Add snapshot id validation during volume creation

Return bad request response if shapshot id has a bad format. APIImpact Change-Id: Ifa216e73d62b772de7aa0ae43d8472c4284fc92b Closes-Bug: #1626474
2016-09-22 13:21:52 +03:00 · 2016-09-22 13:21:52 +03:00 · d1a035fa47
commit d1a035fa47
parent 4e2e29d1e5
6 changed files with 50 additions and 0 deletions
--- a/cinder/api/v1/volumes.py
+++ b/cinder/api/v1/volumes.py
@ -233,6 +233,9 @@ class VolumeController(wsgi.Controller):

        snapshot_id = volume.get('snapshot_id')
        if snapshot_id is not None:
+            if not uuidutils.is_uuid_like(snapshot_id):
+                msg = _("Snapshot ID must be in UUID form.")
+                raise exc.HTTPBadRequest(explanation=msg)
            # Not found exception will be handled at the wsgi level
            kwargs['snapshot'] = self.volume_api.get_snapshot(context,
                                                              snapshot_id)
--- a/cinder/api/v2/volumes.py
+++ b/cinder/api/v2/volumes.py
@ -203,6 +203,9 @@ class VolumeController(wsgi.Controller):

        snapshot_id = volume.get('snapshot_id')
        if snapshot_id is not None:
+            if not uuidutils.is_uuid_like(snapshot_id):
+                msg = _("Snapshot ID must be in UUID form.")
+                raise exc.HTTPBadRequest(explanation=msg)
            # Not found exception will be handled at the wsgi level
            kwargs['snapshot'] = self.volume_api.get_snapshot(context,
                                                              snapshot_id)
--- a/cinder/api/v3/volumes.py
+++ b/cinder/api/v3/volumes.py
@ -14,6 +14,7 @@
 """The volumes V3 api."""

 from oslo_log import log as logging
+from oslo_utils import uuidutils
 from webob import exc

 from cinder.api import common
@ -160,6 +161,9 @@ class VolumeController(volumes_v2.VolumeController):

        snapshot_id = volume.get('snapshot_id')
        if snapshot_id is not None:
+            if not uuidutils.is_uuid_like(snapshot_id):
+                msg = _("Snapshot ID must be in UUID form.")
+                raise exc.HTTPBadRequest(explanation=msg)
            # Not found exception will be handled at the wsgi level
            kwargs['snapshot'] = self.volume_api.get_snapshot(context,
                                                              snapshot_id)
--- a/cinder/tests/unit/api/v1/test_volumes.py
+++ b/cinder/tests/unit/api/v1/test_volumes.py
@ -16,6 +16,7 @@
 import datetime
 import iso8601

+import ddt
 import mock
 from oslo_config import cfg
 import webob
@ -39,6 +40,7 @@ NS = '{http://docs.openstack.org/api/openstack-block-storage/1.0/content}'
 CONF = cfg.CONF


+@ddt.ddt
 class VolumeApiTest(test.TestCase):
    def setUp(self):
        super(VolumeApiTest, self).setUp()
@ -856,6 +858,19 @@ class VolumeApiTest(test.TestCase):
            sort_keys=['created_at'], limit=None, filters={'id': 'd+'},
            marker=None)

+    @ddt.data({'s': 'ea895e29-8485-4930-bbb8-c5616a309c0e'},
+              ['ea895e29-8485-4930-bbb8-c5616a309c0e'],
+              42)
+    def test_volume_creation_fails_with_invalid_snapshot_type(self, value):
+        snapshot_id = value
+        vol = {"size": 1,
+               "snapshot_id": snapshot_id}
+        body = {"volume": vol}
+        req = fakes.HTTPRequest.blank('/v1/volumes')
+        # Raise 400 when snapshot has not uuid type.
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+                          req, body)
+

 class VolumesUnprocessableEntityTestCase(test.TestCase):

--- a/cinder/tests/unit/api/v2/test_volumes.py
+++ b/cinder/tests/unit/api/v2/test_volumes.py
@ -272,6 +272,18 @@ class VolumeApiTest(test.TestCase):
        get_snapshot.assert_called_once_with(self.controller.volume_api,
                                             context, snapshot_id)

+    @ddt.data({'s': 'ea895e29-8485-4930-bbb8-c5616a309c0e'},
+              ['ea895e29-8485-4930-bbb8-c5616a309c0e'],
+              42)
+    def test_volume_creation_fails_with_invalid_snapshot_type(self, value):
+        snapshot_id = value
+        vol = self._vol_in_request_body(snapshot_id=snapshot_id)
+        body = {"volume": vol}
+        req = fakes.HTTPRequest.blank('/v2/volumes')
+        # Raise 400 when snapshot has not uuid type.
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+                          req, body)
+
    @mock.patch.object(db.sqlalchemy.api, '_volume_type_get_full',
                       autospec=True)
    @mock.patch.object(volume_api.API, 'get_volume', autospec=True)
--- a/cinder/tests/unit/api/v3/test_volumes.py
+++ b/cinder/tests/unit/api/v3/test_volumes.py
@ -16,6 +16,7 @@ import ddt
 import iso8601

 import mock
+import webob

 from cinder.api import extensions
 from cinder.api.openstack import api_version_request as api_version
@ -358,3 +359,15 @@ class VolumeApiTest(test.TestCase):
        create.assert_called_once_with(self.controller.volume_api, context,
                                       vol['size'], stubs.DEFAULT_VOL_NAME,
                                       stubs.DEFAULT_VOL_DESCRIPTION, **kwargs)
+
+    @ddt.data({'s': 'ea895e29-8485-4930-bbb8-c5616a309c0e'},
+              ['ea895e29-8485-4930-bbb8-c5616a309c0e'],
+              42)
+    def test_volume_creation_fails_with_invalid_snapshot_type(self, value):
+        snapshot_id = value
+        vol = self._vol_in_request_body(snapshot_id=snapshot_id)
+        body = {"volume": vol}
+        req = fakes.HTTPRequest.blank('/v3/volumes')
+        # Raise 400 when snapshot has not uuid type.
+        self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+                          req, body)