Merge "Handle incorrect env_id" into release-0.4

muranoapi/api/v1/services.py

@@ -38,6 +38,7 @@ def normalize_path(f):
 
 
 class Controller(object):
+    @utils.verify_env
     @normalize_path
     def get(self, request, environment_id, path):
         log.debug(_('Services:Get <EnvId: {0}, '
@@ -54,6 +55,7 @@ class Controller(object):
         return result
 
     @utils.verify_session
+    @utils.verify_env
     @normalize_path
     def post(self, request, environment_id, path, body):
         secure_data = TokenSanitizer().sanitize(body)
@@ -69,6 +71,7 @@ class Controller(object):
         return result
 
     @utils.verify_session
+    @utils.verify_env
     @normalize_path
     def put(self, request, environment_id, path, body):
         log.debug(_('Services:Put <EnvId: {0}, Path: {2}, '
@@ -84,6 +87,7 @@ class Controller(object):
         return result
 
     @utils.verify_session
+    @utils.verify_env
     @normalize_path
     def delete(self, request, environment_id, path):
         log.debug(_('Services:Put <EnvId: {0}, '

muranoapi/utils.py

@@ -16,12 +16,32 @@ import functools
 import logging
 from muranoapi.db.services.sessions import SessionServices, SessionState
 from webob import exc
-from muranoapi.db.models import Session
+from muranoapi.db.models import Session, Environment
 from muranoapi.db.session import get_session
 
 log = logging.getLogger(__name__)
 
 
+def verify_env(func):
+    @functools.wraps(func)
+    def __inner(self, request, environment_id, *args, **kwargs):
+        unit = get_session()
+        environment = unit.query(Environment).get(environment_id)
+        if environment is None:
+            log.info("Environment with id '{0}'"
+                     " not found".format(environment_id))
+            raise exc.HTTPNotFound()
+
+        if hasattr(request, 'context'):
+            if environment.tenant_id != request.context.tenant:
+                log.info('User is not authorized to access'
+                         ' this tenant resources')
+                raise exc.HTTPUnauthorized()
+
+        return func(self, request, environment_id, *args, **kwargs)
+    return __inner
+
+
 def verify_session(func):
     @functools.wraps(func)
     def __inner(self, request, *args, **kwargs):