mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-04 00:02:37 +01:00
debfb455ea
* Added configuration and Integration test to restrict public template access. * Move settings to domain. * Updated integration test. * Changed Config key's name and description. * Justified the variable names and removed white spaces. * Added configuration and Integration test to restrict public template access. * Move settings to domain. * Changed Config key's name and description. * Justified the variable names and removed white spaces. * Moved configuration to domain scope. * Added integration test to travis. * Updated the configuration's name and description. * Extracted public template check to a separate method. * Fixed rebase issue. * Apply tear down changes. * Update .travis.yml to remove the component test The test needs to be updated to use the new configuration name Co-authored-by: Wei Zhou <weizhou@apache.org>
627 lines
27 KiB
Python
627 lines
27 KiB
Python
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# Import Local Modules
|
|
from nose.plugins.attrib import attr
|
|
from marvin.cloudstackTestCase import cloudstackTestCase, unittest
|
|
from marvin.cloudstackAPI import (listZones,
|
|
deleteTemplate,
|
|
listConfigurations,
|
|
updateConfiguration)
|
|
from marvin.lib.utils import (cleanup_resources)
|
|
from marvin.lib.base import (Account,
|
|
Domain,
|
|
Network,
|
|
NetworkOffering,
|
|
Template,
|
|
ServiceOffering,
|
|
VirtualMachine,
|
|
Snapshot,
|
|
Volume)
|
|
from marvin.lib.common import (get_domain,
|
|
get_zone,
|
|
get_template,
|
|
get_builtin_template_info)
|
|
# Import System modules
|
|
import time
|
|
import logging
|
|
|
|
class TestTemplateAccessAcrossDomains(cloudstackTestCase):
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
cls.testClient = super(TestTemplateAccessAcrossDomains, cls).getClsTestClient()
|
|
cls.apiclient = cls.testClient.getApiClient()
|
|
|
|
cls.services = cls.testClient.getParsedTestDataConfig()
|
|
# Get Zone, Domain and templates
|
|
cls.domain = get_domain(cls.apiclient)
|
|
cls.zone = get_zone(cls.apiclient, cls.testClient.getZoneForTests())
|
|
cls.services['mode'] = cls.zone.networktype
|
|
cls.logger = logging.getLogger("TestRouterResources")
|
|
cls._cleanup = []
|
|
cls.unsupportedHypervisor = False
|
|
cls.hypervisor = cls.testClient.getHypervisorInfo()
|
|
if cls.hypervisor.lower() in ['lxc']:
|
|
cls.unsupportedHypervisor = True
|
|
return
|
|
cls.services["virtual_machine"]["zoneid"] = cls.zone.id
|
|
|
|
# Create new domain1
|
|
cls.domain1 = Domain.create(
|
|
cls.apiclient,
|
|
services=cls.services["acl"]["domain1"],
|
|
parentdomainid=cls.domain.id)
|
|
cls._cleanup.append(cls.domain1)
|
|
|
|
# Create account1
|
|
cls.account1 = Account.create(
|
|
cls.apiclient,
|
|
cls.services["acl"]["accountD1"],
|
|
domainid=cls.domain1.id
|
|
)
|
|
cls._cleanup.append(cls.account1)
|
|
|
|
# Create new sub-domain
|
|
cls.sub_domain = Domain.create(
|
|
cls.apiclient,
|
|
services=cls.services["acl"]["domain11"],
|
|
parentdomainid=cls.domain1.id)
|
|
cls._cleanup.append(cls.sub_domain)
|
|
|
|
# Create account for sub-domain
|
|
cls.sub_account = Account.create(
|
|
cls.apiclient,
|
|
cls.services["acl"]["accountD11"],
|
|
domainid=cls.sub_domain.id
|
|
)
|
|
cls._cleanup.append(cls.sub_account)
|
|
|
|
# Create new domain2
|
|
cls.domain2 = Domain.create(
|
|
cls.apiclient,
|
|
services=cls.services["acl"]["domain2"],
|
|
parentdomainid=cls.domain.id)
|
|
cls._cleanup.append(cls.domain2)
|
|
|
|
# Create account2
|
|
cls.account2 = Account.create(
|
|
cls.apiclient,
|
|
cls.services["acl"]["accountD2"],
|
|
domainid=cls.domain2.id
|
|
)
|
|
cls._cleanup.append(cls.account2)
|
|
|
|
cls.service_offering = ServiceOffering.create(
|
|
cls.apiclient,
|
|
cls.services["service_offering"]
|
|
)
|
|
cls._cleanup.append(cls.service_offering)
|
|
if cls.hypervisor.lower() in ['kvm']:
|
|
# register template under ROOT domain
|
|
cls.root_template = Template.register(cls.apiclient,
|
|
cls.services["test_templates"]["kvm"],
|
|
zoneid=cls.zone.id,
|
|
domainid=cls.domain.id,
|
|
hypervisor=cls.hypervisor.lower())
|
|
cls.root_template.download(cls.apiclient)
|
|
cls._cleanup.append(cls.root_template)
|
|
cls.services["test_templates"]["kvm"]["name"] = cls.account1.name
|
|
cls.template1 = Template.register(cls.apiclient,
|
|
cls.services["test_templates"]["kvm"],
|
|
zoneid=cls.zone.id,
|
|
account=cls.account1.name,
|
|
domainid=cls.domain1.id,
|
|
hypervisor=cls.hypervisor.lower())
|
|
cls.template1.download(cls.apiclient)
|
|
cls._cleanup.append(cls.template1)
|
|
cls.services["test_templates"]["kvm"]["name"] = cls.sub_account.name
|
|
cls.sub_template = Template.register(cls.apiclient,
|
|
cls.services["test_templates"]["kvm"],
|
|
zoneid=cls.zone.id,
|
|
account=cls.sub_account.name,
|
|
domainid=cls.sub_domain.id,
|
|
hypervisor=cls.hypervisor.lower())
|
|
cls.sub_template.download(cls.apiclient)
|
|
cls._cleanup.append(cls.sub_template)
|
|
cls.template2 = Template.register(cls.apiclient,
|
|
cls.services["test_templates"]["kvm"],
|
|
zoneid=cls.zone.id,
|
|
account=cls.account2.name,
|
|
domainid=cls.domain2.id,
|
|
hypervisor=cls.hypervisor.lower())
|
|
cls.template2.download(cls.apiclient)
|
|
cls._cleanup.append(cls.template2)
|
|
else:
|
|
return
|
|
|
|
@classmethod
|
|
def tearDownClass(cls):
|
|
super(TestTemplateAccessAcrossDomains, cls).tearDownClass()
|
|
|
|
def setUp(self):
|
|
self.apiclient = self.testClient.getApiClient()
|
|
self.domain1_config = self.get_restrict_template_configuration(self.domain1.id)
|
|
self.domain2_config = self.get_restrict_template_configuration(self.domain2.id)
|
|
self.sub_domain_config = self.get_restrict_template_configuration(self.sub_domain.id)
|
|
self.cleanup = []
|
|
return
|
|
|
|
def tearDown(self):
|
|
try:
|
|
self.update_restrict_template_configuration(self.domain1.id, self.domain1_config)
|
|
self.update_restrict_template_configuration(self.domain2.id, self.domain2_config)
|
|
self.update_restrict_template_configuration(self.sub_domain.id, self.sub_domain_config)
|
|
super(TestTemplateAccessAcrossDomains, self).tearDown()
|
|
except Exception as e:
|
|
raise Exception("Warning: Exception during cleanup : %s" % e)
|
|
return
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_01_check_cross_domain_template_access(self):
|
|
"""
|
|
Verify that templates belonging to one domain should not be accessible
|
|
by other domains except for parent and ROOT domains
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to true
|
|
2. Make sure template of domain2 should not be accessible by domain1
|
|
3. Make sure template of domain1 should not be accessible by domain2
|
|
4. Make sure parent and ROOT domain can still access above templates
|
|
:return:
|
|
"""
|
|
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "true")
|
|
self.update_restrict_template_configuration(self.domain2.id, "true")
|
|
self.validate_uploaded_template(self.apiclient, self.template1.id)
|
|
|
|
# Step 2
|
|
self.validate_template_ownership(self.template2, self.domain1, self.domain2, False)
|
|
|
|
self.validate_uploaded_template(self.apiclient, self.template2.id)
|
|
|
|
# Step 3
|
|
self.validate_template_ownership(self.template1, self.domain2, self.domain1, False)
|
|
|
|
# Make sure root domain can still access all subdomain templates
|
|
# Step 4
|
|
self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
|
|
self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
|
|
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_02_create_template(self):
|
|
"""
|
|
Verify that templates belonging to one domain can be accessible
|
|
by other domains by default
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to false (default behavior)
|
|
2. Make sure template of domain2 can be accessible by domain1
|
|
3. Make sure template of domain1 can be accessible by domain2
|
|
4. Make sure parent and ROOT domain can still access above templates
|
|
5. Deploy virtual machine in domain1 using template from domain2
|
|
6. Make sure that virtual machine can be deployed and is in running state
|
|
:return:
|
|
"""
|
|
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "false")
|
|
self.update_restrict_template_configuration(self.domain2.id, "false")
|
|
|
|
# Step 2
|
|
self.validate_template_ownership(self.template2, self.domain1, self.domain2, True)
|
|
|
|
# Step 3
|
|
self.validate_template_ownership(self.template1, self.domain2, self.domain1, True)
|
|
|
|
# Step 4
|
|
# Make sure root domain can still access all subdomain templates
|
|
self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
|
|
self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
|
|
|
|
# Step 5
|
|
# Deploy new virtual machine using template
|
|
self.virtual_machine = VirtualMachine.create(
|
|
self.apiclient,
|
|
self.services["virtual_machine"],
|
|
templateid=self.template2.id,
|
|
accountid=self.account1.name,
|
|
domainid=self.account1.domainid,
|
|
serviceofferingid=self.service_offering.id,
|
|
)
|
|
self.cleanup.append(self.virtual_machine)
|
|
self.debug("creating an instance with template ID: %s" % self.template2.id)
|
|
vm_response = VirtualMachine.list(self.apiclient,
|
|
id=self.virtual_machine.id,
|
|
account=self.account1.name,
|
|
domainid=self.account1.domainid)
|
|
self.assertEqual(
|
|
isinstance(vm_response, list),
|
|
True,
|
|
"Check for list VMs response after VM deployment"
|
|
)
|
|
# Verify VM response to check whether VM deployment was successful
|
|
self.assertNotEqual(
|
|
len(vm_response),
|
|
0,
|
|
"Check VMs available in List VMs response"
|
|
)
|
|
|
|
# Step 6
|
|
vm = vm_response[0]
|
|
self.assertEqual(
|
|
vm.state,
|
|
'Running',
|
|
"Check the state of VM created from Template"
|
|
)
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_03_check_subdomain_template_access(self):
|
|
"""
|
|
Verify that templates belonging to parent domain can be accessible
|
|
by sub domains
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to true
|
|
2. Make sure template of ROOT domain can be accessible by domain1
|
|
3. Make sure template of ROOT domain can be accessible by domain2
|
|
"""
|
|
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "true")
|
|
self.update_restrict_template_configuration(self.domain2.id, "true")
|
|
# Make sure child domains can still access parent domain templates
|
|
self.validate_uploaded_template(self.apiclient, self.root_template.id)
|
|
|
|
# Step 2
|
|
self.validate_template_ownership(self.root_template, self.domain1, self.domain, True)
|
|
|
|
# Step 3
|
|
self.validate_template_ownership(self.root_template, self.domain2, self.domain, True)
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_04_check_non_public_template_access(self):
|
|
"""
|
|
Verify that non public templates belonging to one domain
|
|
should not be accessible by other domains by default
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to true
|
|
2. Change the permission level of "ispublic" of template to false
|
|
3. Make sure other domains should not be able to access the template
|
|
4. Make sure that ONLY ROOT domain can access the non public template
|
|
5. Set global setting restrict.public.access.to.templates to false
|
|
6. Repeat the steps 3 and 4
|
|
"""
|
|
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "true")
|
|
self.update_restrict_template_configuration(self.domain2.id, "true")
|
|
|
|
# Step 2
|
|
self.template2.updatePermissions(self.apiclient,
|
|
ispublic="False")
|
|
|
|
list_template_response = self.list_templates('all', self.domain2)
|
|
self.assertEqual(
|
|
isinstance(list_template_response, list),
|
|
True,
|
|
"Check list response returns a valid list"
|
|
)
|
|
for template_response in list_template_response:
|
|
if template_response.id == self.template2.id:
|
|
break
|
|
|
|
self.assertIsNotNone(
|
|
template_response,
|
|
"Check template %s failed" % self.template2.id
|
|
)
|
|
self.assertEqual(
|
|
template_response.ispublic,
|
|
int(False),
|
|
"Check ispublic permission of template"
|
|
)
|
|
|
|
# Step 3
|
|
# Other domains should not access non public template
|
|
self.validate_template_ownership(self.template2, self.domain1, self.domain2, False)
|
|
|
|
# Step 4
|
|
# Only ROOT domain can access non public templates of child domain
|
|
self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
|
|
|
|
# Step 5
|
|
self.update_restrict_template_configuration(self.domain1.id, "false")
|
|
self.update_restrict_template_configuration(self.domain2.id, "false")
|
|
|
|
# Step 6
|
|
self.validate_template_ownership(self.template2, self.domain1, self.domain2, False)
|
|
self.validate_template_ownership(self.template2, self.domain, self.domain2, True)
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_05_check_non_public_template_subdomain_access(self):
|
|
"""
|
|
Verify that non public templates belonging to ROOT domain
|
|
should not be accessible by sub domains by default
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to true
|
|
2. Change the permission level of "ispublic" of template to false
|
|
3. Make sure other domains should not be able to access the template
|
|
4. Make sure that ONLY ROOT domain can access the non public template
|
|
5. Set global setting restrict.public.access.to.templates to false
|
|
6. Repeat the steps 3 and 4
|
|
"""
|
|
self.update_restrict_template_configuration(self.domain1.id, "true")
|
|
self.update_restrict_template_configuration(self.domain2.id, "true")
|
|
self.root_template.updatePermissions(self.apiclient,
|
|
ispublic="False")
|
|
|
|
list_template_response = self.list_templates('all', self.domain)
|
|
self.assertEqual(
|
|
isinstance(list_template_response, list),
|
|
True,
|
|
"Check list response returns a valid list"
|
|
)
|
|
for template_response in list_template_response:
|
|
if template_response.id == self.root_template.id:
|
|
break
|
|
|
|
self.assertIsNotNone(
|
|
template_response,
|
|
"Check template %s failed" % self.root_template.id
|
|
)
|
|
self.assertEqual(
|
|
template_response.ispublic,
|
|
int(False),
|
|
"Check ispublic permission of template"
|
|
)
|
|
|
|
# Other domains should not access non public template
|
|
self.validate_template_ownership(self.root_template, self.domain1, self.domain, False)
|
|
# Only ROOT domain can access non public templates of child domain
|
|
self.validate_template_ownership(self.root_template, self.domain2, self.domain, False)
|
|
|
|
self.update_restrict_template_configuration(self.domain1.id, "false")
|
|
self.update_restrict_template_configuration(self.domain2.id, "false")
|
|
self.validate_template_ownership(self.root_template, self.domain1, self.domain2, False)
|
|
self.validate_template_ownership(self.root_template, self.domain2, self.domain2, False)
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_06_check_sub_public_template_sub_domain_access(self):
|
|
"""
|
|
Verify that non root admin sub-domains can access parents templates
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to true
|
|
2. Make sure that sub-domain account can access root templates
|
|
3. Make sure that sub-domain account can access parent templates
|
|
4. Make sure that ROOT domain can access the sub-domain template
|
|
5. Make sure that sibling domain cannot access templates of sub-domain
|
|
"""
|
|
|
|
self.root_template.updatePermissions(self.apiclient,
|
|
ispublic="True")
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "true")
|
|
self.update_restrict_template_configuration(self.domain2.id, "true")
|
|
# Make sure child domains can still access parent domain templates
|
|
self.validate_uploaded_template(self.apiclient, self.sub_template.id)
|
|
|
|
# Step 2
|
|
self.validate_template_ownership(self.root_template, self.sub_domain, self.domain, True)
|
|
|
|
# Step 3
|
|
self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, True)
|
|
|
|
# Step 4
|
|
self.validate_template_ownership(self.sub_template, self.domain, self.sub_domain, True)
|
|
|
|
# Step 5
|
|
self.validate_template_ownership(self.sub_template, self.domain2, self.sub_domain, False)
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_07_check_default_public_template_sub_domain_access(self):
|
|
"""
|
|
Verify that non root admin sub-domains can access parents templates by default
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to false
|
|
2. Make sure that sub-domain account can access root templates
|
|
3. Make sure that sub-domain account can access parent templates
|
|
4. Make sure that ROOT domain can access the sub-domain template
|
|
5. Make sure that sibling domain cannot access templates of sub-domain
|
|
"""
|
|
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "false")
|
|
self.update_restrict_template_configuration(self.domain2.id, "false")
|
|
# Make sure child domains can still access parent domain templates
|
|
self.validate_uploaded_template(self.apiclient, self.sub_template.id)
|
|
|
|
# Step 2
|
|
self.validate_template_ownership(self.root_template, self.sub_domain, self.domain, True)
|
|
|
|
# Step 3
|
|
self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, True)
|
|
|
|
# Step 4
|
|
self.validate_template_ownership(self.sub_template, self.domain, self.sub_domain, True)
|
|
|
|
# Step 5
|
|
self.validate_template_ownership(self.sub_template, self.domain2, self.sub_domain, True)
|
|
|
|
@attr(tags=["advanced", "basic", "sg"], required_hardware="false")
|
|
def test_08_check_non_public_template_sub_domain_access(self):
|
|
"""
|
|
Verify that non public templates belonging to one domain
|
|
should not be accessible by other domains by default except ROOT domain
|
|
|
|
Steps:
|
|
1. Set global setting restrict.public.access.to.templates to true
|
|
2. Change the permission level of "ispublic" of template1 to false
|
|
3. Make sure other domains should not be able to access the template
|
|
4. Make sure that ONLY ROOT domain can access the non public template
|
|
5. Set global setting restrict.public.access.to.templates to false
|
|
6. Repeat the steps 3 and 4
|
|
"""
|
|
|
|
# Step 1
|
|
self.update_restrict_template_configuration(self.domain1.id, "true")
|
|
self.update_restrict_template_configuration(self.domain2.id, "true")
|
|
|
|
# Step 2
|
|
self.template1.updatePermissions(self.apiclient,
|
|
ispublic="False")
|
|
|
|
list_template_response = self.list_templates('all', self.domain1)
|
|
for template_response in list_template_response:
|
|
if template_response.id == self.template1.id:
|
|
break
|
|
|
|
self.assertEqual(
|
|
isinstance(list_template_response, list),
|
|
True,
|
|
"Check list response returns a valid list"
|
|
)
|
|
self.assertIsNotNone(
|
|
template_response,
|
|
"Check template %s failed" % self.template1.id
|
|
)
|
|
self.assertEqual(
|
|
template_response.ispublic,
|
|
int(False),
|
|
"Check ispublic permission of template"
|
|
)
|
|
|
|
# Step 3
|
|
# Other domains should not access non public template
|
|
self.validate_template_ownership(self.template1, self.domain2, self.domain1, False)
|
|
|
|
# Even child domain should not access non public template
|
|
self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, False)
|
|
|
|
# Step 4
|
|
# Only ROOT domain can access non public templates of child domain
|
|
self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
|
|
|
|
# Step 5
|
|
self.update_restrict_template_configuration(self.domain1.id, "false")
|
|
self.update_restrict_template_configuration(self.domain2.id, "false")
|
|
|
|
# Step 6
|
|
self.validate_template_ownership(self.template1, self.domain2, self.domain1, False)
|
|
self.validate_template_ownership(self.template1, self.sub_domain, self.domain1, False)
|
|
self.validate_template_ownership(self.template1, self.domain, self.domain1, True)
|
|
|
|
def validate_uploaded_template(self, apiclient, template_id, retries=70, interval=5):
|
|
"""Check if template download will finish in 1 minute"""
|
|
while retries > -1:
|
|
time.sleep(interval)
|
|
template_response = Template.list(
|
|
apiclient,
|
|
id=template_id,
|
|
zoneid=self.zone.id,
|
|
templatefilter='self'
|
|
)
|
|
|
|
if isinstance(template_response, list):
|
|
template = template_response[0]
|
|
if not hasattr(template, 'status') or not template or not template.status:
|
|
retries = retries - 1
|
|
continue
|
|
if 'Failed' in template.status:
|
|
raise Exception(
|
|
"Failed to download template: status - %s" %
|
|
template.status)
|
|
|
|
elif template.status == 'Download Complete' and template.isready:
|
|
return
|
|
|
|
elif 'Downloaded' in template.status:
|
|
retries = retries - 1
|
|
continue
|
|
|
|
elif 'Installing' not in template.status:
|
|
if retries >= 0:
|
|
retries = retries - 1
|
|
continue
|
|
raise Exception(
|
|
"Error in downloading template: status - %s" %
|
|
template.status)
|
|
|
|
else:
|
|
retries = retries - 1
|
|
raise Exception("Template download failed exception.")
|
|
|
|
def list_templates(self, templatefilter, domain):
|
|
return Template.list(
|
|
self.apiclient,
|
|
templatefilter=templatefilter,
|
|
zoneid=self.zone.id,
|
|
domainid=domain.id)
|
|
|
|
def validate_template_ownership(self, template, owner, nonowner, include_cross_domain_template):
|
|
"""List the template belonging to domain which created it
|
|
Make sure that other domain can't access it.
|
|
"""
|
|
list_template_response = self.list_templates('all', owner)
|
|
if list_template_response is not None:
|
|
"""If global setting is false then public templates of any domain should
|
|
be accessible by any other domain
|
|
"""
|
|
if include_cross_domain_template:
|
|
for temp in list_template_response:
|
|
if template.name == temp.name:
|
|
return
|
|
|
|
raise Exception("Template %s belonging to domain %s should "
|
|
"be accessible by domain %s"
|
|
% (template.name, nonowner.name, owner.name))
|
|
else:
|
|
"""If global setting is true then public templates of any domain should not
|
|
be accessible by any other domain except for root domain
|
|
"""
|
|
for temp in list_template_response:
|
|
if template.name == temp.name:
|
|
raise Exception("Template %s belonging to domain %s should "
|
|
"not be accessible by domain %s"
|
|
% (template.name, nonowner.name, owner.name))
|
|
|
|
def get_restrict_template_configuration(self, domain_id):
|
|
"""
|
|
Function to get the global setting "restrict.public.access.to.templates" for domain
|
|
"""
|
|
list_configurations_cmd = listConfigurations.listConfigurationsCmd()
|
|
list_configurations_cmd.name = "restrict.public.template.access.to.domain"
|
|
list_configurations_cmd.scopename = "domain"
|
|
list_configurations_cmd.scopeid = domain_id
|
|
response = self.apiclient.listConfigurations(list_configurations_cmd)
|
|
return response[0].value
|
|
|
|
def update_restrict_template_configuration(self, domain_id, value):
|
|
"""
|
|
Function to update the global setting "restrict.public.access.to.templates" for domain
|
|
"""
|
|
update_configuration_cmd = updateConfiguration.updateConfigurationCmd()
|
|
update_configuration_cmd.name = "restrict.public.template.access.to.domain"
|
|
update_configuration_cmd.value = value
|
|
update_configuration_cmd.scopename = "domain"
|
|
update_configuration_cmd.scopeid = domain_id
|
|
return self.apiclient.updateConfiguration(update_configuration_cmd)
|