diff --git a/glance/api/v1/images.py b/glance/api/v1/images.py
index c468531649..3e55926d46 100644
--- a/glance/api/v1/images.py
+++ b/glance/api/v1/images.py
@@ -479,6 +479,10 @@ def create(self, req, image_meta, image_data):
 if location:
 image_meta = self._activate(req, image_id, location)
+ # Prevent client from learning the location, as it
+ # could contain security credentials
+ image_meta.pop('location', None)
+
 return {'image_meta': image_meta}
 def update(self, req, id, image_meta, image_data):
@@ -523,6 +527,10 @@ def update(self, req, id, image_meta, image_data):
 else:
 self.notifier.info('image.update', image_meta)
+ # Prevent client from learning the location, as it
+ # could contain security credentials
+ image_meta.pop('location', None)
+
 return {'image_meta': image_meta}
 def delete(self, req, id):
diff --git a/glance/tests/unit/test_api.py b/glance/tests/unit/test_api.py
index 2e05b9e603..bbceede11d 100644
--- a/glance/tests/unit/test_api.py
+++ b/glance/tests/unit/test_api.py
@@ -2067,10 +2067,6 @@ def test_add_image_basic_file_store(self):
 res = req.get_response(self.api)
 self.assertEquals(res.status_int, httplib.CREATED)
- res_body = json.loads(res.body)['image']
- self.assertEquals(res_body['location'],
- 'file:///tmp/glance-tests/3')
-
 # Test that the Location: header is set to the URI to
 # edit the newly-created image, as required by APP.
 # See LP Bug #719825
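Review bot: The `image_meta.pop('location', None)` scrub added at the end of `create` in glance/api/v1/images.py is a hand-written copy of the one added to `update` in the next hunk, so any other handler that returns `image_meta` to a client has to remember to repeat it. Doing the filtering in one shared place (a private helper both methods call, or the response serializer) would keep the credential-bearing store URI out of responses by construction. The pop also mutates the dict in place, so if the object returned by `_activate` is shared with other code (not visible here) that code loses the key too; a filtered copy such as `image_meta = dict((k, v) for k, v in image_meta.items() if k != 'location')` avoids that. Both method bodies start outside their hunks.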
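Review bot: In `update` (glance/api/v1/images.py), `self.notifier.info('image.update', image_meta)` runs in the `else:` branch before the added `image_meta.pop('location', None)`, so the notification payload still carries the store location even though the HTTP response no longer does. If the notifier backend is a queue or log that less-privileged consumers can read (not visible in this hunk), credentials embedded in a URI like the `swift://user:passwd@...` form used in the client test fixtures stay exposed there. Consider passing the notifier a copy without the key, and add a comment stating which sinks are allowed to see `location`. The body of `update` starts outside the hunk.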
@@ -2238,6 +2234,29 @@ def test_store_location_not_revealed(self):
 self.assertEqual(res.status_int, 200)
 self.assertFalse('X-Image-Meta-Location' in res.headers)
+ # Check PUT
+ req = webob.Request.blank("/images/2")
+ req.body = res.body
+ req.method = 'PUT'
+ res = req.get_response(self.api)
+ self.assertEqual(res.status_int, 200)
+ res_body = json.loads(res.body)
+ self.assertFalse('location' in res_body['image'])
+ # Check POST
+ req = webob.Request.blank("/images")
+ headers = {'x-image-meta-location': 'http://localhost',
+ 'x-image-meta-disk-format': 'vhd',
+ 'x-image-meta-container-format': 'ovf',
+ 'x-image-meta-name': 'fake image #3'}
+ for k, v in headers.iteritems():
+ req.headers[k] = v
+ req.method = 'POST'
+ res = req.get_response(self.api)
+ self.assertEqual(res.status_int, 201)
+ res_body = json.loads(res.body)
+ self.assertFalse('location' in res_body['image'])
+
 def test_image_is_checksummed(self):
 """Test that the image contents are checksummed properly"""
 fixture_headers = {'x-image-meta-store': 'file',
@@ -2258,8 +2277,6 @@ def test_image_is_checksummed(self):
 self.assertEquals(res.status_int, httplib.CREATED)
 res_body = json.loads(res.body)['image']
- self.assertEquals(res_body['location'],
- 'file:///tmp/glance-tests/3')
 self.assertEquals(image_checksum, res_body['checksum'], "Mismatched checksum. Expected %s, got %s" % (image_checksum, res_body['checksum']))
diff --git a/glance/tests/unit/test_clients.py b/glance/tests/unit/test_clients.py
index 00ff2b45f9..b8151b8974 100644
--- a/glance/tests/unit/test_clients.py
+++ b/glance/tests/unit/test_clients.py
@@ -652,7 +652,6 @@ def test_get_image_details(self):
 'container_format': 'ovf',
 'status': 'active',
 'size': 19,
- 'location': "file:///tmp/glance-tests/2",
 'properties': {}}
 images = self.client.get_images_detailed()
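Review bot: The PUT and POST checks added to `test_store_location_not_revealed` in glance/tests/unit/test_api.py assert only that the `location` key is missing from `res_body['image']`, and the POST case uses `http://localhost`, which carries no credential. A location value holding a distinctive constructed token, plus an assertion that the token appears nowhere in the response, would also catch the URI leaking under another key or inside an error string, for example `self.assertFalse(marker in res.body)`. Whether the test store accepts such a location is not visible here. The test method starts outside the hunk.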
@@ -962,7 +961,6 @@ def test_get_image(self):
 'container_format': 'ami',
 'status': 'active',
 'size': 13,
- 'location': "swift://user:passwd@acct/container/obj.tar.0",
 'properties': {'type': 'kernel'}}
 data = self.client.get_image(1)
@@ -986,7 +984,6 @@ def test_add_image_basic(self):
 'disk_format': 'vmdk',
 'container_format': 'ovf',
 'size': 19,
- 'location': "file:///tmp/glance-tests/acct/3.gz.0",
 }
 new_image = self.client.add_image(fixture)
@@ -1019,6 +1016,7 @@ def test_add_image_with_properties(self):
 # Test ID auto-assigned properly
 self.assertEquals(3, new_image['id'])
+ del fixture['location']
 for k, v in fixture.items():
 self.assertEquals(v, new_image[k])
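Review bot: In `test_add_image_with_properties` the added `del fixture['location']` only stops the loop from comparing the key; nothing asserts that the client response omits it, and the fixture edits in the earlier hunks of this file likewise just drop the expectation. Adding `self.assertFalse('location' in new_image)` after the loop, and the equivalent check in `test_get_image`, `test_get_image_details` and `test_add_image_basic`, would turn the security property into a regression test at the client layer. `del` raises `KeyError` if the fixture, which is defined outside the hunk, ever stops carrying `location`; `fixture.pop('location', None)` is more tolerant.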