From 0d0772bc762e60141ed7e09762d31b1255d8b95d Mon Sep 17 00:00:00 2001
From: Jan Kaluža <jkaluza@redhat.com>
Date: Sep 20 2017 10:49:43 +0000
Subject: Merge #75 `Allow configuration of allowed source types.`


---

diff --git a/server/odcs/server/config.py b/server/odcs/server/config.py
index 944858a..fdf6b13 100644
--- a/server/odcs/server/config.py
+++ b/server/odcs/server/config.py
@@ -157,6 +157,10 @@ class Config(object):
             'type': int,
             'default': 2,
             'desc': 'Number of concurrent Pungi processes.'},
+        'allowed_source_types': {
+            'type': list,
+            'default': ["tag", "module"],
+            'desc': 'Allowed source types.'},
         'auth_ldap_server': {
             'type': str,
             'default': '',
diff --git a/server/odcs/server/views.py b/server/odcs/server/views.py
index 793b693..5124b0e 100644
--- a/server/odcs/server/views.py
+++ b/server/odcs/server/views.py
@@ -161,13 +161,19 @@ class ODCSAPI(MethodView):
                 raise ValueError(err)
 
         source_type = source_data["type"]
-        if source_type in PUNGI_SOURCE_TYPE_NAMES:
-            source_type = PUNGI_SOURCE_TYPE_NAMES[source_type]
-        else:
-            err = "Unknown source type %s" % source_type
+        if source_type not in PUNGI_SOURCE_TYPE_NAMES:
+            err = 'Unknown source type "%s"' % source_type
             log.error(err)
             raise ValueError(err)
 
+        if source_type not in conf.allowed_source_types:
+            err = 'Source type "%s" is not allowed by ODCS configuration' % (
+                source_type)
+            log.error(err)
+            raise ValueError(err)
+
+        source_type = PUNGI_SOURCE_TYPE_NAMES[source_type]
+
         source = source_data["source"].split(" ")
         if not source:
             err = "No source provided for %s" % source_type
diff --git a/server/tests/test_views.py b/server/tests/test_views.py
index 39f1b86..5eebe93 100644
--- a/server/tests/test_views.py
+++ b/server/tests/test_views.py
@@ -214,6 +214,25 @@ class TestViews(ViewBaseTest):
 
         self.assertEqual(data['message'], 'No compose with id 100 found')
 
+    def test_submit_build_not_allowed_source_type(self):
+        with self.test_request_context(user='dev'):
+            rv = self.client.post('/odcs/1/composes/', data=json.dumps(
+                {'source': {'type': 'repo', 'source': '/path'}}))
+            data = json.loads(rv.data.decode('utf8'))
+
+        self.assertEqual(
+            data['message'],
+            'Source type "repo" is not allowed by ODCS configuration')
+
+    def test_submit_build_unknown_source_type(self):
+        with self.test_request_context(user='dev'):
+            rv = self.client.post('/odcs/1/composes/', data=json.dumps(
+                {'source': {'type': 'unknown', 'source': '/path'}}))
+            data = json.loads(rv.data.decode('utf8'))
+
+        self.assertEqual(
+            data['message'], 'Unknown source type "unknown"')
+
     def test_query_compose(self):
         resp = self.client.get('/odcs/1/composes/1')
         data = json.loads(resp.data.decode('utf8'))