Merge "Disallow user modifing ACTIVE_IMMUTABLE of deactivated images"
This commit is contained in:
commit
e3b8753d27
@ -937,9 +937,11 @@ class Controller(controller.BaseController):
|
||||
# Once an image is 'active' only an admin can
|
||||
# modify certain core metadata keys
|
||||
for key in ACTIVE_IMMUTABLE:
|
||||
if (orig_status == 'active' and key in image_meta
|
||||
if ((orig_status == 'active' or orig_status == 'deactivated')
|
||||
and key in image_meta
|
||||
and image_meta.get(key) != orig_image_meta.get(key)):
|
||||
msg = _("Forbidden to modify '%s' of active image.") % key
|
||||
msg = _("Forbidden to modify '%(key)s' of %(status)s "
|
||||
"image.") % {'key': key, 'status': orig_status}
|
||||
raise HTTPForbidden(explanation=msg,
|
||||
request=req,
|
||||
content_type="text/plain")
|
||||
|
@ -101,7 +101,7 @@ class TestGlanceAPI(base.IsolatedUnitTest):
|
||||
'updated_at': timeutils.utcnow(),
|
||||
'deleted_at': None,
|
||||
'deleted': False,
|
||||
'checksum': None,
|
||||
'checksum': '13',
|
||||
'size': 13,
|
||||
'locations': [{'url': "file:///%s/%s" % (self.test_dir, UUID1),
|
||||
'metadata': {}, 'status': 'active'}],
|
||||
@ -3075,6 +3075,40 @@ class TestGlanceAPI(base.IsolatedUnitTest):
|
||||
self.assertEqual(200, res.status_int)
|
||||
self.assertEqual(orig_value, res.headers[k])
|
||||
|
||||
def test_deactivated_image_immutable_props_for_user(self):
|
||||
"""
|
||||
Tests user cannot update immutable props of deactivated image
|
||||
"""
|
||||
test_router_api = router.API(self.mapper)
|
||||
self.api = test_utils.FakeAuthMiddleware(
|
||||
test_router_api, is_admin=False)
|
||||
fixture_header_list = [{'x-image-meta-checksum': '1234'},
|
||||
{'x-image-meta-size': '12345'}]
|
||||
for fixture_header in fixture_header_list:
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.method = 'PUT'
|
||||
for k, v in six.iteritems(fixture_header):
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.method = 'HEAD'
|
||||
res = req.get_response(self.api)
|
||||
self.assertEqual(200, res.status_int)
|
||||
orig_value = res.headers[k]
|
||||
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.headers[k] = v
|
||||
req.method = 'PUT'
|
||||
res = req.get_response(self.api)
|
||||
self.assertEqual(403, res.status_int)
|
||||
prop = k[len('x-image-meta-'):]
|
||||
self.assertNotEqual(-1, res.body.find(
|
||||
"Forbidden to modify '%s' of deactivated image" % prop))
|
||||
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.method = 'HEAD'
|
||||
res = req.get_response(self.api)
|
||||
self.assertEqual(200, res.status_int)
|
||||
self.assertEqual(orig_value, res.headers[k])
|
||||
|
||||
def test_props_of_active_image_mutable_for_admin(self):
|
||||
"""
|
||||
Tests admin can update 'immutable' props of active image
|
||||
@ -3105,6 +3139,36 @@ class TestGlanceAPI(base.IsolatedUnitTest):
|
||||
self.assertEqual(200, res.status_int)
|
||||
self.assertEqual(v, res.headers[k])
|
||||
|
||||
def test_props_of_deactivated_image_mutable_for_admin(self):
|
||||
"""
|
||||
Tests admin can update 'immutable' props of deactivated image
|
||||
"""
|
||||
test_router_api = router.API(self.mapper)
|
||||
self.api = test_utils.FakeAuthMiddleware(
|
||||
test_router_api, is_admin=True)
|
||||
fixture_header_list = [{'x-image-meta-checksum': '1234'},
|
||||
{'x-image-meta-size': '12345'}]
|
||||
for fixture_header in fixture_header_list:
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.method = 'PUT'
|
||||
for k, v in six.iteritems(fixture_header):
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.method = 'HEAD'
|
||||
res = req.get_response(self.api)
|
||||
self.assertEqual(200, res.status_int)
|
||||
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.headers[k] = v
|
||||
req.method = 'PUT'
|
||||
res = req.get_response(self.api)
|
||||
self.assertEqual(200, res.status_int)
|
||||
|
||||
req = webob.Request.blank('/images/%s' % UUID3)
|
||||
req.method = 'HEAD'
|
||||
res = req.get_response(self.api)
|
||||
self.assertEqual(200, res.status_int)
|
||||
self.assertEqual(v, res.headers[k])
|
||||
|
||||
def test_replace_members_non_existing_image(self):
|
||||
"""
|
||||
Tests replacing image members raises right exception
|
||||
|
Loading…
Reference in New Issue
Block a user