fix(urls): terminate url regex with $ so that there is no cascading attempts at URLs (#1103)

helgi · web-flow · commit 9f6cb94de0bf · 2016-10-04T14:38:52.000-07:00
When using -a=foo for an app (see deis/workflow-cli#22) the app name will be sent as =foo but since =foo does not match the URL app name regex it will simply keep trying to match to the next URL in the hierarchy that can take POST which happens to match to app create URL Anchoring all URLs to match to the end via $ prevents those cascading behaviours
diff --git a/rootfs/api/tests/test_app.py b/rootfs/api/tests/test_app.py
@@ -663,6 +663,33 @@ def test_gather_app_settings(self, mock_requests):
         assert isinstance(s['deploy_timeout'], int)
         assert isinstance(s['pod_termination_grace_period_seconds'], int)
 
+    def test_app_name_bad_regex(self, mock_requests):
+        """
+        Create a normal app and then try to do a build on it but include
+        extra chars (equal for example) in the name and make sure no new
+        apps are created and that the operation errors out
+        """
+        # create app
+        app_id = self.create_app()
+
+        # verify that there is only 1 app and it is the one expected
+        response = self.client.get("/v2/apps")
+        self.assertEqual(response.status_code, 200, response)
+        self.assertEqual(response.data['count'], 1, response.data)
+        self.assertEqual(response.data['results'][0]['id'], app_id, response.data)
+
+        # deploy to an app that doesn't exist should fail with 404
+        url = "/v2/apps/{}/builds".format('={}'.format(app_id))
+        body = {'image': 'autotest/example'}
+        response = self.client.post(url, body)
+        self.assertEqual(response.status_code, 404, response)
+
+        # verify again that there is only 1 app
+        response = self.client.get("/v2/apps")
+        self.assertEqual(response.status_code, 200, response)
+        self.assertEqual(response.data['count'], 1, response.data)
+
+
 FAKE_LOG_DATA = bytes("""
 2013-08-15 12:41:25 [33454] [INFO] Starting gunicorn 17.5
 2013-08-15 12:41:25 [33454] [INFO] Listening at: http://0.0.0.0:5000 (33454)
diff --git a/rootfs/api/tests/test_hooks.py b/rootfs/api/tests/test_hooks.py
@@ -127,7 +127,7 @@ def test_build_hook(self, mock_requests):
         app_id = self.create_app()
 
         build = {'username': 'autotest', 'app': app_id}
-        url = '/v2/hooks/builds'.format(**locals())
+        url = '/v2/hooks/build'.format(**locals())
         body = {'receive_user': 'autotest',
                 'receive_repo': app_id,
                 'image': '{app_id}:v2'.format(**locals())}
@@ -146,7 +146,7 @@ def test_build_hook_slug_url(self, mock_requests):
         """Test creating a slug_url build via an API Hook"""
         app_id = self.create_app()
         build = {'username': 'autotest', 'app': app_id}
-        url = '/v2/hooks/builds'.format(**locals())
+        url = '/v2/hooks/build'.format(**locals())
         body = {'receive_user': 'autotest',
                 'receive_repo': app_id,
                 'image': 'http://example.com/slugs/foo-12345354.tar.gz'}
@@ -168,7 +168,7 @@ def test_build_hook_procfile(self, mock_requests):
         app_id = self.create_app()
 
         build = {'username': 'autotest', 'app': app_id}
-        url = '/v2/hooks/builds'.format(**locals())
+        url = '/v2/hooks/build'.format(**locals())
         PROCFILE = {'web': 'node server.js', 'worker': 'node worker.js'}
         SHA = 'ecdff91c57a0b9ab82e89634df87e293d259a3aa'
         body = {'receive_user': 'autotest',
@@ -213,7 +213,7 @@ def test_build_hook_dockerfile(self, mock_requests):
         """Test creating a Dockerfile build via an API Hook"""
         app_id = self.create_app()
         build = {'username': 'autotest', 'app': app_id}
-        url = '/v2/hooks/builds'.format(**locals())
+        url = '/v2/hooks/build'.format(**locals())
         SHA = 'ecdff91c57a0b9ab82e89634df87e293d259a3aa'
         DOCKERFILE = """FROM busybox
         CMD /bin/true"""
@@ -296,7 +296,7 @@ def test_admin_can_hook(self, mock_requests):
                 'image': '{app_id}:v2'.format(**locals()),
                 'sha': 'ecdff91c57a0b9ab82e89634df87e293d259a3aa',
                 'dockerfile': DOCKERFILE}
-        url = '/v2/hooks/builds'
+        url = '/v2/hooks/build'
         response = self.client.post(url, body,
                                     HTTP_X_DEIS_BUILDER_AUTH=settings.BUILDER_KEY)
         self.assertEqual(response.status_code, 200, response.data)
diff --git a/rootfs/api/tests/test_perm.py b/rootfs/api/tests/test_perm.py
@@ -174,7 +174,7 @@ def test_create(self):
         self.assertEqual(len(response.data['results']), 1)
         # check that user 2 can't see any of the app's builds, configs,
         # containers, limits, or releases
-        for model in ['builds', 'config', 'containers', 'releases']:
+        for model in ['builds', 'config', 'pods', 'releases']:
             response = self.client.get("/v2/apps/{}/{}/".format(app_id, model))
             msg = "Failed: status '%s', and data '%s'" % (response.status_code, response.data)
             self.assertEqual(response.status_code, 403, msg=msg)
diff --git a/rootfs/api/urls.py b/rootfs/api/urls.py
@@ -17,109 +17,109 @@
 urlpatterns = [
     url(r'^', include(router.urls)),
     # application release components
-    url(r"^apps/(?P<id>{})/config/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/config/?$".format(settings.APP_URL_REGEX),
         views.ConfigViewSet.as_view({'get': 'retrieve', 'post': 'create'})),
-    url(r"^apps/(?P<id>{})/builds/(?P<uuid>[-_\w]+)/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/builds/(?P<uuid>[-_\w]+)/?$".format(settings.APP_URL_REGEX),
         views.BuildViewSet.as_view({'get': 'retrieve'})),
-    url(r"^apps/(?P<id>{})/builds/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/builds/?$".format(settings.APP_URL_REGEX),
         views.BuildViewSet.as_view({'get': 'list', 'post': 'create'})),
-    url(r"^apps/(?P<id>{})/releases/v(?P<version>[0-9]+)/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/releases/v(?P<version>[0-9]+)/?$".format(settings.APP_URL_REGEX),
         views.ReleaseViewSet.as_view({'get': 'retrieve'})),
-    url(r"^apps/(?P<id>{})/releases/rollback/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/releases/rollback/?$".format(settings.APP_URL_REGEX),
         views.ReleaseViewSet.as_view({'post': 'rollback'})),
-    url(r"^apps/(?P<id>{})/releases/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/releases/?$".format(settings.APP_URL_REGEX),
         views.ReleaseViewSet.as_view({'get': 'list'})),
     # restart pods
-    url(r"^apps/(?P<id>{})/pods/restart/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/pods/restart/?$".format(settings.APP_URL_REGEX),
         views.PodViewSet.as_view({'post': 'restart'})),
-    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w.]+)/restart/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w.]+)/restart/?$".format(settings.APP_URL_REGEX),
         views.PodViewSet.as_view({'post': 'restart'})),
-    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w]+)/(?P<name>[-_\w]+)/restart/?".format(
+    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w]+)/(?P<name>[-_\w]+)/restart/?$".format(
         settings.APP_URL_REGEX),
         views.PodViewSet.as_view({'post': 'restart'})),
     # list pods
-    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w]+)/(?P<name>[-_\w]+)/?".format(
+    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w]+)/(?P<name>[-_\w]+)/?$".format(
         settings.APP_URL_REGEX),
         views.PodViewSet.as_view({'get': 'list'})),
-    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w.]+)/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/pods/(?P<type>[-_\w.]+)/?$".format(settings.APP_URL_REGEX),
         views.PodViewSet.as_view({'get': 'list'})),
-    url(r"^apps/(?P<id>{})/pods/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/pods/?$".format(settings.APP_URL_REGEX),
         views.PodViewSet.as_view({'get': 'list'})),
     # application domains
-    url(r"^apps/(?P<id>{})/domains/(?P<domain>\**\.?[-\._\w]+)/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/domains/(?P<domain>\**\.?[-\._\w]+)/?$".format(settings.APP_URL_REGEX),
         views.DomainViewSet.as_view({'delete': 'destroy'})),
-    url(r"^apps/(?P<id>{})/domains/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/domains/?$".format(settings.APP_URL_REGEX),
         views.DomainViewSet.as_view({'post': 'create', 'get': 'list'})),
     # application actions
-    url(r"^apps/(?P<id>{})/scale/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/scale/?$".format(settings.APP_URL_REGEX),
         views.AppViewSet.as_view({'post': 'scale'})),
-    url(r"^apps/(?P<id>{})/logs/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/logs/?$".format(settings.APP_URL_REGEX),
         views.AppViewSet.as_view({'get': 'logs'})),
-    url(r"^apps/(?P<id>{})/run/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/run/?$".format(settings.APP_URL_REGEX),
         views.AppViewSet.as_view({'post': 'run'})),
     # application settings
-    url(r"^apps/(?P<id>{})/settings/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/settings/?$".format(settings.APP_URL_REGEX),
         views.AppSettingsViewSet.as_view({'get': 'retrieve', 'post': 'create'})),
     # application ip whitelist
-    url(r"^apps/(?P<id>{})/whitelist/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/whitelist/?$".format(settings.APP_URL_REGEX),
         views.WhitelistViewSet.as_view({'post': 'create', 'get': 'list', 'delete': 'delete'})),
     # application TLS settings
-    url(r"^apps/(?P<id>{})/tls/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/tls/?$".format(settings.APP_URL_REGEX),
         views.TLSViewSet.as_view({'get': 'retrieve', 'post': 'create'})),
     # apps sharing
-    url(r"^apps/(?P<id>{})/perms/(?P<username>[-_\w]+)/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/perms/(?P<username>[-_\w]+)/?$".format(settings.APP_URL_REGEX),
         views.AppPermsViewSet.as_view({'delete': 'destroy'})),
-    url(r"^apps/(?P<id>{})/perms/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/perms/?$".format(settings.APP_URL_REGEX),
         views.AppPermsViewSet.as_view({'get': 'list', 'post': 'create'})),
     # apps base endpoint
-    url(r"^apps/(?P<id>{})/?".format(settings.APP_URL_REGEX),
+    url(r"^apps/(?P<id>{})/?$".format(settings.APP_URL_REGEX),
         views.AppViewSet.as_view({'get': 'retrieve', 'post': 'update', 'delete': 'destroy'})),
-    url(r'^apps/?',
+    url(r'^apps/?$',
         views.AppViewSet.as_view({'get': 'list', 'post': 'create'})),
     # key
-    url(r'^keys/(?P<id>.+)/?',
+    url(r'^keys/(?P<id>.+)/?$',
         views.KeyViewSet.as_view({'get': 'retrieve', 'delete': 'destroy'})),
-    url(r'^keys/?',
+    url(r'^keys/?$',
         views.KeyViewSet.as_view({'get': 'list', 'post': 'create'})),
     # hooks
-    url(r'^hooks/keys/(?P<id>{})/(?P<username>[-_\w]+)?'.format(settings.APP_URL_REGEX),
+    url(r'^hooks/keys/(?P<id>{})/(?P<username>[-_\w]+)?$'.format(settings.APP_URL_REGEX),
         views.KeyHookViewSet.as_view({'get': 'users'})),
-    url(r'^hooks/keys/(?P<id>{})/?'.format(settings.APP_URL_REGEX),
+    url(r'^hooks/keys/(?P<id>{})/?$'.format(settings.APP_URL_REGEX),
         views.KeyHookViewSet.as_view({'get': 'app'})),
-    url(r'^hooks/key/(?P<fingerprint>.+)/?',
+    url(r'^hooks/key/(?P<fingerprint>.+)/?$',
         views.KeyHookViewSet.as_view({'get': 'public_key'})),
-    url(r'^hooks/build/?',
+    url(r'^hooks/build/?$',
         views.BuildHookViewSet.as_view({'post': 'create'})),
-    url(r'^hooks/config/?',
+    url(r'^hooks/config/?$',
         views.ConfigHookViewSet.as_view({'post': 'create'})),
     # authn / authz
-    url(r'^auth/register/?',
+    url(r'^auth/register/?$',
         views.UserRegistrationViewSet.as_view({'post': 'create'})),
-    url(r'^auth/cancel/?',
+    url(r'^auth/cancel/?$',
         views.UserManagementViewSet.as_view({'delete': 'destroy'})),
-    url(r'^auth/passwd/?',
+    url(r'^auth/passwd/?$',
         views.UserManagementViewSet.as_view({'post': 'passwd'})),
-    url(r'^auth/whoami/?',
+    url(r'^auth/whoami/?$',
         views.UserManagementViewSet.as_view({'get': 'list'})),
-    url(r'^auth/login/',
+    url(r'^auth/login/$',
         views_obtain_auth_token),
-    url(r'^auth/tokens/',
+    url(r'^auth/tokens/$',
         views.TokenManagementViewSet.as_view({'post': 'regenerate'})),
     # admin sharing
-    url(r'^admin/perms/(?P<username>[-_\w]+)/?',
+    url(r'^admin/perms/(?P<username>[-_\w]+)/?$',
         views.AdminPermsViewSet.as_view({'delete': 'destroy'})),
-    url(r'^admin/perms/?',
+    url(r'^admin/perms/?$',
         views.AdminPermsViewSet.as_view({'get': 'list', 'post': 'create'})),
     # certificates
-    url(r'^certs/(?P<name>[-_*.\w]+)/domain/(?P<domain>\**\.?[-\._\w]+)?',
+    url(r'^certs/(?P<name>[-_*.\w]+)/domain/(?P<domain>\**\.?[-\._\w]+)?$',
         views.CertificateViewSet.as_view({'delete': 'detach', 'post': 'attach'})),
-    url(r'^certs/(?P<name>[-_*.\w]+)/?',
+    url(r'^certs/(?P<name>[-_*.\w]+)/?$',
         views.CertificateViewSet.as_view({
             'get': 'retrieve',
             'delete': 'destroy'
         })),
-    url(r'^certs/?',
+    url(r'^certs/?$',
         views.CertificateViewSet.as_view({'get': 'list', 'post': 'create'})),
     # list users
-    url(r'^users/?', views.UserView.as_view({'get': 'list'})),
+    url(r'^users/?$', views.UserView.as_view({'get': 'list'})),
 ]
