Juan Hernandez has uploaded a new change for review.
Change subject: cli: Check returned object identity
......................................................................
cli: Check returned object identity
Currently when the CLI retrieves an object from the server by alias,
name or id it trusts that the returned object is what was requested,
but this isn't always true. For example, when the "--filter" option is
used the CLI will send the "Filter: true" header, and when doing this
the server will ignore the "search" parameter and return instead all the
objects that the user has permission for. This can have a very negative
and serious impact when removing objects, as the result is that the
wrong object is removed:

* The user types the command to remove an object:

  # ovirt-shell --filter
  [oVirt shell (connected)]# remove vm myjunkvm

* The CLI sends a request to the server to retrieve the object:

  GET /ovirt-engine/api/vms?search=name%3Dmyjunkvm
  Filter: true

* The server ignores the "search" parameter and instead it returns the
  objects that the user has permissions for:

  <vms>
    <vm id="bdd951b7-999b-4a5b-a6c3-048e8acbeda0">
      <name>mypreciousvm</name>
      ...
  </vms>

* The server uses the returned "id" to perform the delete operation:

  DELETE /ovirt-engine/api/vms/bdd951b7-999b-4a5b-a6c3-048e8acbeda0

The result is that "mypreciousvm" is removed instead of "myjunkvm".

To avoid this issue this patch adds a check right after retrieving the
object. If the identifier of the retrieved object (name, alias or id)
doesn't match the requested one then the CLI will discard it.
Change-Id: Ib3cd770f6e84f814a54b8510954797230d4cf797
Signed-off-by: Juan Hernandez <[email protected]>
---
M src/ovirtcli/command/command.py
1 file changed, 36 insertions(+), 6 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine-cli refs/changes/73/34373/1
diff --git a/src/ovirtcli/command/command.py b/src/ovirtcli/command/command.py
index 5c972a9..38b9a8a 100644
--- a/src/ovirtcli/command/command.py
+++ b/src/ovirtcli/command/command.py
@@ -377,25 +377,55 @@
if 'alias' in kwargs:
del kwargs['alias']
if kwargs:
- return coll.get(alias=alias, **kwargs)
+ obj = coll.get(alias=alias, **kwargs)
else:
- return coll.get(alias=alias)
+ obj = coll.get(alias=alias)
+ if obj is not None:
+ obj = self.__none_if_wrong_id(
+ obj=obj,
+ expected_id=alias,
+ actual_id=obj.get_alias()
+ )
+ return obj
def __get_by_name(self, coll, name, kwargs):
if 'name' in kwargs:
del kwargs['name']
if kwargs:
- return coll.get(name=name, **kwargs)
+ obj = coll.get(name=name, **kwargs)
else:
- return coll.get(name=name)
+ obj = coll.get(name=name)
+ if obj is not None:
+ obj = self.__none_if_wrong_id(
+ obj=obj,
+ expected_id=name,
+ actual_id=obj.get_name()
+ )
+ return obj
def __get_by_id(self, coll, id, kwargs):
if 'id' in kwargs:
del kwargs['id']
if kwargs:
- return coll.get(id=id, **kwargs)
+ obj = coll.get(id=id, **kwargs)
else:
- return coll.get(id=id)
+ obj = coll.get(id=id)
+ if obj is not None:
+ obj = self.__none_if_wrong_id(
+ obj=obj,
+ expected_id=id,
+ actual_id=obj.get_id()
+ )
+ return obj
+
+ def __none_if_wrong_id(self, obj, expected_id, actual_id):
+ # In some situations the engine may return objects that don't match
+ # the requested identity. For example, when using the "Filter: True"
+ # header the engine will ignore the "search" parameter and will return
+ # the objects that the user has permissions for. Because of this we
+ # need to double check that the returned object has the requested
+ # identity, and replace it with None if it doesn't.
+ return obj if actual_id == expected_id else None
def __produce_identifier(self, candidate):
if type(candidate) == str:
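Review bot: In __none_if_wrong_id a mismatch is silently turned into None, so callers of __get_by_alias, __get_by_name and __get_by_id cannot tell "no such object" from "the server returned a different object". With "Filter: true" the requested object may exist and simply not be the one handed back, yet the user would only see a plain not-found result. Consider logging or raising a distinct error at that point that names both expected_id and actual_id, so the mismatch is visible. The test "actual_id == expected_id" is also an exact match; please confirm that the value typed by the user and the value from get_alias(), get_name() or get_id() always agree in case and string type, otherwise a correct object gets discarded. As a style point, the three "if obj is not None:" blocks differ only in the getter and could be folded into the helper.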
--
To view, visit http://gerrit.ovirt.org/34373
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib3cd770f6e84f814a54b8510954797230d4cf797
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine-cli
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <[email protected]>