From 733ef4f2d8c2a3734c360d1c1dd3a6fcd600cb8c Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Thu, 1 Sep 2022 21:13:44 -0400 Subject: [PATCH] Do not allow a tenant to create a default SG for another one The attempt to list security groups for a project, or any random string, can create a default SG for it. Only allow if privileges support it. Closes-bug: #1988026 Change-Id: Ieef7011f48cd2188d4254ff16d90a6465bbabfe3 (cherry picked from commit 01fc2b9195f999df4d810df4ee63f77ecbc81f7e) --- neutron/db/securitygroups_db.py | 4 ++++ neutron/tests/unit/db/test_securitygroups_db.py | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py index de5019ccc13..79ef88b062a 100644 --- a/neutron/db/securitygroups_db.py +++ b/neutron/db/securitygroups_db.py @@ -915,6 +915,10 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase, :returns: the default security group id for given tenant. """ + # Do not allow a tenant to create a default SG for another one. + # See Bug 1987410. + if tenant_id != context.tenant_id and not context.is_admin: + return if not extensions.is_extension_supported(self, 'security-group'): return default_group_id = self._get_default_sg_id(context, tenant_id) diff --git a/neutron/tests/unit/db/test_securitygroups_db.py b/neutron/tests/unit/db/test_securitygroups_db.py index 98dc5a60bf9..e3e781e52e7 100644 --- a/neutron/tests/unit/db/test_securitygroups_db.py +++ b/neutron/tests/unit/db/test_securitygroups_db.py @@ -617,3 +617,15 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase): self.mixin._ensure_default_security_group(self.ctx, 'tenant_1') create_sg.assert_not_called() get_default_sg_id.assert_not_called() + + def test__ensure_default_security_group_tenant_mismatch(self): + with mock.patch.object( + self.mixin, '_get_default_sg_id') as get_default_sg_id,\ + mock.patch.object( + self.mixin, 'create_security_group') as create_sg: + context = mock.Mock() + context.tenant_id = 'tenant_0' + context.is_admin = False + self.mixin._ensure_default_security_group(context, 'tenant_1') + create_sg.assert_not_called() + get_default_sg_id.assert_not_called()