Validate impersonation in trust redelegation

Forbids a trustee from creating a trust (with impersonation set to true) from
a redelegated trust (with impersonation set to false).

Change-Id: I53a593a2056c8e8fa0292a806c3b4b48c16ad7fd
Closes-Bug: #1539766
Mikhail Nikolaenko 2016-06-15 15:58:26 +00:00
parent 39a0f0790f
commit 89d513595c
2 changed files with 52 additions and 0 deletions


@ -401,3 +401,47 @@ class TestTrustOperations(test_v3.RestfulTestCase):
resp_body['user']['domain']['name'])
self.assertEqual(self.project['id'], resp_body['project']['id'])
self.assertEqual(self.project['name'], resp_body['project']['name'])
def test_forbidden_trust_impersonation_in_redelegation(self):
"""Test forbiddance of impersonation in trust redelegation.
Check that trustee not allowed to create a trust (with impersonation
set to true) from a redelegated trust (with impersonation set to false)
"""
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
auth_data = self.build_authentication_request(
user_id=self.trustee_user_id,
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
# create third-party user, which will be trustee in trust created from
# redelegated trust
third_party_trustee = unit.create_user(self.identity_api,
domain_id=self.domain_id)
third_party_trustee_id = third_party_trustee['id']
# create trust from redelegated trust
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=third_party_trustee_id,
project_id=self.project_id,
impersonation=True,
role_ids=[self.role_id])
ref['redelegated_trust_id'] = trust['id']
self.admin_request(path='/v3/OS-TRUST/trusts',
body={'trust': ref},
token=resp.headers.get('X-Subject-Token'),
method='POST',
expected_status=http_client.FORBIDDEN)
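Review bot: The new test pins only the rejected combination (parent impersonation=False, child impersonation=True) and never shows that the check does not over-block the legitimate cases, so a regression that rejects every redelegation with impersonation=True would still pass this test. A companion case that builds the first trust with `impersonation=True, allow_redelegation=True` and then creates the redelegated trust with `impersonation=True`, asserting it succeeds, would pin the boundary from both sides. The docstring on the new method should also state why the combination is forbidden, e.g. `"""A redelegated trust must not widen impersonation: a trustee who cannot impersonate the trustor must not be able to grant that right to a third party."""`, since that is the security property the test protects. Minor style: `resp` is reused for both the trust creation and the token response; a distinct name such as `token_resp` for the result of `v3_create_token` would make the `X-Subject-Token` lookup easier to follow.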


@ -87,6 +87,14 @@ class Manager(manager.Manager):
raise exception.Forbidden(
_('Some of requested roles are not in redelegated trust'))
# forbid to create a trust (with impersonation set to true) from a
# redelegated trust (with impersonation set to false)
if not redelegated_trust['impersonation'] and trust['impersonation']:
raise exception.Forbidden(
_('Impersonation is not allowed because redelegated trust '
'does not specify impersonation. Redelegated trust id: %s') %
redelegated_trust['id'])
def get_trust_pedigree(self, trust_id):
trust = self.driver.get_trust(trust_id)
trust_chain = [trust]
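Review bot: The new guard checks only the immediate parent's impersonation flag, and the comment does not say why that is sufficient; presumably it relies on every earlier redelegation having passed the same check, so the flag can only ever go from True to False along the chain, but that reasoning is not stated anywhere in the hunk. Expanding the comment to `# A redelegated trust may narrow but never widen impersonation; each parent in the chain was validated by this same check when it was created, so comparing against the immediate parent is enough.` records the invariant a future change to get_trust_pedigree would need to preserve. The check also reads `trust['impersonation']` with plain indexing; if the request schema does not already make that key mandatory, a missing key would surface as a 500 rather than the intended 403, so it is worth confirming that the schema requires it. The enclosing function begins outside the hunk.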