Give domain admin rights to domain specific implied roles

Currently this is not working because of our default policy.v3cloudsample.json file. Add a new rule to check that the prior role's domain ID matches the domain ID of the user. Co-Authored-By: David Stanek <dstanek@dstanek.com> Change-Id: Id1f5ccac3c639a44b33780b001e401bab195d8b3 Closes-Bug: #1593813
2016-09-15 11:04:14 -07:00 · 2016-09-15 11:04:14 -07:00 · 47d4d08ecb
parent e10305da58
commit 47d4d08ecb
3 changed files with 86 additions and 10 deletions
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@ -93,13 +93,14 @@
    "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
    "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
    "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
+    "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",

-    "identity:get_implied_role": "rule:cloud_admin",
-    "identity:list_implied_roles": "rule:cloud_admin",
-    "identity:create_implied_role": "rule:cloud_admin",
-    "identity:delete_implied_role": "rule:cloud_admin",
+    "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
+    "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
+    "identity:create_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
+    "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
    "identity:list_role_inference_rules": "rule:cloud_admin",
-    "identity:check_implied_role": "rule:cloud_admin",
+    "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",

    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
--- a/keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
@ -443,6 +443,15 @@ class RoleV3(controller.V3Controller):
 class ImpliedRolesV3(controller.V3Controller):
    """The V3 ImpliedRoles CRD APIs.  There is no Update."""

+    def _check_implies_role(self, request, prep_info,
+                            prior_role_id, implied_role_id=None):
+        ref = {}
+        ref['prior_role'] = self.role_api.get_role(prior_role_id)
+        if implied_role_id:
+            ref['implied_role'] = self.role_api.get_role(implied_role_id)
+
+        self.check_protection(request, prep_info, ref)
+
    def _prior_role_stanza(self, endpoint, prior_role_id, prior_role_name):
        return {
            "id": prior_role_id,
@ -494,7 +503,7 @@ class ImpliedRolesV3(controller.V3Controller):
        response["role_inference"]['implies'] = stanza
        return response

-    @controller.protected()
+    @controller.protected(callback=_check_implies_role)
    def get_implied_role(self, request, prior_role_id, implied_role_id):
        ref = self.role_api.get_implied_role(prior_role_id, implied_role_id)

@ -506,11 +515,11 @@ class ImpliedRolesV3(controller.V3Controller):
            endpoint, prior_id, implied_id)
        return response

-    @controller.protected()
+    @controller.protected(callback=_check_implies_role)
    def check_implied_role(self, request, prior_role_id, implied_role_id):
        self.role_api.get_implied_role(prior_role_id, implied_role_id)

-    @controller.protected()
+    @controller.protected(callback=_check_implies_role)
    def create_implied_role(self, request, prior_role_id, implied_role_id):
        self.role_api.create_implied_role(prior_role_id, implied_role_id)
        return wsgi.render_response(
@ -519,11 +528,11 @@ class ImpliedRolesV3(controller.V3Controller):
                                  implied_role_id),
            status=(201, 'Created'))

-    @controller.protected()
+    @controller.protected(callback=_check_implies_role)
    def delete_implied_role(self, request, prior_role_id, implied_role_id):
        self.role_api.delete_implied_role(prior_role_id, implied_role_id)

-    @controller.protected()
+    @controller.protected(callback=_check_implies_role)
    def list_implied_roles(self, request, prior_role_id):
        ref = self.role_api.list_implied_roles(prior_role_id)
        implied_ids = [r['implied_role_id'] for r in ref]
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -1871,3 +1871,69 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        self._domain_role_management_cases(
            self.domainA['id'], read_status_OK=True,
            expected=exception.ForbiddenAction.code)
+
+
+class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
+    """Test Domain specific Implied Roles via the REST API."""
+
+    def setUp(self):
+        super(IdentityTestImpliedDomainSpecificRoles, self).setUp()
+
+        domain_admin_auth = self.build_authentication_request(
+            user_id=self.domain_admin_user['id'],
+            password=self.domain_admin_user['password'],
+            domain_id=self.domainA['id'])
+        self.admin_token = self.get_requested_token(domain_admin_auth)
+
+        self.appdev_role = unit.new_role_ref(domain_id=self.domainA['id'])
+        self.role_api.create_role(self.appdev_role['id'], self.appdev_role)
+
+        self.appadmin_role = unit.new_role_ref(domain_id=self.domainA['id'])
+        self.role_api.create_role(self.appadmin_role['id'], self.appadmin_role)
+
+    def _create_implied_role(self):
+        self.role_api.create_implied_role(self.appadmin_role['id'],
+                                          self.appdev_role['id'])
+
+    def test_get(self):
+        # A domain admin should be able to get an existing implied role
+        # on the domain for which they are the admin.
+        self._create_implied_role()
+
+        self.get('/roles/%s/implies/%s'
+                 % (self.appadmin_role['id'], self.appdev_role['id']),
+                 token=self.admin_token)
+
+    def test_list(self):
+        # A domain admin should be able to list the implications of an
+        # existing implied role on the domain for which they are the admin.
+        self._create_implied_role()
+
+        self.get('/roles/%s/implies' % (self.appadmin_role['id'], ),
+                 token=self.admin_token)
+
+    def test_check(self):
+        # A domain admin should be able to check an existing implied role
+        # on the domain for which they are the admin.
+        self._create_implied_role()
+
+        self.head('/roles/%s/implies/%s'
+                  % (self.appadmin_role['id'], self.appdev_role['id']),
+                  token=self.admin_token)
+
+    def test_put(self):
+        # A domain admin should be able to create an implied role on the
+        # domain for which they are the admin.
+        self.put('/roles/%s/implies/%s'
+                 % (self.appadmin_role['id'], self.appdev_role['id']),
+                 token=self.admin_token,
+                 expected_status=http_client.CREATED)
+
+    def test_delete(self):
+        # A domain admin should be able to check an existing implied role
+        # on the domain for which they are the admin.
+        self._create_implied_role()
+
+        self.delete('/roles/%s/implies/%s'
+                    % (self.appadmin_role['id'], self.appdev_role['id']),
+                    token=self.admin_token)