Merge "Throw 405 when specified method not allowed in Secret Metadatum"

2016-03-16 21:36:18 +00:00 · 2016-03-16 21:36:18 +00:00 · 2909a26158
commit 2909a26158
parent 91da494521 6f97d23ce7
2 changed files with 25 additions and 3 deletions
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@ -78,8 +78,15 @@ class SecretController(controllers.ACLMixin):
                return secretmeta.SecretMetadataController(self.secret), \
                    remainder
            else:
-                return secretmeta.SecretMetadatumController(self.secret), \
-                    remainder
+                request_method = pecan.request.method
+                allowed_methods = ['GET', 'PUT', 'DELETE']
+
+                if request_method in allowed_methods:
+                    return secretmeta.SecretMetadatumController(self.secret), \
+                        remainder
+                else:
+                    # methods cannot be handled at controller level
+                    pecan.abort(405)
        else:
            # only 'acl' and 'metadata' as sub-resource is supported
            pecan.abort(405)
--- a/barbican/tests/api/controllers/test_secretmeta.py
+++ b/barbican/tests/api/controllers/test_secretmeta.py
@ -1,4 +1,4 @@
-# Copyright (c) 2016 IBM
+# Copyright (c) 2017 IBM
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -255,6 +255,21 @@ class WhenTestingSecretMetadatumResource(utils.BarbicanAPIBaseTestCase):
                               expect_errors=True)
        self.assertEqual(405, resp.status_int)

+    @mock.patch('barbican.model.repositories.SecretUserMetadatumRepo.'
+                'get_metadata_for_secret')
+    def test_returns_405_for_head_on_metadatum(self, mocked_get):
+        secret_id, secret_resp = create_secret(self.app)
+
+        mocked_get.return_value = self.valid_metadata['metadata']
+        meta_resp = create_secret_metadatum(self.app,
+                                            self.valid_metadatum,
+                                            secret_id)
+        self.assertEqual(201, meta_resp.status_int)
+
+        resp = self.app.head('/secrets/{0}/metadata/access-limit'.format(
+            secret_id), expect_errors=True)
+        self.assertEqual(405, resp.status_int)
+

 # ----------------------- Helper Functions ---------------------------
 def create_secret(app, name=None, algorithm=None, bit_length=None, mode=None,