From 13232a5145b1e3e7af3c6e344fda55c567660cdc Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Mon, 8 Jan 2018 10:56:43 +0200
Subject: [PATCH] TVD project plugin mappings validations
Only admin user will be able to create a mapping, and the project id should have the uuid format
Change-Id: Ia87b8fd024d0b9c6fe2d3317134f54526b328b11
---
 vmware_nsx/extensions/projectpluginmap.py | 8 ++++++
 vmware_nsx/plugins/nsx/plugin.py | 27 +++++++++++++++-----
 vmware_nsx/plugins/nsx_v/md_proxy.py | 3 ++-
 vmware_nsx/tests/unit/nsx_tvd/test_plugin.py | 15 ++---------
 4 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/vmware_nsx/extensions/projectpluginmap.py b/vmware_nsx/extensions/projectpluginmap.py
index 9c50616515..4d23f779de 100644
--- a/vmware_nsx/extensions/projectpluginmap.py
+++ b/vmware_nsx/extensions/projectpluginmap.py
@@ -107,6 +107,14 @@ class ProjectPluginAlreadyExists(nexception.Conflict):
 "%(project_id)s.")
+class ProjectPluginAdminOnly(nexception.NotAuthorized):
+ message = _("Project Plugin map can be added only by an admin user.")
+
+
+class ProjectPluginIllegalId(nexception.Conflict):
+ message = _("Project ID %(project_id)s is illegal.")
+
+
 class ProjectPluginMapPluginBase(object):
 @abc.abstractmethod
diff --git a/vmware_nsx/plugins/nsx/plugin.py b/vmware_nsx/plugins/nsx/plugin.py
index 166468ce9d..1a09900944 100644
--- a/vmware_nsx/plugins/nsx/plugin.py
+++ b/vmware_nsx/plugins/nsx/plugin.py
@@ -25,6 +25,7 @@ from neutron_lib.plugins import directory
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
+from oslo_utils import uuidutils
 from neutron.db import _resource_extend as resource_extend
 from neutron.db import _utils as db_utils
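Review bot: `ProjectPluginIllegalId` derives from `nexception.Conflict`, but a project id that fails a format check is malformed input rather than a clash with existing state, so API clients will most likely see a conflict-style error for what is really a bad request. Deriving it from `nexception.BadRequest` (or `nexception.InvalidInput`) would let callers and audit logs tell a rejected id apart from the `ProjectPluginAlreadyExists` case defined just above. Both new classes also lack docstrings; a one-line docstring on each, e.g. `"""Raised when a non-admin context tries to create a mapping."""`, would record when they are raised.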
@@ -708,13 +709,27 @@ class NsxTVDPlugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 'plugin': data['plugin'],
 'tenant_id': data['project']}
- def create_project_plugin_map(self, context, project_plugin_map):
- # TODO(asarfaty): Validate project id exists
+ def create_project_plugin_map(self, context, project_plugin_map,
+ internal=False):
 data = project_plugin_map['project_plugin_map']
+
+ # validations:
+ # 1. validate it doesn't already exist
 if nsx_db.get_project_plugin_mapping(
 context.session, data['project']):
 raise projectpluginmap.ProjectPluginAlreadyExists(
 project_id=data['project'])
+ if not internal:
+ # 2. only admin user is allowed
+ if not context.is_admin:
+ raise projectpluginmap.ProjectPluginAdminOnly()
+ # 3. Validate the project id
+ # TODO(asarfaty): Validate project id exists in keystone
+ if not uuidutils.is_uuid_like(data['project']):
+ raise projectpluginmap.ProjectPluginIllegalId(
+ project_id=data['project'])
+
+ # Add the entry to the DB and return it
 LOG.info("Adding mapping between project %(project)s and plugin "
 "%(plugin)s", {'project': data['project'],
 'plugin': data['plugin']})
@@ -756,11 +771,11 @@ class NsxTVDPlugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 else:
 # add a new entry with the default plugin
 try:
- # TODO(asarfaty) we get timeout here when called under
- # _ext_extend_network_dict of the first create_network
- self.create_project_plugin_map(context,
+ self.create_project_plugin_map(
+ context,
 {'project_plugin_map': {'plugin': plugin_type,
- 'project': project_id}})
+ 'project': project_id}},
+ internal=True)
 except projectpluginmap.ProjectPluginAlreadyExists:
 # Maybe added by another thread
 pass
diff --git a/vmware_nsx/plugins/nsx_v/md_proxy.py b/vmware_nsx/plugins/nsx_v/md_proxy.py
index 843e1a7a96..15126c28c4 100644
--- a/vmware_nsx/plugins/nsx_v/md_proxy.py
+++ b/vmware_nsx/plugins/nsx_v/md_proxy.py
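Review bot: The admin check in `create_project_plugin_map` runs only after the `nsx_db.get_project_plugin_mapping` lookup, so a non-admin caller gets `ProjectPluginAlreadyExists` for a mapped project and `ProjectPluginAdminOnly` for an unmapped one, which reveals which project ids already have a mapping and spends a DB query on an unauthorized request. Moving the whole `if not internal:` block (admin check, then `uuidutils.is_uuid_like`) above the existence lookup puts authorization and input validation first. The `internal` flag is a caller-asserted trust switch on a method the API layer also invokes, so it deserves a docstring line such as `internal: set only by in-process callers; skips the admin and id-format checks`, and it is worth confirming the extension controller can never populate it from a request. Indentation is lost on this page, so the placement of step 3 under `if not internal:` is inferred; the function body continues past the end of the hunk.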
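Review bot: Passing `internal=True` at this call site skips the project-id format check as well as the admin check (assuming step 3 sits under `if not internal:`), so the default mapping is stored for whatever `project_id` reaches this branch; where that value comes from is outside the hunk. If it can originate from request data, keep the format check on this path, e.g. `if not uuidutils.is_uuid_like(project_id): raise projectpluginmap.ProjectPluginIllegalId(project_id=project_id)` before the call. Otherwise add a comment above the call naming the source of `project_id` and why it is trusted. The enclosing method starts and ends outside the hunk.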
@@ -128,7 +128,8 @@ class NsxVMetadataProxyHandler(object):
 context,
 {'project_plugin_map':
 {'plugin': projectpluginmap.NsxPlugins.NSX_V,
- 'project': nsxv_constants.INTERNAL_TENANT_ID}})
+ 'project': nsxv_constants.INTERNAL_TENANT_ID}},
+ internal=True)
 except projectpluginmap.ProjectPluginAlreadyExists:
 pass
 self.internal_net, self.internal_subnet = (
diff --git a/vmware_nsx/tests/unit/nsx_tvd/test_plugin.py b/vmware_nsx/tests/unit/nsx_tvd/test_plugin.py
index 5d4ce4df8a..717f02923d 100644
--- a/vmware_nsx/tests/unit/nsx_tvd/test_plugin.py
+++ b/vmware_nsx/tests/unit/nsx_tvd/test_plugin.py
@@ -47,7 +47,7 @@ class NsxTVDPluginTestCase(v_tests.NsxVPluginV2TestCase,
 super(NsxTVDPluginTestCase, self).setUp(
 plugin=plugin, ext_mgr=ext_mgr)
-
+ self._project_id = _uuid()
 self.core_plugin = directory.get_plugin()
 # create a context with this tenant
@@ -62,7 +62,7 @@ class NsxTVDPluginTestCase(v_tests.NsxVPluginV2TestCase,
 @property
 def project_id(self):
- pass
+ return self._project_id
 @property
 def plugin_type(self):
@@ -186,9 +186,6 @@ class NsxTVDPluginTestCase(v_tests.NsxVPluginV2TestCase,
 class TestPluginWithDefaultPlugin(NsxTVDPluginTestCase):
 """Test TVD plugin with the NSX-T (default) sub plugin"""
- @property
- def project_id(self):
- return 'project_t'
 @property
 def plugin_type(self):
@@ -372,10 +369,6 @@ class TestPluginWithDefaultPlugin(NsxTVDPluginTestCase):
 class TestPluginWithNsxv(TestPluginWithDefaultPlugin):
 """Test TVD plugin with the NSX-V sub plugin"""
- @property
- def project_id(self):
- return 'project_v'
-
 @property
 def plugin_type(self):
 return 'nsx-v'
@@ -398,10 +391,6 @@ class TestPluginWithNsxv(TestPluginWithDefaultPlugin):
 class TestPluginWithDvs(TestPluginWithDefaultPlugin):
 """Test TVD plugin with the DVS sub plugin"""
- @property
- def project_id(self):
- return 'project_dvs'
-
 @property
 def plugin_type(self):
 return 'dvs'
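Review bot: None of the test hunks exercises the two new rejection paths; the visible changes only switch the fixtures from fixed strings to a `_uuid()` project id so the existing cases keep passing. Since these checks are the access control for the mapping API, add cases that call `create_project_plugin_map` with a non-admin context and expect `ProjectPluginAdminOnly`, with a non-UUID project such as the old `'project_t'` and expect `ProjectPluginIllegalId`, and with `internal=True` to pin that the checks are skipped only on that path. Such tests may exist elsewhere in the file, outside these hunks.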