

[api] secure new download on demand urls
Handle them like OBS interconnect definitions: only an admin is allowed to define them.
adrianschroeter committed Aug 17, 2015
1 parent 488a8fe commit 3cf853a
Showing 3 changed files with 22 additions and 14 deletions.
8 changes: 5 additions & 3 deletions src/api/app/controllers/source_controller.rb
Expand Up @@ -498,10 +498,12 @@ def update_project_meta
prj = nil
end

# remote url project must be edited by the admin
# projects using remote resources must be edited by the admin
unless User.current.is_admin?
if rdata.has_key? 'remoteurl' or rdata.has_key? 'remoteproject'
raise ChangeProjectNoPermission.new 'admin rights are required to change remoteurl or remoteproject'
# either OBS interconnect or repository "download on demand" feature used
if rdata.has_key? 'remoteurl' or rdata.has_key? 'remoteproject' or
(rdata['repository'] and rdata['repository'].any?{|r| r.first == 'download'})
raise ChangeProjectNoPermission.new 'admin rights are required to change projects using remote resources'
end
end

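Review bot: The new `download` guard on the second added `if` line assumes `rdata['repository']` enumerates repository elements, but its shape is not visible in this hunk; if a single `<repository>` parses to a Hash, `any?` yields `[key, value]` pairs and `r.first == 'download'` happens to test for a `download` key, whereas an Array of repository hashes (several `<repository>` elements) would yield each Hash's first pair and the check would miss a `download` child, letting a non-admin define a download-on-demand source. Normalising to a list of repository hashes (a bare Hash for one element, an Array for several) and testing `r.has_key?('download')` on each would make the intent explicit and cover both cases; if `rdata` offers an element accessor such as an `elements('repository')` method, prefer it over indexing. As a style point, `||` is preferred over `or` in the condition. `update_project_meta` starts and ends outside the hunk.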
25 changes: 16 additions & 9 deletions src/api/test/functional/source_controller_test.rb
Expand Up @@ -289,22 +289,29 @@ def test_put_project_meta_with_invalid_permissions
# Change description
xml = @response.body
new_desc = 'Changed description'
doc = REXML::Document.new(xml)
d = doc.elements['//description']
doc = ActiveXML::Node.new(xml)
d = doc.find_first('description')
d.text = new_desc

# Write changed data back
put url_for(:controller => :source, :action => :update_project_meta, :project => 'kde4'), doc.to_s
put url_for(:controller => :source, :action => :update_project_meta, :project => 'kde4'), doc.dump_xml
assert_response 403

# admin only tag
d = doc.elements['/project']
d = d.add_element 'remoteurl'
d.text = 'http://localhost:5352'
### admin only tag
# remote instance connection
login_fred
put url_for(:controller => :source, :action => :update_project_meta, :project => 'kde4'), doc.to_s
d = doc.add_element 'remoteurl'
d.text = 'http://localhost:5352'
put url_for(:controller => :source, :action => :update_project_meta, :project => 'kde4'), doc.dump_xml
assert_response 403
assert_match(/admin rights are required to change projects using remote resources/, @response.body)
# DoD remote repository
doc = ActiveXML::Node.new(xml)
r = doc.add_element 'repository', { name: "download_on_demand" }
r.add_element 'download', { arch: "i586", url: "http://somewhere", repotype: "rpmmd" }
put url_for(:controller => :source, :action => :update_project_meta, :project => 'kde4'), doc.dump_xml
assert_response 403
assert_match(/admin rights are required to change remoteurl/, @response.body)
assert_match(/admin rights are required to change projects using remote resources/, @response.body)

# invalid xml
raw_put url_for(:controller => :source, :action => :update_project_meta, :project => 'NewProject'), '<asd/>'
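Review bot: The DoD case added at the end of the hunk only checks that a non-admin is refused a 403; there is no counterpart asserting that an admin can store the same `download` element, so a regression that rejects `download` for everyone would still pass. Consider adding, after the second `assert_response 403`, a login with the admin helper the suite uses, re-sending `doc.dump_xml` with `assert_response :success`, and restoring the original meta afterwards. Matching the full error text with `assert_match` in both the remoteurl and the DoD case also couples the test to wording; if the error response carries a status code element, asserting on that code would be more robust. `test_put_project_meta_with_invalid_permissions` starts and ends outside the hunk.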
3 changes: 1 addition & 2 deletions src/api/test/unit/code_quality_test.rb
Expand Up @@ -85,7 +85,6 @@ def setup
'MaintenanceHelper#instantiate_container' => 160.21,
'Owner::_extract_from_container' => 84.07,
'PersonController#internal_register' => 112.01,
'Package#add_channels' => 90.24,
'Package#find_changed_issues' => 93.74,
'Project#update_one_repository_without_path' => 118.34,
'PublicController#binary_packages' => 126.16,
Expand All @@ -94,7 +93,7 @@ def setup
'SearchController#find_attribute' => 97.33,
'SearchController#search' => 84.06,
'SourceController#project_command_copy' => 140.04,
'SourceController#update_project_meta' => 110.32,
'SourceController#update_project_meta' => 113.94,
'UserLdapStrategy::find_with_ldap' => 119.04,
'UserLdapStrategy::render_grouplist_ldap' => 100.3,
'Webui::DriverUpdateController#save' => 97.16,
