Deny standalone service template ordering when product setting is enabled #476

Merged
merged 2 commits into from Oct 22, 2018
@@ -3,9 +3,8 @@ module Mixins
module ServiceTemplates
def order_service_template(id, data, scheduled_time = nil)
service_template = resource_search(id, :service_templates, ServiceTemplate)
raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless service_template.orderable?
init_defaults = !request_from_ui? && Settings.product.run_automate_methods_on_service_api_submit
request_result = service_template.order(User.current_user, (data || {}), {:submit_workflow => request_from_ui?, :init_defaults => init_defaults}, scheduled_time)
raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless orderable?
request_result = service_template.order(User.current_user, (data || {}), order_request_options, scheduled_time)
errors = request_result[:errors]
if errors.present?
raise BadRequestError, "Failed to order #{service_template_ident(service_template)} - #{errors.join(", ")}"
@@ -15,11 +14,26 @@ def order_service_template(id, data, scheduled_time = nil)

private

def orderable?
api_request_allowed? && service_template.orderable?
end

def api_request_allowed?
return true if request_from_ui?
Settings.product.allow_api_service_ordering
end

def request_from_ui?
return false if request.headers["x-auth-token"].blank?
token_info.present?
end

def order_request_options
init_defaults = !request_from_ui? && Settings.product.run_automate_methods_on_service_api_submit

{:submit_workflow => request_from_ui?, :init_defaults => init_defaults}
end

def token_info
requester_type = params['requester_type'] || 'api'
Environment.user_token_service.token_mgr(requester_type).token_get_info(request.headers["x-auth-token"])
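Review bot: The new `api_request_allowed?` gate rests entirely on `request_from_ui?`, which returns true for any request whose `x-auth-token` header resolves to token info, so `Settings.product.allow_api_service_ordering` is only enforced for requests that carry no valid token. `token_info` looks the token up under `params['requester_type'] || 'api'`, a caller-supplied value that defaults to the API type, and the spec in this change generates its token with `"api"` and then expects `"submit_workflow"=>true`, which suggests API-issued tokens are counted as UI traffic. If the setting is meant to deny standalone ordering by API clients, the decision should depend on something the server recorded when it issued the token (a requester type stored with the token, if the token service keeps one) rather than on the header being present; at minimum add a comment on `request_from_ui?` such as `# token presence is a heuristic for UI origin, not an authorization boundary`. Separately, `orderable?` reads `service_template`, which in the visible lines is a local of `order_service_template`; unless a method of that name exists outside the hunk, pass it in: `unless orderable?(service_template)`. The body of `token_info` continues past the end of the hunk.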
@@ -375,6 +375,13 @@ def sc_template_url(id, st_id = nil)
request_headers["x-auth-token"] = test_token
end

before do
stub_settings_merge(:product => {:allow_api_service_ordering => true})
userid = User.first.userid
test_token = Api::UserTokenService.new.generate_token(userid, "api")
request_headers["x-auth-token"] = test_token
end

def init_st(service_template, resource_action)
service_template.resource_actions = [resource_action]
dialog1.dialog_tabs << tab1
@@ -466,6 +466,14 @@

describe "Service Templates order" do
let(:service_template) { FactoryGirl.create(:service_template, :with_provision_resource_action_and_dialog, :orderable) }
let(:allow_api_service_ordering) { true }

before do
stub_settings_merge(:product => {:allow_api_service_ordering => allow_api_service_ordering})
userid = User.first.userid
test_token = Api::UserTokenService.new.generate_token(userid, "api")
request_headers["x-auth-token"] = test_token
end

it "is forbidden without appropriate role" do
api_basic_authorize
@@ -492,7 +500,7 @@

expected = {
"results" => [a_hash_including("href" => a_string_including(api_service_requests_url),
"options" => a_hash_including("request_options" => a_hash_including("submit_workflow"=>false)))]
"options" => a_hash_including("request_options" => a_hash_including("submit_workflow"=>true)))]
}
expect(response).to have_http_status(:ok)
expect(response.parsed_body).to include(expected)
@@ -579,10 +587,13 @@

context "with the product setting not allowing automate to run on submit" do
let(:template_no_display) { FactoryGirl.create(:service_template, :display => false) }
let(:allow_api_service_ordering) { false }

context "if the token info is blank" do
before do
request_headers["x-auth_token"] = ""
end

it "rejects the request" do
api_basic_authorize action_identifier(:service_templates, :order, :resource_actions, :post)
post(api_service_template_url(nil, template_no_display), :params => { :action => "order" })
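Review bot: The inner `before` of the "if the token info is blank" context sets `request_headers["x-auth_token"]` (underscore), while the other `before` blocks in this spec and the controller use `x-auth-token`, so the valid token set by the outer `before` appears to stay in place. If this context is nested under the "Service Templates order" describe, the request is still treated as coming from the UI, and the rejection presumably comes from `template_no_display` being created with `:display => false` rather than from `allow_api_service_ordering` being false, which leaves the deny path untested. Use `request_headers["x-auth-token"] = ""` and order a template that is otherwise orderable, so the expectation can only pass because of the setting. The `it` block continues past the end of the hunk.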