Browse Source

Merge "Add permission check when creating restore"

Zuul 4 months ago
parent
commit
57c04d1eeb

+ 2
- 0
karbor/api/v1/restores.py View File

@@ -232,6 +232,8 @@ class RestoresController(wsgi.Controller):
232 232
         # call restore rpc API of protection service
233 233
         try:
234 234
             self.protection_api.restore(context, restoreobj, restore_auth)
235
+        except exception.AccessCheckpointNotAllowed as error:
236
+            raise exc.HTTPForbidden(explanation=error.msg)
235 237
         except Exception:
236 238
             # update the status of restore
237 239
             update_dict = {

+ 7
- 1
karbor/services/protection/manager.py View File

@@ -182,7 +182,8 @@ class ProtectionManager(manager.Manager):
182 182
                                    exception.CheckpointNotFound,
183 183
                                    exception.CheckpointNotAvailable,
184 184
                                    exception.FlowError,
185
-                                   exception.InvalidInput)
185
+                                   exception.InvalidInput,
186
+                                   exception.AccessCheckpointNotAllowed)
186 187
     def restore(self, context, restore, restore_auth):
187 188
         LOG.info("Starting restore service:restore action")
188 189
 
@@ -197,6 +198,11 @@ class ProtectionManager(manager.Manager):
197 198
         checkpoint_collection = provider.get_checkpoint_collection()
198 199
         checkpoint = checkpoint_collection.get(checkpoint_id)
199 200
 
201
+        if not context.is_admin and (
202
+                checkpoint.project_id != context.project_id):
203
+            raise exception.AccessCheckpointNotAllowed(
204
+                checkpoint_id=checkpoint_id)
205
+
200 206
         if checkpoint.status != constants.CHECKPOINT_STATUS_AVAILABLE:
201 207
             raise exception.CheckpointNotAvailable(
202 208
                 checkpoint_id=checkpoint_id)

+ 10
- 0
karbor/tests/unit/api/v1/test_restores.py View File

@@ -75,6 +75,16 @@ class RestoreApiTest(base.TestCase):
75 75
         self.assertRaises(exception.ValidationError, self.controller.create,
76 76
                           req, body=body)
77 77
 
78
+    @mock.patch('karbor.services.protection.api.API.restore')
79
+    def test_restore_create_with_checkpoint_not_allowed_exception(
80
+            self, mock_restore):
81
+        mock_restore.side_effect = exception.AccessCheckpointNotAllowed
82
+        restore = self._restore_in_request_body()
83
+        body = {"restore": restore}
84
+        req = fakes.HTTPRequest.blank('/v1/restores')
85
+        self.assertRaises(exc.HTTPForbidden, self.controller.create,
86
+                          req, body=body)
87
+
78 88
     @mock.patch(
79 89
         'karbor.api.v1.restores.RestoresController._get_all')
80 90
     def test_restore_list_detail(self, moak_get_all):

+ 14
- 0
karbor/tests/unit/protection/test_manager.py View File

@@ -146,6 +146,20 @@ class ProtectionServiceTest(base.TestCase):
146 146
                           None,
147 147
                           fakes.fake_protection_plan())
148 148
 
149
+    @mock.patch.object(provider.ProviderRegistry, 'show_provider')
150
+    def test_restore_with_project_id_not_same(self, mock_provider):
151
+        mock_provider.return_value = fakes.FakeProvider()
152
+        context = mock.MagicMock(project_id='fake_project_id_1',
153
+                                 is_admin=False)
154
+        fake_restore = {
155
+            'checkpoint_id': 'fake_checkpoint',
156
+            'provider_id': 'fake_provider_id',
157
+            'parameters': None
158
+        }
159
+        self.assertRaises(
160
+            oslo_messaging.ExpectedException, self.pro_manager.restore,
161
+            context, fake_restore, None)
162
+
149 163
     @mock.patch.object(provider.ProviderRegistry, 'show_provider')
150 164
     def test_list_checkpoints(self, mock_provider):
151 165
         fake_provider = fakes.FakeProvider()

Loading…
Cancel
Save