Merge "Call policy.init() once per API request"

2014-04-07 11:03:53 +00:00
parent 877386f431 1d41ba485f
commit 9009a2296b
3 changed files with 14 additions and 7 deletions
--- a/neutron/api/v2/base.py
+++ b/neutron/api/v2/base.py
@@ -175,6 +175,8 @@ class Controller(object):
        if name in self._member_actions:
            def _handle_action(request, id, **kwargs):
                arg_list = [request.context, id]
+                # Ensure policy engine is initialized
+                policy.init()
                # Fetch the resource and verify if the user can access it
                try:
                    resource = self._item(request, id, True)
@@ -185,9 +187,6 @@ class Controller(object):
                # Explicit comparison with None to distinguish from {}
                if body is not None:
                    arg_list.append(body)
-                # TODO(salvatore-orlando): bp/make-authz-ortogonal
-                # The body of the action request should be included
-                # in the info passed to the policy engine
                # It is ok to raise a 403 because accessibility to the
                # object was checked earlier in this method
                policy.enforce(request.context, name, resource)
@@ -253,7 +252,6 @@ class Controller(object):
        pagination_links = pagination_helper.get_links(obj_list)
        if pagination_links:
            collection[self._collection + "_links"] = pagination_links
-
        return collection

    def _item(self, request, id, do_authz=False, field_list=None,
@@ -284,6 +282,8 @@ class Controller(object):
    def index(self, request, **kwargs):
        """Returns a list of the requested entity."""
        parent_id = kwargs.get(self._parent_id_name)
+        # Ensure policy engine is initialized
+        policy.init()
        return self._items(request, True, parent_id)

    def show(self, request, id, **kwargs):
@@ -295,6 +295,8 @@ class Controller(object):
            field_list, added_fields = self._do_field_list(
                api_common.list_args(request, "fields"))
            parent_id = kwargs.get(self._parent_id_name)
+            # Ensure policy engine is initialized
+            policy.init()
            return {self._resource:
                    self._view(request.context,
                               self._item(request,
@@ -363,6 +365,8 @@ class Controller(object):
        else:
            items = [body]
            bulk = False
+        # Ensure policy engine is initialized
+        policy.init()
        for item in items:
            self._validate_network_tenant_ownership(request,
                                                    item[self._resource])
@@ -433,6 +437,7 @@ class Controller(object):
        action = self._plugin_handlers[self.DELETE]

        # Check authz
+        policy.init()
        parent_id = kwargs.get(self._parent_id_name)
        obj = self._item(request, id, parent_id=parent_id)
        try:
@@ -484,6 +489,8 @@ class Controller(object):
                      if (value.get('required_by_policy') or
                          value.get('primary_key') or
                          'default' not in value)]
+        # Ensure policy engine is initialized
+        policy.init()
        orig_obj = self._item(request, id, field_list=field_list,
                              parent_id=parent_id)
        orig_object_copy = copy.copy(orig_obj)
--- a/neutron/policy.py
+++ b/neutron/policy.py
@@ -164,7 +164,6 @@ def _build_match_rule(action, target):
       action is being executed
       (e.g.: create_router:external_gateway_info:network_id)
    """
-
    match_rule = policy.RuleCheck('rule', action)
    resource, is_write = get_resource_and_action(action)
    # Attribute-based checks shall not be enforced on GETs
@@ -317,7 +316,6 @@ class FieldCheck(policy.Check):

 def _prepare_check(context, action, target):
    """Prepare rule, target, and credentials for the policy engine."""
-    init()
    # Compare with None to distinguish case in which target is {}
    if target is None:
        target = {}
@@ -374,7 +372,6 @@ def enforce(context, action, target, plugin=None):
    :raises neutron.exceptions.PolicyNotAuthorized: if verification fails.
    """

-    init()
    rule, target, credentials = _prepare_check(context, action, target)
    result = policy.check(rule, target, credentials, action=action)
    if not result:
--- a/neutron/tests/unit/test_policy.py
+++ b/neutron/tests/unit/test_policy.py
@@ -53,12 +53,14 @@ class PolicyFileTestCase(base.BaseTestCase):
            action = "example:test"
            with open(tmpfilename, "w") as policyfile:
                policyfile.write("""{"example:test": ""}""")
+            policy.init()
            policy.enforce(self.context, action, self.target)
            with open(tmpfilename, "w") as policyfile:
                policyfile.write("""{"example:test": "!"}""")
            # NOTE(vish): reset stored policy cache so we don't have to
            # sleep(1)
            policy._POLICY_CACHE = {}
+            policy.init()
            self.assertRaises(exceptions.PolicyNotAuthorized,
                              policy.enforce,
                              self.context,
@@ -471,6 +473,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
        # Trigger a policy with rule admin_or_owner
        action = "create_network"
        target = {'tenant_id': 'fake'}
+        policy.init()
        self.assertRaises(exceptions.PolicyCheckError,
                          policy.enforce,
                          self.context, action, target)