From b76f377781051fa75117ac7101b1a68be3575390 Mon Sep 17 00:00:00 2001
From: Lingxian Kong
Date: Fri, 20 Dec 2019 13:45:16 +1300
Subject: [PATCH] Fix getting alarms

The normal users can get all other projects alarms because no project_id filter when querying the db.

Change-Id: I024ff3ec0e5c21f2f6cef9fa453cfb1497921947
---
 aodh/api/controllers/v2/alarms.py | 1 +
 .../functional/api/v2/test_alarm_scenarios.py | 18 +++++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/aodh/api/controllers/v2/alarms.py b/aodh/api/controllers/v2/alarms.py
index dcc4f8d1c..bd781ccac 100644
--- a/aodh/api/controllers/v2/alarms.py
+++ b/aodh/api/controllers/v2/alarms.py
@@ -891,6 +891,7 @@ class AlarmsController(rest.RestController):
 q.append( base.Query(field='project_id', op='eq', value=project_id) )
+ keys.add('project_id')
 else:
 request_project = v2_utils.get_query_value(q, 'project_id')
 if not is_admin and request_project != project_id:
diff --git a/aodh/tests/functional/api/v2/test_alarm_scenarios.py b/aodh/tests/functional/api/v2/test_alarm_scenarios.py
index 79206771f..081c97fbf 100644
--- a/aodh/tests/functional/api/v2/test_alarm_scenarios.py
+++ b/aodh/tests/functional/api/v2/test_alarm_scenarios.py
@@ -149,8 +149,13 @@ class TestAlarmsBase(v2.FunctionalTest):
 self.assertEqual(json[key], getattr(alarm, storage_key))
 def _get_alarm(self, id, auth_headers=None):
- data = self.get_json('/alarms',
- headers=auth_headers or self.auth_headers)
+ headers = auth_headers or self.auth_headers
+ url_path = "/alarms"
+ if headers.get('X-Roles') == 'admin':
+ url_path = '/alarms?q.field=all_projects&q.op=eq&q.value=true'
+
+ data = self.get_json(url_path, headers=headers)
+
 match = [a for a in data if a['alarm_id'] == id]
 self.assertEqual(1, len(match), 'alarm %s not found' % id)
 return match[0]
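Review bot: The added `keys.add('project_id')` in `AlarmsController` carries the whole tenant-isolation fix but has no comment saying why `keys` must follow `q`. Presumably code after this hunk rebuilds or validates `q` from `keys`, so a query appended without its field in `keys` is dropped and the listing runs unscoped; that is inferred, since the method starts and ends outside the hunk. I would add `# keep keys in step with q, otherwise the project_id filter appended above is lost and non-admins see every project's alarms` above the new line. Longer term, appending the query and registering its field through one helper would stop the two from drifting apart again.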
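Review bot: The admin check in `_get_alarm`, `headers.get('X-Roles') == 'admin'`, is an exact, case-sensitive match, while the `TestAlarmsQuotas` hunk in this same patch sets the role under the key `"X-roles"`. With headers shaped like that, or with a multi-valued role string such as a constructed `'admin,member'`, the helper falls back to plain `/alarms` and, now that listings are project-scoped, may fail with 'alarm ... not found' for alarms in other projects. A tolerant lookup would be `roles = next((v for k, v in headers.items() if k.lower() == 'x-roles'), '')` followed by `if 'admin' in roles.split(','):`.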
@@ -283,6 +288,13 @@ class TestAlarms(TestAlarmsBase):
 self.assertIn(faultstring, response.json['error_message']['faultstring'])
+ def test_list_alarms_other_project(self):
+ auth_headers = {'X-User-Id': uuidutils.generate_uuid(),
+ 'X-Project-Id': uuidutils.generate_uuid()}
+ data = self.get_json('/alarms', headers=auth_headers)
+
+ self.assertEqual(0, len(data))
+
 def test_get_not_existing_alarm(self):
 resp = self.get_json('/alarms/alarm-id-3', headers=self.auth_headers,
@@ -2049,7 +2061,7 @@ class TestAlarmsQuotas(TestAlarmsBase):
 self.auth_headers["X-roles"] = "admin"
 alarms = self.get_json('/alarms', headers=self.auth_headers)
- self.assertEqual(2, len(alarms))
+ self.assertEqual(1, len(alarms))
 class TestAlarmsRuleThreshold(TestAlarmsBase):
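Review bot: `test_list_alarms_other_project` can pass vacuously: it asserts an empty list for a random project but never checks that alarms exist for some other project at that point. Assuming the fixture creates alarms under `self.auth_headers` (the set-up is outside the hunk), a precondition such as `self.assertTrue(self.get_json('/alarms', headers=self.auth_headers))` before the cross-project request would pin that. A one-line docstring, `"""A non-admin must not see alarms owned by another project."""`, would also record that this is a tenant-isolation regression test.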
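Review bot: Changing the expected count from 2 to 1 in the `TestAlarmsQuotas` hunk leaves the admin's cross-project listing untested in this method, and nothing explains the new number. The request still uses plain `/alarms` with the admin role, so the drop suggests admins are now scoped to their own project unless they ask for all projects; that is inferred, as the method starts outside the hunk. I would keep the new assertion with a comment like `# admin without all_projects sees only its own project` and add `alarms = self.get_json('/alarms?q.field=all_projects&q.op=eq&q.value=true', headers=self.auth_headers)` followed by `self.assertEqual(2, len(alarms))`.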