From 701e05bb387f1926494f4928c8c8590bd1222dce Mon Sep 17 00:00:00 2001
From: Nagasai Vinaykumar Kapalavai
Date: Fri, 29 Jun 2018 15:59:14 +0000
Subject: [PATCH] Validation Check for 'query' params of alarm type 'event'

Currently an alarm rule is created even though the query is not adhered to the format. Now it does a validation check against the input and gives a http 400 error message.

Closes-Bug: #1467317
Change-Id: Ibfca9c7e4ec0c1b37272fc410df36ff43a3eb3f2
---
 aodh/api/controllers/v2/alarm_rules/event.py | 15 +++++
 .../functional/gabbi/gabbits/alarms.yaml | 66 +++++++++++++++++++
 requirements.txt | 1 +
 3 files changed, 82 insertions(+)

diff --git a/aodh/api/controllers/v2/alarm_rules/event.py b/aodh/api/controllers/v2/alarm_rules/event.py
index 60d0fbe86..7c217e458 100644
--- a/aodh/api/controllers/v2/alarm_rules/event.py
+++ b/aodh/api/controllers/v2/alarm_rules/event.py
@@ -13,6 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
+import voluptuous
 import wsme
 from wsme import types as wtypes
@@ -20,6 +21,13 @@ from aodh.api.controllers.v2 import base
 from aodh.i18n import _
+# Schema validation for the event type query.
+_q_validator = voluptuous.Schema(
+ {"field": voluptuous.Match(r"^[a-zA-Z.',0-9_-]*$"),
+ "op": voluptuous.In(base.operation_kind),
+ "value": voluptuous.In(["string", "integer", "float", "boolean", ""])})
+
+
 class AlarmEventRule(base.AlarmRule):
 """Alarm Event Rule.
@@ -40,8 +48,15 @@ class AlarmEventRule(base.AlarmRule):
 @classmethod
 def validate_alarm(cls, alarm):
+ super(AlarmEventRule, cls).validate_alarm(alarm)
 for i in alarm.event_rule.query:
 i._get_value_as_type()
+ try:
+ _q_validator({"field": i.field, "op": i.op,
+ "value": i.type})
+ except voluptuous.MultipleInvalid as e:
+ raise base.ClientSideError(
+ _("Query value or traits invalid: %s") % str(e))
 @property
 def default_description(self):
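Review bot: The `field` pattern in `_q_validator` ends in `*$`, so it accepts an empty field name and, since `$` in Python also matches just before a trailing newline, a name followed by `\n`. If neither is meant to pass, `voluptuous.Match(r"^[a-zA-Z.',0-9_-]+\Z")` rejects both. The character class also allows `'` and `,`; a one-line comment above the schema stating why those two characters are permitted would tell the next reader whether that is deliberate. The added gabbi tests exercise a bad `field` and a bad `op` but no unknown `type`, so the third schema entry is untested.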
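Review bot: In `validate_alarm` the schema check runs after `i._get_value_as_type()`, so the conversion is attempted while `op` and `type` are still unvalidated; moving the `try`/`_q_validator(...)` block above that call would reject malformed queries first (how `_get_value_as_type` treats an unknown type is not visible here). The call also passes `i.type` under the key `"value"`, so an unsupported type would be reported to the client as an invalid `value`; using `"type": i.type` here and `"type"` as the schema key would make the 400 message name the right parameter. The class body starts and continues outside this hunk.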
diff --git a/aodh/tests/functional/gabbi/gabbits/alarms.yaml b/aodh/tests/functional/gabbi/gabbits/alarms.yaml
index d59b12f93..b011fbe7e 100644
--- a/aodh/tests/functional/gabbi/gabbits/alarms.yaml
+++ b/aodh/tests/functional/gabbi/gabbits/alarms.yaml
@@ -28,6 +28,72 @@ tests:
 response_headers:
 allow: GET, POST
+- name: try to POST an event type alarm
+ desc: what does POST response be
+ POST: /v2/alarms
+ request_headers:
+ content-type: application/json
+ data:
+ name: instance_off
+ type: event
+ event_rule:
+ query: [{'field': "{=:", 'op': "eq", 'type': "string", 'value': "sample_string"}]
+ status: 400
+ response_strings:
+ - "Query value or traits invalid:"
+
+- name: try to POST an event type alarm2
+ desc: what does POST response be
+ POST: /v2/alarms
+ request_headers:
+ content-type: application/json
+ data:
+ name: instance_off
+ type: event
+ event_rule:
+ query: [{'field': "traits.instance_id", 'op': "eq", 'type': "", 'value': "default_string_datatype_isconsidered"}]
+ status: 201
+
+- name: try to POST an event type alarm3
+ desc: what does POST response be
+ POST: /v2/alarms
+ request_headers:
+ content-type: application/json
+ data:
+ name: instance_off
+ type: event
+ event_rule:
+ query: [{'field': "traits.instance_id", 'op': "lt", 'type': "integer", 'value': "1234567"}]
+ status: 201
+
+- name: try to POST an event type alarm4
+ desc: what does POST response be
+ POST: /v2/alarms
+ request_headers:
+ content-type: application/json
+ data:
+ name: instance_off
+ type: event
+ event_rule:
+ query: [{'field': "traits.instance_id", 'op': "lt", 'type': "integer", 'value': "hello"}]
+ status: 400
+ response_strings:
+ - "Unable to convert the value hello to the expected data type integer"
+
+- name: try to POST an event type alarm5
+ desc: what does POST response be
+ POST: /v2/alarms
+ request_headers:
+ content-type: application/json
+ data:
+ name: instance_off
+ type: event
+ event_rule:
+ query: [{'field': "traits.instance_id", 'op': "ltt", 'type': "integer", 'value': "1234567"}]
+ status: 400
+ response_strings:
+ - "Query value or traits invalid:"
+
 - name: createAlarm
 desc: Creates an alarm.
 POST: /v2/alarms
diff --git a/requirements.txt b/requirements.txt
index d5eb10fa8..36afb3169 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,6 +27,7 @@ requests>=2.5.2
 six>=1.9.0
 stevedore>=1.5.0 # Apache-2.0
 tooz>=1.28.0 # Apache-2.0
+voluptuous>=0.8.10
 WebOb>=1.2.3
 WSME>=0.8
 cachetools>=1.1.6
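Review bot: The new `voluptuous>=0.8.10` line carries no license comment while the neighbouring `stevedore` and `tooz` entries do; voluptuous is BSD-licensed, so `voluptuous>=0.8.10 # BSD License` would keep the file consistent. Because this adds a new runtime dependency to the API request path, the lower bound should also be checked against the project's shared requirements or constraints list, which is not visible in this patch.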