Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 51F2C200AE4 for ; Wed, 25 May 2016 11:22:40 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 50F25160A29; Wed, 25 May 2016 09:22:40 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 7A4C5160A17 for ; Wed, 25 May 2016 11:22:39 +0200 (CEST) Received: (qmail 90377 invoked by uid 500); 25 May 2016 09:22:38 -0000 Mailing-List: contact commits-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list commits@cloudstack.apache.org Received: (qmail 90362 invoked by uid 99); 25 May 2016 09:22:38 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 May 2016 09:22:38 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 8BC59DFFC2; Wed, 25 May 2016 09:22:38 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: bhaisaab@apache.org To: commits@cloudstack.apache.org Date: Wed, 25 May 2016 09:22:38 -0000 Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: [1/4] git commit: updated refs/heads/4.7.1.1-RC20160525T1230 to 781775a archived-at: Wed, 25 May 2016 09:22:40 -0000 Repository: cloudstack Updated Branches: refs/heads/4.7.1.1-RC20160525T1230 [created] 781775a31 CLOUDSTACK-9376: Restrict listTemplates API with filter=all for root admin Restricts use of listemplates API with templatefilter=all for root admin only. Signed-off-by: Rohit Yadav Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e6af340e Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e6af340e Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e6af340e Branch: refs/heads/4.7.1.1-RC20160525T1230 Commit: e6af340ef762705bf3a87f608a412077c8272a9f Parents: 5ea07dc Author: Rohit Yadav Authored: Wed May 25 11:52:58 2016 +0530 Committer: Rohit Yadav Committed: Wed May 25 12:20:46 2016 +0530 ---------------------------------------------------------------------- .../com/cloud/api/query/QueryManagerImpl.java | 4 +- test/integration/component/test_templates.py | 76 ++++++++++++++++++++ 2 files changed, 78 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e6af340e/server/src/com/cloud/api/query/QueryManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index a87d9fb..99f210f 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -3054,9 +3054,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService, Confi boolean listAll = false; if (templateFilter != null && templateFilter == TemplateFilter.all) { - if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { + if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { throw new InvalidParameterValueException("Filter " + TemplateFilter.all - + " can be specified by admin only"); + + " can be specified by root admin only"); } listAll = true; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e6af340e/test/integration/component/test_templates.py ---------------------------------------------------------------------- diff --git a/test/integration/component/test_templates.py b/test/integration/component/test_templates.py index b1e7e7c..c8384d9 100644 --- a/test/integration/component/test_templates.py +++ b/test/integration/component/test_templates.py @@ -22,6 +22,7 @@ from marvin.cloudstackTestCase import cloudstackTestCase, unittest from marvin.cloudstackAPI import listZones from marvin.lib.utils import (cleanup_resources) from marvin.lib.base import (Account, + Domain, Template, ServiceOffering, VirtualMachine, @@ -51,6 +52,7 @@ class Services: # username "password": "password", }, + "testdomain": {"name": "test"}, "service_offering": { "name": "Tiny Instance", "displaytext": "Tiny Instance", @@ -602,3 +604,77 @@ class TestTemplates(cloudstackTestCase): "Check the state of VM created from Template" ) return + + +class TestListTemplate(cloudstackTestCase): + + def setUp(self): + self.apiclient = self.testClient.getApiClient() + self.hypervisor = self.testClient.getHypervisorInfo() + self.dbclient = self.testClient.getDbConnection() + self.cleanup = [] + + self.services = Services().services + # Get Zone, Domain and templates + self.domain = get_domain(self.apiclient) + self.account = Account.create( + self.apiclient, + self.services["account"], + domainid=self.domain.id + ) + self.newdomain = Domain.create( + self.apiclient, + self.services["testdomain"], + parentdomainid=self.domain.id + ) + self.newdomain_account = Account.create( + self.apiclient, + self.services["account"], + admin=True, + domainid=self.newdomain.id + ) + self.cleanup = [ + self.account, + self.newdomain_account, + self.newdomain, + ] + + + def tearDown(self): + try: + # Clean up, terminate the created templates + cleanup_resources(self.apiclient, self.cleanup) + except Exception as e: + raise Exception("Warning: Exception during cleanup : %s" % e) + + + @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false") + def test_01_list_templates_with_templatefilter_all_normal_user(self): + """ + Test list templates with templatefilter=all is not permitted for normal user + """ + + user_api_client = self.testClient.getUserApiClient( + UserName=self.account.name, + DomainName=self.account.domain) + try: + list_template_response = Template.list(self.user_api_client, templatefilter='all') + self.fail("Regular User is able to use templatefilter='all' in listTemplates API call") + except Exception as e: + self.debug("ListTemplates API with templatefilter='all' is not permitted for normal user") + + + @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false") + def test_02_list_templates_with_templatefilter_all_domain_admin(self): + """ + Test list templates with templatefilter=all is not permitted for domain admin + """ + + domain_user_api_client = self.testClient.getUserApiClient( + UserName=self.newdomain_account.name, + DomainName=self.newdomain_account.domain) + try: + list_template_response = Template.list(self.domain_user_api_client, templatefilter='all') + self.fail("Domain admin is able to use templatefilter='all' in listTemplates API call") + except Exception as e: + self.debug("ListTemplates API with templatefilter='all' is not permitted for domain admin user")