
Merge "Make system members the same as system readers for credentials"

changes/99/645199/1 15.0.0.0rc1
Zuul 3 years ago
committed by Gerrit Code Review
parent
commit
1f1522703c
  1. 6
      keystone/common/policies/credential.py
  2. 13
      keystone/tests/unit/protection/v3/test_credentials.py

6
keystone/common/policies/credential.py

@ -19,10 +19,6 @@ SYSTEM_READER_OR_CRED_OWNER = (
'(role:reader and system_scope:all) '
'or user_id:%(target.credential.user_id)s'
)
SYSTEM_MEMBER_OR_CRED_OWNER = (
'(role:member and system_scope:all) '
'or user_id:%(target.credential.user_id)s'
)
SYSTEM_ADMIN_OR_CRED_OWNER = (
'(role:admin and system_scope:all) '
'or user_id:%(target.credential.user_id)s'
@ -93,7 +89,7 @@ credential_policies = [
),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_credential',
check_str=SYSTEM_MEMBER_OR_CRED_OWNER,
check_str=SYSTEM_ADMIN_OR_CRED_OWNER,
scope_types=['system', 'project'],
description='Update credential.',
operations=[{'path': '/v3/credentials/{credential_id}',
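Review bot: Dropping the module-level `SYSTEM_MEMBER_OR_CRED_OWNER` constant (the first hunk) removes a public name from `keystone.common.policies.credential` that external policy files and tests reference (the test hunk in this same commit had to replace `cp.SYSTEM_MEMBER_OR_CRED_OWNER`); any out-of-tree consumer importing it will now fail at import time rather than at policy evaluation. Consider keeping the name as a deprecated alias for one cycle, e.g. `SYSTEM_MEMBER_OR_CRED_OWNER = SYSTEM_ADMIN_OR_CRED_OWNER  # deprecated: system members no longer update credentials`, or at least calling out the removal in the change. The second hunk tightens `update_credential` so that a system-scoped `member` can no longer modify other users' credentials; the diffstat shows only the policy and test files, so I can't see a release note covering this upgrade-visible access change — operators relying on system-member credential updates should be told. The `DocumentedRuleDefault` for `update_credential` continues past the end of the hunk.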

13
keystone/tests/unit/protection/v3/test_credentials.py

@ -768,7 +768,7 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
expected_status_code=http_client.FORBIDDEN
)
def test_user_can_update_credentials_for_others(self):
def test_user_cannot_update_credentials_for_others(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user_password = user['password']
user = PROVIDERS.identity_api.create_user(user)
@ -803,16 +803,19 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
with self.test_client() as c:
update = {'credential': {'blob': uuid.uuid4().hex}}
path = '/v3/credentials/%s' % credential_id
c.patch(path, json=update, headers=self.headers)
c.patch(
path, json=update, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_non_existant_credential_not_found(self):
def test_user_cannot_update_non_existant_credential_forbidden(self):
with self.test_client() as c:
update = {'credential': {'blob': uuid.uuid4().hex}}
c.patch(
'/v3/credentials/%s' % uuid.uuid4().hex, json=update,
headers=self.headers,
expected_status_code=http_client.NOT_FOUND
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_credentials_for_others(self):
@ -1131,7 +1134,7 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
'identity:get_credential': cp.SYSTEM_READER_OR_CRED_OWNER,
'identity:list_credentials': cp.SYSTEM_READER_OR_CRED_OWNER,
'identity:create_credential': cp.SYSTEM_ADMIN_OR_CRED_OWNER,
'identity:update_credential': cp.SYSTEM_MEMBER_OR_CRED_OWNER,
'identity:update_credential': cp.SYSTEM_ADMIN_OR_CRED_OWNER,
'identity:delete_credential': cp.SYSTEM_ADMIN_OR_CRED_OWNER
}
f.write(jsonutils.dumps(overridden_policies))
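Review bot: The renamed test at `def test_user_cannot_update_non_existant_credential_forbidden(self):` keeps the pre-existing misspelling; since the line is already being rewritten, `test_user_cannot_update_nonexistent_credential_forbidden` would be the moment to fix it (same for the removed name's sibling tests if any remain). That test now expects `http_client.FORBIDDEN` for a random credential ID, which appears to confirm the policy check runs before the credential lookup for system members, so a denied caller cannot distinguish an existing credential from a missing one — worth stating in a one-line comment above the assertion so the 403-vs-404 expectation is not "corrected" later. The `SystemMemberTests` class and the `ProjectAdminTests` policy-override method both start outside these hunks.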
