From 5256514389dc5d46270a67d5cf4e127e08c0bc1b Mon Sep 17 00:00:00 2001
From: Matt Riedemann
Date: Fri, 13 Jan 2017 21:42:07 -0500
Subject: [PATCH] placement: validate member_of values are uuids
The 1.3 microversion adds the member_of query parameter for listing resource providers which are members of one or more aggregates based on the aggregate uuids. However the REST API handler code is simply parsing and passing the member_of values through to the object code which is doing a SQL IN statement which will result in no resource providers if an invalidate aggregate uuid is provided, i.e. not actually a uuid. This patch adds simple uuid validation to the handler code that's parsing the member_of query parameter.
Change-Id: I912f731e0d75979aea0a0f22c15e6cfb84a95050
Closes-Bug: #1656482
---
 .../openstack/placement/handlers/resource_provider.py | 9 +++++++--
 .../placement/gabbits/resource-provider-aggregates.yaml | 6 ++++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/nova/api/openstack/placement/handlers/resource_provider.py b/nova/api/openstack/placement/handlers/resource_provider.py
index 2148cb498..2fdff3626 100644
--- a/nova/api/openstack/placement/handlers/resource_provider.py
+++ b/nova/api/openstack/placement/handlers/resource_provider.py
@@ -66,8 +66,6 @@ GET_RPS_SCHEMA_1_0 = {
 # Placement API microversion 1.3 adds support for a member_of attribute
 GET_RPS_SCHEMA_1_3 = copy.deepcopy(GET_RPS_SCHEMA_1_0)
 GET_RPS_SCHEMA_1_3['properties']['member_of'] = {
- # TODO(mriedem): At some point we need to do jsonschema and/or uuid
- # validation of the value(s) here.
 "type": "string"
 }
 
@@ -290,6 +288,13 @@ def list_resource_providers(req):
 value = value[3:].split(',')
 else:
 value = [value]
+ # Make sure the values are actually UUIDs.
+ for aggr_uuid in value:
+ if not uuidutils.is_uuid_like(aggr_uuid):
+ raise webob.exc.HTTPBadRequest(
+ _('Invalid uuid value: %(uuid)s') %
+ {'uuid': aggr_uuid},
+ json_formatter=util.json_error_formatter)
 filters[attr] = value
 if 'resources' in req.GET:
 resources = _normalize_resources_qs_param(req.GET['resources'])
diff --git a/nova/tests/functional/api/openstack/placement/gabbits/resource-provider-aggregates.yaml b/nova/tests/functional/api/openstack/placement/gabbits/resource-provider-aggregates.yaml
index ef6c37ccb..530367cc5 100644
--- a/nova/tests/functional/api/openstack/placement/gabbits/resource-provider-aggregates.yaml
+++ b/nova/tests/functional/api/openstack/placement/gabbits/resource-provider-aggregates.yaml
@@ -47,6 +47,12 @@ tests:
 response_json_paths:
 $.resource_providers[0].uuid: 893337e9-1e55-49f0-bcfe-6a2f16fbf2f7
 
+- name: get by aggregates no result not a uuid
+ GET: '/resource_providers?member_of=not+a+uuid'
+ status: 400
+ response_strings:
+ - 'Invalid uuid value: not a uuid'
+
 - name: associate an aggregate with rp2
 PUT: /resource_providers/5202c48f-c960-4eec-bde3-89c4f22a17b9/aggregates
 data:
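Review bot: `uuidutils.is_uuid_like()` in the added loop accepts more than the canonical form. As far as I know it also passes upper-case, unhyphenated, brace-wrapped and `urn:uuid:`-prefixed strings, and the accepted value is then stored in `filters[attr]` unchanged. If the aggregate lookup is a literal string comparison in the SQL IN that the commit message describes, such a value passes validation and still yields an empty list with no error, which is the case this change sets out to close. Consider normalising after the check, e.g. `value = [str(uuid.UUID(v)) for v in value]` (this assumes a `uuid` import), or rejecting anything that is not already canonical. `list_resource_providers` starts and ends outside this hunk, so the existing imports of `uuidutils`, `webob` and `util` are not visible here.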
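Review bot: The new case covers only the single-value form of `member_of`; the `in:` list form, which the handler splits on commas before validating each entry, has no negative test. A second case such as `GET: '/resource_providers?member_of=in:<AGGREGATE_UUID>,not+a+uuid'` with `status: 400` (the uuid is a placeholder) would pin that one bad entry in a list rejects the whole request. The test name still says "no result" although the expected outcome is now a 400 rather than an empty list, so something like `get by aggregates not a uuid` would read more accurately.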