Validate ui request via auth token instead of auth strategy
eclarizio committed Oct 18, 2018
1 parent e72f675 commit 3045610
Showing 3 changed files with 16 additions and 11 deletions.
18 changes: 7 additions & 11 deletions app/controllers/api/mixins/service_templates.rb
Expand Up @@ -17,16 +17,6 @@ def order_service_template(id, data, scheduled_time = nil)

private

def request_from_ui?
return false if request.headers["x-auth-token"].blank?
token_info.present?
end

def token_info
requester_type = params['requester_type'] || 'api'
Environment.user_token_service.token_mgr(requester_type).token_get_info(request.headers["x-auth-token"])
end

def service_template_ident(st)
"Service Template id:#{st.id} name:'#{st.name}'"
end
Expand All @@ -37,7 +27,13 @@ def api_request_allowed?
end

def request_from_ui?
!request.authorization.try(:downcase).try(:starts_with?, "basic")
return false if request.headers["x-auth-token"].blank?
!token_info.empty?
end

def token_info
requester_type = params['requester_type'] || 'api'
Environment.user_token_service.token_mgr(requester_type).token_get_info(request.headers["x-auth-token"])
end
end
end
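Review bot: `!token_info.empty?` raises NoMethodError when `token_get_info` returns nil for an unknown or expired token, so a failed check becomes a 500 instead of a false; the deleted version used `token_info.present?`, and since ActiveSupport's `blank?` is already used on the line above, `token_info.present?` keeps the nil-safe behaviour. Whether `token_get_info` can return nil is not visible in this hunk and should be confirmed against the token manager. Separately, `requester_type` is read from `params`, so the caller selects which token manager validates the header; a comment such as `# Only attests that the header carries a token known to the requester's token manager, not that the request originated from the UI` would make the contract explicit for the `api_request_allowed?` check this appears to feed.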
3 changes: 3 additions & 0 deletions spec/requests/service_catalogs_spec.rb
Expand Up @@ -377,6 +377,9 @@ def sc_template_url(id, st_id = nil)

before do
stub_settings_merge(:product => double(:allow_api_service_ordering => true))
userid = User.first.userid
test_token = Api::UserTokenService.new.generate_token(userid, "api")
request_headers["x-auth-token"] = test_token
end

def init_st(service_template, resource_action)
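Review bot: The `before` block now attaches a valid api token to every request in this context (the same pattern is added in spec/requests/service_templates_spec.rb), so these examples no longer exercise the path where `x-auth-token` is absent and `request_from_ui?` returns false. An example that removes the header, `request_headers.delete("x-auth-token")`, would keep the non-UI rejection path covered. The enclosing describe block starts outside the hunk, so such an example may already exist elsewhere in the file.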
6 changes: 6 additions & 0 deletions spec/requests/service_templates_spec.rb
Expand Up @@ -471,6 +471,9 @@

before do
stub_settings_merge(:product => product_settings)
userid = User.first.userid
test_token = Api::UserTokenService.new.generate_token(userid, "api")
request_headers["x-auth-token"] = test_token
end

it "is forbidden without appropriate role" do
Expand Down Expand Up @@ -585,10 +588,13 @@

context "with the product setting not allowing automate to run on submit" do
let(:template_no_display) { FactoryGirl.create(:service_template, :display => false) }
let(:allow_api_service_ordering) { false }

context "if the token info is blank" do
before do
request_headers["x-auth_token"] = ""
end

it "rejects the request" do
api_basic_authorize action_identifier(:service_templates, :order, :resource_actions, :post)
post(api_service_template_url(nil, template_no_display), :params => { :action => "order" })
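Review bot: `request_headers["x-auth_token"] = ""` uses an underscore where every other reference in this commit uses `x-auth-token`, so the inner `before` writes a different hash key instead of blanking the token set by the outer `before` in the same file. It likely still passes only because Rack folds both names to the same env key and the later insertion wins, which is incidental; change it to `request_headers["x-auth-token"] = ""`. The `it "rejects the request"` example continues past the hunk.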
