Browse Source

Merge "Move get_role_for_trust enforcement to policies"

changes/22/678322/10
Zuul 1 week ago
parent
commit
09b6a629ff

+ 36
- 2
keystone/api/trusts.py View File

@@ -392,11 +392,45 @@ class RolesForTrustListResource(flask_restful.Resource):
392 392
 # URL additions and does not have a collection key/member_key, we use
393 393
 # the flask-restful Resource, not the keystone ResourceBase
394 394
 class RoleForTrustResource(flask_restful.Resource):
395
+
396
+    @property
397
+    def oslo_context(self):
398
+        return flask.request.environ.get(context.REQUEST_CONTEXT_ENV, None)
399
+
395 400
     def get(self, trust_id, role_id):
396 401
         """Get a role that has been assigned to a trust."""
397
-        ENFORCER.enforce_call(action='identity:get_role_for_trust')
402
+        ENFORCER.enforce_call(action='identity:get_role_for_trust',
403
+                              build_target=_build_trust_target_enforcement)
404
+
405
+        if self.oslo_context.is_admin:
406
+            # policies are not loaded for the is_admin context, so need to
407
+            # block access here
408
+            raise exception.ForbiddenAction(
409
+                action=_('Requested user has no relation to this trust'))
410
+
398 411
         trust = PROVIDERS.trust_api.get_trust(trust_id)
399
-        _trustor_trustee_only(trust)
412
+
413
+        # NOTE(cmurphy) As of Train, the default policies enforce the
414
+        # identity:get_role_for_trust rule. However, in case the
415
+        # identity:get_role_for_trust rule has been locally overridden by the
416
+        # default that would have been produced by the sample config, we need
417
+        # to enforce it again and warn that the behavior is changing.
418
+        rules = policy._ENFORCER._enforcer.rules.get(
419
+            'identity:get_role_for_trust')
420
+        # rule check_str is ""
421
+        if isinstance(rules, op_checks.TrueCheck):
422
+            LOG.warning(
423
+                "The policy check string for rule "
424
+                "\"identity:get_role_for_trust\" has been overridden to "
425
+                "\"always true\". In the next release, this will cause the "
426
+                "\"identity:get_role_for_trust\" action to be fully "
427
+                "permissive as hardcoded enforcement will be removed. To "
428
+                "correct this issue, either stop overriding the "
429
+                "\"identity:get_role_for_trust\" rule in config to accept the "
430
+                "defaults, or explicitly set a rule that is not empty."
431
+            )
432
+            _trustor_trustee_only(trust)
433
+
400 434
         if not any(role['id'] == role_id for role in trust['roles']):
401 435
             raise exception.RoleNotFound(role_id=role_id)
402 436
 

+ 1
- 0
keystone/cmd/status.py View File

@@ -39,6 +39,7 @@ class Checks(upgradecheck.UpgradeCommands):
39 39
             'identity:delete_trust',
40 40
             'identity:get_trust',
41 41
             'identity:list_roles_for_trust'
42
+            'identity:get_role_for_trust'
42 43
         ]
43 44
         failed_rules = []
44 45
         for rule in rules:

+ 1
- 1
keystone/common/policies/trust.py View File

@@ -66,7 +66,7 @@ trust_policies = [
66 66
                      'method': 'HEAD'}]),
67 67
     policy.DocumentedRuleDefault(
68 68
         name=base.IDENTITY % 'get_role_for_trust',
69
-        check_str='',
69
+        check_str=RULE_TRUSTOR + ' or ' + RULE_TRUSTEE,
70 70
         scope_types=['project'],
71 71
         description='Check if trust delegates a particular role.',
72 72
         operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}',

+ 51
- 0
keystone/tests/unit/protection/v3/test_trusts.py View File

@@ -112,6 +112,7 @@ class TrustTests(base_classes.TestCaseWithBootstrap,
112 112
                 'identity:delete_trust': '',
113 113
                 'identity:get_trust': '',
114 114
                 'identity:list_roles_for_trust': '',
115
+                'identity:get_role_for_trust': '',
115 116
             }
116 117
             f.write(jsonutils.dumps(overridden_policies))
117 118
 
@@ -298,6 +299,19 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin):
298 299
                 expected_status_code=http_client.FORBIDDEN
299 300
             )
300 301
 
302
+    def test_admin_cannot_get_trust_role_for_other_user_overridden_defaults(self):
303
+        self._override_policy_old_defaults()
304
+        PROVIDERS.trust_api.create_trust(
305
+            self.trust_id, **self.trust_data)
306
+
307
+        with self.test_client() as c:
308
+            c.get(
309
+                ('/v3/OS-TRUST/trusts/%s/roles/%s' %
310
+                 (self.trust_id, self.bootstrapper.member_role_id)),
311
+                headers=self.headers,
312
+                expected_status_code=http_client.FORBIDDEN
313
+            )
314
+
301 315
 
302 316
 class ProjectUserTests(TrustTests):
303 317
     """Tests for all project users."""
@@ -733,3 +747,40 @@ class ProjectUserTests(TrustTests):
733 747
                 headers=self.other_headers,
734 748
                 expected_status_code=http_client.FORBIDDEN
735 749
             )
750
+
751
+    def test_trustor_can_get_trust_role_overridden_default(self):
752
+        self._override_policy_old_defaults()
753
+        PROVIDERS.trust_api.create_trust(
754
+            self.trust_id, **self.trust_data)
755
+
756
+        with self.test_client() as c:
757
+            c.head(
758
+                ('/v3/OS-TRUST/trusts/%s/roles/%s' %
759
+                 (self.trust_id, self.bootstrapper.member_role_id)),
760
+                headers=self.trustor_headers
761
+            )
762
+
763
+    def test_trustee_can_get_trust_role_overridden_default(self):
764
+        self._override_policy_old_defaults()
765
+        PROVIDERS.trust_api.create_trust(
766
+            self.trust_id, **self.trust_data)
767
+
768
+        with self.test_client() as c:
769
+            c.head(
770
+                ('/v3/OS-TRUST/trusts/%s/roles/%s' %
771
+                 (self.trust_id, self.bootstrapper.member_role_id)),
772
+                headers=self.trustee_headers
773
+            )
774
+
775
+    def test_user_cannot_get_trust_role_other_user_overridden_default(self):
776
+        self._override_policy_old_defaults()
777
+        PROVIDERS.trust_api.create_trust(
778
+            self.trust_id, **self.trust_data)
779
+
780
+        with self.test_client() as c:
781
+            c.head(
782
+                ('/v3/OS-TRUST/trusts/%s/roles/%s' %
783
+                 (self.trust_id, self.bootstrapper.member_role_id)),
784
+                headers=self.other_headers,
785
+                expected_status_code=http_client.FORBIDDEN
786
+            )

+ 4
- 2
keystone/tests/unit/test_cli.py View File

@@ -1868,7 +1868,8 @@ class CliStatusTestCase(unit.SQLDriverOverrides, unit.TestCase):
1868 1868
                 'identity:list_trusts': '',
1869 1869
                 'identity:delete_trust': '',
1870 1870
                 'identity:get_trust': '',
1871
-                'identity:list_roles_for_trust': ''
1871
+                'identity:list_roles_for_trust': '',
1872
+                'identity:get_role_for_trust': ''
1872 1873
             }
1873 1874
             f.write(jsonutils.dumps(overridden_policies))
1874 1875
         result = self.checks.check_trust_policies_are_not_empty()
@@ -1878,7 +1879,8 @@ class CliStatusTestCase(unit.SQLDriverOverrides, unit.TestCase):
1878 1879
                 'identity:list_trusts': 'rule:admin_required',
1879 1880
                 'identity:delete_trust': 'rule:admin_required',
1880 1881
                 'identity:get_trust': 'rule:admin_required',
1881
-                'identity:list_roles_for_trust': 'rule:admin_required'
1882
+                'identity:list_roles_for_trust': 'rule:admin_required',
1883
+                'identity:get_role_for_trust': 'rule:admin_required'
1882 1884
             }
1883 1885
             f.write(jsonutils.dumps(overridden_policies))
1884 1886
         result = self.checks.check_trust_policies_are_not_empty()

Loading…
Cancel
Save