From 513680616f0d69970b366105141c39c85855a8ad Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 3 Oct 2025 12:51:59 +0200
Subject: [PATCH] [S-RBAC] Fix policies for l3_conntrack_helpers
Policies for those API actions should not rely on the "PROJECT_READER" or "PROJECT_MEMBER" rules as this resource don't have project_id attribute and instead belongs to the project of the parent resource (which is l3_router). This patch updates those rules to: base.ADMIN_OR_PARENT_OWNER_MEMBER base.ADMIN_OR_PARENT_OWNER_READER
Closes-bug: #2126759
Change-Id: Id67346262a3dbe4717273073b5f8c6a385d2180d
Signed-off-by: Slawek Kaplonski
(cherry picked from commit 0edbfe26d01ad0dfe1a3875527ac1f8c2f47f56f)
---
 neutron/conf/policies/l3_conntrack_helper.py | 16 ++++------------
 .../conf/policies/test_l3_conntrack_helper.py | 4 ++--
 2 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/neutron/conf/policies/l3_conntrack_helper.py b/neutron/conf/policies/l3_conntrack_helper.py
index c55a8988509..58e2c8df5af 100644
--- a/neutron/conf/policies/l3_conntrack_helper.py
+++ b/neutron/conf/policies/l3_conntrack_helper.py
@@ -30,9 +30,7 @@ RESOURCE_PATH = ('/routers/{router_id}'
 rules = [
 policy.DocumentedRuleDefault(
 name='create_router_conntrack_helper',
- check_str=neutron_policy.policy_or(
- base.ADMIN_OR_PROJECT_MEMBER,
- base.PARENT_OWNER_MEMBER),
+ check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
 scope_types=['project'],
 description='Create a router conntrack helper',
 operations=[
@@ -49,9 +47,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='get_router_conntrack_helper',
- check_str=neutron_policy.policy_or(
- base.ADMIN_OR_PROJECT_READER,
- base.PARENT_OWNER_READER),
+ check_str=base.ADMIN_OR_PARENT_OWNER_READER,
 scope_types=['project'],
 description='Get a router conntrack helper',
 operations=[
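Review bot: After this replacement the `neutron_policy` name is no longer used in `create_router_conntrack_helper`, and the get hunk below plus the update and delete hunks in this file make the same swap; if those four `policy_or` calls were its only uses, the `neutron_policy` import at the top of the file is now dead and should be removed in this patch rather than left for a later lint fix. The new `base.ADMIN_OR_PARENT_OWNER_MEMBER` and `base.ADMIN_OR_PARENT_OWNER_READER` constants are referenced but not defined anywhere in this diff, so the change only works if `base` already exports both on this branch — a missing attribute surfaces as an AttributeError when the policy module is imported, which is worth confirming on a cherry-pick. Dropping the OR'd project-member/reader branch narrows these rules to admins and members or readers of the parent router's project, which is presumably the intent since the resource carries no `project_id` of its own; a release note stating that narrowing explicitly would help operators who carry overrides for these rule names. The `rules` list and each `DocumentedRuleDefault(` call continue past the hunk.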
@@ -72,9 +68,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='update_router_conntrack_helper',
- check_str=neutron_policy.policy_or(
- base.ADMIN_OR_PROJECT_MEMBER,
- base.PARENT_OWNER_MEMBER),
+ check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
 scope_types=['project'],
 description='Update a router conntrack helper',
 operations=[
@@ -91,9 +85,7 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='delete_router_conntrack_helper',
- check_str=neutron_policy.policy_or(
- base.ADMIN_OR_PROJECT_MEMBER,
- base.PARENT_OWNER_MEMBER),
+ check_str=base.ADMIN_OR_PARENT_OWNER_MEMBER,
 scope_types=['project'],
 description='Delete a router conntrack helper',
 operations=[
diff --git a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
index d69f67942a7..1be3c008f8f 100644
--- a/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
+++ b/neutron/tests/unit/conf/policies/test_l3_conntrack_helper.py
@@ -28,17 +28,17 @@ class L3ConntrackHelperAPITestCase(base.PolicyBaseTestCase):
 super().setUp()
 self.router = {
 'id': uuidutils.generate_uuid(),
+ 'tenant_id': self.project_id,
 'project_id': self.project_id}
 self.alt_router = {
 'id': uuidutils.generate_uuid(),
+ 'tenant_id': self.alt_project_id,
 'project_id': self.alt_project_id}
 self.target = {
- 'project_id': self.project_id,
 'router_id': self.router['id'],
 'ext_parent_router_id': self.router['id']}
 self.alt_target = {
- 'project_id': self.alt_project_id,
 'router_id': self.alt_router['id'],
 'ext_parent_router_id': self.alt_router['id']}