octavia 12.0.0.0rc2__py3-none-any.whl → 13.0.0.0rc1__py3-none-any.whl

octavia/api/v2/controllers/l7rule.py

@@ -28,7 +28,6 @@ from octavia.common import constants
 from octavia.common import data_models
 from octavia.common import exceptions
 from octavia.common import validate
-from octavia.db import api as db_api
 from octavia.db import prepare as db_prepare
 
 
@@ -47,8 +46,9 @@ class L7RuleController(base.BaseController):
     def get(self, id, fields=None):
         """Gets a single l7rule's details."""
         context = pecan_request.context.get('octavia_context')
-        db_l7rule = self._get_db_l7rule(context.session, id,
-                                        show_deleted=False)
+        with context.session.begin():
+            db_l7rule = self._get_db_l7rule(context.session, id,
+                                            show_deleted=False)
 
         self._auth_validate_action(context, db_l7rule.project_id,
                                    constants.RBAC_GET_ONE)
@@ -66,15 +66,17 @@ class L7RuleController(base.BaseController):
         pcontext = pecan_request.context
         context = pcontext.get('octavia_context')
 
-        l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
-                                         show_deleted=False)
+        with context.session.begin():
+            l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
+                                             show_deleted=False)
 
-        self._auth_validate_action(context, l7policy.project_id,
-                                   constants.RBAC_GET_ALL)
+            self._auth_validate_action(context, l7policy.project_id,
+                                       constants.RBAC_GET_ALL)
 
-        db_l7rules, links = self.repositories.l7rule.get_all_API_list(
-            context.session, show_deleted=False, l7policy_id=self.l7policy_id,
-            pagination_helper=pcontext.get(constants.PAGINATION_HELPER))
+            db_l7rules, links = self.repositories.l7rule.get_all_API_list(
+                context.session, show_deleted=False,
+                l7policy_id=self.l7policy_id,
+                pagination_helper=pcontext.get(constants.PAGINATION_HELPER))
         result = self._convert_db_to_type(
             db_l7rules, [l7rule_types.L7RuleResponse])
         if fields is not None:
@@ -109,7 +111,9 @@ class L7RuleController(base.BaseController):
 
     def _validate_create_l7rule(self, lock_session, l7rule_dict):
         try:
-            return self.repositories.l7rule.create(lock_session, **l7rule_dict)
+            ret = self.repositories.l7rule.create(lock_session, **l7rule_dict)
+            lock_session.flush()
+            return ret
         except odb_exceptions.DBDuplicateEntry as e:
             raise exceptions.IDAlreadyExists() from e
         except odb_exceptions.DBReferenceError as e:
@@ -125,30 +129,33 @@ class L7RuleController(base.BaseController):
         l7rule = rule_.rule
         context = pecan_request.context.get('octavia_context')
 
-        db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
-                                            show_deleted=False)
-        load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
-            db_l7policy)
-        l7rule.project_id, provider = self._get_lb_project_id_provider(
-            context.session, load_balancer_id)
-        self._auth_validate_action(context, l7rule.project_id,
-                                   constants.RBAC_POST)
+        with context.session.begin():
+            db_l7policy = self._get_db_l7policy(context.session,
+                                                self.l7policy_id,
+                                                show_deleted=False)
+            load_balancer_id, listener_id = (
+                self._get_listener_and_loadbalancer_id(db_l7policy))
+            l7rule.project_id, provider = self._get_lb_project_id_provider(
+                context.session, load_balancer_id)
 
-        try:
-            validate.l7rule_data(l7rule)
-        except Exception as e:
-            raise exceptions.L7RuleValidation(error=e)
+            self._auth_validate_action(context, l7rule.project_id,
+                                       constants.RBAC_POST)
+
+            try:
+                validate.l7rule_data(l7rule)
+            except Exception as e:
+                raise exceptions.L7RuleValidation(error=e)
 
-        self._check_l7policy_max_rules(context.session)
+            self._check_l7policy_max_rules(context.session)
 
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(provider)
 
-        lock_session = db_api.get_session(autocommit=False)
+        context.session.begin()
         try:
             if self.repositories.check_quota_met(
                     context.session,
-                    lock_session,
+                    context.session,
                     data_models.L7Rule,
                     l7rule.project_id):
                 raise exceptions.QuotaException(
@@ -157,9 +164,10 @@ class L7RuleController(base.BaseController):
             l7rule_dict = db_prepare.create_l7rule(
                 l7rule.to_dict(render_unsets=True), self.l7policy_id)
 
-            self._test_lb_listener_policy_statuses(lock_session)
+            self._test_lb_listener_policy_statuses(context.session)
 
-            db_l7rule = self._validate_create_l7rule(lock_session, l7rule_dict)
+            db_l7rule = self._validate_create_l7rule(context.session,
+                                                     l7rule_dict)
 
             # Prepare the data for the driver data model
             provider_l7rule = (
@@ -171,12 +179,13 @@ class L7RuleController(base.BaseController):
             driver_utils.call_provider(
                 driver.name, driver.l7rule_create, provider_l7rule)
 
-            lock_session.commit()
+            context.session.commit()
         except Exception:
             with excutils.save_and_reraise_exception():
-                lock_session.rollback()
+                context.session.rollback()
 
-        db_l7rule = self._get_db_l7rule(context.session, db_l7rule.id)
+        with context.session.begin():
+            db_l7rule = self._get_db_l7rule(context.session, db_l7rule.id)
         result = self._convert_db_to_type(db_l7rule,
                                           l7rule_types.L7RuleResponse)
         return l7rule_types.L7RuleRootResponse(rule=result)
@@ -198,14 +207,16 @@ class L7RuleController(base.BaseController):
         """Updates a l7rule."""
         l7rule = l7rule_.rule
         context = pecan_request.context.get('octavia_context')
-        db_l7rule = self._get_db_l7rule(context.session, id,
-                                        show_deleted=False)
-        db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
+        with context.session.begin():
+            db_l7rule = self._get_db_l7rule(context.session, id,
                                             show_deleted=False)
-        load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
-            db_l7policy)
-        project_id, provider = self._get_lb_project_id_provider(
-            context.session, load_balancer_id)
+            db_l7policy = self._get_db_l7policy(context.session,
+                                                self.l7policy_id,
+                                                show_deleted=False)
+            load_balancer_id, listener_id = (
+                self._get_listener_and_loadbalancer_id(db_l7policy))
+            project_id, provider = self._get_lb_project_id_provider(
+                context.session, load_balancer_id)
 
         self._auth_validate_action(context, project_id, constants.RBAC_PUT)
 
@@ -225,9 +236,8 @@ class L7RuleController(base.BaseController):
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(provider)
 
-        with db_api.get_lock_session() as lock_session:
-
-            self._test_lb_listener_policy_statuses(lock_session)
+        with context.session.begin():
+            self._test_lb_listener_policy_statuses(context.session)
 
             # Prepare the data for the driver data model
             l7rule_dict = l7rule.to_dict(render_unsets=False)
@@ -250,12 +260,14 @@ class L7RuleController(base.BaseController):
             # Update the database to reflect what the driver just accepted
             l7rule.provisioning_status = constants.PENDING_UPDATE
             db_l7rule_dict = l7rule.to_dict(render_unsets=False)
-            self.repositories.l7rule.update(lock_session, id, **db_l7rule_dict)
+            self.repositories.l7rule.update(context.session, id,
+                                            **db_l7rule_dict)
 
         # Force SQL alchemy to query the DB, otherwise we get inconsistent
         # results
         context.session.expire_all()
-        db_l7rule = self._get_db_l7rule(context.session, id)
+        with context.session.begin():
+            db_l7rule = self._get_db_l7rule(context.session, id)
         result = self._convert_db_to_type(db_l7rule,
                                           l7rule_types.L7RuleResponse)
         return l7rule_types.L7RuleRootResponse(rule=result)
@@ -264,15 +276,17 @@ class L7RuleController(base.BaseController):
     def delete(self, id):
         """Deletes a l7rule."""
         context = pecan_request.context.get('octavia_context')
-        db_l7rule = self._get_db_l7rule(context.session, id,
-                                        show_deleted=False)
-
-        db_l7policy = self._get_db_l7policy(context.session, self.l7policy_id,
+        with context.session.begin():
+            db_l7rule = self._get_db_l7rule(context.session, id,
                                             show_deleted=False)
-        load_balancer_id, listener_id = self._get_listener_and_loadbalancer_id(
-            db_l7policy)
-        project_id, provider = self._get_lb_project_id_provider(
-            context.session, load_balancer_id)
+
+            db_l7policy = self._get_db_l7policy(context.session,
+                                                self.l7policy_id,
+                                                show_deleted=False)
+            load_balancer_id, listener_id = (
+                self._get_listener_and_loadbalancer_id(db_l7policy))
+            project_id, provider = self._get_lb_project_id_provider(
+                context.session, load_balancer_id)
 
         self._auth_validate_action(context, project_id, constants.RBAC_DELETE)
 
@@ -282,12 +296,11 @@ class L7RuleController(base.BaseController):
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(provider)
 
-        with db_api.get_lock_session() as lock_session:
-
-            self._test_lb_listener_policy_statuses(lock_session)
+        with context.session.begin():
+            self._test_lb_listener_policy_statuses(context.session)
 
             self.repositories.l7rule.update(
-                lock_session, db_l7rule.id,
+                context.session, db_l7rule.id,
                 provisioning_status=constants.PENDING_DELETE)
 
             LOG.info("Sending delete L7 Rule %s to provider %s", id,

octavia/api/v2/controllers/listener.py

@@ -35,7 +35,6 @@ from octavia.common import exceptions
 from octavia.common import stats
 from octavia.common import utils as common_utils
 from octavia.common import validate
-from octavia.db import api as db_api
 from octavia.db import prepare as db_prepare
 from octavia.i18n import _
 
@@ -55,8 +54,9 @@ class ListenersController(base.BaseController):
     def get_one(self, id, fields=None):
         """Gets a single listener's details."""
         context = pecan_request.context.get('octavia_context')
-        db_listener = self._get_db_listener(context.session, id,
-                                            show_deleted=False)
+        with context.session.begin():
+            db_listener = self._get_db_listener(context.session, id,
+                                                show_deleted=False)
 
         if not db_listener:
             raise exceptions.NotFound(resource=data_models.Listener._name(),
@@ -80,10 +80,11 @@ class ListenersController(base.BaseController):
 
         query_filter = self._auth_get_all(context, project_id)
 
-        db_listeners, links = self.repositories.listener.get_all_API_list(
-            context.session, show_deleted=False,
-            pagination_helper=pcontext.get(constants.PAGINATION_HELPER),
-            **query_filter)
+        with context.session.begin():
+            db_listeners, links = self.repositories.listener.get_all_API_list(
+                context.session, show_deleted=False,
+                pagination_helper=pcontext.get(constants.PAGINATION_HELPER),
+                **query_filter)
         result = self._convert_db_to_type(
             db_listeners, [listener_types.ListenerResponse])
         if fields is not None:
@@ -156,14 +157,18 @@ class ListenersController(base.BaseController):
                     value=headers,
                     option='%s protocol listener.' % listener_protocol)
 
-    def _validate_cidr_compatible_with_vip(self, vip, allowed_cidrs):
+    def _validate_cidr_compatible_with_vip(self, vips, allowed_cidrs):
         for cidr in allowed_cidrs:
-            # Check if CIDR IP version matches VIP IP version
-            if common_utils.is_cidr_ipv6(cidr) != common_utils.is_ipv6(vip):
-                msg = _("CIDR %(cidr)s IP version incompatible with VIP "
-                        "%(vip)s IP version.")
+            for vip in vips:
+                # Check if CIDR IP version matches VIP IP version
+                if (common_utils.is_cidr_ipv6(cidr) ==
+                        common_utils.is_ipv6(vip)):
+                    break
+            else:
+                msg = _("CIDR %(cidr)s IP version incompatible with all VIPs "
+                        "%(vips)s IP version.")
                 raise exceptions.ValidationException(
-                    detail=msg % {'cidr': cidr, 'vip': vip})
+                    detail=msg % {'cidr': cidr, 'vips': vips})
 
     def _validate_create_listener(self, lock_session, listener_dict):
         """Validate listener for wrong protocol or duplicate listeners
@@ -306,10 +311,11 @@ class ListenersController(base.BaseController):
         # Validate allowed CIDRs
         allowed_cidrs = listener_dict.get('allowed_cidrs', []) or []
         lb_id = listener_dict.get('load_balancer_id')
-        vip_db = self.repositories.vip.get(
-            lock_session, load_balancer_id=lb_id)
-        vip_address = vip_db.ip_address
-        self._validate_cidr_compatible_with_vip(vip_address, allowed_cidrs)
+        lb_db = self.repositories.load_balancer.get(
+            lock_session, id=lb_id)
+        vip_addresses = [lb_db.vip.ip_address]
+        vip_addresses.extend([vip.ip_address for vip in lb_db.additional_vips])
+        self._validate_cidr_compatible_with_vip(vip_addresses, allowed_cidrs)
 
         if _can_tls_offload:
             # Validate TLS version list
@@ -319,15 +325,19 @@ class ListenersController(base.BaseController):
             # Validate ALPN protocol list
             validate.check_alpn_protocols(listener_dict['alpn_protocols'])
 
+        validate.check_hsts_options(listener_dict)
+
         try:
             db_listener = self.repositories.listener.create(
                 lock_session, **listener_dict)
+            lock_session.flush()
             if sni_containers:
                 for container in sni_containers:
                     sni_dict = {'listener_id': db_listener.id,
                                 'tls_container_id': container.get(
                                     'tls_container_id')}
                     self.repositories.sni.create(lock_session, **sni_dict)
+                lock_session.flush()
                 # DB listener needs to be refreshed
                 db_listener = self.repositories.listener.get(
                     lock_session, id=db_listener.id)
@@ -340,7 +350,6 @@ class ListenersController(base.BaseController):
         except odb_exceptions.DBError as e:
             raise exceptions.InvalidOption(value=listener_dict.get('protocol'),
                                            option='protocol') from e
-        return None
 
     @wsme_pecan.wsexpose(listener_types.ListenerRootResponse,
                          body=listener_types.ListenerRootPOST, status_code=201)
@@ -350,8 +359,9 @@ class ListenersController(base.BaseController):
         context = pecan_request.context.get('octavia_context')
 
         load_balancer_id = listener.loadbalancer_id
-        listener.project_id, provider = self._get_lb_project_id_provider(
-            context.session, load_balancer_id)
+        with context.session.begin():
+            listener.project_id, provider = self._get_lb_project_id_provider(
+                context.session, load_balancer_id)
 
         self._auth_validate_action(context, listener.project_id,
                                    constants.RBAC_POST)
@@ -359,11 +369,11 @@ class ListenersController(base.BaseController):
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(provider)
 
-        lock_session = db_api.get_session(autocommit=False)
+        context.session.begin()
         try:
             if self.repositories.check_quota_met(
                     context.session,
-                    lock_session,
+                    context.session,
                     data_models.Listener,
                     listener.project_id):
                 raise exceptions.QuotaException(
@@ -382,10 +392,10 @@ class ListenersController(base.BaseController):
                                     listener.protocol)
 
             self._test_lb_and_listener_statuses(
-                lock_session, lb_id=load_balancer_id)
+                context.session, lb_id=load_balancer_id)
 
             db_listener = self._validate_create_listener(
-                lock_session, listener_dict)
+                context.session, listener_dict)
 
             # Prepare the data for the driver data model
             provider_listener = (
@@ -403,12 +413,14 @@ class ListenersController(base.BaseController):
             driver_utils.call_provider(
                 driver.name, driver.listener_create, provider_listener)
 
-            lock_session.commit()
+            context.session.commit()
         except Exception:
             with excutils.save_and_reraise_exception():
-                lock_session.rollback()
+                context.session.rollback()
 
-        db_listener = self._get_db_listener(context.session, db_listener.id)
+        with context.session.begin():
+            db_listener = self._get_db_listener(context.session,
+                                                db_listener.id)
         result = self._convert_db_to_type(db_listener,
                                           listener_types.ListenerResponse)
         return listener_types.ListenerRootResponse(listener=result)
@@ -525,9 +537,13 @@ class ListenersController(base.BaseController):
 
         # Validate allowed CIDRs
         if (listener.allowed_cidrs and listener.allowed_cidrs != wtypes.Unset):
-            vip_address = db_listener.load_balancer.vip.ip_address
+            vip_addresses = [db_listener.load_balancer.vip.ip_address]
+            vip_addresses.extend(
+                [vip.ip_address
+                 for vip in db_listener.load_balancer.additional_vips]
+            )
             self._validate_cidr_compatible_with_vip(
-                vip_address, listener.allowed_cidrs)
+                vip_addresses, listener.allowed_cidrs)
 
         # Check TLS cipher prohibit list
         if listener.tls_ciphers:
@@ -548,6 +564,8 @@ class ListenersController(base.BaseController):
             # Validate ALPN protocol list
             validate.check_alpn_protocols(listener.alpn_protocols)
 
+        validate.check_hsts_options_put(listener, db_listener)
+
     def _set_default_on_none(self, listener):
         """Reset settings to their default values if None/null was passed in
 
@@ -583,19 +601,24 @@ class ListenersController(base.BaseController):
         if listener.alpn_protocols is None:
             listener.alpn_protocols = (
                 CONF.api_settings.default_listener_alpn_protocols)
+        if listener.hsts_include_subdomains is None:
+            listener.hsts_include_subdomains = False
+        if listener.hsts_preload is None:
+            listener.hsts_preload = False
 
     @wsme_pecan.wsexpose(listener_types.ListenerRootResponse, wtypes.text,
                          body=listener_types.ListenerRootPUT, status_code=200)
-    def put(self, id, listener_):
+    def put(self, id, listener_: listener_types.ListenerRootPUT):
         """Updates a listener on a load balancer."""
         listener = listener_.listener
         context = pecan_request.context.get('octavia_context')
-        db_listener = self._get_db_listener(context.session, id,
-                                            show_deleted=False)
-        load_balancer_id = db_listener.load_balancer_id
+        with context.session.begin():
+            db_listener = self._get_db_listener(context.session, id,
+                                                show_deleted=False)
+            load_balancer_id = db_listener.load_balancer_id
 
-        project_id, provider = self._get_lb_project_id_provider(
-            context.session, load_balancer_id)
+            project_id, provider = self._get_lb_project_id_provider(
+                context.session, load_balancer_id)
 
         self._auth_validate_action(context, project_id, constants.RBAC_PUT)
 
@@ -607,14 +630,16 @@ class ListenersController(base.BaseController):
             if db_listener.protocol == lib_consts.PROTOCOL_PROMETHEUS:
                 raise exceptions.ListenerNoChildren(
                     protocol=lib_consts.PROTOCOL_PROMETHEUS)
-            self._validate_pool(context.session, load_balancer_id,
-                                listener.default_pool_id, db_listener.protocol)
+            with context.session.begin():
+                self._validate_pool(context.session, load_balancer_id,
+                                    listener.default_pool_id,
+                                    db_listener.protocol)
 
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(provider)
 
-        with db_api.get_lock_session() as lock_session:
-            self._test_lb_and_listener_statuses(lock_session,
+        with context.session.begin():
+            self._test_lb_and_listener_statuses(context.session,
                                                 load_balancer_id, id=id)
 
             # Prepare the data for the driver data model
@@ -639,12 +664,13 @@ class ListenersController(base.BaseController):
 
             # Update the database to reflect what the driver just accepted
             self.repositories.listener.update(
-                lock_session, id, **listener.to_dict(render_unsets=False))
+                context.session, id, **listener.to_dict(render_unsets=False))
 
         # Force SQL alchemy to query the DB, otherwise we get inconsistent
         # results
         context.session.expire_all()
-        db_listener = self._get_db_listener(context.session, id)
+        with context.session.begin():
+            db_listener = self._get_db_listener(context.session, id)
         result = self._convert_db_to_type(db_listener,
                                           listener_types.ListenerResponse)
         return listener_types.ListenerRootResponse(listener=result)
@@ -653,22 +679,22 @@ class ListenersController(base.BaseController):
     def delete(self, id):
         """Deletes a listener from a load balancer."""
         context = pecan_request.context.get('octavia_context')
-        db_listener = self._get_db_listener(context.session, id,
-                                            show_deleted=False)
-        load_balancer_id = db_listener.load_balancer_id
+        with context.session.begin():
+            db_listener = self._get_db_listener(context.session, id,
+                                                show_deleted=False)
+            load_balancer_id = db_listener.load_balancer_id
 
-        project_id, provider = self._get_lb_project_id_provider(
-            context.session, load_balancer_id)
+            project_id, provider = self._get_lb_project_id_provider(
+                context.session, load_balancer_id)
 
         self._auth_validate_action(context, project_id, constants.RBAC_DELETE)
 
         # Load the driver early as it also provides validation
         driver = driver_factory.get_driver(provider)
 
-        with db_api.get_lock_session() as lock_session:
-
+        with context.session.begin():
             self._test_lb_and_listener_statuses(
-                lock_session, load_balancer_id,
+                context.session, load_balancer_id,
                 id=id, listener_status=constants.PENDING_DELETE)
 
             LOG.info("Sending delete Listener %s to provider %s", id,
@@ -702,18 +728,19 @@ class StatisticsController(base.BaseController, stats.StatsMixin):
                          status_code=200)
     def get(self):
         context = pecan_request.context.get('octavia_context')
-        db_listener = self._get_db_listener(context.session, self.id,
-                                            show_deleted=False)
-        if not db_listener:
-            LOG.info("Listener %s not found.", id)
-            raise exceptions.NotFound(
-                resource=data_models.Listener._name(),
-                id=id)
-
-        self._auth_validate_action(context, db_listener.project_id,
-                                   constants.RBAC_GET_STATS)
-
-        listener_stats = self.get_listener_stats(context.session, self.id)
+        with context.session.begin():
+            db_listener = self._get_db_listener(context.session, self.id,
+                                                show_deleted=False)
+            if not db_listener:
+                LOG.info("Listener %s not found.", id)
+                raise exceptions.NotFound(
+                    resource=data_models.Listener._name(),
+                    id=id)
+
+            self._auth_validate_action(context, db_listener.project_id,
+                                       constants.RBAC_GET_STATS)
+
+            listener_stats = self.get_listener_stats(context.session, self.id)
 
         result = self._convert_db_to_type(
             listener_stats, listener_types.ListenerStatisticsResponse)