Increase protection testing for application credentials

This commit updates the application credential protection tests to ensure users can't craft paths that bypass application credential ownership checks. Depends-On: https://review.opendev.org/c/openstack/keystone/+/760972 Change-Id: I7729190d42a6a7199553c5fc058e1b93eecb2068 Related-Bug: 1901207
2020-12-03 18:03:39 +00:00 · 2020-12-03 18:03:39 +00:00 · faa9b13891
parent a6d4ceaf57
commit faa9b13891
1 changed files with 16 additions and 2 deletions
--- a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
@ -460,7 +460,9 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
            user_id=user_id,
            application_credential_id=data_utils.rand_uuid_hex())

-        # user cannot retrieve another user's app cred
+        # user cannot retrieve another user's app cred by using the victim's
+        # user ID in the request or by trying to bypass the user ownership
+        # check by crafting a path the the attacker's user ID
        user_id = self.test_user_id
        client = self.test_user_client.application_credentials_client
        app_cred = client.create_application_credential(
@ -468,6 +470,11 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
        self.addCleanup(
            client.delete_application_credential,
            user_id=user_id, application_credential_id=app_cred['id'])
+        self.do_request(
+            'show_application_credential',
+            expected_status=exceptions.Forbidden,
+            user_id=self.persona.credentials.user_id,
+            application_credential_id=app_cred['id'])
        self.do_request(
            'show_application_credential',
            expected_status=exceptions.Forbidden,
@ -520,7 +527,9 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
            user_id=user_id,
            application_credential_id=data_utils.rand_uuid_hex())

-        # user cannot delete another user's app cred
+        # user cannot delete another user's app cred by using the victim's
+        # user ID in the request or by trying to bypass the user ownership
+        # check by crafting a path the the attacker's user ID
        user_id = self.test_user_id
        client = self.test_user_client.application_credentials_client
        app_cred = client.create_application_credential(
@ -528,6 +537,11 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
        self.addCleanup(
            client.delete_application_credential,
            user_id=user_id, application_credential_id=app_cred['id'])
+        self.do_request(
+            'delete_application_credential',
+            expected_status=exceptions.Forbidden,
+            user_id=self.persona.credentials.user_id,
+            application_credential_id=app_cred['id'])
        self.do_request(
            'delete_application_credential',
            expected_status=exceptions.Forbidden,