From 89d513595c0a2c828a36ec721ccfdfdd77e6bfb0 Mon Sep 17 00:00:00 2001
From: Mikhail Nikolaenko
Date: Wed, 15 Jun 2016 15:58:26 +0000
Subject: [PATCH] Validate impersonation in trust redelegation

Forbids trustee to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false).

Change-Id: I53a593a2056c8e8fa0292a806c3b4b48c16ad7fd
Closes-Bug: #1539766
---
 keystone/tests/unit/test_v3_trust.py | 44 ++++++++++++++++++++++++++++
 keystone/trust/core.py | 8 +++++
 2 files changed, 52 insertions(+)

diff --git a/keystone/tests/unit/test_v3_trust.py b/keystone/tests/unit/test_v3_trust.py
index d60ce36d3a..f10bdd1e55 100644
--- a/keystone/tests/unit/test_v3_trust.py
+++ b/keystone/tests/unit/test_v3_trust.py
@@ -401,3 +401,47 @@ class TestTrustOperations(test_v3.RestfulTestCase):
 resp_body['user']['domain']['name'])
 self.assertEqual(self.project['id'], resp_body['project']['id'])
 self.assertEqual(self.project['name'], resp_body['project']['name'])
+
+ def test_forbidden_trust_impersonation_in_redelegation(self):
+ """Test forbiddance of impersonation in trust redelegation.
+
+ Check that trustee not allowed to create a trust (with impersonation
+ set to true) from a redelegated trust (with impersonation set to false)
+ """
+ # create trust
+ ref = unit.new_trust_ref(
+ trustor_user_id=self.user_id,
+ trustee_user_id=self.trustee_user_id,
+ project_id=self.project_id,
+ impersonation=False,
+ role_ids=[self.role_id],
+ allow_redelegation=True)
+ resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
+
+ trust = self.assertValidTrustResponse(resp)
+
+ auth_data = self.build_authentication_request(
+ user_id=self.trustee_user_id,
+ password=self.trustee_user['password'],
+ trust_id=trust['id'])
+ resp = self.v3_create_token(auth_data)
+
+ # create third-party user, which will be trustee in trust created from
+ # redelegated trust
+ third_party_trustee = unit.create_user(self.identity_api,
+ domain_id=self.domain_id)
+ third_party_trustee_id = third_party_trustee['id']
+
+ # create trust from redelegated trust
+ ref = unit.new_trust_ref(
+ trustor_user_id=self.trustee_user_id,
+ trustee_user_id=third_party_trustee_id,
+ project_id=self.project_id,
+ impersonation=True,
+ role_ids=[self.role_id])
+ ref['redelegated_trust_id'] = trust['id']
+ self.admin_request(path='/v3/OS-TRUST/trusts',
+ body={'trust': ref},
+ token=resp.headers.get('X-Subject-Token'),
+ method='POST',
+ expected_status=http_client.FORBIDDEN)
diff --git a/keystone/trust/core.py b/keystone/trust/core.py
index 43069deb69..e7dc0ffa81 100644
--- a/keystone/trust/core.py
+++ b/keystone/trust/core.py
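Review bot: The new test pins only the escalating direction (parent `impersonation=False`, child `impersonation=True` must get 403); nothing in the suite checks that the guard added in keystone/trust/core.py still accepts the narrowing direction, so an accidental inversion of that condition would pass this test unnoticed. A companion test with the same two-step flow but `impersonation=True,` on the first `new_trust_ref` call and `impersonation=False,` on the second, finishing with `expected_status=http_client.CREATED` in place of `expected_status=http_client.FORBIDDEN`, would close that gap. It is also worth a one-line comment noting that both trusts deliberately use the same `role_ids=[self.role_id]` so the 403 can only come from the impersonation check and not from the role-subset check that precedes it. The enclosing class `TestTrustOperations` starts before this hunk.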
@@ -87,6 +87,14 @@ class Manager(manager.Manager):
 raise exception.Forbidden(
 _('Some of requested roles are not in redelegated trust'))
 
+ # forbid to create a trust (with impersonation set to true) from a
+ # redelegated trust (with impersonation set to false)
+ if not redelegated_trust['impersonation'] and trust['impersonation']:
+ raise exception.Forbidden(
+ _('Impersonation is not allowed because redelegated trust '
+ 'does not specify impersonation. Redelegated trust id: %s') %
+ redelegated_trust['id'])
+
 def get_trust_pedigree(self, trust_id):
 trust = self.driver.get_trust(trust_id)
 trust_chain = [trust]
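Review bot: The comment above the new guard only restates the condition; a why-comment tying it to the invariant the surrounding checks enforce would help the next maintainer, e.g. `# A redelegated trust may never widen what its parent grants: like the role-subset check above, impersonation can be kept or dropped along the chain but never acquired.` The direct subscript `trust['impersonation']` is fine if the trust-create schema already requires that key (I believe it does, so this is only worth confirming); if it does not, an omitted key would surface as a KeyError (HTTP 500) instead of a 4xx, and `trust.get('impersonation')` would treat an absent value as "no impersonation requested", which is the safe direction for this check. The enclosing method starts before the hunk, so the role-subset check is the only sibling validation visible here.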