From 56e48127938be2d67b984d00b155833532233713 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 21 Mar 2019 18:54:06 +0000
Subject: [PATCH] Test domain and project users against group system assignment API

This commit ensures that domain and project users are not able to operate on system role assignments for groups in anyway since they lack the proper authorization to do so.

Subsequent patches will:

- remove obsolete policies from policy.v3cloudsample.json

Change-Id: I696e5d161fae7efbc208355372bf7bf09f96849f
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 6e118bad3d49bc1da7137a406fb8cb2e3da931ca)
---
 .../protection/v3/test_system_assignments.py | 62 +++++++++++++++++++
 .../notes/bug-1750669-dfce859550126f03.yaml | 24 +++----
 2 files changed, 75 insertions(+), 11 deletions(-)

diff --git a/keystone/tests/unit/protection/v3/test_system_assignments.py b/keystone/tests/unit/protection/v3/test_system_assignments.py
index 5f27431f3e..72adc1d675 100644
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
                 expected_status_code=http_client.FORBIDDEN
             )
 
+    def test_user_cannot_list_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_check_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_grant_group_system_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_revoke_group_system_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
 
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                         common_auth.AuthTestMixin,
diff --git a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
index a5aed56ce1..6405f86f3d 100644
--- a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
+++ b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
@@ -19,18 +19,20 @@ deprecations:
     [`bug 1805368 `_]
     [`bug 1750669 `_]
     The system assignment policies have been deprecated. The
-    ``identity:list_system_grants_for_user`` and
-    ``identity:check_system_grant_for_user`` policies now use
+    ``identity:list_system_grants_for_user``,
+    ``identity:check_system_grant_for_user``,
+    ``identity:list_system_grants_for_group``, and
+    ``identity:check_system_grant_for_group`` policies now use
     ``role:reader and system_scope:all`` instead of
-    ``rule:admin_required``. The
-    ``identity:create_system_grant_for_user`` and
-    ``identity:revoke_system_grant_for_user`` policies now use
-    ``role:admin and system_scope:all`` instead of
-    ``rule:admin_required``. These new defaults automatically include
-    support for a read-only role and allow for more granular access to
-    the system assignment API, making it easier for administrators to
-    delegate authorization, safely. Please consider these new defaults
-    if your deployment overrides the system assignment APIs.
+    ``rule:admin_required``. The ``identity:create_system_grant_for_user``,
+    ``identity:revoke_system_grant_for_user``,
+    ``identity:create_system_grant_for_group``, and
+    ``identity:revoke_system_grant_for_group`` policies now use ``role:admin
+    and system_scope:all`` instead of ``rule:admin_required``. These new
+    defaults automatically include support for a read-only role and allow for
+    more granular access to the system assignment API, making it easier for
+    administrators to delegate authorization, safely. Please consider these new
+    defaults if your deployment overrides the system assignment APIs.
 security:
   - |
     [`bug 1805368 `_]
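Review bot: The two write-path tests in this hunk, `test_user_cannot_grant_group_system_assignments` and `test_user_cannot_revoke_group_system_assignments`, only assert that the response is 403 and never confirm that the grant store was left untouched, which is the property an authorization test for a domain or project user is really protecting. After the forbidden `c.put(...)` I would add `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))`, and after the forbidden `c.delete(...)` assert the pre-created member grant is still present, e.g. `self.assertEqual(1, len(PROVIDERS.assignment_api.list_system_grants_for_group(group['id'])))` (assuming that manager method returns the list of granted roles — confirm against the assignment manager). As a point of style, the group-plus-grant setup is repeated verbatim in three of the four tests and could be a small `_create_group_with_system_grant()` helper on the mixin. The `_DomainAndProjectUserSystemAssignmentTests` class itself begins before this hunk.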