Make os_glance namespace reserved

This adds a general mechanism for reserving property names that start
with os_glance. This has been done informally already, but no
enforcement was performed, except for specific keys on update. As a
result, banning these keys from create, for example, was missed and
users are able to set these keys during an POST /images operation.

Depends-On: https://review.opendev.org/c/openstack/nova/+/771234
Change-Id: I31b4dae018d52ead773db25472013d783066ee17
Closes-Bug: #1912001

glance/api/v2/images.py

@@ -872,8 +872,8 @@ class RequestDeserializer(wsgi.JSONRequestDeserializer):
                             'size', 'virtual_size', 'direct_url', 'self',
                             'file', 'schema', 'id', 'os_hash_algo',
                             'os_hash_value')
-    _reserved_properties = ('location', 'deleted', 'deleted_at',
-                            'os_glance_import_task')
+    _reserved_properties = ('location', 'deleted', 'deleted_at')
+    _reserved_namespaces = ('os_glance',)
     _base_properties = ('checksum', 'created_at', 'container_format',
                         'disk_format', 'id', 'min_disk', 'min_ram', 'name',
                         'size', 'virtual_size', 'status', 'tags', 'owner',
@@ -939,6 +939,13 @@ class RequestDeserializer(wsgi.JSONRequestDeserializer):
                          "characters."))
                 raise webob.exc.HTTPBadRequest(explanation=msg)
 
+            if key in self._reserved_properties:
+                msg = _("Attribute '%s' is reserved.") % key
+                raise webob.exc.HTTPForbidden(msg)
+            if any(key.startswith(ns) for ns in self._reserved_namespaces):
+                msg = _("Attribute '%s' is reserved.") % key
+                raise webob.exc.HTTPForbidden(msg)
+
         return dict(image=image, extra_properties=properties, tags=tags)
 
     def _get_change_operation_d10(self, raw_change):
@@ -1033,6 +1040,9 @@ class RequestDeserializer(wsgi.JSONRequestDeserializer):
         if path_root in self._reserved_properties:
             msg = _("Attribute '%s' is reserved.") % path_root
             raise webob.exc.HTTPForbidden(explanation=six.text_type(msg))
+        if any(path_root.startswith(ns) for ns in self._reserved_namespaces):
+            msg = _("Attribute '%s' is reserved.") % path_root
+            raise webob.exc.HTTPForbidden(explanation=msg)
 
         if change['op'] == 'remove':
             return

glance/tests/unit/v2/test_images_resource.py

@@ -3662,6 +3662,7 @@ class TestImagesDeserializer(test_utils.BaseTestCase):
             {'self': 'http://example.com'},
             {'file': 'http://example.com'},
             {'schema': 'http://example.com'},
+            {'os_glance_foo': 'foo'},
         ]
 
         for body in bodies:
@@ -3953,6 +3954,10 @@ class TestImagesDeserializer(test_utils.BaseTestCase):
         samples = {
             'deleted': False,
             'deleted_at': ISOTIME,
+            'os_glance_import_task': 'foo',
+            'os_glance_anything': 'bar',
+            'os_glance_': 'baz',
+            'os_glance': 'bat',
         }
 
         for key, value in samples.items():