trustee unable to perform role based operations on trust
There was a typo in a conditional that checked the trustor twice, instead of trustee and trustor. The typo was preventing a trustee from being able to list or get or check roles that were delegated. Also, removed the spurious check of is_admin from said conditional (_is_trustor_trustee_admin), and renamed it to _is_trustor_trustee. An additional check, to see if a trust existed, was removed since it was repeated unnecessarily. Added a test to cover the gap that was discovered in the bug report. SecurityImpact Change-Id: Id61e71cb3ea7c6bc51783af067fbbbe4c9bffafe Closes-Bug: 1261104
This commit is contained in:
Steve Martinelli
Dolph Mathews
parent
35242b04eb
commit
4e996ec097
|
|
@ -2260,3 +2260,40 @@ class TestTrustAuth(TestAuthInfo):
|
||||||
self.get('/OS-TRUST/trusts?trustor_user_id=%s' %
|
self.get('/OS-TRUST/trusts?trustor_user_id=%s' %
|
||||||
self.user_id, expected_status=401,
|
self.user_id, expected_status=401,
|
||||||
token=trust_token)
|
token=trust_token)
|
||||||
|
|
||||||
|
def test_trustee_can_do_role_ops(self):
|
||||||
|
ref = self.new_trust_ref(
|
||||||
|
trustor_user_id=self.user_id,
|
||||||
|
trustee_user_id=self.trustee_user_id,
|
||||||
|
project_id=self.project_id,
|
||||||
|
impersonation=True,
|
||||||
|
role_ids=[self.role_id])
|
||||||
|
del ref['id']
|
||||||
|
|
||||||
|
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
|
||||||
|
trust = self.assertValidTrustResponse(r)
|
||||||
|
|
||||||
|
auth_data = self.build_authentication_request(
|
||||||
|
user_id=self.trustee_user['id'],
|
||||||
|
password=self.trustee_user['password'])
|
||||||
|
|
||||||
|
r = self.get(
|
||||||
|
'/OS-TRUST/trusts/%(trust_id)s/roles' % {
|
||||||
|
'trust_id': trust['id']},
|
||||||
|
auth=auth_data)
|
||||||
|
self.assertValidRoleListResponse(r, self.role)
|
||||||
|
|
||||||
|
self.head(
|
||||||
|
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
|
||||||
|
'trust_id': trust['id'],
|
||||||
|
'role_id': self.role['id']},
|
||||||
|
auth=auth_data,
|
||||||
|
expected_status=204)
|
||||||
|
|
||||||
|
r = self.get(
|
||||||
|
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
|
||||||
|
'trust_id': trust['id'],
|
||||||
|
'role_id': self.role['id']},
|
||||||
|
auth=auth_data,
|
||||||
|
expected_status=200)
|
||||||
|
self.assertValidRoleResponse(r, self.role)
|
||||||
|
|
|
||||||
|
|
@ -34,10 +34,9 @@ def _trustor_only(context, trust, user_id):
|
||||||
raise exception.Forbidden()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
|
|
||||||
def _admin_trustor_trustee_only(context, trust, user_id):
|
def _trustor_trustee_only(trust, user_id):
|
||||||
if (user_id != trust.get('trustor_user_id') and
|
if (user_id != trust.get('trustee_user_id') and
|
||||||
user_id != trust.get('trustor_user_id') and
|
user_id != trust.get('trustor_user_id')):
|
||||||
context['is_admin']):
|
|
||||||
raise exception.Forbidden()
|
raise exception.Forbidden()
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -80,12 +79,7 @@ class TrustV3(controller.V3Controller):
|
||||||
trust = self.trust_api.get_trust(trust_id)
|
trust = self.trust_api.get_trust(trust_id)
|
||||||
if not trust:
|
if not trust:
|
||||||
raise exception.TrustNotFound(trust_id)
|
raise exception.TrustNotFound(trust_id)
|
||||||
_admin_trustor_trustee_only(context, trust, user_id)
|
_trustor_trustee_only(trust, user_id)
|
||||||
if not trust:
|
|
||||||
raise exception.TrustNotFound(trust_id=trust_id)
|
|
||||||
if (user_id != trust['trustor_user_id'] and
|
|
||||||
user_id != trust['trustee_user_id']):
|
|
||||||
raise exception.Forbidden()
|
|
||||||
self._fill_in_roles(context, trust,
|
self._fill_in_roles(context, trust,
|
||||||
self.assignment_api.list_roles())
|
self.assignment_api.list_roles())
|
||||||
return TrustV3.wrap_member(context, trust)
|
return TrustV3.wrap_member(context, trust)
|
||||||
|
|
@ -231,7 +225,7 @@ class TrustV3(controller.V3Controller):
|
||||||
if not trust:
|
if not trust:
|
||||||
raise exception.TrustNotFound(trust_id)
|
raise exception.TrustNotFound(trust_id)
|
||||||
user_id = self._get_user_id(context)
|
user_id = self._get_user_id(context)
|
||||||
_admin_trustor_trustee_only(context, trust, user_id)
|
_trustor_trustee_only(trust, user_id)
|
||||||
return {'roles': trust['roles'],
|
return {'roles': trust['roles'],
|
||||||
'links': trust['roles_links']}
|
'links': trust['roles_links']}
|
||||||
|
|
||||||
|
|
@ -242,7 +236,7 @@ class TrustV3(controller.V3Controller):
|
||||||
if not trust:
|
if not trust:
|
||||||
raise exception.TrustNotFound(trust_id)
|
raise exception.TrustNotFound(trust_id)
|
||||||
user_id = self._get_user_id(context)
|
user_id = self._get_user_id(context)
|
||||||
_admin_trustor_trustee_only(context, trust, user_id)
|
_trustor_trustee_only(trust, user_id)
|
||||||
matching_roles = [x for x in trust['roles']
|
matching_roles = [x for x in trust['roles']
|
||||||
if x['id'] == role_id]
|
if x['id'] == role_id]
|
||||||
if not matching_roles:
|
if not matching_roles:
|
||||||
|
|
@ -256,7 +250,7 @@ class TrustV3(controller.V3Controller):
|
||||||
raise exception.TrustNotFound(trust_id)
|
raise exception.TrustNotFound(trust_id)
|
||||||
|
|
||||||
user_id = self._get_user_id(context)
|
user_id = self._get_user_id(context)
|
||||||
_admin_trustor_trustee_only(context, trust, user_id)
|
_trustor_trustee_only(trust, user_id)
|
||||||
matching_roles = [x for x in trust['roles']
|
matching_roles = [x for x in trust['roles']
|
||||||
if x['id'] == role_id]
|
if x['id'] == role_id]
|
||||||
if not matching_roles:
|
if not matching_roles:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue