Merge "Prevent direct access to conditions in templates"

2016-09-02 07:15:54 +00:00
parent 6c6dd30e4a fdcba53d30
commit d8e2bfb4da
3 changed files with 16 additions and 12 deletions
--- a/heat/engine/cfn/template.py
+++ b/heat/engine/cfn/template.py
@@ -170,6 +170,8 @@ class CfnTemplate(CfnTemplateBase):
    CONDITION = 'Condition'
    CONDITIONS = 'Conditions'
    SECTIONS = CfnTemplateBase.SECTIONS + (CONDITIONS,)
+    SECTIONS_NO_DIRECT_ACCESS = (CfnTemplateBase.SECTIONS_NO_DIRECT_ACCESS |
+                                 set([CONDITIONS]))

    RES_CONDITION = CONDITION
    _RESOURCE_KEYS = CfnTemplateBase._RESOURCE_KEYS + (RES_CONDITION,)
@@ -211,7 +213,7 @@ class CfnTemplate(CfnTemplateBase):
        self.merge_sections = [self.PARAMETERS, self.CONDITIONS]

    def get_condition_definitions(self):
-        return self[self.CONDITIONS]
+        return self.t.get(self.CONDITIONS, {})

    def has_condition_section(self, snippet):
        if snippet and self.CONDITION in snippet:
--- a/heat/engine/hot/template.py
+++ b/heat/engine/hot/template.py
@@ -393,6 +393,9 @@ class HOTemplate20161014(HOTemplate20160408):

    SECTIONS = HOTemplate20160408.SECTIONS + (CONDITIONS,)

+    SECTIONS_NO_DIRECT_ACCESS = (HOTemplate20160408.SECTIONS_NO_DIRECT_ACCESS |
+                                 set([CONDITIONS]))
+
    _CFN_TO_HOT_SECTIONS = HOTemplate20160408._CFN_TO_HOT_SECTIONS
    _CFN_TO_HOT_SECTIONS.update({
        cfn_template.CfnTemplate.CONDITIONS: CONDITIONS})
@@ -484,7 +487,7 @@ class HOTemplate20161014(HOTemplate20160408):
        self.merge_sections = [self.PARAMETERS, self.CONDITIONS]

    def get_condition_definitions(self):
-        return self[self.CONDITIONS]
+        return self.t.get(self.CONDITIONS, {})

    def validate_resource_definition(self, name, data):
        super(HOTemplate20161014, self).validate_resource_definition(
--- a/heat/engine/template_common.py
+++ b/heat/engine/template_common.py
@@ -90,16 +90,15 @@ class CommonTemplate(template.Template):
    def resolve_conditions(self, stack):
        cd_snippet = self.get_condition_definitions()
        result = {}
-        if cd_snippet:
-            for cd_key, cd_value in six.iteritems(cd_snippet):
-                # hasn't been resolved yet
-                if not isinstance(cd_value, bool):
-                    condition_func = self.parse_condition(
-                        stack, cd_value)
-                    resolved_cd_value = function.resolve(condition_func)
-                    result[cd_key] = resolved_cd_value
-                else:
-                    result[cd_key] = cd_value
+        for cd_key, cd_value in six.iteritems(cd_snippet):
+            # hasn't been resolved yet
+            if not isinstance(cd_value, bool):
+                condition_func = self.parse_condition(
+                    stack, cd_value)
+                resolved_cd_value = function.resolve(condition_func)
+                result[cd_key] = resolved_cd_value
+            else:
+                result[cd_key] = cd_value

        return result