Generic validate_request method for logging

This patch adds a generic validate_request method for logging, So
logging can be extended to other resources like firewall group.

Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Co-Authored-By: Kim Bao Long <longkb@vn.fujitsu.com>

Partial-Bug: #1720727
Change-Id: I9d580645131a9f1b8233ea5f6e0378cd98f023f1
This commit is contained in:
Cuong Nguyen 2017-12-22 17:09:20 +07:00 committed by Miguel Lavalle
parent 2d30981289
commit cdb973e77d
9 changed files with 290 additions and 116 deletions

View File

@ -22,6 +22,9 @@ LOGGING_PLUGIN = 'logging-plugin'
# supported logging types
SECURITY_GROUP = 'security_group'
# target resource types
PORT = 'port'
RPC_NAMESPACE_LOGGING = 'logging-plugin'
# Define for rpc_method_key

View File

@ -51,3 +51,9 @@ class LogapiDriverException(n_exc.NeutronException):
class CookieNotFound(n_exc.NotFound):
message = _("Cookie %(cookie_id)s could not be found.")
class ValidatedMethodNotFound(n_exc.NeutronException):
"""A validated method not found Exception"""
message = _('Validated method for %(resource_type)s log '
'could not be found.')

View File

@ -0,0 +1,84 @@
# Copyright (c) 2018 Fujitsu Limited
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import log as logging
from sqlalchemy.orm import exc as orm_exc
from neutron.db import _utils as db_utils
from neutron.db.models import securitygroup as sg_db
from neutron.objects import ports
from neutron.objects import securitygroup as sg_object
from neutron.services.logapi.common import constants as log_const
from neutron.services.logapi.common import exceptions as log_exc
from neutron.services.logapi.common import validators
LOG = logging.getLogger(__name__)
def _check_port_bound_sg(context, sg_id, port_id):
try:
db_utils.model_query(context, sg_db.SecurityGroupPortBinding)\
.filter_by(security_group_id=sg_id, port_id=port_id).one()
except orm_exc.NoResultFound:
raise log_exc.InvalidResourceConstraint(
resource=log_const.SECURITY_GROUP,
resource_id=sg_id,
target_resource=log_const.PORT,
target_id=port_id
)
def _check_sg_exists(context, sg_id):
if sg_object.SecurityGroup.count(context, id=sg_id) < 1:
raise log_exc.ResourceNotFound(resource_id=sg_id)
def _get_port(context, port_id):
port = ports.Port.get_object(context, id=port_id)
if not port:
raise log_exc.TargetResourceNotFound(target_id=port_id)
return port
@validators.ResourceValidateRequest.register(log_const.SECURITY_GROUP)
def validate_security_group_request(context, log_data):
"""Validate a log request
This method validates log request is satisfied or not.
A ResourceNotFound will be raised if resource_id in log_data not exists or
a TargetResourceNotFound will be raised if target_id in log_data not
exists. This method will also raise a LoggingTypeNotSupported, if there is
no log_driver supporting for resource_type in log_data.
In addition, if log_data specify both resource_id and target_id. A
InvalidResourceConstraint will be raised if there is no constraint between
resource_id and target_id.
"""
resource_id = log_data.get('resource_id')
target_id = log_data.get('target_id')
if resource_id:
_check_sg_exists(context, resource_id)
if target_id:
port = _get_port(context, target_id)
if not validators.validate_log_type_for_port(
log_const.SECURITY_GROUP, port):
raise log_exc.LoggingTypeNotSupported(
log_type=log_const.SECURITY_GROUP,
port_id=target_id)
if resource_id and target_id:
_check_port_bound_sg(context, resource_id, target_id)

View File

@ -19,13 +19,7 @@ from neutron_lib.plugins import constants as plugin_const
from neutron_lib.plugins import directory
from neutron_lib.plugins import utils
from oslo_log import log as logging
from sqlalchemy.orm import exc as orm_exc
from neutron.db import _utils as db_utils
from neutron.db.models import securitygroup as sg_db
from neutron.objects import ports
from neutron.objects import securitygroup as sg_object
from neutron.services.logapi.common import constants as log_const
from neutron.services.logapi.common import exceptions as log_exc
LOG = logging.getLogger(__name__)
@ -36,30 +30,6 @@ SKIPPED_VIF_TYPES = [
]
def _check_port_bound_sg(context, sg_id, port_id):
try:
db_utils.model_query(context, sg_db.SecurityGroupPortBinding)\
.filter_by(security_group_id=sg_id, port_id=port_id).one()
except orm_exc.NoResultFound:
raise log_exc.InvalidResourceConstraint(resource='security_group',
resource_id=sg_id,
target_resource='port',
target_id=port_id)
def _check_secgroup_exists(context, sg_id):
number_of_matching = sg_object.SecurityGroup.count(context, id=sg_id)
if number_of_matching < 1:
raise log_exc.ResourceNotFound(resource_id=sg_id)
def _get_port(context, port_id):
port = ports.Port.get_object(context, id=port_id)
if not port:
raise log_exc.TargetResourceNotFound(target_id=port_id)
return port
def _validate_vnic_type(driver, vnic_type, port_id):
if driver.is_vnic_compatible(vnic_type):
return True
@ -113,30 +83,56 @@ def validate_log_type_for_port(log_type, port):
return False
def validate_request(context, log_data):
"""Validate a log request
class ResourceValidateRequest(object):
This method validates log request is satisfied or not. A ResourceNotFound
will be raised if resource_id in log_data not exists or a
TargetResourceNotFound will be raised if target_id in log_data not exists.
This method will also raise a LoggingTypeNotSupported, if there is no
log_driver supporting for resource_type in log_data.
_instance = None
In addition, if log_data specify both resource_id and target_id. A
InvalidResourceConstraint will be raised if there is no constraint
between resource_id and target_id.
def __init__(self):
self.validate_methods = {}
"""
resource_id = log_data.get('resource_id')
target_id = log_data.get('target_id')
resource_type = log_data.get('resource_type')
if resource_type == log_const.SECURITY_GROUP:
if resource_id:
_check_secgroup_exists(context, resource_id)
if target_id:
port = _get_port(context, target_id)
if not validate_log_type_for_port(resource_type, port):
raise log_exc.LoggingTypeNotSupported(log_type=resource_type,
port_id=target_id)
if resource_id and target_id:
_check_port_bound_sg(context, resource_id, target_id)
@classmethod
def get_instance(cls):
if cls._instance is None:
cls._instance = cls()
return cls._instance
@property
def validate_methods_map(self):
return self.validate_methods
def validate_request(self, context, log_data):
"""
This method will get validated method according to resource_type. An
InvalidLogResourceType exception will be raised if there is no logging
driver that supports resource_type as logging resource. In addition,
a ValidatedMethodNotFound exception will be raised if a validate method
was not registered for resource_type.
"""
resource_type = log_data.get('resource_type')
log_plugin = directory.get_plugin(alias=plugin_const.LOG_API)
supported_logging_types = log_plugin.supported_logging_types
if resource_type in supported_logging_types:
method = self.get_validated_method(resource_type)
method(context, log_data)
else:
raise log_exc.InvalidLogResourceType(resource_type=resource_type)
def get_validated_method(self, resource_type):
"""Get the validated method for resource_type"""
method = self.validate_methods[resource_type]
if not method:
raise log_exc.ValidatedMethodNotFound(resource_type=resource_type)
return method
@classmethod
def register(cls, resource_type):
"""This is intended to be used as a decorator to register a validated
method for resource_type.
"""
def func_wrap(func):
cls.get_instance().validate_methods[resource_type] = func
return func
return func_wrap

View File

@ -16,6 +16,7 @@
from neutron_lib.api.definitions import portbindings
from neutron_lib.callbacks import resources
from oslo_log import log as logging
from oslo_utils import importutils
from neutron.services.logapi.common import constants as log_const
from neutron.services.logapi.drivers import base
@ -55,4 +56,8 @@ def register():
server_rpc.get_sg_log_info_for_log_resources}
]
DRIVER.register_rpc_methods(log_const.SECURITY_GROUP, rpc_methods)
# Trigger decorator
importutils.import_module(
'neutron.services.logapi.common.sg_validate'
)
LOG.debug('Open vSwitch logging driver registered')

View File

@ -36,6 +36,7 @@ class LoggingPlugin(log_ext.LoggingPluginBase):
def __init__(self):
super(LoggingPlugin, self).__init__()
self.driver_manager = driver_mgr.LoggingServiceDriverManager()
self.validator_mgr = validators.ResourceValidateRequest.get_instance()
@property
def supported_logging_types(self):
@ -67,11 +68,7 @@ class LoggingPlugin(log_ext.LoggingPluginBase):
def create_log(self, context, log):
"""Create a log object"""
log_data = log['log']
resource_type = log_data['resource_type']
if resource_type not in self.supported_logging_types:
raise log_exc.InvalidLogResourceType(
resource_type=resource_type)
validators.validate_request(context, log_data)
self.validator_mgr.validate_request(context, log_data)
with db_api.context_manager.writer.using(context):
# body 'log' contains both tenant_id and project_id
# but only latter needs to be used to create Log object.

View File

@ -0,0 +1,115 @@
# Copyright (c) 2018 Fujitsu Limited
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import mock
from neutron_lib.plugins import directory
from oslo_utils import importutils
from sqlalchemy.orm import exc as orm_exc
from neutron.objects import ports
from neutron.objects import securitygroup as sg_object
from neutron.services.logapi.common import exceptions as log_exc
from neutron.services.logapi.common import validators
from neutron.tests import base
class FakePlugin(object):
def __init__(self):
self.validator_mgr = validators.ResourceValidateRequest.get_instance()
self.supported_logging_types = ['security_group']
class TestSGLogRequestValidations(base.BaseTestCase):
"""Test validation for a request"""
def setUp(self):
self.log_plugin = FakePlugin()
importutils.import_module('neutron.services.logapi.common.sg_validate')
super(TestSGLogRequestValidations, self).setUp()
def test_validate_request_resource_id_not_exists(self):
log_data = {'resource_type': 'security_group',
'resource_id': 'fake_sg_id'}
with mock.patch.object(directory, 'get_plugin',
return_value=self.log_plugin):
with mock.patch.object(sg_object.SecurityGroup, 'count',
return_value=0):
self.assertRaises(
log_exc.ResourceNotFound,
self.log_plugin.validator_mgr.validate_request,
mock.ANY,
log_data)
def test_validate_request_target_id_not_exists(self):
log_data = {'resource_type': 'security_group',
'target_id': 'fake_port_id'}
with mock.patch.object(directory, 'get_plugin',
return_value=self.log_plugin):
with mock.patch.object(ports.Port, 'get_object',
return_value=None):
self.assertRaises(
log_exc.TargetResourceNotFound,
self.log_plugin.validator_mgr.validate_request,
mock.ANY,
log_data)
def test_validate_request_unsupported_logging_type(self):
log_data = {'resource_type': 'security_group',
'target_id': 'fake_port_id'}
with mock.patch.object(directory, 'get_plugin',
return_value=self.log_plugin):
with mock.patch.object(ports.Port, 'get_object',
return_value=mock.ANY):
with mock.patch.object(validators,
'validate_log_type_for_port',
return_value=False):
self.assertRaises(
log_exc.LoggingTypeNotSupported,
self.log_plugin.validator_mgr.validate_request,
mock.ANY,
log_data)
def test_validate_request_invalid_resource_constraint(self):
log_data = {'resource_type': 'security_group',
'resource_id': 'fake_sg_id',
'target_id': 'fake_port_id'}
class FakeFiltered(object):
def one(self):
raise orm_exc.NoResultFound
class FakeSGPortBinding(object):
def filter_by(self, security_group_id, port_id):
return FakeFiltered()
with mock.patch.object(directory, 'get_plugin',
return_value=self.log_plugin):
with mock.patch.object(
sg_object.SecurityGroup, 'count', return_value=1):
with mock.patch.object(
ports.Port, 'get_object', return_value=mock.ANY):
with mock.patch.object(validators,
'validate_log_type_for_port',
return_value=True):
with mock.patch('neutron.db._utils.model_query',
return_value=FakeSGPortBinding()):
self.assertRaises(
log_exc.InvalidResourceConstraint,
self.log_plugin.validator_mgr.validate_request,
mock.ANY,
log_data)

View File

@ -19,78 +19,39 @@ from neutron_lib import context
from neutron_lib.plugins import constants as plugin_const
from neutron_lib.plugins import directory
from oslo_utils import uuidutils
from sqlalchemy.orm import exc as orm_exc
from neutron.objects import ports
from neutron.objects import securitygroup as sg_object
from neutron.services.logapi.common import exceptions as log_exc
from neutron.services.logapi.common import validators
from neutron.tests import base
from neutron.tests.unit.services.logapi.drivers import (
test_manager as drv_mgr)
class TestRequestValidations(base.BaseTestCase):
"""Test validation for a request"""
class TestRegisterValidateMethods(base.BaseTestCase):
def test_validate_request_resource_sg_not_exists(self):
log_data = {'resource_type': 'security_group',
'resource_id': 'fake_sg_id'}
with mock.patch.object(sg_object.SecurityGroup, 'count',
return_value=0):
self.assertRaises(log_exc.ResourceNotFound,
validators.validate_request,
mock.ANY,
log_data)
def setUp(self):
self.validator_mgr = validators.ResourceValidateRequest.get_instance()
super(TestRegisterValidateMethods, self).setUp()
def test_validate_request_target_resource_port_not_exists(self):
log_data = {'resource_type': 'security_group',
'target_id': 'fake_port_id'}
with mock.patch.object(ports.Port, 'get_object', return_value=None):
self.assertRaises(log_exc.TargetResourceNotFound,
validators.validate_request,
mock.ANY,
log_data)
def test_register_validate_method(self):
self.validator_mgr.validate_methods.clear()
resource_type = 'fake_resource'
def test_validate_request_log_type_not_supported_on_port(self):
log_data = {'resource_type': 'security_group',
'target_id': 'fake_port_id'}
with mock.patch.object(ports.Port, 'get_object',
return_value=mock.ANY):
with mock.patch.object(validators, 'validate_log_type_for_port',
return_value=False):
self.assertRaises(log_exc.LoggingTypeNotSupported,
validators.validate_request,
mock.ANY,
log_data)
@validators.ResourceValidateRequest.register(resource_type)
def fake_method():
pass
def test_validate_request_invalid_resource_constraint(self):
log_data = {'resource_type': 'security_group',
'resource_id': 'fake_sg_id',
'target_id': 'fake_port_id'}
self.assertEqual({'fake_resource': fake_method},
self.validator_mgr.validate_methods_map)
class FakeFiltered(object):
def one(self):
raise orm_exc.NoResultFound
def test_get_validated_method(self):
class FakeSGPortBinding(object):
def filter_by(self, security_group_id, port_id):
return FakeFiltered()
@validators.ResourceValidateRequest.register('fake_resource')
def fake_method():
pass
with mock.patch.object(
sg_object.SecurityGroup, 'count', return_value=1):
with mock.patch.object(
ports.Port, 'get_object', return_value=mock.ANY):
with mock.patch.object(validators,
'validate_log_type_for_port',
return_value=True):
with mock.patch('neutron.db._utils.model_query',
return_value=FakeSGPortBinding()):
self.assertRaises(
log_exc.InvalidResourceConstraint,
validators.validate_request,
mock.ANY,
log_data)
actual = self.validator_mgr.get_validated_method('fake_resource')
self.assertEqual(fake_method, actual)
class TestLogDriversLoggingTypeValidations(drv_mgr.TestLogDriversManagerBase):

View File

@ -25,6 +25,7 @@ from neutron.objects.logapi import logging_resource as log_object
from neutron.objects import ports
from neutron.objects import securitygroup as sg_object
from neutron.services.logapi.common import exceptions as log_exc
from neutron.services.logapi.common import sg_validate
from neutron.tests.unit.services.logapi import base
DB_PLUGIN_KLASS = 'neutron.db.db_base_plugin_v2.NeutronDbPluginV2'
@ -51,6 +52,12 @@ class TestLoggingPlugin(base.BaseLogTestCase):
["neutron.services.logapi.logging_plugin.LoggingPlugin"])
manager.init()
mock.patch(
'neutron.services.logapi.common.validators.'
'ResourceValidateRequest.get_validated_method',
return_value=sg_validate.validate_security_group_request
).start()
self.log_plugin = directory.get_plugin(plugin_const.LOG_API)
self.log_plugin.driver_manager = mock.Mock()
log_types = mock.PropertyMock(return_value=SUPPORTED_LOGGING_TYPES)