From 993a344559f293a225fe5dd59525e580249c652f Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski <skaplons@redhat.com>
Date: Thu, 12 Sep 2019 22:02:52 +0200
Subject: [PATCH] List SG rules which belongs to tenant's SG

In case when user's security group contains rules created e.g.
by admin, and such rules has got admin's tenant as tenant_id,
owner of security group should be able to see those rules.
Some time ago this was addressed for request:

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

So this patch fixes this behaviour for listing of security
group rules.
To achieve that this patch also adds new policy rule:
ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
ports.

Conflicts:
    neutron/conf/policies/security_group.py

Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
Closes-Bug: #1824248
(cherry picked from commit b898d2e3c08b50e576ee849fbe8614c66f360c62)
---
 etc/policy.json                                    |  4 +++-
 neutron/db/securitygroups_db.py                    | 14 ++++++++++++--
 neutron/policy.py                                  |  3 ++-
 neutron/tests/etc/policy.json                      |  4 +++-
 ...-for-security-group-owner-6635dd3e4c6ab5ee.yaml |  6 ++++++
 5 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml

diff --git a/etc/policy.json b/etc/policy.json
index cd96f1972f7..4e803c15f03 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -14,6 +14,8 @@
     "external": "field:networks:router:external=True",
     "default": "rule:admin_or_owner",
     "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
+    "admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
+    "admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",
 
     "create_subnet": "rule:admin_or_network_owner",
     "create_subnet:segment_id": "rule:admin_only",
@@ -244,7 +246,7 @@
 
     "create_security_group_rule": "rule:admin_or_owner",
     "get_security_group_rules": "rule:admin_or_owner",
-    "get_security_group_rule": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_owner_or_sg_owner",
     "delete_security_group_rule": "rule:admin_or_owner",
 
     "get_loggable_resources": "rule:admin_only",
diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index 79971e9289f..95a9c82f3fc 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -672,8 +672,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
         pager = base_obj.Pager(
             sorts=sorts, marker=marker, limit=limit, page_reverse=page_reverse)
 
+        # NOTE(slaweq): use admin context here to be able to get all rules
+        # which fits filters' criteria. Later in policy engine rules will be
+        # filtered and only those which are allowed according to policy will
+        # be returned
         rule_objs = sg_obj.SecurityGroupRule.get_objects(
-            context, _pager=pager, validate_filters=False, **filters
+            context_lib.get_admin_context(), _pager=pager,
+            validate_filters=False, **filters
         )
         return [
             self._make_security_group_rule_dict(obj.db_obj, fields)
@@ -688,7 +693,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
 
     @db_api.retry_if_session_inactive()
     def get_security_group_rule(self, context, id, fields=None):
-        security_group_rule = self._get_security_group_rule(context, id)
+        # NOTE(slaweq): use admin context here to be able to get all rules
+        # which fits filters' criteria. Later in policy engine rules will be
+        # filtered and only those which are allowed according to policy will
+        # be returned
+        security_group_rule = self._get_security_group_rule(
+            context_lib.get_admin_context(), id)
         return self._make_security_group_rule_dict(
             security_group_rule.db_obj, fields)
 
diff --git a/neutron/policy.py b/neutron/policy.py
index 38ece99ffdf..b5df8de05cb 100644
--- a/neutron/policy.py
+++ b/neutron/policy.py
@@ -43,7 +43,8 @@ ADVSVC_CTX_POLICY = 'context_is_advsvc'
 
 # Identify the attribute used by a resource to reference another resource
 _RESOURCE_FOREIGN_KEYS = {
-    net_apidef.COLLECTION_NAME: 'network_id'
+    net_apidef.COLLECTION_NAME: 'network_id',
+    'security_groups': 'security_group_id'
 }
 
 
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index cd96f1972f7..4e803c15f03 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
@@ -14,6 +14,8 @@
     "external": "field:networks:router:external=True",
     "default": "rule:admin_or_owner",
     "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
+    "admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
+    "admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",
 
     "create_subnet": "rule:admin_or_network_owner",
     "create_subnet:segment_id": "rule:admin_only",
@@ -244,7 +246,7 @@
 
     "create_security_group_rule": "rule:admin_or_owner",
     "get_security_group_rules": "rule:admin_or_owner",
-    "get_security_group_rule": "rule:admin_or_owner",
+    "get_security_group_rule": "rule:admin_owner_or_sg_owner",
     "delete_security_group_rule": "rule:admin_or_owner",
 
     "get_loggable_resources": "rule:admin_only",
diff --git a/releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml b/releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml
new file mode 100644
index 00000000000..647d0e69af1
--- /dev/null
+++ b/releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Owners of security groups now see all security group rules which belong to
+    the security group, even if the rule was created by the admin user.
+    Fixes bug `1824248 <https://bugs.launchpad.net/neutron/+bug/1824248>`_.