Repository: cloudstack Updated Branches: refs/heads/4.6.2.1-RC20160525T1218 [created] bc2e2cf42
CLOUDSTACK-9376: Restrict listTemplates API with filter=all for root admin Restricts use of listemplates API with templatefilter=all for root admin only. Signed-off-by: Rohit Yadav <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/44731ca1 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/44731ca1 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/44731ca1 Branch: refs/heads/4.6.2.1-RC20160525T1218 Commit: 44731ca15d71f495f0f2e4e70019262d06e19dec Parents: 10e0130 Author: Rohit Yadav <[email protected]> Authored: Wed May 25 11:52:58 2016 +0530 Committer: Rohit Yadav <[email protected]> Committed: Wed May 25 11:52:58 2016 +0530 ---------------------------------------------------------------------- .../com/cloud/api/query/QueryManagerImpl.java | 4 +- test/integration/component/test_templates.py | 76 ++++++++++++++++++++ 2 files changed, 78 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/44731ca1/server/src/com/cloud/api/query/QueryManagerImpl.java ----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index d64b2ac..b2edd2e 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -3055,9 +3055,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService, Confi
 boolean listAll = false;
 if (templateFilter != null && templateFilter == TemplateFilter.all) {
- if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+ if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
 throw new InvalidParameterValueException("Filter " + TemplateFilter.all
- + " can be specified by admin only");
+ + " can be specified by root admin only");
 }
 listAll = true;
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/44731ca1/test/integration/component/test_templates.py ----------------------------------------------------------------------
diff --git a/test/integration/component/test_templates.py b/test/integration/component/test_templates.py
index b1e7e7c..c8384d9 100644
--- a/test/integration/component/test_templates.py
+++ b/test/integration/component/test_templates.py
@@ -22,6 +22,7 @@ from marvin.cloudstackTestCase import cloudstackTestCase, unittest
 from marvin.cloudstackAPI import listZones
 from marvin.lib.utils import (cleanup_resources)
 from marvin.lib.base import (Account,
+ Domain,
 Template,
 ServiceOffering,
 VirtualMachine,
@@ -51,6 +52,7 @@ class Services:
 # username
 "password": "password",
 },
+ "testdomain": {"name": "test"},
 "service_offering": {
 "name": "Tiny Instance",
 "displaytext": "Tiny Instance",
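Review bot: In the QueryManagerImpl.java hunk, the denial inside the `templateFilter == TemplateFilter.all` branch is still thrown as `InvalidParameterValueException`, so an access-control decision reaches the caller and the logs as a bad-parameter error. If `PermissionDeniedException` is available in this file, `throw new PermissionDeniedException("Filter " + TemplateFilter.all + " can be specified by root admin only");` would let monitoring that keys on permission failures see non-root callers requesting the unrestricted listing. The enclosing method starts and ends outside the hunk, so I cannot tell whether a parallel filter check exists for other listings; if one does and still compares against `Account.ACCOUNT_TYPE_NORMAL`, it presumably needs the same allow-list comparison.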
@@ -602,3 +604,77 @@ class TestTemplates(cloudstackTestCase):
 "Check the state of VM created from Template"
 )
 return
+
+
+class TestListTemplate(cloudstackTestCase):
+
+ def setUp(self):
+ self.apiclient = self.testClient.getApiClient()
+ self.hypervisor = self.testClient.getHypervisorInfo()
+ self.dbclient = self.testClient.getDbConnection()
+ self.cleanup = []
+
+ self.services = Services().services
+ # Get Zone, Domain and templates
+ self.domain = get_domain(self.apiclient)
+ self.account = Account.create(
+ self.apiclient,
+ self.services["account"],
+ domainid=self.domain.id
+ )
+ self.newdomain = Domain.create(
+ self.apiclient,
+ self.services["testdomain"],
+ parentdomainid=self.domain.id
+ )
+ self.newdomain_account = Account.create(
+ self.apiclient,
+ self.services["account"],
+ admin=True,
+ domainid=self.newdomain.id
+ )
+ self.cleanup = [
+ self.account,
+ self.newdomain_account,
+ self.newdomain,
+ ]
+
+
+ def tearDown(self):
+ try:
+ # Clean up, terminate the created templates
+ cleanup_resources(self.apiclient, self.cleanup)
+ except Exception as e:
+ raise Exception("Warning: Exception during cleanup : %s" % e)
+
+
+ @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+ def test_01_list_templates_with_templatefilter_all_normal_user(self):
+ """
+ Test list templates with templatefilter=all is not permitted for normal user
+ """
+
+ user_api_client = self.testClient.getUserApiClient(
+ UserName=self.account.name,
+ DomainName=self.account.domain)
+ try:
+ list_template_response = Template.list(self.user_api_client, templatefilter='all')
+ self.fail("Regular User is able to use templatefilter='all' in listTemplates API call")
+ except Exception as e:
+ self.debug("ListTemplates API with templatefilter='all' is not permitted for normal user")
+
+
+ @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+ def test_02_list_templates_with_templatefilter_all_domain_admin(self):
+ """
+ Test list templates with templatefilter=all is not permitted for domain admin
+ """
+
+ domain_user_api_client = self.testClient.getUserApiClient(
+ UserName=self.newdomain_account.name,
+ DomainName=self.newdomain_account.domain)
+ try:
+ list_template_response = Template.list(self.domain_user_api_client, templatefilter='all')
+ self.fail("Domain admin is able to use templatefilter='all' in listTemplates API call")
+ except Exception as e:
+ self.debug("ListTemplates API with templatefilter='all' is not permitted for domain admin user")
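Review bot: Neither new test can fail, so the restriction added in QueryManagerImpl.java is not actually exercised by `test_01_list_templates_with_templatefilter_all_normal_user` or `test_02_list_templates_with_templatefilter_all_domain_admin`. Each test stores its client in a local (`user_api_client`, `domain_user_api_client`) but calls `Template.list` with `self.user_api_client` / `self.domain_user_api_client`, which the visible class never sets. The resulting `AttributeError`, and likewise the `AssertionError` from `self.fail`, is swallowed by `except Exception`. Pass the local client and assert the rejection with `assertRaises`, checking the error text so an unrelated failure does not count as a denial; the message assertion below assumes marvin surfaces the server's error text in the exception, which should be confirmed. A positive case showing that a root admin can still use `templatefilter='all'` would complete the coverage.

```python
    def test_01_list_templates_with_templatefilter_all_normal_user(self):
        # ... unchanged: docstring and user_api_client creation ...
        with self.assertRaises(Exception) as ctx:
            Template.list(user_api_client, templatefilter='all')
        # Tie the failure to the filter check, not to any exception at all.
        self.assertIn("can be specified by root admin only", str(ctx.exception))

    def test_02_list_templates_with_templatefilter_all_domain_admin(self):
        # ... unchanged: docstring and domain_user_api_client creation ...
        with self.assertRaises(Exception) as ctx:
            Template.list(domain_user_api_client, templatefilter='all')
        self.assertIn("can be specified by root admin only", str(ctx.exception))
```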
