validate collection type

ManageIQ · Apr 5, 2017 · 619e277 · 619e277
1 parent ec696a2
commit 619e277
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 19 deletions.
diff --git a/app/controllers/api/vms_controller.rb b/app/controllers/api/vms_controller.rb
@@ -8,7 +8,8 @@ class VmsController < BaseController
     include Subcollections::Software
     include Subcollections::Snapshots
 
-    VALID_EDIT_ATTRS = %w(custom_1 description children parent).freeze
+    VALID_EDIT_ATTRS = %w(description child_resources parent_resource).freeze
+    RELATIONSHIP_COLLECTIONS = [:vms, :templates].freeze
 
     def start_resource(type, id = nil, _data = nil)
       raise BadRequestError, "Must specify an id for starting a #{type} resource" unless id
@@ -230,7 +231,7 @@ def request_console_resource(type, id = nil, data = nil)
       #   protocol = data["protocol"] || "mks"
       # However, there are different entitlements for the different protocol as per miq_product_feature,
       # so we may go for different action, i.e. request_console_vnc
-      #protocol = "mks"
+      # protocol = "mks"
       protocol = data["protocol"] || "vnc"
 
       api_action(type, id) do |klass|
@@ -246,27 +247,33 @@ def request_console_resource(type, id = nil, data = nil)
     private
 
     def validate_edit_data(data)
-      invalid_keys = data.keys - VALID_EDIT_ATTRS
+      invalid_keys = data.keys - VALID_EDIT_ATTRS - valid_custom_attrs
       raise BadRequestError, "Cannot edit values #{invalid_keys.join(', ')}" if invalid_keys.present?
-      data.dup.except('parent', 'children')
+      data.except('parent_resource', 'child_resources')
     end
 
     def build_parent_children(data)
-      children = if data.key?('children')
-                   data['children'].collect do |child|
-                     child_collection, child_id = parse_href(child['href'])
-                     resource_search(child_id, child_collection, collection_class(child_collection))
+      children = if data.key?('child_resources')
+                   data['child_resources'].collect do |child|
+                     fetch_relationship(child['href'])
                    end
-                 else
-                   []
                  end
 
-      parent = if data.key?('parent')
-                 parent_collection, parent_id = parse_href(data.fetch('parent', 'href'))
-                 resource_search(parent_id, parent_collection, collection_class(parent_collection))
+      parent = if data.key?('parent_resource')
+                 fetch_relationship(data['parent_resource']['href'])
                end
 
-      [parent, children]
+      [parent, Array(children)]
+    end
+
+    def fetch_relationship(href)
+      collection, id = parse_href(href)
+      raise "Invalid relationship type #{collection}" unless RELATIONSHIP_COLLECTIONS.include?(collection)
+      resource_search(id, collection, collection_class(collection))
+    end
+
+    def valid_custom_attrs
+      Vm.virtual_attribute_names.select { |name| name =~ /custom_\d/ }
     end
 
     def vm_ident(vm)

diff --git a/spec/requests/api/vms_spec.rb b/spec/requests/api/vms_spec.rb
@@ -50,11 +50,12 @@ def update_raw_power_state(state, *vms)
         { 'href' => vms_url(vm.id) }
       end
 
-      run_post(vms_url(vm.id), :action      => 'edit',
-                               :description => 'bar',
-                               :children    => children,
-                               :custom_1    => 'foobar',
-                               :parent      => vms_url(vm_openstack2.id))
+      run_post(vms_url(vm.id), :action          => 'edit',
+                               :description     => 'bar',
+                               :child_resources => children,
+                               :custom_1        => 'foobar',
+                               :custom_9        => 'fizzbuzz',
+                               :parent_resource => { :href => vms_url(vm_openstack2.id) })
 
       expected = {
         'description' => 'bar'
@@ -64,6 +65,7 @@ def update_raw_power_state(state, *vms)
       expect(vm.reload.children).to match_array(new_vms)
       expect(vm.parent).to eq(vm_openstack2)
       expect(vm.custom_1).to eq('foobar')
+      expect(vm.custom_9).to eq('fizzbuzz')
     end
 
     it 'only allows edit of custom_1, description, parent, and children' do
@@ -95,6 +97,21 @@ def update_raw_power_state(state, *vms)
       expect(response).to have_http_status(:ok)
       expect(response.parsed_body).to include(expected)
     end
+
+    it 'requires a valid child/parent relationship ' do
+      api_basic_authorize collection_action_identifier(:vms, :edit)
+
+      run_post(vms_url(vm.id), :action => 'edit', :parent_resource => { :href => users_url(10) })
+
+      expected = {
+        'error' => a_hash_including(
+          'kind'    => 'bad_request',
+          'message' => 'Cannot edit VM - Invalid relationship type users'
+        )
+      }
+      expect(response).to have_http_status(:bad_request)
+      expect(response.parsed_body).to include(expected)
+    end
   end
 
   context "Vm accounts subcollection" do