
||||||
raise exceptions.DisabledOption(
|
|
||||||
option='type', value=consts.HEALTH_MONITOR_PING)
|
|
||||||
|
|
||||||
pool = self._get_db_pool(context.session, health_monitor.pool_id)
|
pool = self._get_db_pool(context.session, health_monitor.pool_id)
|
||||||
|
|
||||||
health_monitor.project_id, provider = self._get_lb_project_id_provider(
|
health_monitor.project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, pool.load_balancer_id)
|
context.session, pool.load_balancer_id)
|
||||||
|
|
||||||
|
self._auth_validate_action(context, health_monitor.project_id,
|
||||||
|
consts.RBAC_POST)
|
||||||
|
|
||||||
|
if (not CONF.api_settings.allow_ping_health_monitors and
|
||||||
|
health_monitor.type == consts.HEALTH_MONITOR_PING):
|
||||||
|
raise exceptions.DisabledOption(
|
||||||
|
option='type', value=consts.HEALTH_MONITOR_PING)
|
||||||
|
|
||||||
if pool.protocol == consts.PROTOCOL_UDP:
|
if pool.protocol == consts.PROTOCOL_UDP:
|
||||||
self._validate_healthmonitor_request_for_udp(health_monitor)
|
self._validate_healthmonitor_request_for_udp(health_monitor)
|
||||||
else:
|
else:
|
||||||
|
@ -215,9 +218,6 @@ class HealthMonitorController(base.BaseController):
|
||||||
"%(protocol)s.") % {'type': health_monitor.type,
|
"%(protocol)s.") % {'type': health_monitor.type,
|
||||||
'protocol': consts.PROTOCOL_UDP})
|
'protocol': consts.PROTOCOL_UDP})
|
||||||
|
|
||||||
self._auth_validate_action(context, health_monitor.project_id,
|
|
||||||
consts.RBAC_POST)
|
|
||||||
|
|
||||||
# Load the driver early as it also provides validation
|
# Load the driver early as it also provides validation
|
||||||
driver = driver_factory.get_driver(provider)
|
driver = driver_factory.get_driver(provider)
|
||||||
|
|
||||||
|
|
|
@ -117,6 +117,7 @@ class L7PolicyController(base.BaseController):
|
||||||
"""Creates a l7policy on a listener."""
|
"""Creates a l7policy on a listener."""
|
||||||
l7policy = l7policy_.l7policy
|
l7policy = l7policy_.l7policy
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
|
|
||||||
# Verify the parent listener exists
|
# Verify the parent listener exists
|
||||||
listener_id = l7policy.listener_id
|
listener_id = l7policy.listener_id
|
||||||
listener = self._get_db_listener(
|
listener = self._get_db_listener(
|
||||||
|
@ -124,15 +125,16 @@ class L7PolicyController(base.BaseController):
|
||||||
load_balancer_id = listener.load_balancer_id
|
load_balancer_id = listener.load_balancer_id
|
||||||
l7policy.project_id, provider = self._get_lb_project_id_provider(
|
l7policy.project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, load_balancer_id)
|
context.session, load_balancer_id)
|
||||||
|
|
||||||
|
self._auth_validate_action(context, l7policy.project_id,
|
||||||
|
constants.RBAC_POST)
|
||||||
|
|
||||||
# Make sure any pool specified by redirect_pool_id exists
|
# Make sure any pool specified by redirect_pool_id exists
|
||||||
if l7policy.redirect_pool_id:
|
if l7policy.redirect_pool_id:
|
||||||
db_pool = self._get_db_pool(
|
db_pool = self._get_db_pool(
|
||||||
context.session, l7policy.redirect_pool_id)
|
context.session, l7policy.redirect_pool_id)
|
||||||
self._validate_protocol(listener.protocol, db_pool.protocol)
|
self._validate_protocol(listener.protocol, db_pool.protocol)
|
||||||
|
|
||||||
self._auth_validate_action(context, l7policy.project_id,
|
|
||||||
constants.RBAC_POST)
|
|
||||||
|
|
||||||
# Load the driver early as it also provides validation
|
# Load the driver early as it also provides validation
|
||||||
driver = driver_factory.get_driver(provider)
|
driver = driver_factory.get_driver(provider)
|
||||||
|
|
||||||
|
@ -200,6 +202,16 @@ class L7PolicyController(base.BaseController):
|
||||||
def put(self, id, l7policy_):
|
def put(self, id, l7policy_):
|
||||||
"""Updates a l7policy."""
|
"""Updates a l7policy."""
|
||||||
l7policy = l7policy_.l7policy
|
l7policy = l7policy_.l7policy
|
||||||
|
context = pecan_request.context.get('octavia_context')
|
||||||
|
db_l7policy = self._get_db_l7policy(context.session, id,
|
||||||
|
show_deleted=False)
|
||||||
|
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
|
||||||
|
db_l7policy)
|
||||||
|
project_id, provider = self._get_lb_project_id_provider(
|
||||||
|
context.session, load_balancer_id)
|
||||||
|
|
||||||
|
self._auth_validate_action(context, project_id, constants.RBAC_PUT)
|
||||||
|
|
||||||
l7policy_dict = validate.sanitize_l7policy_api_args(
|
l7policy_dict = validate.sanitize_l7policy_api_args(
|
||||||
l7policy.to_dict(render_unsets=False))
|
l7policy.to_dict(render_unsets=False))
|
||||||
# Reset renamed attributes
|
# Reset renamed attributes
|
||||||
|
@ -207,10 +219,7 @@ class L7PolicyController(base.BaseController):
|
||||||
if val in l7policy_dict:
|
if val in l7policy_dict:
|
||||||
l7policy_dict[attr] = l7policy_dict.pop(val)
|
l7policy_dict[attr] = l7policy_dict.pop(val)
|
||||||
sanitized_l7policy = l7policy_types.L7PolicyPUT(**l7policy_dict)
|
sanitized_l7policy = l7policy_types.L7PolicyPUT(**l7policy_dict)
|
||||||
context = pecan_request.context.get('octavia_context')
|
|
||||||
|
|
||||||
db_l7policy = self._get_db_l7policy(context.session, id,
|
|
||||||
show_deleted=False)
|
|
||||||
listener = self._get_db_listener(
|
listener = self._get_db_listener(
|
||||||
context.session, db_l7policy.listener_id)
|
context.session, db_l7policy.listener_id)
|
||||||
# Make sure any specified redirect_pool_id exists
|
# Make sure any specified redirect_pool_id exists
|
||||||
|
@ -218,12 +227,6 @@ class L7PolicyController(base.BaseController):
|
||||||
db_pool = self._get_db_pool(
|
db_pool = self._get_db_pool(
|
||||||
context.session, l7policy_dict['redirect_pool_id'])
|
context.session, l7policy_dict['redirect_pool_id'])
|
||||||
self._validate_protocol(listener.protocol, db_pool.protocol)
|
self._validate_protocol(listener.protocol, db_pool.protocol)
|
||||||
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
|
|
||||||
db_l7policy)
|
|
||||||
project_id, provider = self._get_lb_project_id_provider(
|
|
||||||
context.session, load_balancer_id)
|
|
||||||
|
|
||||||
self._auth_validate_action(context, project_id, constants.RBAC_PUT)
|
|
||||||
|
|
||||||
# Load the driver early as it also provides validation
|
# Load the driver early as it also provides validation
|
||||||
driver = driver_factory.get_driver(provider)
|
driver = driver_factory.get_driver(provider)
|
||||||
|
|
|
@ -123,10 +123,6 @@ class L7RuleController(base.BaseController):
|
||||||
def post(self, rule_):
|
def post(self, rule_):
|
||||||
"""Creates a l7rule on an l7policy."""
|
"""Creates a l7rule on an l7policy."""
|
||||||
l7rule = rule_.rule
|
l7rule = rule_.rule
|
||||||
try:
|
|
||||||
validate.l7rule_data(l7rule)
|
|
||||||
except Exception as e:
|
|
||||||
raise exceptions.L7RuleValidation(error=e)
|
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
|
|
||||||
db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
|
db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
|
||||||
|
@ -135,12 +131,16 @@ class L7RuleController(base.BaseController):
|
||||||
db_l7policy)
|
db_l7policy)
|
||||||
l7rule.project_id, provider = self._get_lb_project_id_provider(
|
l7rule.project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, load_balancer_id)
|
context.session, load_balancer_id)
|
||||||
|
|
||||||
self._check_l7policy_max_rules(context.session)
|
|
||||||
|
|
||||||
self._auth_validate_action(context, l7rule.project_id,
|
self._auth_validate_action(context, l7rule.project_id,
|
||||||
constants.RBAC_POST)
|
constants.RBAC_POST)
|
||||||
|
|
||||||
|
try:
|
||||||
|
validate.l7rule_data(l7rule)
|
||||||
|
except Exception as e:
|
||||||
|
raise exceptions.L7RuleValidation(error=e)
|
||||||
|
|
||||||
|
self._check_l7policy_max_rules(context.session)
|
||||||
|
|
||||||
# Load the driver early as it also provides validation
|
# Load the driver early as it also provides validation
|
||||||
driver = driver_factory.get_driver(provider)
|
driver = driver_factory.get_driver(provider)
|
||||||
|
|
||||||
|
@ -192,15 +192,6 @@ class L7RuleController(base.BaseController):
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
db_l7rule = self._get_db_l7rule(context.session, id,
|
db_l7rule = self._get_db_l7rule(context.session, id,
|
||||||
show_deleted=False)
|
show_deleted=False)
|
||||||
|
|
||||||
# Handle the invert unset
|
|
||||||
if l7rule.invert is None:
|
|
||||||
l7rule.invert = False
|
|
||||||
|
|
||||||
new_l7rule = db_l7rule.to_dict()
|
|
||||||
new_l7rule.update(l7rule.to_dict())
|
|
||||||
new_l7rule = data_models.L7Rule.from_dict(new_l7rule)
|
|
||||||
|
|
||||||
db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
|
db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
|
||||||
show_deleted=False)
|
show_deleted=False)
|
||||||
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
|
load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
|
||||||
|
@ -210,6 +201,14 @@ class L7RuleController(base.BaseController):
|
||||||
|
|
||||||
self._auth_validate_action(context, project_id, constants.RBAC_PUT)
|
self._auth_validate_action(context, project_id, constants.RBAC_PUT)
|
||||||
|
|
||||||
|
# Handle the invert unset
|
||||||
|
if l7rule.invert is None:
|
||||||
|
l7rule.invert = False
|
||||||
|
|
||||||
|
new_l7rule = db_l7rule.to_dict()
|
||||||
|
new_l7rule.update(l7rule.to_dict())
|
||||||
|
new_l7rule = data_models.L7Rule.from_dict(new_l7rule)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
validate.l7rule_data(new_l7rule)
|
validate.l7rule_data(new_l7rule)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
|
|
|
@ -146,12 +146,6 @@ class MemberController(base.BaseController):
|
||||||
member = member_.member
|
member = member_.member
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
|
|
||||||
validate.ip_not_reserved(member.address)
|
|
||||||
|
|
||||||
# Validate member subnet
|
|
||||||
if (member.subnet_id and
|
|
||||||
not validate.subnet_exists(member.subnet_id, context=context)):
|
|
||||||
raise exceptions.NotFound(resource='Subnet', id=member.subnet_id)
|
|
||||||
pool = self.repositories.pool.get(context.session, id=self.pool_id)
|
pool = self.repositories.pool.get(context.session, id=self.pool_id)
|
||||||
member.project_id, provider = self._get_lb_project_id_provider(
|
member.project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, pool.load_balancer_id)
|
context.session, pool.load_balancer_id)
|
||||||
|
@ -159,6 +153,13 @@ class MemberController(base.BaseController):
|
||||||
self._auth_validate_action(context, member.project_id,
|
self._auth_validate_action(context, member.project_id,
|
||||||
constants.RBAC_POST)
|
constants.RBAC_POST)
|
||||||
|
|
||||||
|
validate.ip_not_reserved(member.address)
|
||||||
|
|
||||||
|
# Validate member subnet
|
||||||
|
if (member.subnet_id and
|
||||||
|
not validate.subnet_exists(member.subnet_id, context=context)):
|
||||||
|
raise exceptions.NotFound(resource='Subnet', id=member.subnet_id)
|
||||||
|
|
||||||
# Load the driver early as it also provides validation
|
# Load the driver early as it also provides validation
|
||||||
driver = driver_factory.get_driver(provider)
|
driver = driver_factory.get_driver(provider)
|
||||||
|
|
||||||
|
@ -232,7 +233,6 @@ class MemberController(base.BaseController):
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
db_member = self._get_db_member(context.session, id,
|
db_member = self._get_db_member(context.session, id,
|
||||||
show_deleted=False)
|
show_deleted=False)
|
||||||
|
|
||||||
pool = self.repositories.pool.get(context.session,
|
pool = self.repositories.pool.get(context.session,
|
||||||
id=db_member.pool_id)
|
id=db_member.pool_id)
|
||||||
project_id, provider = self._get_lb_project_id_provider(
|
project_id, provider = self._get_lb_project_id_provider(
|
||||||
|
|
|
@ -203,22 +203,13 @@ class PoolsController(base.BaseController):
|
||||||
# pool_dict:
|
# pool_dict:
|
||||||
pool = pool_.pool
|
pool = pool_.pool
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
if pool.protocol == constants.PROTOCOL_UDP:
|
listener = None
|
||||||
self._validate_pool_request_for_udp(pool)
|
|
||||||
else:
|
|
||||||
if (pool.session_persistence and (
|
|
||||||
pool.session_persistence.persistence_timeout or
|
|
||||||
pool.session_persistence.persistence_granularity)):
|
|
||||||
raise exceptions.ValidationException(detail=_(
|
|
||||||
"persistence_timeout and persistence_granularity "
|
|
||||||
"is only for UDP protocol pools."))
|
|
||||||
if pool.loadbalancer_id:
|
if pool.loadbalancer_id:
|
||||||
pool.project_id, provider = self._get_lb_project_id_provider(
|
pool.project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, pool.loadbalancer_id)
|
context.session, pool.loadbalancer_id)
|
||||||
elif pool.listener_id:
|
elif pool.listener_id:
|
||||||
listener = self.repositories.listener.get(
|
listener = self.repositories.listener.get(
|
||||||
context.session, id=pool.listener_id)
|
context.session, id=pool.listener_id)
|
||||||
self._validate_protocol(listener.protocol, pool.protocol)
|
|
||||||
pool.loadbalancer_id = listener.load_balancer_id
|
pool.loadbalancer_id = listener.load_balancer_id
|
||||||
pool.project_id, provider = self._get_lb_project_id_provider(
|
pool.project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, pool.loadbalancer_id)
|
context.session, pool.loadbalancer_id)
|
||||||
|
@ -230,6 +221,19 @@ class PoolsController(base.BaseController):
|
||||||
self._auth_validate_action(context, pool.project_id,
|
self._auth_validate_action(context, pool.project_id,
|
||||||
constants.RBAC_POST)
|
constants.RBAC_POST)
|
||||||
|
|
||||||
|
if pool.listener_id and listener:
|
||||||
|
self._validate_protocol(listener.protocol, pool.protocol)
|
||||||
|
|
||||||
|
if pool.protocol == constants.PROTOCOL_UDP:
|
||||||
|
self._validate_pool_request_for_udp(pool)
|
||||||
|
else:
|
||||||
|
if (pool.session_persistence and (
|
||||||
|
pool.session_persistence.persistence_timeout or
|
||||||
|
pool.session_persistence.persistence_granularity)):
|
||||||
|
raise exceptions.ValidationException(detail=_(
|
||||||
|
"persistence_timeout and persistence_granularity "
|
||||||
|
"is only for UDP protocol pools."))
|
||||||
|
|
||||||
if pool.session_persistence:
|
if pool.session_persistence:
|
||||||
sp_dict = pool.session_persistence.to_dict(render_unsets=False)
|
sp_dict = pool.session_persistence.to_dict(render_unsets=False)
|
||||||
validate.check_session_persistence(sp_dict)
|
validate.check_session_persistence(sp_dict)
|
||||||
|
@ -467,15 +471,16 @@ class PoolsController(base.BaseController):
|
||||||
"""Deletes a pool from a load balancer."""
|
"""Deletes a pool from a load balancer."""
|
||||||
context = pecan_request.context.get('octavia_context')
|
context = pecan_request.context.get('octavia_context')
|
||||||
db_pool = self._get_db_pool(context.session, id, show_deleted=False)
|
db_pool = self._get_db_pool(context.session, id, show_deleted=False)
|
||||||
if db_pool.l7policies:
|
|
||||||
raise exceptions.PoolInUseByL7Policy(
|
|
||||||
id=db_pool.id, l7policy_id=db_pool.l7policies[0].id)
|
|
||||||
|
|
||||||
project_id, provider = self._get_lb_project_id_provider(
|
project_id, provider = self._get_lb_project_id_provider(
|
||||||
context.session, db_pool.load_balancer_id)
|
context.session, db_pool.load_balancer_id)
|
||||||
|
|
||||||
self._auth_validate_action(context, project_id, constants.RBAC_DELETE)
|
self._auth_validate_action(context, project_id, constants.RBAC_DELETE)
|
||||||
|
|
||||||
|
if db_pool.l7policies:
|
||||||
|
raise exceptions.PoolInUseByL7Policy(
|
||||||
|
id=db_pool.id, l7policy_id=db_pool.l7policies[0].id)
|
||||||
|
|
||||||
# Load the driver early as it also provides validation
|
# Load the driver early as it also provides validation
|
||||||
driver = driver_factory.get_driver(provider)
|
driver = driver_factory.get_driver(provider)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue