enforce network domain boundaries between networks

qrkourier · qrkourier · commit 50cffe63bd66 · 2022-04-08T15:57:06.000-04:00
diff --git a/netfoundry/ctl.py b/netfoundry/ctl.py
@@ -1034,7 +1034,7 @@ def use_organization(prompt: bool = True, spinner: object = None):
                 sysexit(1)
 
             try:
-                spinner.text = "Trying token for profile '{:s}'".format(cli.config.general.profile)
+                spinner.text = f"Trying token for profile '{cli.config.general.profile}'"
                 with spinner:
                     organization = Organization(
                         token=token_from_prompt,
diff --git a/netfoundry/exceptions.py b/netfoundry/exceptions.py
@@ -57,3 +57,7 @@ def __str__(self):
 
 class NeedUserInput(NFAPIError):
     """Need user input to confirm action."""
+
+
+class NetworkBoundaryViolation(NFAPIError):
+    """Network domain resource accessed across a network boundary."""
diff --git a/netfoundry/network.py b/netfoundry/network.py
@@ -5,7 +5,7 @@
 import re
 import time
 
-from netfoundry.exceptions import UnknownResourceType
+from netfoundry.exceptions import UnknownResourceType, NetworkBoundaryViolation
 
 from .utility import (DC_PROVIDERS, MUTABLE_NET_RESOURCES, NET_RESOURCES, PROCESS_STATUS_SYMBOLS, RESOURCES, STATUS_CODES, VALID_SEPARATORS, VALID_SERVICE_PROTOCOLS, any_in, docstring_parameters, find_generic_resources, get_generic_resource, http,
                       is_uuidv4, normalize_caseless, plural, singular)
@@ -375,12 +375,10 @@ def get_resource_by_id(self, type: str, id: str, accept: str = None):
 
         headers = {"authorization": "Bearer " + self.token}
         url = self.audience+'core/v2/'+plural(type)+'/'+id
-        try:
-            resource, status_symbol = get_generic_resource(url=url, headers=headers, proxies=self.proxies, verify=self.verify)
-        except Exception as e:
-            raise RuntimeError(f"failed to get resource from url: '{url}', caught {e}")
-        else:
-            return(resource)
+        resource, status_symbol = get_generic_resource(url=url, headers=headers, proxies=self.proxies, verify=self.verify)
+        if not resource['networkId'] == self.id:
+            raise NetworkBoundaryViolation("resource ID is from another network")
+        return(resource)
     get_resource = get_resource_by_id
 
     def find_resources(self, type: str, accept: str = None, deleted: bool = False, **kwargs):
diff --git a/netfoundry/network_group.py b/netfoundry/network_group.py
@@ -248,7 +248,8 @@ def create_network(self, name: str, network_group_id: str = None, location: str
                 resource = self.get_resource_by_id(type="network", id=resource['id'])
                 return(resource)
             else:    # only wait for the process to start, not finish, or timeout
-                self.Networks.wait_for_process(process_id, RESOURCES['process-executions'].status_symbols['progress'] + RESOURCES['process-executions'].status_symbols['complete'], type="process-executions", wait=9, sleep=3)
+                # FIXME: commented to allow create to succeed to workaround MOP-18095
+                # self.Networks.wait_for_process(process_id, RESOURCES['process-executions'].status_symbols['progress'] + RESOURCES['process-executions'].status_symbols['complete'], wait=9, sleep=3)
                 return(resource)
         elif wait:
             logging.warning("unable to wait for async complete because response did not provide a process execution id")
