openstack/nova
Code Issues Proposed changes

Handle ImageNotAuthorized exception

Browse Source 
Handle ImageNotAuthorized exception if user have no access to update image metadata

Change-Id: I558cc2c31174f7f619061882bfdab6df35203254
Fixes: bug #1194768
This commit is contained in:
Pavel Kirpichyov
2013-06-26 11:21:51 +03:00
parent 16ed451020
commit d851b332a2
8 changed files with 94 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
nova/api/openstack/compute/image_metadata.py
View File

@@ -87,7 +87,10 @@ class Controller(object):
image['properties'][id] = meta[id]
common.check_img_metadata_properties_quota(context,
image['properties'])
self.image_service.update(context, image_id, image, None)
try:
self.image_service.update(context, image_id, image, None)
except exception.ImageNotAuthorized as e:
raise exc.HTTPForbidden(explanation=str(e))
return dict(meta=meta)
@wsgi.serializers(xml=common.MetadataTemplate)

5
nova/api/openstack/compute/plugins/v3/image_metadata.py
View File

@@ -98,7 +98,10 @@ class ImageMetadataController(object):
image['properties'][id] = meta[id]
common.check_img_metadata_properties_quota(context,
image['properties'])
self.image_service.update(context, image_id, image, None)
try:
self.image_service.update(context, image_id, image, None)
except exception.ImageNotAuthorized as e:
raise exc.HTTPForbidden(explanation=str(e))
return dict(meta=meta)
@wsgi.serializers(xml=common.MetadataTemplate)

14
nova/tests/api/openstack/compute/plugins/v3/test_image_metadata.py
View File

@@ -209,3 +209,17 @@ class ImageMetaDataTest(test.TestCase):
self.assertRaises(webob.exc.HTTPRequestEntityTooLarge,
self.controller.update, req, '123', 'blah', body)
def test_image_not_authorized(self):
image_id = 131
# see nova.tests.api.openstack.fakes:_make_image_fixtures
req = fakes.HTTPRequestV3.blank(
'/v3/os-images/%s/os-image-metadata/key1' % image_id)
req.method = 'PUT'
body = {"meta": {"key1": "value1"}}
req.body = jsonutils.dumps(body)
req.headers["content-type"] = "application/json"
self.assertRaises(webob.exc.HTTPForbidden,
self.controller.update, req, image_id, 'key1', body)

25
nova/tests/api/openstack/compute/plugins/v3/test_images.py
View File

@@ -465,6 +465,31 @@ class ImagesControllerTest(test.TestCase):
"href": "%s/fake/images/130" % glance.generate_glance_url()
}],
},
{
'id': '131',
'name': None,
'metadata': {},
'updated': NOW_API_FORMAT,
'created': NOW_API_FORMAT,
'status': 'ACTIVE',
'progress': 100,
"size": 0,
'minDisk': 0,
'minRam': 0,
"links": [{
"rel": "self",
"href": "http://localhost/v3/images/131",
},
{
"rel": "bookmark",
"href": "http://localhost/images/131",
},
{
"rel": "alternate",
"type": "application/vnd.openstack.image",
"href": "%s/fake/images/131" % glance.generate_glance_url()
}],
},
]
self.assertThat(expected, matchers.DictListMatches(response_list))

14
nova/tests/api/openstack/compute/test_image_metadata.py
View File

@@ -197,3 +197,17 @@ class ImageMetaDataTest(test.TestCase):
self.assertRaises(webob.exc.HTTPRequestEntityTooLarge,
self.controller.update, req, '123', 'blah', body)
def test_image_not_authorized(self):
image_id = 131
# see nova.tests.api.openstack.fakes:_make_image_fixtures
req = fakes.HTTPRequest.blank('/v2/fake/images/%s/metadata/key1'
% image_id)
req.method = 'PUT'
body = {"meta": {"key1": "value1"}}
req.body = jsonutils.dumps(body)
req.headers["content-type"] = "application/json"
self.assertRaises(webob.exc.HTTPForbidden,
self.controller.update, req, image_id, 'key1', body)

24
nova/tests/api/openstack/compute/test_images.py
View File

@@ -455,6 +455,30 @@ class ImagesControllerTest(test.TestCase):
"href": "%s/fake/images/130" % glance.generate_glance_url()
}],
},
{
'id': '131',
'name': None,
'metadata': {},
'updated': NOW_API_FORMAT,
'created': NOW_API_FORMAT,
'status': 'ACTIVE',
'progress': 100,
'minDisk': 0,
'minRam': 0,
"links": [{
"rel": "self",
"href": "http://localhost/v2/fake/images/131",
},
{
"rel": "bookmark",
"href": "http://localhost/fake/images/131",
},
{
"rel": "alternate",
"type": "application/vnd.openstack.image",
"href": "%s/fake/images/131" % glance.generate_glance_url()
}],
},
]
self.assertThat(expected, matchers.DictListMatches(response_list))

4
nova/tests/api/openstack/fakes.py
View File

@@ -271,6 +271,10 @@ def _make_image_fixtures():
# Image without a name
add_fixture(id=image_id, is_public=True, status='active', properties={})
# Image for permission tests
image_id += 1
add_fixture(id=image_id, is_public=True, status='active', properties={},
owner='authorized_fake')
return fixtures

5
nova/tests/glance/stubs.py
View File

@@ -75,6 +75,11 @@ class StubGlanceClient(object):
def update(self, image_id, **metadata):
for i, image in enumerate(self._images):
if image.id == str(image_id):
# If you try to update a non-authorized image, it raises
# HTTPForbidden
if image.owner == 'authorized_fake':
raise glanceclient.exc.HTTPForbidden
for k, v in metadata.items():
setattr(self._images[i], k, v)
return self._images[i]