Increase protection testing for application credentials
This commit updates the application credential protection tests to ensure users can't craft paths that bypass application credential ownership checks. Depends-On: https://review.opendev.org/c/openstack/keystone/+/760972 Change-Id: I7729190d42a6a7199553c5fc058e1b93eecb2068 Related-Bug: 1901207
parent
a6d4ceaf57
commit
faa9b13891
@ -460,7 +460,9 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
|
|||||||
user_id=user_id,
|
user_id=user_id,
|
||||||
application_credential_id=data_utils.rand_uuid_hex())
|
application_credential_id=data_utils.rand_uuid_hex())
|
||||||
|
|
||||||
# user cannot retrieve another user's app cred
|
# user cannot retrieve another user's app cred by using the victim's
|
||||||
|
# user ID in the request or by trying to bypass the user ownership
|
||||||
|
# check by crafting a path the the attacker's user ID
|
||||||
user_id = self.test_user_id
|
user_id = self.test_user_id
|
||||||
client = self.test_user_client.application_credentials_client
|
client = self.test_user_client.application_credentials_client
|
||||||
app_cred = client.create_application_credential(
|
app_cred = client.create_application_credential(
|
||||||
@ -468,6 +470,11 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
|
|||||||
self.addCleanup(
|
self.addCleanup(
|
||||||
client.delete_application_credential,
|
client.delete_application_credential,
|
||||||
user_id=user_id, application_credential_id=app_cred['id'])
|
user_id=user_id, application_credential_id=app_cred['id'])
|
||||||
|
self.do_request(
|
||||||
|
'show_application_credential',
|
||||||
|
expected_status=exceptions.Forbidden,
|
||||||
|
user_id=self.persona.credentials.user_id,
|
||||||
|
application_credential_id=app_cred['id'])
|
||||||
self.do_request(
|
self.do_request(
|
||||||
'show_application_credential',
|
'show_application_credential',
|
||||||
expected_status=exceptions.Forbidden,
|
expected_status=exceptions.Forbidden,
|
||||||
@ -520,7 +527,9 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
|
|||||||
user_id=user_id,
|
user_id=user_id,
|
||||||
application_credential_id=data_utils.rand_uuid_hex())
|
application_credential_id=data_utils.rand_uuid_hex())
|
||||||
|
|
||||||
# user cannot delete another user's app cred
|
# user cannot delete another user's app cred by using the victim's
|
||||||
|
# user ID in the request or by trying to bypass the user ownership
|
||||||
|
# check by crafting a path the the attacker's user ID
|
||||||
user_id = self.test_user_id
|
user_id = self.test_user_id
|
||||||
client = self.test_user_client.application_credentials_client
|
client = self.test_user_client.application_credentials_client
|
||||||
app_cred = client.create_application_credential(
|
app_cred = client.create_application_credential(
|
||||||
@ -528,6 +537,11 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
|
|||||||
self.addCleanup(
|
self.addCleanup(
|
||||||
client.delete_application_credential,
|
client.delete_application_credential,
|
||||||
user_id=user_id, application_credential_id=app_cred['id'])
|
user_id=user_id, application_credential_id=app_cred['id'])
|
||||||
|
self.do_request(
|
||||||
|
'delete_application_credential',
|
||||||
|
expected_status=exceptions.Forbidden,
|
||||||
|
user_id=self.persona.credentials.user_id,
|
||||||
|
application_credential_id=app_cred['id'])
|
||||||
self.do_request(
|
self.do_request(
|
||||||
'delete_application_credential',
|
'delete_application_credential',
|
||||||
expected_status=exceptions.Forbidden,
|
expected_status=exceptions.Forbidden,
|
||||||
|
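Review bot: The added comment in the show hunk at `@ -460,7 +460,9 @@` ends with `# check by crafting a path the the attacker's user ID`, which drops a word and doubles `the`; `# check by crafting a path with the attacker's user ID` describes what the new do_request call actually does (it sends `user_id=self.persona.credentials.user_id` together with the victim's `app_cred['id']`). The same comment text is repeated in the delete hunk at `@ -520,7 +527,9 @@` and needs the same fix. The crafted-path request expects `exceptions.Forbidden`, which presumably relies on the keystone-side change named in the commit's Depends-On; a one-line comment above that do_request, such as `# a mismatched owner in the path must be 403, not 404, per the keystone ownership check`, would tell a future reader why NotFound is not an accepted outcome here. Both enclosing test methods start and end outside the hunks.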