Allow enforcing usage of "raw" definitions
Since the chage 72a6bc1ad1461e20b8ccc7ef41898dd13067c6dc was merged, mistralclient tries to determine if the value passed in is a definition file path name or file URI, or the actual definition. However this behavior causes problem when the client is used in server side and results in allowing access to server files or any contents in internal servers. This change introduces the new enforce_raw_definitions variable to disable that fallback behavior and ensure that client treats input as raw contents. Related-Bug: #1931558 Change-Id: I47931bdf8bbccb940d4c98c47f16a6eef27c026a
This commit is contained in:
parent
18fff747b5
commit
ab54cb9ae5
@ -19,6 +19,8 @@ from oslo_serialization import jsonutils
|
|||||||
|
|
||||||
from keystoneauth1 import exceptions
|
from keystoneauth1 import exceptions
|
||||||
|
|
||||||
|
from mistralclient import utils
|
||||||
|
|
||||||
urlparse = urllib.parse
|
urlparse = urllib.parse
|
||||||
|
|
||||||
|
|
||||||
@ -73,8 +75,15 @@ def extract_json(response, response_key):
|
|||||||
class ResourceManager(object):
|
class ResourceManager(object):
|
||||||
resource_class = None
|
resource_class = None
|
||||||
|
|
||||||
def __init__(self, http_client):
|
def __init__(self, http_client, enforce_raw_definitions=False):
|
||||||
self.http_client = http_client
|
self.http_client = http_client
|
||||||
|
self.enforce_raw_definitions = enforce_raw_definitions
|
||||||
|
|
||||||
|
def get_contents_if_file(self, contents_or_file_name):
|
||||||
|
if self.enforce_raw_definitions:
|
||||||
|
return contents_or_file_name
|
||||||
|
else:
|
||||||
|
return utils.get_contents_if_file(contents_or_file_name)
|
||||||
|
|
||||||
def find(self, **kwargs):
|
def find(self, **kwargs):
|
||||||
return [i for i in self.list() if _check_items(i, kwargs.items())]
|
return [i for i in self.list() if _check_items(i, kwargs.items())]
|
||||||
|
@ -14,7 +14,6 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
from mistralclient.api import base
|
from mistralclient.api import base
|
||||||
from mistralclient import utils
|
|
||||||
|
|
||||||
|
|
||||||
class Action(base.Resource):
|
class Action(base.Resource):
|
||||||
@ -29,7 +28,7 @@ class ActionManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
url = '/actions?scope=%s' % scope
|
url = '/actions?scope=%s' % scope
|
||||||
|
|
||||||
if namespace:
|
if namespace:
|
||||||
@ -56,7 +55,7 @@ class ActionManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._update(
|
return self._update(
|
||||||
url,
|
url,
|
||||||
@ -101,7 +100,7 @@ class ActionManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._validate(
|
return self._validate(
|
||||||
'/actions/validate',
|
'/actions/validate',
|
||||||
|
@ -41,10 +41,27 @@ _DEFAULT_MISTRAL_URL = "http://localhost:8989/v2"
|
|||||||
|
|
||||||
class Client(object):
|
class Client(object):
|
||||||
|
|
||||||
|
MANAGERS = {
|
||||||
|
'workbooks': workbooks.WorkbookManager,
|
||||||
|
'executions': executions.ExecutionManager,
|
||||||
|
'tasks': tasks.TaskManager,
|
||||||
|
'actions': actions.ActionManager,
|
||||||
|
'workflows': workflows.WorkflowManager,
|
||||||
|
'cron_triggers': cron_triggers.CronTriggerManager,
|
||||||
|
'event_triggers': event_triggers.EventTriggerManager,
|
||||||
|
'environments': environments.EnvironmentManager,
|
||||||
|
'action_executions': action_executions.ActionExecutionManager,
|
||||||
|
'services': services.ServiceManager,
|
||||||
|
'members': members.MemberManager,
|
||||||
|
'code_sources': code_sources.CodeSourceManager,
|
||||||
|
'dynamic_actions': dynamic_actions.DynamicActionManager,
|
||||||
|
}
|
||||||
|
|
||||||
def __init__(self, auth_type='keystone', **kwargs):
|
def __init__(self, auth_type='keystone', **kwargs):
|
||||||
# We get the session at this point, as some instances of session
|
# We get the session at this point, as some instances of session
|
||||||
# objects might have mutexes that can't be deep-copied.
|
# objects might have mutexes that can't be deep-copied.
|
||||||
session = kwargs.pop('session', None)
|
session = kwargs.pop('session', None)
|
||||||
|
enforce_raw_definitions = kwargs.pop('enforce_raw_definitions', False)
|
||||||
req = copy.deepcopy(kwargs)
|
req = copy.deepcopy(kwargs)
|
||||||
mistral_url = req.get('mistral_url')
|
mistral_url = req.get('mistral_url')
|
||||||
profile = req.get('profile')
|
profile = req.get('profile')
|
||||||
@ -77,22 +94,6 @@ class Client(object):
|
|||||||
|
|
||||||
http_client = httpclient.HTTPClient(mistral_url, session=session,
|
http_client = httpclient.HTTPClient(mistral_url, session=session,
|
||||||
**req)
|
**req)
|
||||||
|
|
||||||
# Create all resource managers.
|
# Create all resource managers.
|
||||||
self.workbooks = workbooks.WorkbookManager(http_client)
|
for name, cls in self.MANAGERS.items():
|
||||||
self.executions = executions.ExecutionManager(http_client)
|
setattr(self, name, cls(http_client, enforce_raw_definitions))
|
||||||
self.tasks = tasks.TaskManager(http_client)
|
|
||||||
self.actions = actions.ActionManager(http_client)
|
|
||||||
self.workflows = workflows.WorkflowManager(http_client)
|
|
||||||
self.cron_triggers = cron_triggers.CronTriggerManager(http_client)
|
|
||||||
self.event_triggers = event_triggers.EventTriggerManager(http_client)
|
|
||||||
self.environments = environments.EnvironmentManager(http_client)
|
|
||||||
self.action_executions = action_executions.ActionExecutionManager(
|
|
||||||
http_client
|
|
||||||
)
|
|
||||||
self.services = services.ServiceManager(http_client)
|
|
||||||
self.members = members.MemberManager(http_client)
|
|
||||||
self.code_sources = code_sources.CodeSourceManager(http_client)
|
|
||||||
self.dynamic_actions = dynamic_actions.DynamicActionManager(
|
|
||||||
http_client
|
|
||||||
)
|
|
||||||
|
@ -13,7 +13,6 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
from mistralclient.api import base
|
from mistralclient.api import base
|
||||||
from mistralclient import utils
|
|
||||||
|
|
||||||
|
|
||||||
class CodeSource(base.Resource):
|
class CodeSource(base.Resource):
|
||||||
@ -27,7 +26,7 @@ class CodeSourceManager(base.ResourceManager):
|
|||||||
self._ensure_not_empty(name=name, content=content)
|
self._ensure_not_empty(name=name, content=content)
|
||||||
|
|
||||||
# If the specified content is actually a file, read from it.
|
# If the specified content is actually a file, read from it.
|
||||||
content = utils.get_contents_if_file(content)
|
content = self.get_contents_if_file(content)
|
||||||
|
|
||||||
return self._create(
|
return self._create(
|
||||||
'/code_sources?name=%s&scope=%s&namespace=%s' %
|
'/code_sources?name=%s&scope=%s&namespace=%s' %
|
||||||
@ -41,7 +40,7 @@ class CodeSourceManager(base.ResourceManager):
|
|||||||
self._ensure_not_empty(identifier=identifier, content=content)
|
self._ensure_not_empty(identifier=identifier, content=content)
|
||||||
|
|
||||||
# If the specified content is actually a file, read from it.
|
# If the specified content is actually a file, read from it.
|
||||||
content = utils.get_contents_if_file(content)
|
content = self.get_contents_if_file(content)
|
||||||
|
|
||||||
return self._update(
|
return self._update(
|
||||||
'/code_sources?identifier=%s&scope=%s&namespace=%s' %
|
'/code_sources?identifier=%s&scope=%s&namespace=%s' %
|
||||||
|
@ -43,7 +43,7 @@ class EnvironmentManager(base.ResourceManager):
|
|||||||
# read it's contents first.
|
# read it's contents first.
|
||||||
if 'file' in kwargs:
|
if 'file' in kwargs:
|
||||||
file = kwargs['file']
|
file = kwargs['file']
|
||||||
kwargs = utils.load_content(utils.get_contents_if_file(file))
|
kwargs = utils.load_content(self.get_contents_if_file(file))
|
||||||
|
|
||||||
self._ensure_not_empty(name=kwargs.get('name', None),
|
self._ensure_not_empty(name=kwargs.get('name', None),
|
||||||
variables=kwargs.get('variables', None))
|
variables=kwargs.get('variables', None))
|
||||||
@ -59,7 +59,7 @@ class EnvironmentManager(base.ResourceManager):
|
|||||||
# read it's contents first.
|
# read it's contents first.
|
||||||
if 'file' in kwargs:
|
if 'file' in kwargs:
|
||||||
file = kwargs['file']
|
file = kwargs['file']
|
||||||
kwargs = utils.load_content(utils.get_contents_if_file(file))
|
kwargs = utils.load_content(self.get_contents_if_file(file))
|
||||||
|
|
||||||
name = kwargs.get('name', None)
|
name = kwargs.get('name', None)
|
||||||
self._ensure_not_empty(name=name)
|
self._ensure_not_empty(name=name)
|
||||||
|
@ -14,7 +14,6 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
from mistralclient.api import base
|
from mistralclient.api import base
|
||||||
from mistralclient import utils
|
|
||||||
|
|
||||||
|
|
||||||
class Workbook(base.Resource):
|
class Workbook(base.Resource):
|
||||||
@ -44,7 +43,7 @@ class WorkbookManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._create(
|
return self._create(
|
||||||
self._get_workbooks_url(None, namespace, scope),
|
self._get_workbooks_url(None, namespace, scope),
|
||||||
@ -58,7 +57,7 @@ class WorkbookManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._update(
|
return self._update(
|
||||||
self._get_workbooks_url(None, namespace, scope),
|
self._get_workbooks_url(None, namespace, scope),
|
||||||
@ -100,7 +99,7 @@ class WorkbookManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._validate(
|
return self._validate(
|
||||||
'/workbooks/validate',
|
'/workbooks/validate',
|
||||||
|
@ -14,7 +14,6 @@
|
|||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
from mistralclient.api import base
|
from mistralclient.api import base
|
||||||
from mistralclient import utils
|
|
||||||
|
|
||||||
|
|
||||||
class Workflow(base.Resource):
|
class Workflow(base.Resource):
|
||||||
@ -29,7 +28,7 @@ class WorkflowManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._create(
|
return self._create(
|
||||||
'/workflows?scope=%s&namespace=%s' % (scope, namespace),
|
'/workflows?scope=%s&namespace=%s' % (scope, namespace),
|
||||||
@ -47,7 +46,7 @@ class WorkflowManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
is_iter_resp = True
|
is_iter_resp = True
|
||||||
response_key = 'workflows'
|
response_key = 'workflows'
|
||||||
@ -106,7 +105,7 @@ class WorkflowManager(base.ResourceManager):
|
|||||||
|
|
||||||
# If the specified definition is actually a file, read in the
|
# If the specified definition is actually a file, read in the
|
||||||
# definition file
|
# definition file
|
||||||
definition = utils.get_contents_if_file(definition)
|
definition = self.get_contents_if_file(definition)
|
||||||
|
|
||||||
return self._validate(
|
return self._validate(
|
||||||
'/workflows/validate',
|
'/workflows/validate',
|
||||||
|
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The new ``enforce_raw_definitions`` variable has been added to
|
||||||
|
the ``Client`` class and each ``ResourceManager`` class. This variable is
|
||||||
|
set to False by default. Setting this parameter to True enforces the client
|
||||||
|
to use ``definition`` passed in as raw content.
|
Loading…
x
Reference in New Issue
Block a user