From 7d02541047cd08787255695c4befcf4ab70a6002 Mon Sep 17 00:00:00 2001
From: Wyllys Ingersoll
Date: Tue, 10 Dec 2013 14:20:52 -0500
Subject: secrets.get should verify that the request is for a single secret
Added sanity checking to the requested URI path to make sure it is a properly formed secret UUID value.
Change-Id: Ie6598303e502cd19458e0beef24d7fd032f9f14a
Closes-Bug: #1259654
---
 barbicanclient/secrets.py | 17 ++++++++++++++++-
 barbicanclient/test/test_client.py | 6 ++++--
 barbicanclient/test/test_client_secrets.py | 4 ++++
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/barbicanclient/secrets.py b/barbicanclient/secrets.py
index a1e9b12..f8c0643 100644
--- a/barbicanclient/secrets.py
+++ b/barbicanclient/secrets.py
@@ -13,6 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
+import urlparse
+import re
 from barbicanclient import base
 from barbicanclient.openstack.common.timeutils import parse_isotime
@@ -35,7 +37,10 @@ class Secret(object):
 self.status = secret_dict.get('status')
 self.content_types = secret_dict.get('content_types')
- self.created = parse_isotime(secret_dict.get('created'))
+ if secret_dict.get('created') is not None:
+ self.created = parse_isotime(secret_dict['created'])
+ else:
+ self.created = None
 if secret_dict.get('expiration') is not None:
 self.expiration = parse_isotime(secret_dict['expiration'])
 else:
@@ -123,6 +128,16 @@ class SecretManager(base.BaseEntityManager):
 """
 if not secret_ref:
 raise ValueError('secret_ref is required.')
+ try:
+ url = urlparse.urlparse(secret_ref)
+ parts = url.path.rstrip('/').split('/')
+ reuuid = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-'
+ '[0-9a-f]{4}-[0-9a-f]{12}', re.I)
+ if not reuuid.findall(parts[-1]):
+ raise ValueError('secret uuid format error.')
+ except:
+ raise ValueError('secret incorrectly specified.')
+
 resp = self.api.get(secret_ref)
 return Secret(resp)
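Review bot: The new `created` guard repeats the four-line `expiration` pattern directly below it, and each branch looks the key up twice (`.get('created')` then `['created']`). Reading the value once keeps the two fields from drifting apart: `created = secret_dict.get('created')` followed by `self.created = parse_isotime(created) if created is not None else None`. The commit message does not mention this change, so a one-line comment saying when a secret dict arrives without `created` would help the next reader. `__init__` starts above the hunk and the `expiration` branch continues below it.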
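Review bot: The UUID check in `get` uses `reuuid.findall(parts[-1])`, which accepts any last path segment that merely contains a UUID, so a ref whose final segment has extra characters before or after the UUID still passes; the pattern should be anchored and applied with `match`. The bare `except:` also catches the `ValueError('secret uuid format error.')` raised two lines earlier and replaces it with the generic message, so callers never see the specific one, and it converts `KeyboardInterrupt`/`SystemExit` into `ValueError` as well. Only the path is inspected; if `self.api.get` (not visible here) attaches credentials to whatever URL it is handed, the scheme and host of `secret_ref` would be worth comparing with the configured endpoint too. The regex is recompiled on every call and could live at module level. `get` begins above the hunk.

```python
# module level: compiled once, anchored so the whole segment must be a UUID
_UUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-'
                      r'[0-9a-f]{4}-[0-9a-f]{12}\Z', re.I)

        # … unchanged: docstring and the `if not secret_ref` check …
        try:
            path = urlparse.urlparse(secret_ref).path
        except (AttributeError, TypeError):
            # secret_ref was not a string-like value
            raise ValueError('secret incorrectly specified.')
        if not _UUID_RE.match(path.rstrip('/').split('/')[-1]):
            raise ValueError('secret uuid format error.')

        # … unchanged: self.api.get(secret_ref) and return Secret(resp) …
```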
diff --git a/barbicanclient/test/test_client.py b/barbicanclient/test/test_client.py
index 8905264..623c2cd 100644
--- a/barbicanclient/test/test_client.py
+++ b/barbicanclient/test/test_client.py
@@ -117,7 +117,8 @@ class WhenTestingClientWithSession(unittest.TestCase):
 self.entity = 'dummy-entity'
 base = self.endpoint + self.tenant_id + "/"
 self.entity_base = base + self.entity + "/"
- self.entity_href = self.entity_base + '1234'
+ self.entity_href = self.entity_base + \
+ 'abcd1234-eabc-5678-9abc-abcdef012345'
 self.entity_name = 'name'
 self.entity_dict = {'name': self.entity_name}
@@ -198,7 +199,8 @@ class BaseEntityResource(unittest.TestCase):
 self.entity = entity
 base = self.endpoint + self.tenant_id + "/"
 self.entity_base = base + self.entity + "/"
- self.entity_href = self.entity_base + '1234'
+ self.entity_href = self.entity_base + \
+ 'abcd1234-eabc-5678-9abc-abcdef012345'
 self.api = mock.MagicMock()
 self.api.base_url = base[:-1]
diff --git a/barbicanclient/test/test_client_secrets.py b/barbicanclient/test/test_client_secrets.py
index 2645314..1d2c28c 100644
--- a/barbicanclient/test/test_client_secrets.py
+++ b/barbicanclient/test/test_client_secrets.py
@@ -162,6 +162,10 @@ class WhenTestingSecrets(test_client.BaseEntityResource):
 self.assertEqual(10, params['limit'])
 self.assertEqual(5, params['offset'])
+ def test_should_fail_get_invalid_secret(self):
+ with self.assertRaises(ValueError):
+ self.manager.get('12345')
+
 def test_should_fail_get_no_href(self):
 with self.assertRaises(ValueError):
 self.manager.get(None)
-- cgit v1.2.1
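Review bot: `test_should_fail_get_invalid_secret` only exercises `'12345'`, a value with no UUID in it at all, so it would still pass if the validation accepted malformed refs that merely contain one. A second assertion with a near-miss pins the intended behaviour, for example `self.manager.get(self.entity_base + 'abcd1234-eabc-5678-9abc-abcdef012345-extra')` inside `assertRaises(ValueError)`, and a case for the bare collection URL `self.entity_base` would cover the "single secret" wording in the commit title. As `get` is written in this commit (unanchored `findall`), the near-miss case is expected to fail until the pattern is anchored.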