CLOUDSTACK-9376: Restrict listTemplates API with filter=all for root admin

Restricts use of listemplates API with templatefilter=all for root admin only. Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2016-05-25 11:52:58 +05:30 · 2016-05-25 11:52:58 +05:30 · 0cb60a72fe
parent 566e7d9fac
commit 0cb60a72fe
2 changed files with 78 additions and 2 deletions
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@ -3054,9 +3054,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService, Confi

        boolean listAll = false;
        if (templateFilter != null && templateFilter == TemplateFilter.all) {
-            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                throw new InvalidParameterValueException("Filter " + TemplateFilter.all
-                        + " can be specified by admin only");
+                        + " can be specified by root admin only");
            }
            listAll = true;
        }
--- a/test/integration/component/test_templates.py
+++ b/test/integration/component/test_templates.py
@ -22,6 +22,7 @@ from marvin.cloudstackTestCase import cloudstackTestCase, unittest
 from marvin.cloudstackAPI import listZones
 from marvin.lib.utils import (cleanup_resources)
 from marvin.lib.base import (Account,
+                             Domain,
                             Template,
                             ServiceOffering,
                             VirtualMachine,
@ -51,6 +52,7 @@ class Services:
                # username
                "password": "password",
            },
+            "testdomain": {"name": "test"},
            "service_offering": {
                "name": "Tiny Instance",
                "displaytext": "Tiny Instance",
@ -602,3 +604,77 @@ class TestTemplates(cloudstackTestCase):
            "Check the state of VM created from Template"
        )
        return
+
+
+class TestListTemplate(cloudstackTestCase):
+
+    def setUp(self):
+        self.apiclient = self.testClient.getApiClient()
+        self.hypervisor = self.testClient.getHypervisorInfo()
+        self.dbclient = self.testClient.getDbConnection()
+        self.cleanup = []
+
+        self.services = Services().services
+        # Get Zone, Domain and templates
+        self.domain = get_domain(self.apiclient)
+        self.account = Account.create(
+                            self.apiclient,
+                            self.services["account"],
+                            domainid=self.domain.id
+                            )
+        self.newdomain = Domain.create(
+                           self.apiclient,
+                           self.services["testdomain"],
+                           parentdomainid=self.domain.id
+                           )
+        self.newdomain_account = Account.create(
+                           self.apiclient,
+                           self.services["account"],
+                           admin=True,
+                           domainid=self.newdomain.id
+                           )
+        self.cleanup = [
+                        self.account,
+                        self.newdomain_account,
+                        self.newdomain,
+                        ]
+
+
+    def tearDown(self):
+        try:
+            # Clean up, terminate the created templates
+            cleanup_resources(self.apiclient, self.cleanup)
+        except Exception as e:
+            raise Exception("Warning: Exception during cleanup : %s" % e)
+
+
+    @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+    def test_01_list_templates_with_templatefilter_all_normal_user(self):
+        """
+            Test list templates with templatefilter=all is not permitted for normal user
+        """
+
+        user_api_client = self.testClient.getUserApiClient(
+                                    UserName=self.account.name,
+                                    DomainName=self.account.domain)
+        try:
+            list_template_response = Template.list(self.user_api_client, templatefilter='all')
+            self.fail("Regular User is able to use templatefilter='all' in listTemplates API call")
+        except Exception as e:
+            self.debug("ListTemplates API with templatefilter='all' is not permitted for normal user")
+
+
+    @attr(tags=["devcloud", "advanced", "advancedns", "smoke", "basic", "sg"], required_hardware="false")
+    def test_02_list_templates_with_templatefilter_all_domain_admin(self):
+        """
+            Test list templates with templatefilter=all is not permitted for domain admin
+        """
+
+        domain_user_api_client = self.testClient.getUserApiClient(
+                                    UserName=self.newdomain_account.name,
+                                    DomainName=self.newdomain_account.domain)
+        try:
+            list_template_response = Template.list(self.domain_user_api_client, templatefilter='all')
+            self.fail("Domain admin is able to use templatefilter='all' in listTemplates API call")
+        except Exception as e:
+            self.debug("ListTemplates API with templatefilter='all' is not permitted for domain admin user")