Check image actions against the owning user

PapaTutuWawa 2025-03-31 00:15:24 +02:00
parent 1128d73bee
commit 3744c343d4
3 changed files with 18 additions and 4 deletions


@ -13,13 +13,17 @@ def deregister_image(
params: QueryParams,
config: OpenEC2Config,
db: DatabaseDep,
_: User,
user: User,
):
image_id = params["ImageId"]
ami = db.exec(select(AMI).where(AMI.id == image_id)).one()
if ami is None:
raise HTTPException(status_code=404, detail="Unknown AMI")
# Check if the requester can deregister the image.
if ami.owner_id != user.id:
raise HTTPException(status_code=403)
# Mark the image as deregistered
ami.deregistered = True
db.add(ami)
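Review bot: The new ownership check in `deregister_image` answers 403 for an image owned by someone else while a missing image takes a different path, so any authenticated caller can learn which image IDs exist. The lookup it depends on also looks fragile: SQLAlchemy's `Result.one()` raises `NoResultFound` on a miss rather than returning `None`, so the `if ami is None` 404 is probably unreachable and an unknown ID surfaces as an unhandled error. Assuming `db` is a SQLModel session, scoping the query to the owner fixes both: `ami = db.exec(select(AMI).where(AMI.id == image_id, AMI.owner_id == user.id)).one_or_none()`, keeping the existing 404 for the `None` case. The start of the signature and whatever follows `db.add(ami)` are outside the hunk.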


@ -4,10 +4,11 @@ from urllib.parse import urlparse
import uuid
import shutil
from fastapi import HTTPException
from fastapi.datastructures import QueryParams
import requests
from openec2.config import OpenEC2Config
from openec2.config import OpenEC2Config, ConfigSingleton
from openec2.db import DatabaseDep
from openec2.db.user import User
from openec2.db.image import AMI
@ -17,7 +18,7 @@ def import_image(
params: QueryParams,
config: OpenEC2Config,
db: DatabaseDep,
_: User,
user: User,
):
first_disk_image_url = params["DiskContainer.1.Url"]
url = urlparse(first_disk_image_url)
@ -35,6 +36,11 @@ def import_image(
for chunk in r.iter_content(8196):
f.write(chunk)
case "file":
if not ConfigSingleton.of().config.debug:
raise HTTPException(
status_code=400,
detail="Unsupported scheme",
)
shutil.copy(
url.path,
str(dst),
@ -47,7 +53,8 @@ def import_image(
id=ami_id,
description=None,
originalFilename=filename,
)
owner_id=user.id,
),
)
db.commit()
return ami_id
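Review bot: In the `case "file":` branch of `import_image`, the only gate on `shutil.copy(url.path, ...)` is a global debug flag, so with debug enabled every authenticated caller can still have the service copy any path it can read into the image store. Even for debug use, the path should be resolved and required to sit under a configured import directory, and rejected with the same 400 otherwise. The handler already receives `config: OpenEC2Config`, so if that is the same object as `ConfigSingleton.of().config`, `if not config.debug:` would avoid a second source of truth and the extra import. The function body continues outside these hunks, so the handling of the other schemes was not reviewed.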


@ -13,3 +13,6 @@ class AMI(SQLModel, table=True):
# Was the image registered
deregistered: bool = Field(default=False)
# Owner of the image who created it
owner_id: int = Field(foreign_key="user.id")
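Review bot: `owner_id` is added as a required column with no default, and no migration or backfill for existing `AMI` rows is visible in this commit. Depending on how the schema is updated, either the change fails on a populated table or older rows end up without an owner, in which case the new `ami.owner_id != user.id` check in `deregister_image` refuses every caller for them. A backfill step, or a comment stating the intended behaviour, would make this explicit, e.g. `# Images created before ownership tracking must be backfilled; a missing owner denies all callers`. If lookups are later filtered by owner, `Field(foreign_key="user.id", index=True)` is worth considering.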