From f1335051ef8f9845d2345e6c1176a9a8f1627881 Mon Sep 17 00:00:00 2001
From: Deepinder Setia
Date: Tue, 31 May 2016 10:39:54 -0700
Subject: [PATCH] Do no override default owner unless tenant ID is present in incoming token.
Change-Id: Iac495978ec5a50bd0dc9340699e3b14ffb4680fd
Closes-Bug: #1528796
---
 src/config/api-server/tests/test_perms2.py | 30 +++++++++++++++++++++
 src/config/api-server/vnc_cfg_api_server.py | 18 ++++++-------
 2 files changed, 39 insertions(+), 9 deletions(-)
diff --git a/src/config/api-server/tests/test_perms2.py b/src/config/api-server/tests/test_perms2.py
index bf36cc1c513..733c35b6907 100644
--- a/src/config/api-server/tests/test_perms2.py
+++ b/src/config/api-server/tests/test_perms2.py
@@ -798,6 +798,36 @@ def test_check_obj_perms_api(self):
             perms = user.check_perms(vn.get_uuid())
             self.assertEquals(perms, ExpectedPerms[user.name])
+    # check owner of internally created ri is cloud-admin (bug #1528796)
+    def test_ri_owner(self):
+        """
+        1) Create a virtual network as a non-admin user.
+        2) Verify owner of automatically created routing instance is cloud-admin
+        """
+
+        alice = self.alice
+        bob = self.bob
+        admin = self.admin
+
+        # allow permission to create virtual-network
+        for user in self.users:
+            logger.info( "%s: project %s to allow full access to role %s" % \
+                (user.name, user.project, user.role))
+            # note that collection API is set for create operation
+            vnc_fix_api_access_list(self.admin.vnc_lib, user.project_obj,
+                rule_str = 'virtual-networks %s:CRUD' % user.role)
+
+        # Create VN as non-admin user
+        vn_fq_name = [self.domain_name, alice.project, self.vn_name]
+        vn = VirtualNetwork(self.vn_name, self.alice.project_obj)
+        self.alice.vnc_lib.virtual_network_create(vn)
+        vn_obj = vnc_read_obj(self.admin.vnc_lib, 'virtual-network', name = vn_fq_name)
+        self.assertNotEquals(vn_obj, None)
+
+        # Verify owner of automatically created routing instance is cloud-admin
+        ri_name = [self.domain_name, alice.project, self.vn_name, self.vn_name]
+        ri = vnc_read_obj(self.admin.vnc_lib, 'routing-instance', name = ri_name)
+        self.assertEquals(ri.get_perms2().owner, 'cloud-admin')
     def tearDown(self):
         super(TestPermissions, self).tearDown()
diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
index 927b5dd6bdf..87684c69f14 100644
--- a/src/config/api-server/vnc_cfg_api_server.py
+++ b/src/config/api-server/vnc_cfg_api_server.py
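Review bot: `bob = self.bob` and `admin = self.admin` in `test_ri_owner` are assigned and never read; every call goes through `self.admin` directly, so drop the two lines (or use `admin.vnc_lib` in the `vnc_fix_api_access_list` and `vnc_read_obj` calls). The test also pins only the fall-through case, the internally created routing-instance keeping the default `cloud-admin` owner, and not the case the commit title guards, that an object created with a tenant ID in the token gets that tenant as owner; asserting on `vn_obj.get_perms2().owner` right after the create (the expected value being alice's project id in whatever form the server stores it, which this hunk does not show) would catch a regression where both paths quietly collapse to the default. Minor: `vn_fq_name` is built from `alice.project` while the VN is created with `self.alice.project_obj`; using `alice` consistently keeps the test easier to read. `tearDown` at the end of the hunk continues outside it.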
@@ -2472,13 +2472,19 @@ def _get_default_id_perms(self, obj_type):
         return id_perms_dict
     # end _get_default_id_perms
-    def _ensure_perms2_present(self, obj_type, obj_uuid, obj_dict):
+    def _ensure_perms2_present(self, obj_type, obj_uuid, obj_dict, project_id=None):
         """
         Called at resource creation to ensure that id_perms is present in obj
         """
         # retrieve object and permissions
         perms2 = self._get_default_perms2(obj_type)
+        # set ownership of object to creator tenant
+        if obj_type == 'project' and 'uuid' in obj_dict:
+            perms2['owner'] = str(obj_dict['uuid']).replace('-','')
+        elif project_id:
+            perms2['owner'] = project_id
+
         if (('perms2' not in obj_dict) or (obj_dict['perms2'] is None)):
             # Resource creation
@@ -2988,14 +2994,8 @@ def _http_post_common(self, request, obj_type, obj_dict):
         # Ensure object has at least default permissions set
         self._ensure_id_perms_present(obj_type, None, obj_dict)
-        self._ensure_perms2_present(obj_type, None, obj_dict)
-
-        # set ownership of object to creator tenant
-        if obj_type == 'project':
-            owner = str(obj_dict['uuid']).replace('-','')
-        else:
-            owner = request.headers.environ.get('HTTP_X_PROJECT_ID', None)
-        obj_dict['perms2']['owner'] = owner
+        self._ensure_perms2_present(obj_type, None, obj_dict,
+                                    request.headers.environ.get('HTTP_X_PROJECT_ID', None))
         # TODO check api + resource perms etc.
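Review bot: The owner is now written only into the default `perms2` dict built by `_get_default_perms2`, whereas the removed call-site code set `obj_dict['perms2']['owner']` unconditionally after the call; if the `perms2`-already-present branch that starts at the end of this hunk (its body is outside the hunk) keeps a client-supplied dict as is, a caller can now choose its own `owner` in the POST body, which the old code clobbered. Please either copy `perms2['owner']` into the existing `obj_dict['perms2']` in that branch as well, or add a comment stating why a client-supplied owner is acceptable there. The two new branches also store the owner in different shapes: the project branch strips dashes via `str(obj_dict['uuid']).replace('-','')` while `project_id` is stored verbatim, so `perms2['owner'] = project_id.replace('-','')` would keep the stored form consistent if the header can ever carry a dashed id. The docstring still says `id_perms` and does not mention the new parameter; suggest `Ensure obj_dict carries a perms2 block; project_id (tenant from the request token, or None) becomes the owner, except that a project owns itself.` The rest of the function is outside the hunk.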
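Review bot: `HTTP_X_PROJECT_ID` is read straight from the WSGI environ and becomes the object's owner, so the ownership decision is only as trustworthy as whatever populates that header; if the API server runs with authentication disabled, or the auth middleware does not strip a client-sent `X-Project-Id`, the requester picks the owner — the middleware setup is not visible from this hunk, so treat this as a caveat to verify rather than a confirmed hole. A one-line comment at the call makes the assumption explicit: `# owner comes from the auth middleware's X-Project-Id; with auth off this value is client-controlled`. Style: binding the header to a local first, `project_id = request.headers.environ.get('HTTP_X_PROJECT_ID')`, keeps the `_ensure_perms2_present` call on one readable line and makes the `None` fallback (already the default of `.get`) obvious. `_http_post_common` continues outside the hunk on both sides.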