From 13a690144ab91362560aa034816cebb534d8b899 Mon Sep 17 00:00:00 2001
From: Tom Barron
Date: Wed, 11 Jan 2017 13:56:45 +0000
Subject: [PATCH] Do policy check when getting export locations
Tenants can list and show export locations for non-public shares belonging to another tenant. Add policy check when verifying the share whose exports are being listed or shown when the share is not public. Also check policy on the share when listing or showing export locations for the share's instances.
Closes-Bug: #1654598
Change-Id: I07a3d36a031a198df76322fe79e4796585eca445
---
 manila/api/v2/share_export_locations.py | 5 ++++-
 manila/api/v2/share_instance_export_locations.py | 7 ++++++-
 manila_tempest_tests/tests/api/admin/test_export_locations.py | 3 +++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/manila/api/v2/share_export_locations.py b/manila/api/v2/share_export_locations.py
index 17fcc25..25a7b63 100644
--- a/manila/api/v2/share_export_locations.py
+++ b/manila/api/v2/share_export_locations.py
@@ -20,6 +20,7 @@ from manila.api.views import export_locations as export_locations_views
 from manila.db import api as db_api
 from manila import exception
 from manila.i18n import _
+from manila import policy
 class ShareExportLocationController(wsgi.Controller):
@@ -32,7 +33,9 @@ class ShareExportLocationController(wsgi.Controller):
 def _verify_share(self, context, share_id):
 try:
- db_api.share_get(context, share_id)
+ share = db_api.share_get(context, share_id)
+ if not share['is_public']:
+ policy.check_policy(context, 'share', 'get', share)
 except exception.NotFound:
 msg = _("Share '%s' not found.") % share_id
 raise exc.HTTPNotFound(explanation=msg)
diff --git a/manila/api/v2/share_instance_export_locations.py b/manila/api/v2/share_instance_export_locations.py
index e31e4a8..6a68a33 100644
--- a/manila/api/v2/share_instance_export_locations.py
+++ b/manila/api/v2/share_instance_export_locations.py
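Review bot: In `_verify_share` the new `policy.check_policy(context, 'share', 'get', share)` call sits inside a `try` that handles only `exception.NotFound`, so a denied check is not translated the way a missing share is. Assuming `check_policy` raises one of manila's not-authorized exceptions on denial, the response for another tenant's private share would differ from the one for a nonexistent ID, which discloses that the ID exists. If that distinction is unwanted, widen the handler to `except (exception.NotFound, exception.NotAuthorized):` so both cases return the same 404; if it is intended, a one-line comment saying so would help the next reader. The same pattern appears in `_verify_share_instance` in share_instance_export_locations.py.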
@@ -21,6 +21,7 @@ from manila.api.views import export_locations as export_locations_views
 from manila.db import api as db_api
 from manila import exception
 from manila.i18n import _
+from manila import policy
 class ShareInstanceExportLocationController(wsgi.Controller):
@@ -33,7 +34,11 @@ class ShareInstanceExportLocationController(wsgi.Controller):
 def _verify_share_instance(self, context, share_instance_id):
 try:
- db_api.share_instance_get(context, share_instance_id)
+ share_instance = db_api.share_instance_get(context,
+ share_instance_id)
+ share = db_api.share_get(context, share_instance['share_id'])
+ if not share['is_public']:
+ policy.check_policy(context, 'share', 'get', share)
 except exception.NotFound:
 msg = _("Share instance '%s' not found.") % share_instance_id
 raise exc.HTTPNotFound(explanation=msg)
diff --git a/manila_tempest_tests/tests/api/admin/test_export_locations.py b/manila_tempest_tests/tests/api/admin/test_export_locations.py
index 3817178..1ca281f 100644
--- a/manila_tempest_tests/tests/api/admin/test_export_locations.py
+++ b/manila_tempest_tests/tests/api/admin/test_export_locations.py
@@ -18,6 +18,7 @@ from oslo_utils import timeutils
 from oslo_utils import uuidutils
 import six
 from tempest import config
+import testtools
 from testtools import testcase as tc
 from manila_tempest_tests.tests.api import base
@@ -129,6 +130,7 @@ class ExportLocationsTest(base.BaseSharesMixedTest):
 self._verify_export_location_structure(el, format='detail')
 @tc.attr(base.TAG_POSITIVE, base.TAG_API_WITH_BACKEND)
+ @testtools.skip("Bug 1655427")
 def test_list_share_export_locations_by_member(self):
 export_locations = self.member_client.list_share_export_locations(
 self.share['id'])
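Review bot: `_verify_share_instance` repeats the `if not share['is_public']: policy.check_policy(...)` sequence that this patch also adds to `_verify_share` in share_export_locations.py, so the rule guarding cross-tenant reads now lives in two controllers that can drift apart. Moving it into one shared helper (or calling an existing share getter that already applies the 'share' 'get' rule, if the project has one) would leave a single place to audit. A short comment above the second lookup would also state the intent, for example `# Instances are authorized through their parent share.`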
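Review bot: `test_list_share_export_locations_by_member` is disabled with `@testtools.skip("Bug 1655427")`, and the following hunk does the same to `test_get_share_export_location_by_member`, so the two member-role tests shown here no longer run. The diffstat lists no other test changes, so nothing visible in this patch asserts that a tenant is refused for another tenant's private share while the owner still succeeds. A negative test for the foreign-tenant case would pin the fix, and the skip reason would be easier to act on with a comment such as `# Re-enable once bug 1655427 is resolved.` above each decorator.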
@@ -136,6 +138,7 @@ class ExportLocationsTest(base.BaseSharesMixedTest):
 self._verify_export_location_structure(export_locations, role='member')
 @tc.attr(base.TAG_POSITIVE, base.TAG_API_WITH_BACKEND)
+ @testtools.skip("Bug 1655427")
 def test_get_share_export_location_by_member(self):
 export_locations = self.admin_client.list_share_export_locations(
 self.share['id'])
--
2.7.4