From 6523062b62852709b5d49e01bc27fcb61cc3b525 Mon Sep 17 00:00:00 2001
From: Scott Schneider <sschneider@puppetlabs.com>
Date: Tue, 30 Jun 2015 10:57:49 -0700
Subject: [PATCH] Allow for only a [configurable] tag set

---
 lib/vmpooler/api/v1.rb       |  4 ++++
 spec/vmpooler/api/v1_spec.rb | 17 +++++++++++++++++
 vmpooler.yaml.example        |  6 ++++++
 3 files changed, 27 insertions(+)

diff --git a/lib/vmpooler/api/v1.rb b/lib/vmpooler/api/v1.rb
index 8fdc590..e24c03c 100644
--- a/lib/vmpooler/api/v1.rb
+++ b/lib/vmpooler/api/v1.rb
@@ -476,6 +476,10 @@ module Vmpooler
               unless arg.is_a?(Hash)
                 failure = true
               end
+
+              if config['allowed_tags']
+                failure = true if not (arg.keys - config['allowed_tags']).empty?
+              end
             else
               failure = true
           end
diff --git a/spec/vmpooler/api/v1_spec.rb b/spec/vmpooler/api/v1_spec.rb
index 7c17b82..7ef1b5e 100644
--- a/spec/vmpooler/api/v1_spec.rb
+++ b/spec/vmpooler/api/v1_spec.rb
@@ -341,6 +341,23 @@ describe Vmpooler::API::V1 do
           expect(last_response.status).to eq(400)
         end
 
+      context '(allowed_tags configured)' do
+        let(:config) { {
+          config: {
+            'allowed_tags' => ['created_by', 'project', 'url']
+          }
+        } }
+
+        it 'fails if specified tag is not in allowed_tags array' do
+          put "#{prefix}/vm/testhost", '{"tags":{"created_by":"rspec","tested_by":"rspec"}}'
+
+          expect(last_response).to_not be_ok
+          expect(last_response.header['Content-Type']).to eq('application/json')
+          expect(last_response.body).to eq(JSON.pretty_generate({'ok' => false}))
+          expect(last_response.status).to eq(400)
+        end
+      end
+
       context '(tagfilter configured)' do
         let(:config) { {
           tagfilter: { 'url' => '(.*)\/' },
diff --git a/vmpooler.yaml.example b/vmpooler.yaml.example
index dda99cc..114a7c4 100644
--- a/vmpooler.yaml.example
+++ b/vmpooler.yaml.example
@@ -156,6 +156,9 @@
 #     Same as vm_lifetime, but applied if a valid authentication token is
 #     included during the request.
 #
+#   - allowed_tags
+#     If set, restricts tags to those specified in this array.
+#
 #   - domain
 #     If set, returns a top-level 'domain' JSON key in POST requests
 
@@ -169,6 +172,9 @@
   vm_checktime: 15
   vm_lifetime: 12
   vm_lifetime_auth: 24
+  allowed_tags:
+    - 'created_by'
+    - 'project'
   domain: 'company.com'
 
 # :pools: