Ensure that request body in v2 contains valid fields

Currently 'id' and other fields like 'created_at' and 'updated_at' can be set in the request body. Some of these fields are ignored and some like 'id' can actual set the id. With this change - remove 'id' from the list of valid keys and ensure that only valid keys are present in the request body. Closes-Bug: #1291518 Change-Id: I99f3f106c0004fa5521869e46da85f1053241eb5
2014-03-12 17:11:35 -05:00 · 2014-03-12 17:11:35 -05:00 · a19e434cba
parent 5e7da3e282
commit a19e434cba
7 changed files with 51 additions and 45 deletions
--- a/designate/api/v2/views/base.py
+++ b/designate/api/v2/views/base.py
@ -15,6 +15,7 @@
 # under the License.
 import urllib
 from oslo.config import cfg
+from designate import exceptions
 from designate.openstack.common import log as logging


@ -84,6 +85,29 @@ class BaseView(object):
        """ Detailed view of a item """
        return self.show_basic(context, request, item)

+    def _load(self, context, request, body, valid_keys):
+        """ Extract a "central" compatible dict from an API call """
+        result = {}
+        item = body[self._resource_name]
+        error_keys = []
+
+        # Copy keys which need no alterations
+        for k in item:
+            if k in valid_keys:
+                result[k] = item[k]
+            else:
+                error_keys.append(k)
+
+        if error_keys:
+            error_message = str.format(
+                'Provided object does not match schema.  Keys {0} are not '
+                'valid in the request body',
+                error_keys)
+
+            raise exceptions.InvalidObject(error_message)
+
+        return result
+
    def _get_resource_links(self, request, item, parents=None):
        return {
            "self": self._get_resource_href(request, item, parents),
--- a/designate/api/v2/views/blacklists.py
+++ b/designate/api/v2/views/blacklists.py
@ -40,12 +40,5 @@ class BlacklistsView(base_view.BaseView):

    def load(self, context, request, body):
        """ Extract a "central" compatible dict from an API call """
-        result = {}
-        item = body[self._resource_name]
-
-        # Copy keys which need no alterations
-        for k in ('id', 'pattern', 'description',):
-            if k in item:
-                result[k] = item[k]
-
-        return result
+        valid_keys = ('pattern', 'description')
+        return self._load(context, request, body, valid_keys)
--- a/designate/api/v2/views/records.py
+++ b/designate/api/v2/views/records.py
@ -52,12 +52,5 @@ class RecordsView(base_view.BaseView):

    def load(self, context, request, body):
        """ Extract a "central" compatible dict from an API call """
-        result = {}
-        item = body[self._resource_name]
-
-        # Copy keys which need no alterations
-        for k in ('id', 'data', 'description',):
-            if k in item:
-                result[k] = item[k]
-
-        return result
+        valid_keys = ('data', 'description')
+        return self._load(context, request, body, valid_keys)
--- a/designate/api/v2/views/recordsets.py
+++ b/designate/api/v2/views/recordsets.py
@ -51,12 +51,5 @@ class RecordSetsView(base_view.BaseView):

    def load(self, context, request, body):
        """ Extract a "central" compatible dict from an API call """
-        result = {}
-        item = body[self._resource_name]
-
-        # Copy keys which need no alterations
-        for k in ('id', 'name', 'type', 'ttl', 'description',):
-            if k in item:
-                result[k] = item[k]
-
-        return result
+        valid_keys = ('name', 'type', 'ttl', 'description')
+        return self._load(context, request, body, valid_keys)
--- a/designate/api/v2/views/tlds.py
+++ b/designate/api/v2/views/tlds.py
@ -38,12 +38,5 @@ class TldsView(base_view.BaseView):

    def load(self, context, request, body):
        """ Extract a "central" compatible dict from an API call """
-        result = {}
-        item = body[self._resource_name]
-
-        # Copy keys which need no alterations
-        for k in ('id', 'name', 'description'):
-            if k in item:
-                result[k] = item[k]
-
-        return result
+        valid_keys = ('name', 'description')
+        return self._load(context, request, body, valid_keys)
--- a/designate/api/v2/views/zones.py
+++ b/designate/api/v2/views/zones.py
@ -47,12 +47,5 @@ class ZonesView(base_view.BaseView):

    def load(self, context, request, body):
        """ Extract a "central" compatible dict from an API call """
-        result = {}
-        item = body[self._resource_name]
-
-        # Copy keys which need no alterations
-        for k in ('id', 'name', 'email', 'description', 'ttl'):
-            if k in item:
-                result[k] = item[k]
-
-        return result
+        valid_keys = ('name', 'email', 'description', 'ttl')
+        return self._load(context, request, body, valid_keys)
--- a/designate/tests/test_api/test_v2/test_zones.py
+++ b/designate/tests/test_api/test_v2/test_zones.py
@ -76,6 +76,23 @@ class ApiV2ZonesTest(ApiV2TestCase):
        self._assert_exception('invalid_object', 400, self.client.post_json,
                               '/zones', body)

+    def test_create_zone_body_validation(self):
+        fixture = self.get_domain_fixture(0)
+        # Add id to the body
+        fixture['id'] = '2fdadfb1-cf96-4259-ac6b-bb7b6d2ff980'
+        # Ensure it fails with a 400
+        body = {'zone': fixture}
+        self._assert_exception('invalid_object', 400, self.client.post_json,
+                               '/zones', body)
+
+        fixture = self.get_domain_fixture(0)
+        # Add created_at to the body
+        fixture['created_at'] = '2014-03-12T19:07:53.000000'
+        # Ensure it fails with a 400
+        body = {'zone': fixture}
+        self._assert_exception('invalid_object', 400, self.client.post_json,
+                               '/zones', body)
+
    def test_create_zone_invalid_name(self):
        # Try to create a zone with an invalid name
        fixture = self.get_domain_fixture(-1)