From aacd8e0d043367d84ff9e50bad83c5c361852980 Mon Sep 17 00:00:00 2001
From: Brandon Logan <brandon.logan@rackspace.com>
Date: Tue, 20 Dec 2016 14:56:31 -0600
Subject: [PATCH] Pecan: Fix subresource policy check

THe policy enforcement hook was not inserting the parent resource name
when checking that a policy action was supported.

Change-Id: Iee5dd06c4c2ff8e73337946ab40faa455873aa4d
---
 neutron/pecan_wsgi/hooks/policy_enforcement.py |  9 +++++++--
 .../functional/pecan_wsgi/test_controllers.py  | 18 +++++++++++++++++-
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/neutron/pecan_wsgi/hooks/policy_enforcement.py b/neutron/pecan_wsgi/hooks/policy_enforcement.py
index 0191a61c04a..0eec9d77ab1 100644
--- a/neutron/pecan_wsgi/hooks/policy_enforcement.py
+++ b/neutron/pecan_wsgi/hooks/policy_enforcement.py
@@ -161,11 +161,16 @@ class PolicyHook(hooks.PecanHook):
             return
         if state.request.method not in pecan_constants.ACTION_MAP:
             return
-        action = '%s_%s' % (pecan_constants.ACTION_MAP[state.request.method],
-                            resource)
         if not data or (resource not in data and collection not in data):
             return
         is_single = resource in data
+        action_type = pecan_constants.ACTION_MAP[state.request.method]
+        if action_type == 'get' and is_single:
+            action = controller.plugin_handlers[controller.SHOW]
+        elif action_type == 'get':
+            action = controller.plugin_handlers[controller.LIST]
+        else:
+            action = controller.plugin_handlers[action_type]
         key = resource if is_single else collection
         to_process = [data[resource]] if is_single else data[collection]
         # in the single case, we enforce which raises on violation
diff --git a/neutron/tests/functional/pecan_wsgi/test_controllers.py b/neutron/tests/functional/pecan_wsgi/test_controllers.py
index 138a5d113dd..cf06ac86006 100644
--- a/neutron/tests/functional/pecan_wsgi/test_controllers.py
+++ b/neutron/tests/functional/pecan_wsgi/test_controllers.py
@@ -938,6 +938,7 @@ class TestParentSubresourceController(test_functional.PecanFunctionalTest):
         policy._ENFORCER.set_rules(
             oslo_policy.Rules.from_dict(
                 {'get_fake_duplicate': '',
+                 'get_fake_duplicates': '',
                  'get_meh_meh_fake_duplicates': ''}),
             overwrite=False)
         self.addCleanup(policy.reset)
@@ -961,7 +962,22 @@ class TestParentSubresourceController(test_functional.PecanFunctionalTest):
 
     def test_get_parent_resource_and_duplicate_subresources(self):
         url = '/v2.0/{0}/something/{1}'.format(self.collection,
-                                             self.fake_collection)
+                                               self.fake_collection)
+        resp = self.app.get(url)
+        self.assertEqual(200, resp.status_int)
+        self.assertEqual({'fake_duplicates': [{'fake': 'something'}]},
+                         resp.json)
+
+    def test_get_child_resource_policy_check(self):
+        policy.reset()
+        policy.init()
+        policy._ENFORCER.set_rules(
+            oslo_policy.Rules.from_dict(
+                {'get_meh_meh_fake_duplicates': ''}
+            )
+        )
+        url = '/v2.0/{0}/something/{1}'.format(self.collection,
+                                               self.fake_collection)
         resp = self.app.get(url)
         self.assertEqual(200, resp.status_int)
         self.assertEqual({'fake_duplicates': [{'fake': 'something'}]},