diff --git a/octavia/api/v2/controllers/health_monitor.py b/octavia/api/v2/controllers/health_monitor.py index e8879923ca..cbcaf06020 100644 --- a/octavia/api/v2/controllers/health_monitor.py +++ b/octavia/api/v2/controllers/health_monitor.py @@ -196,16 +196,19 @@ class HealthMonitorController(base.BaseController): context = pecan_request.context.get('octavia_context') health_monitor = health_monitor_.healthmonitor - if (not CONF.api_settings.allow_ping_health_monitors and - health_monitor.type == consts.HEALTH_MONITOR_PING): - raise exceptions.DisabledOption( - option='type', value=consts.HEALTH_MONITOR_PING) - pool = self._get_db_pool(context.session, health_monitor.pool_id) health_monitor.project_id, provider = self._get_lb_project_id_provider( context.session, pool.load_balancer_id) + self._auth_validate_action(context, health_monitor.project_id, + consts.RBAC_POST) + + if (not CONF.api_settings.allow_ping_health_monitors and + health_monitor.type == consts.HEALTH_MONITOR_PING): + raise exceptions.DisabledOption( + option='type', value=consts.HEALTH_MONITOR_PING) + if pool.protocol == consts.PROTOCOL_UDP: self._validate_healthmonitor_request_for_udp(health_monitor) else: @@ -215,9 +218,6 @@ class HealthMonitorController(base.BaseController): "%(protocol)s.") % {'type': health_monitor.type, 'protocol': consts.PROTOCOL_UDP}) - self._auth_validate_action(context, health_monitor.project_id, - consts.RBAC_POST) - # Load the driver early as it also provides validation driver = driver_factory.get_driver(provider) diff --git a/octavia/api/v2/controllers/l7policy.py b/octavia/api/v2/controllers/l7policy.py index 4d31011c1d..9e15ae7eff 100644 --- a/octavia/api/v2/controllers/l7policy.py +++ b/octavia/api/v2/controllers/l7policy.py @@ -117,6 +117,7 @@ class L7PolicyController(base.BaseController): """Creates a l7policy on a listener.""" l7policy = l7policy_.l7policy context = pecan_request.context.get('octavia_context') + # Verify the parent listener exists listener_id = l7policy.listener_id listener = self._get_db_listener( @@ -124,15 +125,16 @@ class L7PolicyController(base.BaseController): load_balancer_id = listener.load_balancer_id l7policy.project_id, provider = self._get_lb_project_id_provider( context.session, load_balancer_id) + + self._auth_validate_action(context, l7policy.project_id, + constants.RBAC_POST) + # Make sure any pool specified by redirect_pool_id exists if l7policy.redirect_pool_id: db_pool = self._get_db_pool( context.session, l7policy.redirect_pool_id) self._validate_protocol(listener.protocol, db_pool.protocol) - self._auth_validate_action(context, l7policy.project_id, - constants.RBAC_POST) - # Load the driver early as it also provides validation driver = driver_factory.get_driver(provider) @@ -200,6 +202,16 @@ class L7PolicyController(base.BaseController): def put(self, id, l7policy_): """Updates a l7policy.""" l7policy = l7policy_.l7policy + context = pecan_request.context.get('octavia_context') + db_l7policy = self._get_db_l7policy(context.session, id, + show_deleted=False) + load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id( + db_l7policy) + project_id, provider = self._get_lb_project_id_provider( + context.session, load_balancer_id) + + self._auth_validate_action(context, project_id, constants.RBAC_PUT) + l7policy_dict = validate.sanitize_l7policy_api_args( l7policy.to_dict(render_unsets=False)) # Reset renamed attributes @@ -207,10 +219,7 @@ class L7PolicyController(base.BaseController): if val in l7policy_dict: l7policy_dict[attr] = l7policy_dict.pop(val) sanitized_l7policy = l7policy_types.L7PolicyPUT(**l7policy_dict) - context = pecan_request.context.get('octavia_context') - db_l7policy = self._get_db_l7policy(context.session, id, - show_deleted=False) listener = self._get_db_listener( context.session, db_l7policy.listener_id) # Make sure any specified redirect_pool_id exists @@ -218,12 +227,6 @@ class L7PolicyController(base.BaseController): db_pool = self._get_db_pool( context.session, l7policy_dict['redirect_pool_id']) self._validate_protocol(listener.protocol, db_pool.protocol) - load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id( - db_l7policy) - project_id, provider = self._get_lb_project_id_provider( - context.session, load_balancer_id) - - self._auth_validate_action(context, project_id, constants.RBAC_PUT) # Load the driver early as it also provides validation driver = driver_factory.get_driver(provider) diff --git a/octavia/api/v2/controllers/l7rule.py b/octavia/api/v2/controllers/l7rule.py index fda37097e4..96718042b8 100644 --- a/octavia/api/v2/controllers/l7rule.py +++ b/octavia/api/v2/controllers/l7rule.py @@ -123,10 +123,6 @@ class L7RuleController(base.BaseController): def post(self, rule_): """Creates a l7rule on an l7policy.""" l7rule = rule_.rule - try: - validate.l7rule_data(l7rule) - except Exception as e: - raise exceptions.L7RuleValidation(error=e) context = pecan_request.context.get('octavia_context') db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id, @@ -135,12 +131,16 @@ class L7RuleController(base.BaseController): db_l7policy) l7rule.project_id, provider = self._get_lb_project_id_provider( context.session, load_balancer_id) - - self._check_l7policy_max_rules(context.session) - self._auth_validate_action(context, l7rule.project_id, constants.RBAC_POST) + try: + validate.l7rule_data(l7rule) + except Exception as e: + raise exceptions.L7RuleValidation(error=e) + + self._check_l7policy_max_rules(context.session) + # Load the driver early as it also provides validation driver = driver_factory.get_driver(provider) @@ -192,15 +192,6 @@ class L7RuleController(base.BaseController): context = pecan_request.context.get('octavia_context') db_l7rule = self._get_db_l7rule(context.session, id, show_deleted=False) - - # Handle the invert unset - if l7rule.invert is None: - l7rule.invert = False - - new_l7rule = db_l7rule.to_dict() - new_l7rule.update(l7rule.to_dict()) - new_l7rule = data_models.L7Rule.from_dict(new_l7rule) - db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id, show_deleted=False) load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id( @@ -210,6 +201,14 @@ class L7RuleController(base.BaseController): self._auth_validate_action(context, project_id, constants.RBAC_PUT) + # Handle the invert unset + if l7rule.invert is None: + l7rule.invert = False + + new_l7rule = db_l7rule.to_dict() + new_l7rule.update(l7rule.to_dict()) + new_l7rule = data_models.L7Rule.from_dict(new_l7rule) + try: validate.l7rule_data(new_l7rule) except Exception as e: diff --git a/octavia/api/v2/controllers/member.py b/octavia/api/v2/controllers/member.py index eb3ed15a3d..c2d43c0a52 100644 --- a/octavia/api/v2/controllers/member.py +++ b/octavia/api/v2/controllers/member.py @@ -146,12 +146,6 @@ class MemberController(base.BaseController): member = member_.member context = pecan_request.context.get('octavia_context') - validate.ip_not_reserved(member.address) - - # Validate member subnet - if (member.subnet_id and - not validate.subnet_exists(member.subnet_id, context=context)): - raise exceptions.NotFound(resource='Subnet', id=member.subnet_id) pool = self.repositories.pool.get(context.session, id=self.pool_id) member.project_id, provider = self._get_lb_project_id_provider( context.session, pool.load_balancer_id) @@ -159,6 +153,13 @@ class MemberController(base.BaseController): self._auth_validate_action(context, member.project_id, constants.RBAC_POST) + validate.ip_not_reserved(member.address) + + # Validate member subnet + if (member.subnet_id and + not validate.subnet_exists(member.subnet_id, context=context)): + raise exceptions.NotFound(resource='Subnet', id=member.subnet_id) + # Load the driver early as it also provides validation driver = driver_factory.get_driver(provider) @@ -232,7 +233,6 @@ class MemberController(base.BaseController): context = pecan_request.context.get('octavia_context') db_member = self._get_db_member(context.session, id, show_deleted=False) - pool = self.repositories.pool.get(context.session, id=db_member.pool_id) project_id, provider = self._get_lb_project_id_provider( diff --git a/octavia/api/v2/controllers/pool.py b/octavia/api/v2/controllers/pool.py index 1ad210f7ef..af0f2c9396 100644 --- a/octavia/api/v2/controllers/pool.py +++ b/octavia/api/v2/controllers/pool.py @@ -190,22 +190,13 @@ class PoolsController(base.BaseController): # pool_dict: pool = pool_.pool context = pecan_request.context.get('octavia_context') - if pool.protocol == constants.PROTOCOL_UDP: - self._validate_pool_request_for_udp(pool) - else: - if (pool.session_persistence and ( - pool.session_persistence.persistence_timeout or - pool.session_persistence.persistence_granularity)): - raise exceptions.ValidationException(detail=_( - "persistence_timeout and persistence_granularity " - "is only for UDP protocol pools.")) + listener = None if pool.loadbalancer_id: pool.project_id, provider = self._get_lb_project_id_provider( context.session, pool.loadbalancer_id) elif pool.listener_id: listener = self.repositories.listener.get( context.session, id=pool.listener_id) - self._validate_protocol(listener.protocol, pool.protocol) pool.loadbalancer_id = listener.load_balancer_id pool.project_id, provider = self._get_lb_project_id_provider( context.session, pool.loadbalancer_id) @@ -217,6 +208,19 @@ class PoolsController(base.BaseController): self._auth_validate_action(context, pool.project_id, constants.RBAC_POST) + if pool.listener_id and listener: + self._validate_protocol(listener.protocol, pool.protocol) + + if pool.protocol == constants.PROTOCOL_UDP: + self._validate_pool_request_for_udp(pool) + else: + if (pool.session_persistence and ( + pool.session_persistence.persistence_timeout or + pool.session_persistence.persistence_granularity)): + raise exceptions.ValidationException(detail=_( + "persistence_timeout and persistence_granularity " + "is only for UDP protocol pools.")) + if pool.session_persistence: sp_dict = pool.session_persistence.to_dict(render_unsets=False) validate.check_session_persistence(sp_dict) @@ -441,15 +445,16 @@ class PoolsController(base.BaseController): """Deletes a pool from a load balancer.""" context = pecan_request.context.get('octavia_context') db_pool = self._get_db_pool(context.session, id, show_deleted=False) - if db_pool.l7policies: - raise exceptions.PoolInUseByL7Policy( - id=db_pool.id, l7policy_id=db_pool.l7policies[0].id) project_id, provider = self._get_lb_project_id_provider( context.session, db_pool.load_balancer_id) self._auth_validate_action(context, project_id, constants.RBAC_DELETE) + if db_pool.l7policies: + raise exceptions.PoolInUseByL7Policy( + id=db_pool.id, l7policy_id=db_pool.l7policies[0].id) + # Load the driver early as it also provides validation driver = driver_factory.get_driver(provider)