As part of the Secure RBAC community goal, we should switch options
"enforce_new_defaults" and "enforce_scope" to be True by default.
It will be still possible to fallback to old policy rules by configuring
those config options to False in Neutron config.
Change-Id: I09c0026ccf87e6c0bb1fa59165c03dc508fba6fa
Now that we are python3 only, we should move to using the built
in version of mock that supports all of our testing needs and
remove the dependency on the "mock" package.
This completes removal of all references to "import mock",
changing to "from unittest import mock" in fullstack and
functional tests.
Added a hacking check to enforce it in future patches.
Change-Id: Ifcaf1c21bea0ec3c35278e49cecc90a101a82113
In patch [1] I changed most of functional tests classes to
inherit from neutron.tests.functional.base.BaseLoggingTestCase
class to enable logging of results for such tests.
I missed two classes then, so this patch fixes it and adds
inherit from same base class to tests which still didn't have
logging enabled.
[1] https://review.openstack.org/#/c/619266/
Change-Id: I9afbe241ee26c8cdc807d2f4fa1c285ff1f07d60
This option is no longer needed as we have switched to pecan
and will be deleting the legacy API layer.
Implements: blueprint wsgi-pecan-switch
Change-Id: Ib153d75bb10375e048a8417139873bdf9dca8769
The well known service type constants are in
neutron_lib.plugins.constants, but for legacy reasons a few still exist
and are referenced from neutron_lib.constants that we'd like to remove.
This patch switches references over to neutron_lib's plugin constants.
Change-Id: I1861448cec303725b30cef8f42029f467f9e03a3
This sets up the factory methods needed to have paste deploy create the
pecan app and return it. It also changes the legacy factory methods to
conditionally use the pecan factory methods if the web_framework config
option is set to 'pecan'. This way, all deployments of neutron will not
need to change their api-paste.ini files to get pecan toggled on. It
should just happen without notice once pecan becomes the default.
Also, by moving this to be loaded by paste deploy, there is a good chunk of
code that has been removed because it is no longer necessary.
Co-Authored-By: Brandon Logan <brandon.logan@rackspace.com>
Change-Id: I8b1bbea8d90fdc62715cd8b6738ad955df53d7cd
Make use of the constant defined in the neutron-lib project.
NeutronLibImpact
Change-Id: I46d48f731b557383d00c0abd5fd582a1c0fb78c1
Partially-implements: blueprint neutron-lib
Neutron Manager is loaded at the very startup of the neutron
server process and with it plugins are loaded and stored for
lookup purposes as their references are widely used across the
entire neutron codebase.
Rather than holding these references directly in NeutronManager
this patch refactors the code so that these references are held
by a plugin directory.
This allows subprojects and other parts of the Neutron codebase
to use the directory in lieu of the manager. The result is a
leaner, cleaner, and more decoupled code.
Usage pattern [1,2] can be translated to [3,4] respectively.
[1] manager.NeutronManager.get_service_plugins()[FOO]
[2] manager.NeutronManager.get_plugin()
[3] directory.get_plugin(FOO)
[4] directory.get_plugin()
The more entangled part is in the neutron unit tests, where the
use of the manager can be simplified as mocking is typically
replaced by a call to the directory add_plugin() method. This is
safe as each test case gets its own copy of the plugin directory.
That said, unit tests that look more like API tests and that rely on
the entire plugin machinery, need some tweaking to avoid stumbling
into plugin loading failures.
Due to the massive use of the manager, deprecation warnings are
considered impractical as they cause logs to bloat out of proportion.
Follow-up patches that show how to adopt the directory in neutron
subprojects are tagged with topic:plugin-directory.
NeutronLibImpact
Partially-implements: blueprint neutron-lib
Change-Id: I7331e914234c5f0b7abe836604fdd7e4067551cf
Stevedore documentation suggest that full import paths are not supposed
to be user visible. Since unit tests emulate users when configuring
oslo.config, we better off relying on well known plugin aliases than
internal details.
For in-tree that may be not a big deal, but with it we set a bad example
for third parties that may later find their tests broken eg. when we
decide to move code around.
TrivialFix
Change-Id: I7bd036ac3df7e7f4c678356d0a793e7d38599dda
A simple replace of hyphens to underscores is needed on a
check to see if a collection needed to be shimmed or not.
This also adds a fake extension and service plugin to test
this. This should allow for easier testing of other test
cases.
Change-Id: Id2ddd01a4c437f14c67aed37a182871c1fceff13
The current API allows listings of the neturon server
version without authentication. Because pecan was treating
this like a normal controller, it was requiring keystone
authentication.
This adjusts the version listing to behave as a wrapper so
it can be placed outside of the keystone authentication
wrapper to allow anonymous queries.
Closes-Bug: #1556038
Change-Id: I9f5aa3bea0e11c5e179fc286f9fa350b3930364f
This patch refactors the pecan controllers and functional tests
by spliting the code in several modules in order to avoid excessive
growth and ensure some level of consistency as regards function
and classes defined in each module.
To this aim:
- The generic resource controllers are moved into their own module
- Other controllers, such as extension and quotas, are moved into
their own module
- Functional tests are split into 3 modules: one for generic tests,
one for request processing tests, and the latter for testing hooks.
Related blueprint wsgi-pecan-switch
Change-Id: Id76cd88208dfd273bccadc15a1c6febbcc4fc030
This patch fixes quota management APIs in the Pecan framework.
To this aim:
1) an ad-hoc pair of collection/item controllers are introduced
for the quota resource; as the new controllers have been added
in a separate module, the neutron.pecan_wsgi.controllers.utils
module has been added as well for helpers, routines and classes
used by all pecan controllers;
2) the quota API extension is made pecan-aware, meaning that it
simply returns a Pecan controller instance rather than deferring
the task to the startup process that builds controllers using the
home-grown WSGI framework ext manager;
3) the quota resource is now "almost" a standard neutron resource;
unfortunately since it does not yet have its own service plugin a
special provision is made in the attribute population hook in
order to ensure the object is loaded for allowing correct
policy enforcement.
4) Functional tests for the quota controller have been added.
Closes-Bug: #1505843
Change-Id: I44a1fd73f678e493d5b1163e5f183d9efdc678ac
As PolicyNotAuthorizedException is raised in a hook, the
ExceptionTranslationHook is not invoked for it; therefore a 500
response is returned whereas a 403 was expected. This patch
explicitly handles the exception in the hook in order to ensure
the appropriate response code is returned.
Moreover, the structure of the 'before' hook prevented checks
on DELETE requests from being performed. As a result the check
was not performed at all (checks on the 'after' hook only pertain
GET requests). This patch changes the logic of the 'before' hook
by ensuring the item to authorize acces to is loaded both on PUT
and DELETE requests.
This patch also adds functional tests specific for the policy
enforcement hook.
Change-Id: I8c76cb05568df47648cff71a107cfe701b286bb7
Closes-Bug: #1520180
Closes-Bug: #1505831
The pecan controllers were not parsing out the case when a service
plugin is being used that changes the URI to
/v2.0/service_plugin/resource
This will check to see if the first resource after v2.0 is an
extension to a service plugin, and if it is it'll check the next
resource for a controller.
Change-Id: I9b6bd7afbbe91f1c8f0c1835b320dc41bfccff3f
This patch simplifies the process for validating the request body for
POST and PUT requests and preparing it for dispatching to plugins.
In particular it removes the need for parsing the URL to find the
resource identifier, and instead leverages Pecan's routing engine
to extract it. As a result the attribute population hook now simply
deals with request body validation, and has been renamed accordingly.
The logic for loading the current state of the object from the plugin
in order to enforce authZ policy on PUT requests has been moved to
the appropriate hook, PolicyEnforcementHook.
The logic for managing plural/singular names for resource has also been
improved, and two helper functions to retrieve a resource's attributes
have been added to neutron.api.v2.attributes
The logic for aborting requests with unsupported HTTP methods has also
been moved to the REST controllers. It used to be in PolicyEnforcementHook,
which was probably not the right thing to do.
This patch also unskips a functional test concerning ownership checks,
and add functional tests for verifying correct request processing.
Unit tests for the newly added helper functions are also provided.
Related blueprint wsgi-pecan-switch
Change-Id: Ib26998b37bdeec8af7a97f77b66d421b8cd271da
Keystone V3 renamed tenant to project. In order to deal with keystone
V3, start pulling X-Project-Id from the headers.
Since keystonemiddleware authtoken sets both X-Project-* and
X-Tenant-*, we don't need to look up X-Tenant-*.
Don't do anything with renaming the internal variables - that will come
later.
Change-Id: I5e27cf6a54fb603b81d41b8b4f085d59354627fb
Depends-On: I1f754a9a949ef92f4e427a91bbd1b1e73e86c8c4
Closes-Bug: #1503428
Pecan defines several efficient mechanism for routing requests to
the appropriate controller, but the current code for Neutron's
Pecan WSGI server basically uses Pecan hooks to route requests.
This patch partially fixes that, removing the 'resource_identifier'
pecan hook and replacing it with explicit pecan routes between
controllers added at resource registration time.
All the remaining hooks, like attribute_population and
policy_enforments, which were relying on finding the resource
name in the pecan.request threadlocal variable have been updated.
This patch also:
- ensures the appropriate plugin is always selected for a given
resource
- add a common NeutronPecanController base class for the classes
CollectionsController and ItemaController
- Fixes the way in which plurals and singulars are handled in
neutron.api.v2.resource_heper
Change-Id: I4ec0d2276c3974117b497228d289c3fb0dc5a140
Our API tests have HTTP code assertions that our controller
was not honoring in the create and delete cases.
Change-Id: I3b00348c854b5d887d74c115d06984222f20ccc1
This patch simply ensures a 405 error is returned when a HTTP
method different from GET is invoked on '/'.
This differs from the eventlet WSGI server behaviour; however
returning the same response as for a GET for any method, even
made up ones - like 'meh' - is a mistake that should not be
repeated in the Pecan WSGI server.
Change-Id: I4305f374e4aacab718daa6f131f278cc69e8d699
'newapi' was too generic and not really descriptive of the conversion
to pecan. Since there isn't any ambiguity, we will just keep all of
the pecan components in a directory called 'pecan_wsgi'.
Change-Id: I61f1cfcad4ff00582e0a481400642dd656d5245e
Slawek Kaplonski