Comment 3 for bug 1065187

Mark Washenberger (markwash) wrote : Re: Non-admin users can cause public glance images to be deleted from the backend storage repository

Here is a patch that adds a test for this behavior. I did this separately so the fix could be backported alone, since this test depends on some more recent changes in master.

commit cce2af5a48de737869d53eeafdb0532eede136d4
Author: Mark Washenberger <email address hidden>
Date: Wed Oct 10 20:23:24 2012 +0000

    Add a test for bug 1065187.

    This is done separately from the bug fix to make it easier to apply the
    fix to older branches.

    Change-Id: I8964da5d074aabadbdcf8c6b7ef844b616e1aca4

diff --git a/glance/tests/stubs.py b/glance/tests/stubs.py
index fecea11..92dcf90 100644
--- a/glance/tests/stubs.py
+++ b/glance/tests/stubs.py
@@ -60,7 +60,13 @@ class FakeRegistryConnection(object):

     def getresponse(self):
         mapper = routes.Mapper()
- api = context.UnauthenticatedContextMiddleware(rserver.API(mapper))
+ server = rserver.API(mapper)
+ # NOTE(markwash): we need to pass through context auth information if
+ # we have it.
+ if 'X-Auth-Token' in self.req.headers:
+ api = utils.FakeAuthMiddleware(server)
+ else:
+ api = context.UnauthenticatedContextMiddleware(server)
         webob_res = self.req.get_response(api)

         return utils.FakeHTTPResponse(status=webob_res.status_int,
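Review bot: The middleware choice on `if 'X-Auth-Token' in self.req.headers:` keys on header presence alone, so any test request that omits the header silently falls back to `UnauthenticatedContextMiddleware`, which the stub previously used unconditionally and which presumably yields a context that passes ownership checks; a test meant to exercise authorization that forgets the header would then pass for the wrong reason. The NOTE should say so, e.g. `# NOTE(markwash): requests without X-Auth-Token get the unauthenticated context; tests that exercise authorization must set the header explicitly.` The hunk also relies on `utils` being imported in stubs.py, which is not visible here. `getresponse` continues past the end of the hunk.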
diff --git a/glance/tests/unit/v1/test_api.py b/glance/tests/unit/v1/test_api.py
index ce09aab..1a18bde 100644
--- a/glance/tests/unit/v1/test_api.py
+++ b/glance/tests/unit/v1/test_api.py
@@ -2930,6 +2930,26 @@ class TestGlanceAPI(base.IsolatedUnitTest):
         res = req.get_response(self.api)
         self.assertEquals(res.status_int, webob.exc.HTTPNotFound.code)

+ def test_delete_not_allowed(self):
+ # Verify we can get the image data
+ req = webob.Request.blank("/images/%s" % UUID2)
+ req.method = 'GET'
+ req.headers['X-Auth-Token'] = 'user:tenant:'
+ res = req.get_response(self.api)
+ self.assertEqual(res.status_int, 200)
+ self.assertEqual(len(res.body), 19)
+
+ # Verify we cannot delete the image
+ req.method = 'DELETE'
+ res = req.get_response(self.api)
+ self.assertEqual(res.status_int, 403)
+
+ # Verify the image data is still there
+ req.method = 'GET'
+ res = req.get_response(self.api)
+ self.assertEqual(res.status_int, 200)
+ self.assertEqual(len(res.body), 19)
+
     def test_delete_queued_image(self):
         """Delete an image in a queued state

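Review bot: `self.assertEqual(len(res.body), 19)` pins the fixture image's size as an unexplained magic number, twice, so the test's "data is still there" check breaks whenever the fixture changes and says nothing about content; capture the body from the first GET (`expected_body = res.body`) and assert the final GET returns exactly that (`self.assertEqual(res.body, expected_body)`). The test also lacks the docstring its sibling `test_delete_queued_image` has; suggest `"""Verify a non-admin, non-owner user cannot delete an image and its data survives the attempt (bug 1065187)."""`. The token `'user:tenant:'` carries an empty roles field, which is presumably what makes the caller non-admin under `FakeAuthMiddleware`; a one-line comment stating that intent would keep the test readable, e.g. `# empty roles field: a plain (non-admin) user from another tenant`.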
diff --git a/glance/tests/utils.py b/glance/tests/utils.py
index 8054732..9971bf5 100644
--- a/glance/tests/utils.py
+++ b/glance/tests/utils.py
@@ -369,6 +369,7 @@ class FakeAuthMiddleware(wsgi.Middleware):
             'tenant': tenant,
             'roles': roles,
             'is_admin': self.is_admin,
+ 'auth_tok': auth_tok,
         }

         req.context = context.RequestContext(**kwargs)