From 717e3e09556f1fb9a7a420863746fa785eb6c316 Mon Sep 17 00:00:00 2001
From: Brian Haley <haleyb.dev@gmail.com>
Date: Thu, 1 Sep 2022 21:13:44 -0400
Subject: [PATCH] Do not allow a tenant to create a default SG for another one

The attempt to list security groups for a project, or any
random string, can create a default SG for it. Only allow if
privileges support it.

Closes-bug: #1988026

Change-Id: Ieef7011f48cd2188d4254ff16d90a6465bbabfe3
(cherry picked from commit 01fc2b9195f999df4d810df4ee63f77ecbc81f7e)
---
 neutron/db/securitygroups_db.py                 |  4 ++++
 neutron/tests/unit/db/test_securitygroups_db.py | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index 5e3c11dd5a5..dc41e363852 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -931,6 +931,10 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase,
 
         :returns: the default security group id for given tenant.
         """
+        # Do not allow a tenant to create a default SG for another one.
+        # See Bug 1987410.
+        if tenant_id != context.tenant_id and not context.is_admin:
+            return
         if not extensions.is_extension_supported(self, 'security-group'):
             return
         default_group_id = self._get_default_sg_id(context, tenant_id)
diff --git a/neutron/tests/unit/db/test_securitygroups_db.py b/neutron/tests/unit/db/test_securitygroups_db.py
index 399795e18d2..64559321be5 100644
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@@ -659,3 +659,15 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
             self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
             create_sg.assert_not_called()
             get_default_sg_id.assert_not_called()
+
+    def test__ensure_default_security_group_tenant_mismatch(self):
+        with mock.patch.object(
+                self.mixin, '_get_default_sg_id') as get_default_sg_id,\
+                mock.patch.object(
+                        self.mixin, 'create_security_group') as create_sg:
+            context = mock.Mock()
+            context.tenant_id = 'tenant_0'
+            context.is_admin = False
+            self.mixin._ensure_default_security_group(context, 'tenant_1')
+            create_sg.assert_not_called()
+            get_default_sg_id.assert_not_called()