Enforce flavor access during instance boot

The code in the servers API did not pass the context when retrieving flavor details. That means it would use an admin context instead, bypassing all flavor access control checks. This patch includes the fix, and the corresponding unit test, for both the v2 and v3 APIs. Closes-bug: #1212179 Change-Id: I681ae9965e19767df22fa74c3315e4e03a459d3b
openstack · Aug 20, 2013 · 4054cc4 · 4054cc4
1 parent 2ca2088
commit 4054cc4
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 6 deletions.
diff --git a/nova/api/openstack/compute/plugins/v3/servers.py b/nova/api/openstack/compute/plugins/v3/servers.py
@@ -908,7 +908,7 @@ def create(self, req, body):
 
         try:
             inst_type = flavors.get_flavor_by_flavor_id(
-                    flavor_id, read_deleted="no")
+                    flavor_id, ctxt=context, read_deleted="no")
 
             (instances, resv_id) = self.compute_api.create(context,
                             inst_type,

diff --git a/nova/api/openstack/compute/servers.py b/nova/api/openstack/compute/servers.py
@@ -920,7 +920,8 @@ def create(self, req, body):
 
         try:
             _get_inst_type = flavors.get_flavor_by_flavor_id
-            inst_type = _get_inst_type(flavor_id, read_deleted="no")
+            inst_type = _get_inst_type(flavor_id, ctxt=context,
+                                       read_deleted="no")
 
             (instances, resv_id) = self.compute_api.create(context,
                             inst_type,

diff --git a/nova/tests/api/openstack/compute/plugins/v3/test_servers.py b/nova/tests/api/openstack/compute/plugins/v3/test_servers.py
@@ -1800,15 +1800,33 @@ def _check_admin_pass_missing(self, server_dict):
         """utility function - check server_dict for absence of admin_pass."""
         self.assertTrue("admin_pass" not in server_dict)
 
-    def _test_create_instance(self):
+    def _test_create_instance(self, flavor=2):
         image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
         self.body['server']['image_ref'] = image_uuid
-        self.body['server']['flavor_ref'] = 2
+        self.body['server']['flavor_ref'] = flavor
         self.req.body = jsonutils.dumps(self.body)
         server = self.controller.create(self.req, self.body).obj['server']
         self._check_admin_pass_len(server)
         self.assertEqual(FAKE_UUID, server['id'])
 
+    def test_create_instance_private_flavor(self):
+        values = {
+            'name': 'fake_name',
+            'memory_mb': 512,
+            'vcpus': 1,
+            'root_gb': 10,
+            'ephemeral_gb': 10,
+            'flavorid': '1324',
+            'swap': 0,
+            'rxtx_factor': 0.5,
+            'vcpu_weight': 1,
+            'disabled': False,
+            'is_public': False,
+        }
+        db.flavor_create(context.get_admin_context(), values)
+        self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
+                          flavor=1324)
+
     def test_create_server_bad_image_href(self):
         image_href = 1
         self.body['server']['min_count'] = 1

diff --git a/nova/tests/api/openstack/compute/test_servers.py b/nova/tests/api/openstack/compute/test_servers.py
@@ -1735,15 +1735,33 @@ def _check_admin_pass_missing(self, server_dict):
         """utility function - check server_dict for absence of adminPass."""
         self.assertTrue("adminPass" not in server_dict)
 
-    def _test_create_instance(self):
+    def _test_create_instance(self, flavor=2):
         image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
         self.body['server']['imageRef'] = image_uuid
-        self.body['server']['flavorRef'] = 2
+        self.body['server']['flavorRef'] = flavor
         self.req.body = jsonutils.dumps(self.body)
         server = self.controller.create(self.req, self.body).obj['server']
         self._check_admin_pass_len(server)
         self.assertEqual(FAKE_UUID, server['id'])
 
+    def test_create_instance_private_flavor(self):
+        values = {
+            'name': 'fake_name',
+            'memory_mb': 512,
+            'vcpus': 1,
+            'root_gb': 10,
+            'ephemeral_gb': 10,
+            'flavorid': '1324',
+            'swap': 0,
+            'rxtx_factor': 0.5,
+            'vcpu_weight': 1,
+            'disabled': False,
+            'is_public': False,
+        }
+        db.flavor_create(context.get_admin_context(), values)
+        self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
+                          flavor=1324)
+
     def test_create_server_bad_image_href(self):
         image_href = 1
         self.body['server']['imageRef'] = image_href,