placement: validate member_of values are uuids

The 1.3 microversion adds the member_of query parameter
for listing resource providers which are members of
one or more aggregates based on the aggregate uuids. However
the REST API handler code is simply parsing and passing the
member_of values through to the object code which is doing a
SQL IN statement which will result in no resource providers if
an invalidate aggregate uuid is provided, i.e. not actually a
uuid.

This patch adds simple uuid validation to the handler code
that's parsing the member_of query parameter.

Change-Id: I912f731e0d75979aea0a0f22c15e6cfb84a95050
Closes-Bug: #1656482
This commit is contained in:
Matt Riedemann 2017-01-13 21:42:07 -05:00
parent 2da73ce46b
commit 5256514389
2 changed files with 13 additions and 2 deletions

View File

@ -66,8 +66,6 @@ GET_RPS_SCHEMA_1_0 = {
# Placement API microversion 1.3 adds support for a member_of attribute # Placement API microversion 1.3 adds support for a member_of attribute
GET_RPS_SCHEMA_1_3 = copy.deepcopy(GET_RPS_SCHEMA_1_0) GET_RPS_SCHEMA_1_3 = copy.deepcopy(GET_RPS_SCHEMA_1_0)
GET_RPS_SCHEMA_1_3['properties']['member_of'] = { GET_RPS_SCHEMA_1_3['properties']['member_of'] = {
# TODO(mriedem): At some point we need to do jsonschema and/or uuid
# validation of the value(s) here.
"type": "string" "type": "string"
} }
@ -290,6 +288,13 @@ def list_resource_providers(req):
value = value[3:].split(',') value = value[3:].split(',')
else: else:
value = [value] value = [value]
# Make sure the values are actually UUIDs.
for aggr_uuid in value:
if not uuidutils.is_uuid_like(aggr_uuid):
raise webob.exc.HTTPBadRequest(
_('Invalid uuid value: %(uuid)s') %
{'uuid': aggr_uuid},
json_formatter=util.json_error_formatter)
filters[attr] = value filters[attr] = value
if 'resources' in req.GET: if 'resources' in req.GET:
resources = _normalize_resources_qs_param(req.GET['resources']) resources = _normalize_resources_qs_param(req.GET['resources'])

View File

@ -47,6 +47,12 @@ tests:
response_json_paths: response_json_paths:
$.resource_providers[0].uuid: 893337e9-1e55-49f0-bcfe-6a2f16fbf2f7 $.resource_providers[0].uuid: 893337e9-1e55-49f0-bcfe-6a2f16fbf2f7
- name: get by aggregates no result not a uuid
GET: '/resource_providers?member_of=not+a+uuid'
status: 400
response_strings:
- 'Invalid uuid value: not a uuid'
- name: associate an aggregate with rp2 - name: associate an aggregate with rp2
PUT: /resource_providers/5202c48f-c960-4eec-bde3-89c4f22a17b9/aggregates PUT: /resource_providers/5202c48f-c960-4eec-bde3-89c4f22a17b9/aggregates
data: data: