fix: default vpc must be shared globally

1. For default vpc, prohibit private operation. 2. For default vpc, prohibit public operation without scope 'system'.
yunionio · Jul 18, 2020 · fa67bd8 · fa67bd8
1 parent 9b1ea9f
commit fa67bd8
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/pkg/compute/models/vpcs.go b/pkg/compute/models/vpcs.go
@@ -1196,6 +1196,9 @@ func (manager *SVpcManager) ListItemExportKeys(ctx context.Context,
 }
 
 func (vpc *SVpc) PerformPublic(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input apis.PerformPublicDomainInput) (jsonutils.JSONObject, error) {
+	if rbacutils.String2ScopeDefault(input.Scope, rbacutils.ScopeSystem) != rbacutils.ScopeSystem {
+		return nil, httperrors.NewForbiddenError("For default vpc, only system level sharing can be set")
+	}
 	_, err := vpc.SEnabledStatusInfrasResourceBase.PerformPublic(ctx, userCred, query, input)
 	if err != nil {
 		return nil, errors.Wrap(err, "SEnabledStatusInfrasResourceBase.PerformPublic")
@@ -1214,6 +1217,9 @@ func (vpc *SVpc) PerformPublic(ctx context.Context, userCred mcclient.TokenCrede
 }
 
 func (vpc *SVpc) PerformPrivate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input apis.PerformPrivateInput) (jsonutils.JSONObject, error) {
+	if vpc.Id == "default" {
+		return nil, httperrors.NewForbiddenError("Prohibit making default vpc private")
+	}
 	// perform private for all emulated wires
 	emptyNets := true
 	wires := vpc.GetWires()