secrets.get should verify that the request is for a single secret

Added sanity checking to the requested URI path to make sure it is a properly formed secret UUID value. Change-Id: Ie6598303e502cd19458e0beef24d7fd032f9f14a Closes-Bug: #1259654
2013-12-10 14:20:52 -05:00
parent 020d1e05a6
commit 7d02541047
3 changed files with 24 additions and 3 deletions
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
+import urlparse
+import re

 from barbicanclient import base
 from barbicanclient.openstack.common.timeutils import parse_isotime
@@ -35,7 +37,10 @@ class Secret(object):
        self.status = secret_dict.get('status')
        self.content_types = secret_dict.get('content_types')

-        self.created = parse_isotime(secret_dict.get('created'))
+        if secret_dict.get('created') is not None:
+            self.created = parse_isotime(secret_dict['created'])
+        else:
+            self.created = None
        if secret_dict.get('expiration') is not None:
            self.expiration = parse_isotime(secret_dict['expiration'])
        else:
@@ -123,6 +128,16 @@ class SecretManager(base.BaseEntityManager):
        """
        if not secret_ref:
            raise ValueError('secret_ref is required.')
+        try:
+            url = urlparse.urlparse(secret_ref)
+            parts = url.path.rstrip('/').split('/')
+            reuuid = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-'
+                                '[0-9a-f]{4}-[0-9a-f]{12}', re.I)
+            if not reuuid.findall(parts[-1]):
+                raise ValueError('secret uuid format error.')
+        except:
+            raise ValueError('secret incorrectly specified.')
+
        resp = self.api.get(secret_ref)
        return Secret(resp)

--- a/barbicanclient/test/test_client.py
+++ b/barbicanclient/test/test_client.py
@@ -117,7 +117,8 @@ class WhenTestingClientWithSession(unittest.TestCase):
        self.entity = 'dummy-entity'
        base = self.endpoint + self.tenant_id + "/"
        self.entity_base = base + self.entity + "/"
-        self.entity_href = self.entity_base + '1234'
+        self.entity_href = self.entity_base + \
+            'abcd1234-eabc-5678-9abc-abcdef012345'

        self.entity_name = 'name'
        self.entity_dict = {'name': self.entity_name}
@@ -198,7 +199,8 @@ class BaseEntityResource(unittest.TestCase):
        self.entity = entity
        base = self.endpoint + self.tenant_id + "/"
        self.entity_base = base + self.entity + "/"
-        self.entity_href = self.entity_base + '1234'
+        self.entity_href = self.entity_base + \
+            'abcd1234-eabc-5678-9abc-abcdef012345'

        self.api = mock.MagicMock()
        self.api.base_url = base[:-1]
--- a/barbicanclient/test/test_client_secrets.py
+++ b/barbicanclient/test/test_client_secrets.py
@@ -162,6 +162,10 @@ class WhenTestingSecrets(test_client.BaseEntityResource):
        self.assertEqual(10, params['limit'])
        self.assertEqual(5, params['offset'])

+    def test_should_fail_get_invalid_secret(self):
+        with self.assertRaises(ValueError):
+            self.manager.get('12345')
+
    def test_should_fail_get_no_href(self):
        with self.assertRaises(ValueError):
            self.manager.get(None)