diff options
author | Steven Hardy <shardy@redhat.com> | 2013-12-02 23:59:19 +0000 |
---|---|---|
committer | Jeremy Stanley <fungi@yuggoth.org> | 2013-12-11 15:14:05 +0000 |
commit | 22f4fdafc0ac5cf86bd3b87faace5175fb8dc2c2 (patch) | |
tree | 3d4438c3a86a4041d1b1ffa5e93b59350bc68241 | |
parent | 3fc572eb9ccb3f1ab948a2bff18e35d6d6b4a088 (diff) | |
download | heat-22f4fdafc0ac5cf86bd3b87faace5175fb8dc2c2.tar.gz |
Deny API requests where context doesn't match path
We shouldn't overwrite the context tenant_id (which comes from the
scope of the auth_token) with that from the path, instead raise a
HTTPForbidden exception if the path-provided tenant_id doesn't match
the context.
Change-Id: Ib6fb9881103312f7492081a20178f12309f35d81
Closes-Bug: #1256983
-rw-r--r-- | heat/api/openstack/v1/util.py | 5 | ||||
-rw-r--r-- | heat/tests/test_api_openstack_v1.py | 12 | ||||
-rw-r--r-- | heat/tests/test_api_openstack_v1_util.py | 38 |
3 files changed, 43 insertions, 12 deletions
diff --git a/heat/api/openstack/v1/util.py b/heat/api/openstack/v1/util.py index b6dcdc5ed..ad311a8d9 100644 --- a/heat/api/openstack/v1/util.py +++ b/heat/api/openstack/v1/util.py @@ -21,12 +21,13 @@ from heat.common import identifier def tenant_local(handler): ''' - Decorator for a handler method that sets the correct tenant_id in the + Decorator for a handler method that checks the path matches the request context. ''' @wraps(handler) def handle_stack_method(controller, req, tenant_id, **kwargs): - req.context.tenant_id = tenant_id + if req.context.tenant_id != tenant_id: + raise exc.HTTPForbidden() return handler(controller, req, **kwargs) return handle_stack_method diff --git a/heat/tests/test_api_openstack_v1.py b/heat/tests/test_api_openstack_v1.py index 8f4197038..f970b005d 100644 --- a/heat/tests/test_api_openstack_v1.py +++ b/heat/tests/test_api_openstack_v1.py @@ -884,14 +884,6 @@ class StackControllerTest(ControllerTest, HeatTestCase): req = self._get('/stacks/%(stack_name)s/%(stack_id)s' % identity) - error = heat_exc.InvalidTenant(target='a', actual='b') - self.m.StubOutWithMock(rpc, 'call') - rpc.call(req.context, self.topic, - {'namespace': None, - 'method': 'show_stack', - 'args': {'stack_identity': dict(identity)}, - 'version': self.api_version}, - None).AndRaise(to_remote_error(error)) self.m.ReplayAll() resp = request_with_middleware(fault.FaultWrapper, @@ -900,8 +892,8 @@ class StackControllerTest(ControllerTest, HeatTestCase): stack_name=identity.stack_name, stack_id=identity.stack_id) - self.assertEqual(resp.json['code'], 403) - self.assertEqual(resp.json['error']['type'], 'InvalidTenant') + self.assertEqual(resp.status_int, 403) + self.assertIn('403 Forbidden', str(resp)) self.m.VerifyAll() def test_get_template(self): diff --git a/heat/tests/test_api_openstack_v1_util.py b/heat/tests/test_api_openstack_v1_util.py new file mode 100644 index 000000000..2af2b4e0f --- /dev/null +++ b/heat/tests/test_api_openstack_v1_util.py @@ -0,0 +1,38 @@ +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from webob import exc + +from heat.api.openstack.v1 import util +from heat.common import context +from heat.common.wsgi import Request +from heat.tests.common import HeatTestCase + + +class TestTenantLocal(HeatTestCase): + def setUp(self): + super(TestTenantLocal, self).setUp() + self.req = Request({}) + self.req.context = context.RequestContext(tenant_id='foo') + + def test_tenant_local(self): + @util.tenant_local + def an_action(controller, req): + return 'woot' + + self.assertEqual('woot', + an_action(None, self.req, tenant_id='foo')) + + self.assertRaises(exc.HTTPForbidden, + an_action, None, self.req, tenant_id='bar') |