Merge pull request #476 from eclarizio/dialog_ordering_security_issue

Deny standalone service template ordering when product setting is enabled (cherry picked from commit 7343ad7) https://bugzilla.redhat.com/show_bug.cgi?id=1632416
ManageIQ · Oct 22, 2018 · 55732b3 · 55732b3
1 parent 9b4e420
commit 55732b3
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 4 deletions.
diff --git a/app/controllers/api/mixins/service_templates.rb b/app/controllers/api/mixins/service_templates.rb
@@ -3,9 +3,8 @@ module Mixins
     module ServiceTemplates
       def order_service_template(id, data, scheduled_time = nil)
         service_template = resource_search(id, :service_templates, ServiceTemplate)
-        raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless service_template.orderable?
-        init_defaults = !request_from_ui? && Settings.product.run_automate_methods_on_service_api_submit
-        request_result = service_template.order(User.current_user, (data || {}), {:submit_workflow => request_from_ui?, :init_defaults => init_defaults}, scheduled_time)
+        raise BadRequestError, "#{service_template_ident(service_template)} cannot be ordered" unless orderable?
+        request_result = service_template.order(User.current_user, (data || {}), order_request_options, scheduled_time)
         errors = request_result[:errors]
         if errors.present?
           raise BadRequestError, "Failed to order #{service_template_ident(service_template)} - #{errors.join(", ")}"
@@ -15,11 +14,26 @@ def order_service_template(id, data, scheduled_time = nil)
 
       private
 
+      def orderable?
+        api_request_allowed? && service_template.orderable?
+      end
+
+      def api_request_allowed?
+        return true if request_from_ui?
+        Settings.product.allow_api_service_ordering
+      end
+
       def request_from_ui?
         return false if request.headers["x-auth-token"].blank?
         token_info.present?
       end
 
+      def order_request_options
+        init_defaults = !request_from_ui? && Settings.product.run_automate_methods_on_service_api_submit
+
+        {:submit_workflow => request_from_ui?, :init_defaults => init_defaults}
+      end
+
       def token_info
         requester_type = params['requester_type'] || 'api'
         Environment.user_token_service.token_mgr(requester_type).token_get_info(request.headers["x-auth-token"])

diff --git a/spec/requests/service_catalogs_spec.rb b/spec/requests/service_catalogs_spec.rb
@@ -375,6 +375,13 @@ def sc_template_url(id, st_id = nil)
       request_headers["x-auth-token"] = test_token
     end
 
+    before do
+      stub_settings_merge(:product => {:allow_api_service_ordering => true})
+      userid = User.first.userid
+      test_token = Api::UserTokenService.new.generate_token(userid, "api")
+      request_headers["x-auth-token"] = test_token
+    end
+
     def init_st(service_template, resource_action)
       service_template.resource_actions = [resource_action]
       dialog1.dialog_tabs << tab1

diff --git a/spec/requests/service_templates_spec.rb b/spec/requests/service_templates_spec.rb
@@ -466,6 +466,14 @@
 
   describe "Service Templates order" do
     let(:service_template) { FactoryGirl.create(:service_template, :with_provision_resource_action_and_dialog, :orderable) }
+    let(:allow_api_service_ordering) { true }
+
+    before do
+      stub_settings_merge(:product => {:allow_api_service_ordering => allow_api_service_ordering})
+      userid = User.first.userid
+      test_token = Api::UserTokenService.new.generate_token(userid, "api")
+      request_headers["x-auth-token"] = test_token
+    end
 
     it "is forbidden without appropriate role" do
       api_basic_authorize
@@ -492,7 +500,7 @@
 
         expected = {
           "results" => [a_hash_including("href"    => a_string_including(api_service_requests_url),
-                                         "options" => a_hash_including("request_options" => a_hash_including("submit_workflow"=>false)))]
+                                         "options" => a_hash_including("request_options" => a_hash_including("submit_workflow"=>true)))]
         }
         expect(response).to have_http_status(:ok)
         expect(response.parsed_body).to include(expected)
@@ -579,10 +587,13 @@
 
     context "with the product setting not allowing automate to run on submit" do
       let(:template_no_display) { FactoryGirl.create(:service_template, :display => false) }
+      let(:allow_api_service_ordering) { false }
+
       context "if the token info is blank" do
         before do
           request_headers["x-auth_token"] = ""
         end
+
         it "rejects the request" do
           api_basic_authorize action_identifier(:service_templates, :order, :resource_actions, :post)
           post(api_service_template_url(nil, template_no_display), :params => { :action => "order" })