Merge "Add domain check in domain-specific role implication"
This commit is contained in:
commit
8a6d08b106
@ -94,10 +94,11 @@
|
||||
"domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
|
||||
"admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
|
||||
"implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
|
||||
|
||||
"identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
||||
"identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
||||
"identity:create_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
||||
"identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
|
||||
"identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
||||
"identity:list_role_inference_rules": "rule:cloud_admin",
|
||||
"identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
|
||||
|
@ -1937,3 +1937,32 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
|
||||
self.delete('/roles/%s/implies/%s'
|
||||
% (self.appadmin_role['id'], self.appdev_role['id']),
|
||||
token=self.admin_token)
|
||||
|
||||
def test_forbidden_role_implication_from_different_domain(self):
|
||||
domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
|
||||
self.resource_api.create_domain(domain2['id'], domain2)
|
||||
|
||||
role2 = unit.new_role_ref(domain_id=domain2['id'])
|
||||
implied = self.role_api.create_role(role2['id'], role2)
|
||||
|
||||
self.put('/roles/%s/implies/%s'
|
||||
% (self.appdev_role['id'], implied['id']),
|
||||
token=self.admin_token,
|
||||
expected_status=http_client.FORBIDDEN)
|
||||
|
||||
def test_allowed_role_implication_different_domains_as_cloud_admin(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.cloud_admin_user['id'],
|
||||
password=self.cloud_admin_user['password'],
|
||||
project_id=self.admin_project['id'])
|
||||
|
||||
domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
|
||||
self.resource_api.create_domain(domain2['id'], domain2)
|
||||
|
||||
role2 = unit.new_role_ref(domain_id=domain2['id'])
|
||||
implied = self.role_api.create_role(role2['id'], role2)
|
||||
|
||||
self.put('/roles/%s/implies/%s'
|
||||
% (self.appdev_role['id'], implied['id']),
|
||||
auth=self.auth,
|
||||
expected_status=http_client.CREATED)
|
||||
|
Loading…
Reference in New Issue
Block a user