Merge "Properly validate metadef objects"

2017-12-01 08:11:00 +00:00 · 2017-12-01 08:11:00 +00:00 · cc6ef904b3
parent ee874a4dea 8b4f955a7a
commit cc6ef904b3
3 changed files with 30 additions and 3 deletions
--- a/glance/api/v2/metadef_objects.py
+++ b/glance/api/v2/metadef_objects.py
@ -23,6 +23,7 @@ from wsme.rest import json

 from glance.api import policy
 from glance.api.v2 import metadef_namespaces as namespaces
+import glance.api.v2.metadef_properties as properties
 from glance.api.v2.model.metadef_object import MetadefObject
 from glance.api.v2.model.metadef_object import MetadefObjects
 from glance.common import exception
@ -250,6 +251,10 @@ class RequestDeserializer(wsgi.JSONRequestDeserializer):
        self._check_allowed(body)
        try:
            self.schema.validate(body)
+            if 'properties' in body:
+                for propertyname in body['properties']:
+                    schema = properties.get_schema(require_name=False)
+                    schema.validate(body['properties'][propertyname])
        except exception.InvalidObject as e:
            raise webob.exc.HTTPBadRequest(explanation=e.msg)
        metadata_object = json.fromjson(MetadefObject, body)
--- a/glance/api/v2/metadef_properties.py
+++ b/glance/api/v2/metadef_properties.py
@ -283,12 +283,13 @@ def _get_base_properties():
    return base_def['property']['additionalProperties']['properties']


-def get_schema():
+def get_schema(require_name=True):
    definitions = _get_base_definitions()
    properties = _get_base_properties()
    mandatory_attrs = PropertyType.get_mandatory_attrs()
-    # name is required attribute when use as single property type
-    mandatory_attrs.append('name')
+    if require_name:
+        # name is required attribute when use as single property type
+        mandatory_attrs.append('name')
    schema = glance.schema.Schema(
        'property',
        properties,
--- a/glance/tests/unit/v2/test_metadef_resources.py
+++ b/glance/tests/unit/v2/test_metadef_resources.py
@ -1405,6 +1405,27 @@ class TestMetadefsControllers(base.IsolatedUnitTest):
        self.assertEqual([], object.required)
        self.assertEqual({}, object.properties)

+    def test_object_create_invalid_properties(self):
+        request = unit_test_utils.get_fake_request('/metadefs/namespaces/'
+                                                   'Namespace3/'
+                                                   'objects')
+        body = {
+            "name": "My Object",
+            "description": "object1 description.",
+            "properties": {
+                "property1": {
+                    "type": "integer",
+                    "title": "property",
+                    "description": "property description",
+                    "test-key": "test-value",
+                }
+            }
+        }
+        request.body = jsonutils.dump_as_bytes(body)
+        self.assertRaises(webob.exc.HTTPBadRequest,
+                          self.deserializer.create,
+                          request)
+
    def test_object_create_overlimit_name(self):
        request = unit_test_utils.get_fake_request('/metadefs/namespaces/'
                                                   'Namespace3/'