Add domain check in domain-specific role implication

Forbids implication between domain-specific roles from different domains Change-Id: I9d3b9747df04b425f8c708bb3436569f2baf47c8 Co-Authored-By: Steve Martinelli <s.martinelli@gmail.com> Co-Authored-By: Mikhail Nikolaenko <mnikolaenko@mirantis.com> Closes-Bug: #1590583
2016-09-21 16:59:47 -07:00 · 2016-09-21 16:59:47 -07:00 · e88097f4c0
commit e88097f4c0
parent 5db3b5165a
2 changed files with 31 additions and 1 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -94,10 +94,11 @@
    "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
    "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
    "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
+    "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",

    "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
    "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-    "identity:create_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
+    "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
    "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
    "identity:list_role_inference_rules": "rule:cloud_admin",
    "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -1937,3 +1937,32 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
        self.delete('/roles/%s/implies/%s'
                    % (self.appadmin_role['id'], self.appdev_role['id']),
                    token=self.admin_token)
+
+    def test_forbidden_role_implication_from_different_domain(self):
+        domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
+        self.resource_api.create_domain(domain2['id'], domain2)
+
+        role2 = unit.new_role_ref(domain_id=domain2['id'])
+        implied = self.role_api.create_role(role2['id'], role2)
+
+        self.put('/roles/%s/implies/%s'
+                 % (self.appdev_role['id'], implied['id']),
+                 token=self.admin_token,
+                 expected_status=http_client.FORBIDDEN)
+
+    def test_allowed_role_implication_different_domains_as_cloud_admin(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            project_id=self.admin_project['id'])
+
+        domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
+        self.resource_api.create_domain(domain2['id'], domain2)
+
+        role2 = unit.new_role_ref(domain_id=domain2['id'])
+        implied = self.role_api.create_role(role2['id'], role2)
+
+        self.put('/roles/%s/implies/%s'
+                 % (self.appdev_role['id'], implied['id']),
+                 auth=self.auth,
+                 expected_status=http_client.CREATED)