diff --git a/quark/db/api.py b/quark/db/api.py index 156ce05..a420b13 100644 --- a/quark/db/api.py +++ b/quark/db/api.py @@ -143,21 +143,22 @@ def _model_query(context, model, filters, fields=None): if filters.get("cidr"): model_filters.append(model.cidr == filters["cidr"]) + # Inject the tenant id if none is set. We don't need unqualified queries. + # This works even when a non-shared, other-tenant owned network is passed + # in because the authZ checks that happen in Neutron above us yank it back + # out of the result set. + if not filters and not context.is_admin: + filters["tenant_id"] = [context.tenant_id] # Begin:Added for RM6299 if filters.get("used_by_tenant_id"): model_filters.append(model.used_by_tenant_id.in_( filters["used_by_tenant_id"])) - - if not filters.get("shared"): - filters["tenant_id"] = [context.tenant_id] - if filters.get("tenant_id"): if model == models.IPAddress: model_filters.append(model.used_by_tenant_id.in_( filters["tenant_id"])) else: model_filters.append(model.tenant_id.in_(filters["tenant_id"])) - # End: Added for RM6299 if filters.get("device_owner"): model_filters.append(model.device_owner.in_(filters["device_owner"])) @@ -194,8 +195,6 @@ def scoped(f): @scoped def port_find(context, fields=None, **filters): - filters.pop("shared", None) - query = context.session.query(models.Port).options( orm.joinedload(models.Port.ip_addresses)) model_filters = _model_query(context, models.Port, filters) @@ -311,7 +310,6 @@ def ip_address_find(context, lock_mode=False, **filters): @scoped def mac_address_find(context, lock_mode=False, **filters): - filters.pop("shared", None) query = context.session.query(models.MacAddress) if lock_mode: query = query.with_lockmode("update") 
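Review bot: In `_model_query` the new guard `if not filters and not context.is_admin:` scopes a non-admin query to its own tenant only when the filter dict is completely empty. Any key at all leaves the query unscoped at the DB layer: a caller-supplied `tenant_id` or `used_by_tenant_id`, a key with an empty value, or the `shared` key that `port_find` and `mac_address_find` no longer pop in the later hunks on this line. Tenant isolation then rests entirely on the Neutron authZ checks the comment mentions, which any caller that does not pass through that layer would not get; if that is intended it should be stated as a contract, e.g. `# NOTE: any non-empty filter disables tenant scoping here; callers must enforce policy.` If a non-admin should never be able to name another tenant, consider keeping a clamp next to the guard, such as `if not context.is_admin and filters.get("tenant_id"): filters["tenant_id"] = [context.tenant_id]`. The body of `_model_query` starts and ends outside the hunk.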
@@ -336,7 +334,6 @@ def mac_address_range_find_allocation_counts(context, address=None): @scoped def mac_address_range_find(context, **filters): - filters.pop("shared", None) query = context.session.query(models.MacAddressRange) model_filters = _model_query(context, models.MacAddressRange, filters) return query.filter(*model_filters) @@ -399,6 +396,7 @@ def network_find(context, fields=None, **filters): return [] else: defaults.insert(0, INVERT_DEFAULTS) + filters.pop("shared") return _network_find(context, fields, defaults=defaults, **filters) @@ -457,7 +455,6 @@ def network_delete(context, network): def subnet_find_allocation_counts(context, net_id, **filters): - filters.pop("shared", None) query = context.session.query(models.Subnet, sql_func.count(models.IPAddress.address). label("count")).with_lockmode('update') @@ -494,7 +491,6 @@ def subnet_find(context, **filters): def subnet_count_all(context, **filters): - filters.pop("shared", None) query = context.session.query(sql_func.count(models.Subnet.id)) if filters.get("network_id"): query = query.filter( @@ -523,7 +519,6 @@ def subnet_update(context, subnet, **kwargs): @scoped def route_find(context, fields=None, **filters): - filters.pop("shared", None) query = context.session.query(models.Route) model_filters = _model_query(context, models.Route, filters) return query.filter(*model_filters) @@ -563,7 +558,6 @@ def dns_delete(context, dns): @scoped def security_group_find(context, **filters): - filters.pop("shared", None) query = context.session.query(models.SecurityGroup).options( orm.joinedload(models.SecurityGroup.rules)) model_filters = _model_query(context, models.SecurityGroup, filters) @@ -590,7 +584,6 @@ def security_group_delete(context, group): @scoped def security_group_rule_find(context, **filters): - filters.pop("shared", None) query = context.session.query(models.SecurityGroupRule) model_filters = _model_query(context, models.SecurityGroupRule, filters) return query.filter(*model_filters) 
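Review bot: The added `filters.pop("shared")` in `network_find` has no default, unlike the `filters.pop("shared", None)` calls this commit removes from the other finders, so it raises `KeyError` whenever it runs with the key absent. The flattened hunk does not show whether the call sits inside the branch that tests for `shared`; unless it clearly does, `filters.pop("shared", None)` is the safer form and matches the idiom used elsewhere in the file. `network_find` starts outside the hunk.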
@@ -629,7 +622,6 @@ def ip_policy_create(context, **ip_policy_dict): @scoped def ip_policy_find(context, **filters): - filters.pop("shared", None) query = context.session.query(models.IPPolicy) model_filters = _model_query(context, models.IPPolicy, filters) return query.filter(*model_filters) diff --git a/quark/tests/functional/test_ip.py b/quark/tests/functional/test_ip.py index b23da5d..be49ac3 100644 --- a/quark/tests/functional/test_ip.py +++ b/quark/tests/functional/test_ip.py @@ -95,10 +95,9 @@ class QuarkTestIPFiltering(QuarkIpamBaseFunctionalTest): id = int(res[0].get("id")) self.assertEqual(self.ip_address1["id"], id) res = self.plugin.get_ip_addresses(self.context, tenant_id="456") - self.assertEqual(2, len(res)) - self.assertEqual(self.ip_address1["id"], int(res[0].get("id"))) - self.assertEqual(int(self.context.tenant_id), - int(res[0]["used_by_tenant_id"])) + self.assertEqual(1, len(res)) + id = int(res[0].get("id")) + self.assertEqual(self.ip_address2["id"], id) def test_basic_ip_filtering_with_same_tenant_id_with_different_ip(self): with self._stubs(self.network, self.subnet, 
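Review bot: The updated assertions in `QuarkTestIPFiltering` expect `get_ip_addresses(self.context, tenant_id="456")` to return `ip_address2`, and the hunks on the next line expect the same for `used_by_tenant_id="456"`. Nothing visible shows whether `self.context` is an admin context, and no case exercises the new `not context.is_admin` branch of `_model_query`. A test with a non-admin context that passes a `tenant_id` other than its own and asserts the expected result would pin the isolation behaviour instead of leaving it implied. A short comment on the existing assertions, for instance `# context is admin here: cross-tenant filters are honoured` if that is the case, would also make the intent clear. The test method starts outside the hunk.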
@@ -115,18 +114,15 @@ class QuarkTestIPFiltering(QuarkIpamBaseFunctionalTest): with self._stubs(self.network, self.subnet, self.ip_address1, self.ip_address2, self.ip_address3): res = self.plugin.get_ip_addresses(self.context) - self.assertEqual(2, len(res)) + self.assertEqual(3, len(res)) def test_basic_ip_filtering_with_tenant_id_without_ip(self): with self._stubs(self.network, self.subnet, self.ip_address1, self.ip_address2, self.ip_address3): - res = self.plugin.get_ip_addresses(self.context) - self.assertEqual(2, len(res)) - self.assertEqual(self.ip_address1["id"], int(res[0].get("id"))) - self.assertEqual(int(self.context.tenant_id), - int(res[0]["used_by_tenant_id"])) + res = self.plugin.get_ip_addresses(self.context, tenant_id="1234") + self.assertEqual(0, len(res)) def test_basic_ip_filtering_with_used_by_tenant_id(self): with self._stubs(self.network, self.subnet, self.ip_address1, @@ -138,7 +134,9 @@ class QuarkTestIPFiltering(QuarkIpamBaseFunctionalTest): self.assertEqual(self.ip_address1["id"], id) res = self.plugin.get_ip_addresses(self.context, used_by_tenant_id="456") - self.assertEqual(0, len(res)) + self.assertEqual(1, len(res)) + id = int(res[0].get("id")) + self.assertEqual(self.ip_address2["id"], id) def test_filtering_with_same_used_by_tenant_id_with_different_ip(self): with self._stubs(self.network, self.subnet, diff --git a/quark/tests/plugin_modules/test_networks.py b/quark/tests/plugin_modules/test_networks.py index 2331758..1a173d1 100644 --- a/quark/tests/plugin_modules/test_networks.py +++ b/quark/tests/plugin_modules/test_networks.py @@ -1,4 +1,4 @@ -# Copyright 2014 Openstack Foundation +# Copyright 2013 Openstack Foundation # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may 
@@ -154,7 +154,6 @@ class TestQuarkGetNetworksShared(test_quark_plugin.TestQuarkPlugin): self.assertEqual(1, len(net['subnets'])) net_find.assert_called_with(self.context, None, join_subnets=True, - shared=[True], defaults=["public_network"]) def test_get_networks_shared_false(self): @@ -166,7 +165,6 @@ class TestQuarkGetNetworksShared(test_quark_plugin.TestQuarkPlugin): invert = db_api.INVERT_DEFAULTS self.plugin.get_networks(self.context, {"shared": [False]}) net_find.assert_called_with(self.context, None, join_subnets=True, - shared=[False], defaults=[invert, "public_network"]) def test_get_networks_no_shared(self):