Remove 'local_register_only' and add 'allow_registration'.

The existing implementation of 'local_register_only' had a security hole. Moreover, I'm not sure that it's possible to implement the intent of 'local_register_only' in Rails/EM safely. We would need to grab the socket for the current request and call getpeername() on it. We attempt to provide similar functionality to 'local_register_only' by allowing users to disable registration and provide seed users to be created at startup. The seed users can then be used to register additional users. Test plan: - New unit tests pass - Ran CC locally with/without allow_registration set and verified the correct behaviour with vmc. - BVTs pass locally - BVTs pass on my deployment Change-Id: Ib1c96304f7a7364b913a8a09f7178f85857cd46d
cloudfoundry-attic · Nov 18, 2011 · 455c335 · 455c335
1 parent 6e5d668
commit 455c335
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 6 deletions.
diff --git a/cloud_controller/app/controllers/users_controller.rb b/cloud_controller/app/controllers/users_controller.rb
@@ -76,7 +76,8 @@ def grab_event_user
 
   def enforce_registration_policy
     return if user && user.admin?
-    if AppConfig[:local_register_only] && remote_request?
+    unless AppConfig[:allow_registration]
+      CloudController.logger.info("User registration is disabled but someone from #{request.remote_ip} is attempting to register the email '#{body_params[:email]}'.")
       raise CloudError.new(CloudError::FORBIDDEN)
     end
   end

diff --git a/cloud_controller/config/appconfig.rb b/cloud_controller/config/appconfig.rb
@@ -34,7 +34,6 @@
              :support_address => 'http://support.cloudfoundry.com',
              :rails_environment => 'development',
              :local_route  => '127.0.0.1',
-             :local_register_only => true,
              :allow_external_app_uris => false,
              :staging => { :max_concurrent_stagers => 10,
                            :max_staging_runtime => 60 },
@@ -226,3 +225,8 @@
     end
   end
 end
+
+unless AppConfig.has_key?(:allow_registration)
+  $stderr.puts "Allow registration not set, defaulting to true"
+  AppConfig[:allow_registration] = true
+end
diff --git a/cloud_controller/config/cloud_controller.yml b/cloud_controller/config/cloud_controller.yml
@@ -10,8 +10,8 @@ support_address: http://support.cloudfoundry.com
 # value of nil, should work in most cases.
 local_route: 127.0.0.1
 
-# Specifies if new users can register only from the host that is running the cloud controller
-local_register_only: false
+# Specifies if new users are allowed to register via VMC
+allow_registration: true
 
 # Allow applications to register URIs that are outside your domain.
 # Legacy (FIXME REMOVE)

diff --git a/cloud_controller/spec/controllers/users_controller_spec.rb b/cloud_controller/spec/controllers/users_controller_spec.rb
@@ -55,6 +55,44 @@
     end
   end
 
+  describe '#create' do
+    it 'should return 403 if the user is not an admin and registration is disabled' do
+      AppConfig[:allow_registration] = false
+      post_with_body :create do
+        { :email    => 'foo@bar.com',
+          :password => 'testpass',
+        }
+      end
+      response.status.should == 403
+    end
+
+    it 'should create users if the user is an admin and registration is disabled' do
+      AppConfig[:allow_registration] = false
+      User.find_by_email('foo@bar.com').should be_nil
+      @admin.admin?.should be_true
+      @admin_headers.each {|key, value| request.env[key] = value}
+      post_with_body :create do
+        { :email    => 'foo@bar.com',
+          :password => 'testpass',
+        }
+      end
+      response.status.should == 204
+      User.find_by_email('foo@bar.com').should_not be_nil
+    end
+
+    it 'should create users if the user is not an admin and registration is allowed' do
+      AppConfig[:allow_registration] = true
+      User.find_by_email('foo@bar.com').should be_nil
+      post_with_body :create do
+        { :email    => 'foo@bar.com',
+          :password => 'testpass',
+        }
+      end
+      response.status.should == 204
+      User.find_by_email('foo@bar.com').should_not be_nil
+    end
+  end
+
   describe "#list" do
     it 'should return 200 as an admin' do
       @admin.admin?.should be_true
@@ -101,4 +139,10 @@
       User.find_by_email(@user.email).should_not be_nil
     end
   end
+
+  def post_with_body(*args, &blk)
+    body = yield
+    request.env['RAW_POST_DATA'] = Yajl::Encoder.encode(body)
+    post(*args)
+  end
 end
diff --git a/dev_setup/cookbooks/cloud_controller/templates/default/cloud_controller.yml.erb b/dev_setup/cookbooks/cloud_controller/templates/default/cloud_controller.yml.erb
@@ -10,8 +10,8 @@ support_address: http://support.cloudfoundry.com
 # value of nil, should work in most cases.
 local_route: <%= node[:cloud_controller][:local_route] %>
 
-# Specifies if new users can register only from the host that is running the cloud controller
-local_register_only: false
+# Specifies if new users are allowed to register via VMC
+allow_registration: true
 
 # Allow applications to register URIs that are outside your domain.
 # Legacy (FIXME REMOVE)