Merge "Forbid setting is_public via querystring"

This commit is contained in:
Jenkins 2015-04-10 10:35:09 +00:00 committed by Gerrit Code Review
commit 348d0908d6
3 changed files with 35 additions and 21 deletions


@ -237,10 +237,6 @@ class Controller(object):
if hasattr(pkg_to_upload, k): if hasattr(pkg_to_upload, k):
package_meta[v] = getattr(pkg_to_upload, k) package_meta[v] = getattr(pkg_to_upload, k)
if req.params.get('is_public', '').lower() == 'true':
policy.check('publicize_package', req.context)
package_meta['is_public'] = True
try: try:
package = db_api.package_upload(package_meta, req.context.tenant) package = db_api.package_upload(package_meta, req.context.tenant)
except db_exc.DBDuplicateEntry: except db_exc.DBDuplicateEntry:


@ -183,7 +183,8 @@ class ControllerTest(object):
environ['REQUEST_METHOD'] = method environ['REQUEST_METHOD'] = method
req = wsgi.Request(environ) req = wsgi.Request(environ)
req.context = utils.dummy_context(user, tenant) req.context = utils.dummy_context(user, tenant,
is_admin=self.is_admin)
self.context = req.context self.context = req.context
req.content_type = content_type req.content_type = content_type
req.body = data req.body = data
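Review bot: `self.is_admin` is now read on every request built here, but its default is not visible in this hunk; unless `ControllerTest` defines `is_admin = False` at class level (or resets it in `setUp`), any test that never assigns it fails with `AttributeError` on its first `_post`/`_delete`, and a default of `True` would silently run every existing test with an admin context. Please confirm the attribute is declared with a non-admin default, e.g. `is_admin = False  # requests are built as a non-admin unless a test opts in` on the class, and that it is not shared mutable state across tests. The enclosing request-builder method starts and ends outside this hunk.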


@ -60,7 +60,7 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
'ui_definition': pkg.raw_ui, 'ui_definition': pkg.raw_ui,
'class_definitions': pkg.classes, 'class_definitions': pkg.classes,
'archive': pkg.blob, 'archive': pkg.blob,
'categories': [] 'categories': [],
} }
return pkg, package return pkg, package
@ -90,9 +90,12 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
def test_add_public_unauthorized(self): def test_add_public_unauthorized(self):
policy.set_rules({ policy.set_rules({
'upload_package': '@', 'upload_package': '@',
'publicize_package': 'role:is_admin or is_admin:True' 'publicize_package': 'is_admin:True',
'delete_package': 'is_admin:True',
}) })
self.expect_policy_check('upload_package')
self.expect_policy_check('delete_package', mock.ANY)
self.expect_policy_check('upload_package') self.expect_policy_check('upload_package')
self.expect_policy_check('publicize_package') self.expect_policy_check('publicize_package')
self.expect_policy_check('upload_package') self.expect_policy_check('upload_package')
@ -106,37 +109,51 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
body = '''\ body = '''\
--BOUNDARY --BOUNDARY
Content-Disposition: form-data; name="ziparchive" Content-Disposition: form-data; name="__metadata__"
Content-Type: text/plain:
{0}
--BOUNDARY
Content-Disposition: form-data; name="ziparchive"; filename="file.zip"
This is a fake zip archive This is a fake zip archive
--BOUNDARY --BOUNDARY--'''
Content-Disposition: form-data; name="metadata"; filename="test.json"
Content-Type: application/json
%s
--BOUNDARY--''' % package_metadata
with mock.patch('murano.packages.load_utils.load_from_file') as lff: with mock.patch('murano.packages.load_utils.load_from_file') as lff:
lff.return_value = package_from_dir lff.return_value = package_from_dir
# Uploading a non-public package
req = self._post( req = self._post(
'/catalog/packages', '/catalog/packages',
body, body.format(json.dumps({'is_public': False})),
content_type='multipart/form-data; ; boundary=BOUNDARY', content_type='multipart/form-data; ; boundary=BOUNDARY',
params={"is_public": "true"}) )
res = req.get_response(self.api)
self.assertEqual(200, res.status_code)
self.is_admin = True
app_id = json.loads(res.body)['id']
req = self._delete('/catalog/packages/{0}'.format(app_id))
res = req.get_response(self.api) res = req.get_response(self.api)
# Nobody has access to upload public images self.is_admin = False
# Uploading a public package fails
req = self._post(
'/catalog/packages',
body.format(json.dumps({'is_public': True})),
content_type='multipart/form-data; ; boundary=BOUNDARY',
)
res = req.get_response(self.api)
self.assertEqual(403, res.status_code) self.assertEqual(403, res.status_code)
# Uploading a public package passes for admin
self.is_admin = True self.is_admin = True
req = self._post( req = self._post(
'/catalog/packages', '/catalog/packages',
body, body.format(json.dumps({'is_public': True})),
content_type='multipart/form-data; ; boundary=BOUNDARY', content_type='multipart/form-data; ; boundary=BOUNDARY',
params={"is_public": "true"}) )
res = req.get_response(self.api) res = req.get_response(self.api)
self.assertEqual(403, res.status_code) self.assertEqual(200, res.status_code)
def test_add_category(self): def test_add_category(self):
"""Check that category added successfully """Check that category added successfully
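Review bot: Nothing in the rewritten `test_add_public_unauthorized` exercises the behaviour the commit title names — that `is_public` in the query string is now ignored — because the 403 at the second upload is driven by `is_public` in the `__metadata__` part, so a controller regression that re-read `req.params` would pass this test. The cheapest guard is the first, non-admin upload (the `self._post('/catalog/packages', body.format(json.dumps({'is_public': False})), ...)` call): keep `params={"is_public": "true"}` on that request, since with the querystring path removed it must still return 200, whereas the old code would have run `publicize_package` and answered 403. The response of the admin delete between the two uploads is also never asserted, so a failed cleanup would surface later as a confusing duplicate-entry error; add `self.assertEqual(200, res.status_code)` after it, adjusting the code if the delete endpoint returns something other than 200 (its status is not visible here). Note that the controller hunk only removes the querystring branch and its `policy.check('publicize_package', ...)`; the enforcement for the metadata path that this test now relies on lives outside this commit and is worth confirming.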