Check image actions against the owning user

2025-03-31 00:15:24 +02:00 · 2025-03-31 00:15:24 +02:00 · 3744c343d4
commit 3744c343d4
parent 1128d73bee
3 changed files with 18 additions and 4 deletions
--- a/src/openec2/actions/deregister_image.py
+++ b/src/openec2/actions/deregister_image.py
@ -13,13 +13,17 @@ def deregister_image(
    params: QueryParams,
    config: OpenEC2Config,
    db: DatabaseDep,
-    _: User,
+    user: User,
 ):
    image_id = params["ImageId"]
    ami = db.exec(select(AMI).where(AMI.id == image_id)).one()
    if ami is None:
        raise HTTPException(status_code=404, detail="Unknown AMI")

+    # Check if the requester can deregister the image.
+    if ami.owner_id != user.id:
+        raise HTTPException(status_code=403)
+
    # Mark the image as deregistered
    ami.deregistered = True
    db.add(ami)
--- a/src/openec2/actions/import_image.py
+++ b/src/openec2/actions/import_image.py
@ -4,10 +4,11 @@ from urllib.parse import urlparse
 import uuid
 import shutil

+from fastapi import HTTPException
 from fastapi.datastructures import QueryParams
 import requests

-from openec2.config import OpenEC2Config
+from openec2.config import OpenEC2Config, ConfigSingleton
 from openec2.db import DatabaseDep
 from openec2.db.user import User
 from openec2.db.image import AMI
@ -17,7 +18,7 @@ def import_image(
    params: QueryParams,
    config: OpenEC2Config,
    db: DatabaseDep,
-    _: User,
+    user: User,
 ):
    first_disk_image_url = params["DiskContainer.1.Url"]
    url = urlparse(first_disk_image_url)
@ -35,6 +36,11 @@ def import_image(
                    for chunk in r.iter_content(8196):
                        f.write(chunk)
        case "file":
+            if not ConfigSingleton.of().config.debug:
+                raise HTTPException(
+                    status_code=400,
+                    detail="Unsupported scheme",
+                )
            shutil.copy(
                url.path,
                str(dst),
@ -47,7 +53,8 @@ def import_image(
            id=ami_id,
            description=None,
            originalFilename=filename,
-        )
+            owner_id=user.id,
+        ),
    )
    db.commit()
    return ami_id
--- a/src/openec2/db/image.py
+++ b/src/openec2/db/image.py
@ -13,3 +13,6 @@ class AMI(SQLModel, table=True):

    # Was the image registered
    deregistered: bool = Field(default=False)
+
+    # Owner of the image who created it
+    owner_id: int = Field(foreign_key="user.id")