From e88097f4c0245439d15df490f4b097f2e9def9c9 Mon Sep 17 00:00:00 2001 From: Sean Perry Date: Wed, 21 Sep 2016 16:59:47 -0700 Subject: [PATCH] Add domain check in domain-specific role implication Forbids implication between domain-specific roles from different domains Change-Id: I9d3b9747df04b425f8c708bb3436569f2baf47c8 Co-Authored-By: Steve Martinelli Co-Authored-By: Mikhail Nikolaenko Closes-Bug: #1590583 --- etc/policy.v3cloudsample.json | 3 ++- keystone/tests/unit/test_v3_protection.py | 29 +++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index f7759f0b88..b8eef0b072 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -94,10 +94,11 @@ "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s", "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s", "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s", + "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)", "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", - "identity:create_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", + "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)", "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", "identity:list_role_inference_rules": "rule:cloud_admin", "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id", diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py index 27794e7ff1..501cd88d5d 100644 --- a/keystone/tests/unit/test_v3_protection.py +++ b/keystone/tests/unit/test_v3_protection.py @@ -1937,3 +1937,32 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample): self.delete('/roles/%s/implies/%s' % (self.appadmin_role['id'], self.appdev_role['id']), token=self.admin_token) + + def test_forbidden_role_implication_from_different_domain(self): + domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex) + self.resource_api.create_domain(domain2['id'], domain2) + + role2 = unit.new_role_ref(domain_id=domain2['id']) + implied = self.role_api.create_role(role2['id'], role2) + + self.put('/roles/%s/implies/%s' + % (self.appdev_role['id'], implied['id']), + token=self.admin_token, + expected_status=http_client.FORBIDDEN) + + def test_allowed_role_implication_different_domains_as_cloud_admin(self): + self.auth = self.build_authentication_request( + user_id=self.cloud_admin_user['id'], + password=self.cloud_admin_user['password'], + project_id=self.admin_project['id']) + + domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex) + self.resource_api.create_domain(domain2['id'], domain2) + + role2 = unit.new_role_ref(domain_id=domain2['id']) + implied = self.role_api.create_role(role2['id'], role2) + + self.put('/roles/%s/implies/%s' + % (self.appdev_role['id'], implied['id']), + auth=self.auth, + expected_status=http_client.CREATED)