Bug 1632416
Field | Value
---|---
Summary | Prevent Service Ordering directly from REST-API
Product | Red Hat CloudForms Management Engine
Reporter | Tina Fitzgerald <tfitzger>
Component | Appliance
Assignee | eclarizi
Status | CLOSED CURRENTRELEASE
QA Contact | Parthvi Vala <pvala>
Severity | medium
Priority | medium
Version | 5.9.0
CC | abellott, dmetzger, eclarizi, jprause, obarenbo, pvala, simaishi
Target Milestone | GA
Keywords | TestOnly, ZStream
Target Release | 5.10.0
Hardware | Unspecified
OS | Unspecified
Fixed In Version | 5.10.0.23
Doc Type | If docs needed, set a value
Story Points | ---
Clone Of | 
 | 1646435 (view as bug list)
Last Closed | 2019-02-12 16:50:03 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | CFME Core
Bug Blocks | 1646435
Description
Tina Fitzgerald
2018-09-24 18:08:27 UTC
Just to add a bit more info:

How to add the product setting:

1. Go to the Configuration screen.
2. Go to the Advanced tab.
3. Find the section that is labeled ':product:' and is at the outermost level of indentation. If it doesn't exist, create it.
4. One level of indentation in, add ':deny_api_service_ordering: true' without the quotes.

Now, if you order a service through the UI, it should work, but if you try to order directly via the API (via curl or something similar) then it should fail.

New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/5517c4032119f73908ed325a0331a35d849c6896

commit 5517c4032119f73908ed325a0331a35d849c6896
Author: Erik Clarizio <eclarizi>
AuthorDate: Thu Sep 27 14:07:06 2018 -0400
Commit: Erik Clarizio <eclarizi>
CommitDate: Thu Sep 27 14:07:06 2018 -0400

    Add product setting default for allowing API service ordering

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 config/settings.yml | 1 +
 1 file changed, 1 insertion(+)

New commits detected on ManageIQ/manageiq-api/master:
https://github.com/ManageIQ/manageiq-api/commit/b46e4c0780d92216710d7690f90043032706bbfa

commit b46e4c0780d92216710d7690f90043032706bbfa
Author: Erik Clarizio <eclarizio>
AuthorDate: Mon Sep 24 12:50:07 2018 -0400
Commit: Erik Clarizio <eclarizio>
CommitDate: Mon Sep 24 12:50:07 2018 -0400

    Only allow non-UI service ordering when the product setting is enabled

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 13 +-
 spec/requests/service_catalogs_spec.rb          |  4 +
 spec/requests/service_templates_spec.rb         |  6 +
 3 files changed, 22 insertions(+), 1 deletion(-)

https://github.com/ManageIQ/manageiq-api/commit/86d0986d623b9f4b0f7b54ab95e04105c6891c09

commit 86d0986d623b9f4b0f7b54ab95e04105c6891c09
Author: Erik Clarizio <eclarizio>
AuthorDate: Fri Sep 28 13:58:05 2018 -0400
Commit: Erik Clarizio <eclarizio>
CommitDate: Fri Sep 28 13:58:05 2018 -0400

    Validate ui request via auth token instead of auth strategy

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 31 +-
 spec/requests/service_catalogs_spec.rb          |  5 +-
 spec/requests/service_templates_spec.rb         | 11 +-
 3 files changed, 29 insertions(+), 18 deletions(-)

New commit detected on ManageIQ/manageiq/hammer:
https://github.com/ManageIQ/manageiq/commit/b310e6f18f068213165a6b568c91c451720e3600

commit b310e6f18f068213165a6b568c91c451720e3600
Author: Brandon Dunne <brandondunne>
AuthorDate: Fri Oct 19 15:08:17 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Fri Oct 19 15:08:17 2018 -0400

    Merge pull request #18029 from eclarizio/BZ1632416-Addendum

    Add product setting default for allowing API service ordering
    (cherry picked from commit e65f4d354f2f15a07f2417692b6c5ce0f5182916)

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 config/settings.yml | 1 +
 1 file changed, 1 insertion(+)

New commit detected on ManageIQ/manageiq-api/hammer:
https://github.com/ManageIQ/manageiq-api/commit/55732b3d20dece9cf4743fa0cd850af5c0c11e82

commit 55732b3d20dece9cf4743fa0cd850af5c0c11e82
Author: Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 11:49:56 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 11:49:56 2018 -0400

    Merge pull request #476 from eclarizio/dialog_ordering_security_issue

    Deny standalone service template ordering when product setting is enabled
    (cherry picked from commit 7343ad7cad22f24639a23ff3a9d6c5182d64172d)

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 20 +-
 spec/requests/service_catalogs_spec.rb          |  7 +
 spec/requests/service_templates_spec.rb         | 13 +-
 3 files changed, 36 insertions(+), 4 deletions(-)

New commit detected on ManageIQ/manageiq-api/hammer:
https://github.com/ManageIQ/manageiq-api/commit/c96df66b4c40a2bf837f8e93e9d9e08a07a73318

commit c96df66b4c40a2bf837f8e93e9d9e08a07a73318
Author: Brandon Dunne <brandondunne>
AuthorDate: Mon Oct 22 20:37:20 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Mon Oct 22 20:37:20 2018 -0400

    Merge pull request #498 from AparnaKarve/fix_order_service_template

    provide `service_template` to `orderable?` method
    (cherry picked from commit 41b245d34c08e9fe8b6c72f04ea697baeffc0e2c)

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb | 4 +-
 1 file changed, 2 insertions(+), 2 deletions(-)

New commit detected on ManageIQ/manageiq-api/hammer:
https://github.com/ManageIQ/manageiq-api/commit/8475b1b2b099e9905231f7b0e39de84bfa752305

commit 8475b1b2b099e9905231f7b0e39de84bfa752305
Author: Brandon Dunne <brandondunne>
AuthorDate: Wed Oct 31 15:00:05 2018 -0400
Commit: Brandon Dunne <brandondunne>
CommitDate: Wed Oct 31 15:00:05 2018 -0400

    Merge pull request #504 from eclarizio/dialog_ordering_security_issue_addendum

    Ensure ServiceTemplate ordering passes through the submit_workflow flag
    (cherry picked from commit bed1032d1e1fe54926e6717f116ff89cf5b55414)

    https://bugzilla.redhat.com/show_bug.cgi?id=1632416

 app/controllers/api/mixins/service_templates.rb |  3 +-
 spec/requests/service_templates_spec.rb         | 19 +
 2 files changed, 21 insertions(+), 1 deletion(-)

FIXED.
Verified on 5.10.0.24.20181113213923_03b81fd.

Steps taken to verify:

1. Go to `Configuration` and select `Advanced` tab.
2. Under the outermost `:product:`, set `:allow_api_service_ordering:` to `false`.
3. Create a dialog, catalog and catalog item.
4. Send a request to order the service.

Request: POST /api/service_catalogs/:id/service_templates/:id
Query: { "action" : "order" }
Response:
{
  "error": {
    "kind": "bad_request",
    "message": "Service Template id:1 name:'catalog_item_1' cannot be ordered",
    "klass": "Api::BadRequestError"
  }
}
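The verification above can be turned into a repeatable regression check. The Ruby script below is an added example and is not ManageIQ project code: it builds the same POST ... {"action":"order"} request the QA comment sends and classifies the API's JSON answer, so that a later build that silently re-enables direct API ordering is caught. The appliance URL, credentials, catalog and template ids are placeholders supplied via environment variables, basic auth against the REST API is an assumption, and a body with no "error" key is treated as an accepted order (also an assumption). The sample denied response is a constructed copy of the one quoted in the verification comment.

```ruby
require "json"
require "net/http"
require "uri"

# Constructed sample: the denial body from the verification comment on this bug.
SAMPLE_DENIED_RESPONSE = <<~JSON
  {
    "error": {
      "kind": "bad_request",
      "message": "Service Template id:1 name:'catalog_item_1' cannot be ordered",
      "klass": "Api::BadRequestError"
    }
  }
JSON

# Build the ordering request from the verification steps:
#   POST /api/service_catalogs/:id/service_templates/:id   body: {"action":"order"}
# Basic auth is an assumption; the appliance and credentials are placeholders.
def build_order_request(base_url, catalog_id, template_id, user, password)
  uri = URI.join(base_url, "/api/service_catalogs/#{catalog_id}/service_templates/#{template_id}")
  req = Net::HTTP::Post.new(uri)
  req["Content-Type"] = "application/json"
  req["Accept"] = "application/json"
  req.basic_auth(user, password)
  req.body = JSON.generate("action" => "order")
  req
end

# Classify the JSON body the API returned for the order request.
#   :denied  - rejected with the bad_request / "cannot be ordered" error (expected
#              when direct API ordering is disabled by the product setting)
#   :ordered - no "error" key, so the order was accepted (assumption: the setting
#              is not being enforced on this build)
#   :other   - any other error (auth failure, unknown template, unparsable body)
def classify_order_response(body)
  data = JSON.parse(body)
  return :other unless data.is_a?(Hash)

  error = data["error"]
  if error.is_a?(Hash)
    if error["kind"] == "bad_request" && error["message"].to_s.include?("cannot be ordered")
      :denied
    else
      :other
    end
  else
    :ordered
  end
rescue JSON::ParserError
  :other
end

# The single pass/fail answer a regression job wants.
def api_ordering_denied?(body)
  classify_order_response(body) == :denied
end

if __FILE__ == $PROGRAM_NAME
  # Offline dry run against the constructed sample.
  puts "sample response -> #{classify_order_response(SAMPLE_DENIED_RESPONSE)}"

  # Live check only when an appliance URL is given (placeholders, not a real host).
  if ENV["CFME_URL"]
    req = build_order_request(ENV["CFME_URL"],
                              ENV.fetch("CATALOG_ID", "1"),
                              ENV.fetch("TEMPLATE_ID", "1"),
                              ENV.fetch("CFME_USER", "admin"),
                              ENV.fetch("CFME_PASSWORD", ""))
    http = Net::HTTP.new(req.uri.host, req.uri.port)
    http.use_ssl = (req.uri.scheme == "https")
    res = http.request(req)
    puts "live appliance -> #{classify_order_response(res.body)} (HTTP #{res.code})"
  end
end
```

Run it with no environment set to see the sample classified as denied; point CFME_URL at a lab appliance with the product setting applied and the script should report `:denied` as well, while `:ordered` means the restriction is not in effect on that build.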