cloudstack-commits mailing list archives

From bhais...@apache.org
Subject [1/5] git commit: updated refs/heads/4.5.2.1-security-RC20160525T1207 to 7059c29
Date Wed, 25 May 2016 09:20:43 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/4.5.2.1-security-RC20160525T1207 [created] 7059c29e9


CLOUDSTACK-9376: Restrict listTemplates API with filter=all for root admin

Restricts use of the listTemplates API with templatefilter=all to the root admin only.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e18eca63
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e18eca63
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e18eca63

Branch: refs/heads/4.5.2.1-security-RC20160525T1207
Commit: e18eca63c9dbd203914d966f47755fafd41f254a
Parents: 7385441
Author: Murali Reddy <muralimmreddy@gmail.com>
Authored: Thu May 12 13:23:11 2016 +0530
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Wed May 25 11:27:08 2016 +0530

----------------------------------------------------------------------
 .../com/cloud/api/query/QueryManagerImpl.java   |  4 +-
 test/integration/component/test_templates.py    | 93 +++++++++++++++++++-
 2 files changed, 91 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e18eca63/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 62714ea..75fd1f9 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -2946,9 +2946,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService
{
 
         boolean listAll = false;
         if (templateFilter != null && templateFilter == TemplateFilter.all) {
-            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                 throw new InvalidParameterValueException("Filter " + TemplateFilter.all
-                        + " can be specified by admin only");
+                        + " can be specified by root admin only");
             }
             listAll = true;
         }
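Review bot: The denial at the `throw` in this hunk is still raised as `InvalidParameterValueException`, so an authorization failure reaches clients and logs as a bad-parameter error rather than an access denial, which makes rejected cross-account listing attempts harder to pick out in audit data. If the project has a dedicated permission-denied exception, using it here is worth considering, provided the change in API error code is acceptable to callers. The new `!= Account.ACCOUNT_TYPE_ADMIN` test is deny-by-default, and a comment such as `// only root admin may list templates across all accounts; every other account type is rejected` would keep a later edit from narrowing it back to a single account type. Any other listing path in this class that accepts the same filter probably needs the same comparison; the enclosing method starts and ends outside the hunk, so that cannot be checked from here.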

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e18eca63/test/integration/component/test_templates.py
----------------------------------------------------------------------
diff --git a/test/integration/component/test_templates.py b/test/integration/component/test_templates.py
index 06b8c5f..a0edc09 100644
--- a/test/integration/component/test_templates.py
+++ b/test/integration/component/test_templates.py
@@ -22,6 +22,7 @@ from marvin.cloudstackTestCase import cloudstackTestCase, unittest
 from marvin.cloudstackAPI import listZones
 from marvin.lib.utils import (cleanup_resources)
 from marvin.lib.base import (Account,
+                             Domain,
                              Template,
                              ServiceOffering,
                              VirtualMachine,
@@ -49,8 +50,18 @@ class Services:
                                     # Random characters are appended for unique
                                     # username
                                     "password": "password",
-                         },
-                         "service_offering": {
+                        },
+                        "account1": {
+                                    "email": "test@test.com",
+                                    "firstname": "Test1",
+                                    "lastname": "User1",
+                                    "username": "test1",
+                                    # Random characters are appended for unique
+                                    # username
+                                    "password": "password",
+                        },
+                        "testdomain": {"name": "test"},
+                        "service_offering": {
                                     "name": "Tiny Instance",
                                     "displaytext": "Tiny Instance",
                                     "cpunumber": 1,
@@ -109,7 +120,7 @@ class TestCreateTemplate(cloudstackTestCase):
 
     def setUp(self):
         self.apiclient = self.testClient.getApiClient()
-        self.hypervisor = self.testClient.getHypervisorInfo() 
+        self.hypervisor = self.testClient.getHypervisorInfo()
         self.dbclient = self.testClient.getDbConnection()
         self.cleanup = []
         return
@@ -193,7 +204,7 @@ class TestCreateTemplate(cloudstackTestCase):
                                         zoneid=self.zone.id,
                                         account=self.account.name,
                                         domainid=self.account.domainid,
-                                        hypervisor=self.hypervisor 
+                                        hypervisor=self.hypervisor
                                         )
         self.debug(
                 "Registered a template of format: %s with ID: %s" % (
@@ -581,3 +592,77 @@ class TestTemplates(cloudstackTestCase):
                             "Check the state of VM created from Template"
                         )
         return
+
+
+class TestListTemplate(cloudstackTestCase):
+
+    def setUp(self):
+        self.apiclient = self.testClient.getApiClient()
+        self.hypervisor = self.testClient.getHypervisorInfo()
+        self.dbclient = self.testClient.getDbConnection()
+        self.cleanup = []
+
+        self.services = Services().services
+        # Get Zone, Domain and templates
+        self.domain = get_domain(self.apiclient)
+        self.account = Account.create(
+                            self.apiclient,
+                            self.services["account"],
+                            domainid=self.domain.id
+                            )
+        self.newdomain = Domain.create(
+                           self.apiclient,
+                           self.services["testdomain"],
+                           parentdomainid=self.domain.id
+                           )
+        self.newdomain_account = Account.create(
+                           self.apiclient,
+                           self.services["account1"],
+                           admin=True,
+                           domainid=self.newdomain.id
+                           )
+        self.cleanup = [
+                        self.account,
+                        self.newdomain_account,
+                        self.newdomain,
+                        ]
+
+
+    def tearDown(self):
+        try:
+            # Clean up, terminate the created templates
+            cleanup_resources(self.apiclient, self.cleanup)
+        except Exception as e:
+            raise Exception("Warning: Exception during cleanup : %s" % e)
+
+
+    @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+    def test_01_list_templates_with_templatefilter_all_normal_user(self):
+        """
+            Test list templates with templatefilter=all is not permitted for normal user
+        """
+
+        user_api_client = self.testClient.getUserApiClient(
+                                    UserName=self.account.name,
+                                    DomainName=self.account.domain)
+        try:
+            list_template_response = Template.list(self.user_api_client, templatefilter='all')
+            self.fail("Regular User is able to use templatefilter='all' in listTemplates
API call")
+        except Exception as e:
+            self.debug("ListTemplates API with templatefilter='all' is not permitted for
normal user")
+
+
+    @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+    def test_02_list_templates_with_templatefilter_all_domain_admin(self):
+        """
+            Test list templates with templatefilter=all is not permitted for domain admin
+        """
+
+        domain_user_api_client = self.testClient.getUserApiClient(
+                                    UserName=self.newdomain_account.name,
+                                    DomainName=self.newdomain_account.domain)
+        try:
+            list_template_response = Template.list(self.domain_user_api_client, templatefilter='all')
+            self.fail("Domain admin is able to use templatefilter='all' in listTemplates
API call")
+        except Exception as e:
+            self.debug("ListTemplates API with templatefilter='all' is not permitted for
domain admin user")
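Review bot: Both new tests pass no matter what the server does, so they give no regression coverage for the access restriction. In `test_01` and `test_02` the client is stored in a local (`user_api_client`, `domain_user_api_client`) but `Template.list` is called with `self.user_api_client` / `self.domain_user_api_client`, which the setUp in this hunk never sets, so the call raises AttributeError before any API request is made; the `except Exception` clause also swallows the AssertionError raised by `self.fail(...)`. Replace each try/except with `with self.assertRaises(Exception):` followed by `Template.list(user_api_client, templatefilter='all')` (and `domain_user_api_client` in test_02), ideally narrowing `Exception` to the API error type the client raises so an unrelated failure cannot satisfy the test. A third case asserting that the root admin client can still list with templatefilter='all' would cover the permitted path.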

