deny topology changes to iso instances via api

2026-01-13 11:00:03 -03:30 · 2018-07-06 10:58:33 -04:00 · 2018-07-06 10:58:33 -04:00 · aeca21ab5b
commit aeca21ab5b
parent b445e66ffa
3 changed files with 27 additions and 1 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -189,6 +189,11 @@ class InstanceGroupMembershipMixin(object):
                ig_obj.save()
        return response

+    def is_valid_relation(self, parent, sub, created=False):
+        if sub.is_isolated():
+            return {'error': _('Isolated instances may not be added or removed from instances groups via the API.')}
+        return None
+
    def unattach(self, request, *args, **kwargs):
        response = super(InstanceGroupMembershipMixin, self).unattach(request, *args, **kwargs)
        sub_id, res = self.attach_validate(request)
--- a/awx/main/models/ha.py
+++ b/awx/main/models/ha.py
@ -120,6 +120,8 @@ class Instance(BaseModel):
    def is_controller(self):
        return Instance.objects.filter(rampart_groups__controller__instances=self).exists()

+    def is_isolated(self):
+        return self.rampart_groups.filter(controller__isnull=False).exists()

    def refresh_capacity(self):
        cpu = get_cpu_capacity()
--- a/awx/main/tests/functional/api/test_instance_group.py
+++ b/awx/main/tests/functional/api/test_instance_group.py
@ -2,6 +2,7 @@ import pytest

 from awx.api.versioning import reverse
 from awx.main.models import (
+    Instance,
    InstanceGroup,
    ProjectUpdate,
 )
@ -14,6 +15,12 @@ def tower_instance_group():
    return ig


+@pytest.fixture
+def instance():
+    instance = Instance.objects.create(hostname='iso')
+    return instance
+
+
@pytest.fixture
 def instance_group(job_factory):
    ig = InstanceGroup(name="east")
@ -22,9 +29,11 @@ def instance_group(job_factory):


@pytest.fixture
-def isolated_instance_group(instance_group):
+def isolated_instance_group(instance_group, instance):
    ig = InstanceGroup(name="iso", controller=instance_group)
    ig.save()
+    ig.instances.set([instance])
+    ig.save()
    return ig


@ -113,3 +122,13 @@ def test_prevent_delete_iso_and_control_groups(delete, isolated_instance_group,
    controller_url = reverse("api:instance_group_detail", kwargs={'pk': isolated_instance_group.controller.pk})
    delete(iso_url, None, admin, expect=403)
    delete(controller_url, None, admin, expect=403)
+
+
+@pytest.mark.django_db
+def test_prevent_isolated_instance_in_non_isolated_instance_group(post, admin, instance, instance_group, isolated_instance_group):
+    url = reverse("api:instance_group_instance_list", kwargs={'pk': instance_group.pk})
+
+    assert True is instance.is_isolated()
+    resp = post(url, {'associate': True, 'id': instance.id}, admin, expect=400)
+    assert u"Isolated instances may not be added or removed from instances groups via the API." == resp.data['error']
+