Repository: cloudstack Updated Branches: refs/heads/4.5.2.1-security-RC20160525T1207 [created] 7059c29e9
CLOUDSTACK-9376: Restrict listTemplates API with filter=all for root admin Restricts use of listemplates API with templatefilter=all for root admin only. Signed-off-by: Rohit Yadav <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e18eca63 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e18eca63 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e18eca63 Branch: refs/heads/4.5.2.1-security-RC20160525T1207 Commit: e18eca63c9dbd203914d966f47755fafd41f254a Parents: 7385441 Author: Murali Reddy <[email protected]> Authored: Thu May 12 13:23:11 2016 +0530 Committer: Rohit Yadav <[email protected]> Committed: Wed May 25 11:27:08 2016 +0530 ---------------------------------------------------------------------- .../com/cloud/api/query/QueryManagerImpl.java | 4 +- test/integration/component/test_templates.py | 93 +++++++++++++++++++- 2 files changed, 91 insertions(+), 6 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e18eca63/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 62714ea..75fd1f9 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -2946,9 +2946,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = false;
if (templateFilter != null && templateFilter == TemplateFilter.all) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
throw new InvalidParameterValueException("Filter " + TemplateFilter.all
- + " can be specified by admin only");
+ + " can be specified by root admin only");
}
listAll = true;
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e18eca63/test/integration/component/test_templates.py
----------------------------------------------------------------------
diff --git a/test/integration/component/test_templates.py b/test/integration/component/test_templates.py
index 06b8c5f..a0edc09 100644
--- a/test/integration/component/test_templates.py
+++ b/test/integration/component/test_templates.py
@@ -22,6 +22,7 @@ from marvin.cloudstackTestCase import cloudstackTestCase, unittest
from marvin.cloudstackAPI import listZones
from marvin.lib.utils import (cleanup_resources)
from marvin.lib.base import (Account,
+ Domain,
Template,
ServiceOffering,
VirtualMachine,
@@ -49,8 +50,18 @@ class Services:
# Random characters are appended for unique
# username
"password": "password",
- },
- "service_offering": {
+ },
+ "account1": {
+ "email": "[email protected]",
+ "firstname": "Test1",
+ "lastname": "User1",
+ "username": "test1",
+ # Random characters are appended for unique # username
+ "password": "password",
+ },
+ "testdomain": {"name": "test"},
+ "service_offering": {
"name": "Tiny Instance",
"displaytext": "Tiny Instance",
"cpunumber": 1,
@@ -109,7 +120,7 @@ class TestCreateTemplate(cloudstackTestCase):
def setUp(self):
self.apiclient = self.testClient.getApiClient()
- self.hypervisor = self.testClient.getHypervisorInfo()
+ self.hypervisor = self.testClient.getHypervisorInfo()
self.dbclient = self.testClient.getDbConnection()
self.cleanup = []
return
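Review bot: The refusal on the new `!= Account.ACCOUNT_TYPE_ADMIN` line is an authorization decision, yet it is still raised as InvalidParameterValueException, so the caller (and likely any API error classification or audit logging keyed on the exception type) sees a malformed-parameter error rather than a permission failure; if this class already uses PermissionDeniedException for caller-privilege checks, raising that here would classify the refusal correctly, e.g. `throw new PermissionDeniedException("Filter " + TemplateFilter.all + " can be specified by root admin only");`. The allow-list comparison is the right shape: it now refuses domain admins and every other non-root account type instead of only ACCOUNT_TYPE_NORMAL, and it will not silently widen if another account type is added later. A one-line comment above the check would record that intent for the next maintainer, e.g. `// templatefilter=all exposes every template in the system; allow it for root admin only, not domain admins`. The enclosing method of listAll begins and ends outside the hunk.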
@@ -193,7 +204,7 @@ class TestCreateTemplate(cloudstackTestCase):
zoneid=self.zone.id,
account=self.account.name,
domainid=self.account.domainid,
- hypervisor=self.hypervisor
+ hypervisor=self.hypervisor
)
self.debug(
"Registered a template of format: %s with ID: %s" % (
@@ -581,3 +592,77 @@ class TestTemplates(cloudstackTestCase):
"Check the state of VM created from Template"
)
return
+
+
+class TestListTemplate(cloudstackTestCase):
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.hypervisor = self.testClient.getHypervisorInfo()
+ self.dbclient = self.testClient.getDbConnection()
+ self.cleanup = []
+
+ self.services = Services().services
+ # Get Zone, Domain and templates
+ self.domain = get_domain(self.apiclient)
+ self.account = Account.create(
+ self.apiclient,
+ self.services["account"],
+ domainid=self.domain.id
+ )
+ self.newdomain = Domain.create(
+ self.apiclient,
+ self.services["testdomain"],
+ parentdomainid=self.domain.id
+ )
+ self.newdomain_account = Account.create(
+ self.apiclient,
+ self.services["account1"],
+ admin=True,
+ domainid=self.newdomain.id
+ )
+ self.cleanup = [
+ self.account,
+ self.newdomain_account,
+ self.newdomain,
+ ]
+
+
+ def tearDown(self):
+ try:
+ # Clean up, terminate the created templates
+ cleanup_resources(self.apiclient, self.cleanup)
+ except Exception as e:
+ raise Exception("Warning: Exception during cleanup : %s" % e)
+
+
+ @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+ def test_01_list_templates_with_templatefilter_all_normal_user(self):
+ """
+ Test list templates with templatefilter=all is not permitted for normal user
+ """
+
+ user_api_client = self.testClient.getUserApiClient(
+ UserName=self.account.name,
+ DomainName=self.account.domain)
+ try:
+ list_template_response = Template.list(self.user_api_client, templatefilter='all')
+ self.fail("Regular User is able to use templatefilter='all' in listTemplates API call")
+ except Exception as e:
+ self.debug("ListTemplates API with templatefilter='all' is not permitted for normal user")
+
+
+ @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+ def 
test_02_list_templates_with_templatefilter_all_domain_admin(self):
+ """
+ Test list templates with templatefilter=all is not permitted for domain admin
+ """
+
+ domain_user_api_client = self.testClient.getUserApiClient(
+ UserName=self.newdomain_account.name,
+ DomainName=self.newdomain_account.domain)
+ try:
+ list_template_response = Template.list(self.domain_user_api_client, templatefilter='all')
+ self.fail("Domain admin is able to use templatefilter='all' in listTemplates API call")
+ except Exception as e:
+ self.debug("ListTemplates API with templatefilter='all' is not permitted for domain admin user")
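Review bot: Neither new test can fail, so the regression coverage for the root-admin restriction is only apparent: in test_01 the user client is stored in the local `user_api_client` but the call passes `self.user_api_client`, which is never assigned, so Template.list raises AttributeError before any request is sent, and because `self.fail(...)` sits inside the same `try`, the AssertionError it raises is swallowed by the broad `except Exception` too — the test passes whether or not the server enforces the check. test_02 has the identical pair of problems with `domain_user_api_client` versus `self.domain_user_api_client`. The fix is to pass the local client, keep only the API call inside `try`, and move `self.fail` into an `else:` branch so it is not caught; the rewritten lines for test_01 are below and test_02 needs the same change. The unused `list_template_response` locals, and the `self.hypervisor`/`self.dbclient` assignments in setUp that nothing in this class reads, can be dropped.
```python
        user_api_client = self.testClient.getUserApiClient(
            UserName=self.account.name,
            DomainName=self.account.domain)
        try:
            Template.list(user_api_client, templatefilter='all')
        except Exception as e:
            self.debug("ListTemplates API with templatefilter='all' is not permitted for normal user: %s" % e)
        else:
            self.fail("Regular User is able to use templatefilter='all' in listTemplates API call")
        # … test_02: same shape, passing the local domain_user_api_client …
```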
