Merge "Move delete_trust enforcement to default policies"
This commit is contained in:
commit
30a3f9f4e6
@ -46,6 +46,18 @@ TRUST_ID_PARAMETER_RELATION = _build_parameter_relation(
|
|||||||
parameter_name='trust_id')
|
parameter_name='trust_id')
|
||||||
|
|
||||||
|
|
||||||
|
def _build_trust_target_enforcement():
|
||||||
|
target = {}
|
||||||
|
# NOTE(cmurphy) unlike other APIs, in the event the trust doesn't exist or
|
||||||
|
# has 0 remaining uses, we actually do expect it to return a 404 and not a
|
||||||
|
# 403, so don't catch NotFound here (lp#1840288)
|
||||||
|
target['trust'] = PROVIDERS.trust_api.get_trust(
|
||||||
|
flask.request.view_args.get('trust_id')
|
||||||
|
)
|
||||||
|
|
||||||
|
return target
|
||||||
|
|
||||||
|
|
||||||
def _trustor_trustee_only(trust):
|
def _trustor_trustee_only(trust):
|
||||||
user_id = flask.request.environ.get(context.REQUEST_CONTEXT_ENV).user_id
|
user_id = flask.request.environ.get(context.REQUEST_CONTEXT_ENV).user_id
|
||||||
if user_id not in [trust.get('trustee_user_id'),
|
if user_id not in [trust.get('trustee_user_id'),
|
||||||
@ -263,18 +275,32 @@ class TrustResource(ks_flask.ResourceBase):
|
|||||||
return self.wrap_member(return_trust), http_client.CREATED
|
return self.wrap_member(return_trust), http_client.CREATED
|
||||||
|
|
||||||
def delete(self, trust_id):
|
def delete(self, trust_id):
|
||||||
ENFORCER.enforce_call(action='identity:delete_trust')
|
ENFORCER.enforce_call(action='identity:delete_trust',
|
||||||
|
build_target=_build_trust_target_enforcement)
|
||||||
self._check_unrestricted()
|
self._check_unrestricted()
|
||||||
|
|
||||||
trust = PROVIDERS.trust_api.get_trust(trust_id)
|
# NOTE(cmurphy) As of Train, the default policies enforce the
|
||||||
|
# identity:delete_trust rule. However, in case the
|
||||||
# TODO(morgan): convert this check to an oslo_policy checkstr that
|
# identity:delete_trust rule has been locally overridden by the
|
||||||
# can be referenced/enforced on.
|
# default that would have been produced by the sample config, we need
|
||||||
if (self.oslo_context.user_id != trust.get('trustor_user_id') and
|
# to enforce it again and warn that the behavior is changing.
|
||||||
not self.oslo_context.is_admin):
|
rules = policy._ENFORCER._enforcer.rules.get('identity:delete_trust')
|
||||||
action = _('Only admin or trustor can delete a trust')
|
# rule check_str is ""
|
||||||
raise exception.ForbiddenAction(action=action)
|
if isinstance(rules, op_checks.TrueCheck):
|
||||||
|
LOG.warning(
|
||||||
|
"The policy check string for rule \"identity:delete_trust\" "
|
||||||
|
"has been overridden to \"always true\". In the next release, "
|
||||||
|
"this will cause the" "\"identity:delete_trust\" action to "
|
||||||
|
"be fully permissive as hardcoded enforcement will be "
|
||||||
|
"removed. To correct this issue, either stop overriding the "
|
||||||
|
"\"identity:delete_trust\" rule in config to accept the "
|
||||||
|
"defaults, or explicitly set a rule that is not empty."
|
||||||
|
)
|
||||||
|
trust = PROVIDERS.trust_api.get_trust(trust_id)
|
||||||
|
if (self.oslo_context.user_id != trust.get('trustor_user_id') and
|
||||||
|
not self.oslo_context.is_admin):
|
||||||
|
action = _('Only admin or trustor can delete a trust')
|
||||||
|
raise exception.ForbiddenAction(action=action)
|
||||||
PROVIDERS.trust_api.delete_trust(trust_id,
|
PROVIDERS.trust_api.delete_trust(trust_id,
|
||||||
initiator=self.audit_initiator)
|
initiator=self.audit_initiator)
|
||||||
return '', http_client.NO_CONTENT
|
return '', http_client.NO_CONTENT
|
||||||
|
@ -34,20 +34,25 @@ class Checks(upgradecheck.UpgradeCommands):
|
|||||||
enforcer = policy.Enforcer(CONF)
|
enforcer = policy.Enforcer(CONF)
|
||||||
ENFORCER.register_rules(enforcer)
|
ENFORCER.register_rules(enforcer)
|
||||||
enforcer.load_rules()
|
enforcer.load_rules()
|
||||||
rule = enforcer.rules.get('identity:list_trusts')
|
rules = ['identity:list_trusts', 'identity:delete_trust']
|
||||||
if isinstance(rule, _checks.TrueCheck):
|
failed_rules = []
|
||||||
|
for rule in rules:
|
||||||
|
current_rule = enforcer.rules.get(rule)
|
||||||
|
if isinstance(current_rule, _checks.TrueCheck):
|
||||||
|
failed_rules.append(rule)
|
||||||
|
if any(failed_rules):
|
||||||
return upgradecheck.Result(
|
return upgradecheck.Result(
|
||||||
upgradecheck.Code.FAILURE,
|
upgradecheck.Code.FAILURE,
|
||||||
"Policy check string for \"identity:list_trusts\" is "
|
"Policy check string for rules \"%s\" are overridden to "
|
||||||
"overridden to \"\", \"@\", or []. In the next release, "
|
"\"\", \"@\", or []. In the next release, this will cause "
|
||||||
"this will cause the \"identity:list_trusts\" action to be "
|
"these rules to be fully permissive as hardcoded enforcement "
|
||||||
"fully permissive as hardcoded enforcement will be removed. "
|
"will be removed. To correct this issue, either stop "
|
||||||
"To correct this issue, either stop overriding this rule in "
|
"overriding these rules in config to accept the defaults, or "
|
||||||
"config to accept the defaults, or explicitly set a rule that "
|
"explicitly set check strings that are not empty." %
|
||||||
"is not empty."
|
"\", \"".join(failed_rules)
|
||||||
)
|
)
|
||||||
return upgradecheck.Result(
|
return upgradecheck.Result(
|
||||||
upgradecheck.Code.SUCCESS, "\"identity:list_trusts\" policy is safe")
|
upgradecheck.Code.SUCCESS, 'Trust policies are safe.')
|
||||||
|
|
||||||
_upgrade_checks = (
|
_upgrade_checks = (
|
||||||
("Check trust policies are not empty",
|
("Check trust policies are not empty",
|
||||||
|
@ -75,7 +75,7 @@ trust_policies = [
|
|||||||
'method': 'HEAD'}]),
|
'method': 'HEAD'}]),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'delete_trust',
|
name=base.IDENTITY % 'delete_trust',
|
||||||
check_str='',
|
check_str=RULE_TRUSTOR,
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Revoke trust.',
|
description='Revoke trust.',
|
||||||
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
operations=[{'path': '/v3/OS-TRUST/trusts/{trust_id}',
|
||||||
|
@ -109,6 +109,7 @@ class TrustTests(base_classes.TestCaseWithBootstrap,
|
|||||||
with open(self.policy_file_name, 'w') as f:
|
with open(self.policy_file_name, 'w') as f:
|
||||||
overridden_policies = {
|
overridden_policies = {
|
||||||
'identity:list_trusts': '',
|
'identity:list_trusts': '',
|
||||||
|
'identity:delete_trust': '',
|
||||||
}
|
}
|
||||||
f.write(jsonutils.dumps(overridden_policies))
|
f.write(jsonutils.dumps(overridden_policies))
|
||||||
|
|
||||||
@ -258,6 +259,19 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin):
|
|||||||
)
|
)
|
||||||
self.assertEqual(1, len(r.json['trusts']))
|
self.assertEqual(1, len(r.json['trusts']))
|
||||||
|
|
||||||
|
def test_admin_cannot_delete_trust_for_user_overridden_defaults(self):
|
||||||
|
# only the is_admin admin can do this
|
||||||
|
self._override_policy_old_defaults()
|
||||||
|
ref = PROVIDERS.trust_api.create_trust(
|
||||||
|
self.trust_id, **self.trust_data)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.delete(
|
||||||
|
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||||
|
headers=self.headers,
|
||||||
|
expected_status_code=http_client.FORBIDDEN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class ProjectUserTests(TrustTests):
|
class ProjectUserTests(TrustTests):
|
||||||
"""Tests for all project users."""
|
"""Tests for all project users."""
|
||||||
@ -573,7 +587,7 @@ class ProjectUserTests(TrustTests):
|
|||||||
expected_status_code=http_client.FORBIDDEN
|
expected_status_code=http_client.FORBIDDEN
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_user_cannot_list_trusts_for_other_trustee_overridden_default(self):
|
def test_user_cannot_list_trusts_for_trustee_overridden_default(self):
|
||||||
self._override_policy_old_defaults()
|
self._override_policy_old_defaults()
|
||||||
PROVIDERS.trust_api.create_trust(
|
PROVIDERS.trust_api.create_trust(
|
||||||
self.trust_id, **self.trust_data)
|
self.trust_id, **self.trust_data)
|
||||||
@ -597,3 +611,38 @@ class ProjectUserTests(TrustTests):
|
|||||||
headers=self.trustee_headers,
|
headers=self.trustee_headers,
|
||||||
expected_status_code=http_client.FORBIDDEN
|
expected_status_code=http_client.FORBIDDEN
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_trustor_can_delete_trust_overridden_default(self):
|
||||||
|
self._override_policy_old_defaults()
|
||||||
|
ref = PROVIDERS.trust_api.create_trust(
|
||||||
|
self.trust_id, **self.trust_data)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.delete(
|
||||||
|
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||||
|
headers=self.trustor_headers
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_trustee_cannot_delete_trust_overridden_default(self):
|
||||||
|
self._override_policy_old_defaults()
|
||||||
|
ref = PROVIDERS.trust_api.create_trust(
|
||||||
|
self.trust_id, **self.trust_data)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.delete(
|
||||||
|
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||||
|
headers=self.trustee_headers,
|
||||||
|
expected_status_code=http_client.FORBIDDEN
|
||||||
|
)
|
||||||
|
|
||||||
|
def test_user_cannot_delete_trust_for_other_user_overridden_default(self):
|
||||||
|
self._override_policy_old_defaults()
|
||||||
|
ref = PROVIDERS.trust_api.create_trust(
|
||||||
|
self.trust_id, **self.trust_data)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.delete(
|
||||||
|
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||||
|
headers=self.other_headers,
|
||||||
|
expected_status_code=http_client.FORBIDDEN
|
||||||
|
)
|
||||||
|
@ -1865,14 +1865,16 @@ class CliStatusTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||||||
def test_check_safe_trust_policies(self):
|
def test_check_safe_trust_policies(self):
|
||||||
with open(self.policy_file_name, 'w') as f:
|
with open(self.policy_file_name, 'w') as f:
|
||||||
overridden_policies = {
|
overridden_policies = {
|
||||||
'identity:list_trusts': ''
|
'identity:list_trusts': '',
|
||||||
|
'identity:delete_trust': ''
|
||||||
}
|
}
|
||||||
f.write(jsonutils.dumps(overridden_policies))
|
f.write(jsonutils.dumps(overridden_policies))
|
||||||
result = self.checks.check_trust_policies_are_not_empty()
|
result = self.checks.check_trust_policies_are_not_empty()
|
||||||
self.assertEqual(upgradecheck.Code.FAILURE, result.code)
|
self.assertEqual(upgradecheck.Code.FAILURE, result.code)
|
||||||
with open(self.policy_file_name, 'w') as f:
|
with open(self.policy_file_name, 'w') as f:
|
||||||
overridden_policies = {
|
overridden_policies = {
|
||||||
'identity:list_trusts': 'rule:admin_required'
|
'identity:list_trusts': 'rule:admin_required',
|
||||||
|
'identity:delete_trust': 'rule:admin_required'
|
||||||
}
|
}
|
||||||
f.write(jsonutils.dumps(overridden_policies))
|
f.write(jsonutils.dumps(overridden_policies))
|
||||||
result = self.checks.check_trust_policies_are_not_empty()
|
result = self.checks.check_trust_policies_are_not_empty()
|
||||||
|
Loading…
Reference in New Issue
Block a user