From f3b69e4b4cb66470a4fcba5b84ba3cfaf1ec7b07 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Wed, 21 Nov 2018 12:57:14 +0000
Subject: [PATCH] Update region policies to use system admin

This change updates the policies for the regions API to include
system administrators and includes appropriate test coverage. A
subsequent set of patches will introduce test coverage for:

 - domains user test coverage
 - project users test coverage

 Related-Bug: 1804292
 Closes-Bug: 1804446

Change-Id: I84dd7fc69a2eab9ab8c2130f26a2fb664d5663a5
---
 keystone/common/policies/region.py            | 44 ++++++++++++++---
 .../tests/unit/protection/v3/test_regions.py  | 49 +++++++++++++++++++
 .../notes/bug-1804446-1a281eadbb044070.yaml   | 29 +++++++++++
 3 files changed, 116 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/bug-1804446-1a281eadbb044070.yaml

diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py
index cfd671ad66..bbebc29c44 100644
--- a/keystone/common/policies/region.py
+++ b/keystone/common/policies/region.py
@@ -10,10 +10,33 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from keystone.common.policies import base
 
+deprecated_create_region = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_region',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_update_region = policy.DeprecatedRule(
+    name=base.IDENTITY % 'update_region',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_region = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_region',
+    check_str=base.RULE_ADMIN_REQUIRED
+)
+
+DEPRECATED_REASON = (
+    'As of the Stein release, the region API now understands default roles '
+    'and system-scoped tokens, making the API more granular without '
+    'compromising security. The new policies for this API account for these '
+    'changes automatically. Be sure to take these new defaults into '
+    'consideration if you are relying on overrides in your deployment for the '
+    'region API.'
+)
+
 region_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'get_region',
@@ -41,27 +64,36 @@ region_policies = [
                      'method': 'HEAD'}]),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'create_region',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Create region.',
         operations=[{'path': '/v3/regions',
                      'method': 'POST'},
                     {'path': '/v3/regions/{region_id}',
-                     'method': 'PUT'}]),
+                     'method': 'PUT'}],
+        deprecated_rule=deprecated_create_region,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'update_region',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Update region.',
         operations=[{'path': '/v3/regions/{region_id}',
-                     'method': 'PATCH'}]),
+                     'method': 'PATCH'}],
+        deprecated_rule=deprecated_update_region,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'delete_region',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
         scope_types=['system'],
         description='Delete region.',
         operations=[{'path': '/v3/regions/{region_id}',
-                     'method': 'DELETE'}])
+                     'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_region,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.STEIN),
 ]
 
 
diff --git a/keystone/tests/unit/protection/v3/test_regions.py b/keystone/tests/unit/protection/v3/test_regions.py
index 57510851f0..8fbde351a5 100644
--- a/keystone/tests/unit/protection/v3/test_regions.py
+++ b/keystone/tests/unit/protection/v3/test_regions.py
@@ -146,3 +146,52 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
             r = c.post('/v3/auth/tokens', json=auth)
             self.token_id = r.headers['X-Subject-Token']
             self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+                       common_auth.AuthTestMixin,
+                       _UserRegionTests):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        # Reuse the system administrator account created during
+        # ``keystone-manage bootstrap``
+        self.user_id = self.bootstrapper.admin_user_id
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=self.bootstrapper.admin_password,
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_user_can_create_regions(self):
+        create = {'region': {'description': uuid.uuid4().hex}}
+
+        with self.test_client() as c:
+            c.post('/v3/regions', json=create, headers=self.headers)
+
+    def test_user_can_update_regions(self):
+        region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
+
+        with self.test_client() as c:
+            update = {'region': {'description': uuid.uuid4().hex}}
+            c.patch(
+                '/v3/regions/%s' % region['id'], json=update,
+                headers=self.headers
+            )
+
+    def test_user_can_delete_regions(self):
+        region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
+
+        with self.test_client() as c:
+            c.delete('/v3/regions/%s' % region['id'], headers=self.headers)
diff --git a/releasenotes/notes/bug-1804446-1a281eadbb044070.yaml b/releasenotes/notes/bug-1804446-1a281eadbb044070.yaml
new file mode 100644
index 0000000000..38c1d9e353
--- /dev/null
+++ b/releasenotes/notes/bug-1804446-1a281eadbb044070.yaml
@@ -0,0 +1,29 @@
+---
+features:
+  - |
+    [`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
+    The regions API now supports the ``admin``, ``member``, and
+    ``reader`` default roles.
+upgrade:
+  - |
+    [`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
+    The regions API uses new default policies that make it more
+    accessible to end users and administrators in a secure way. Please
+    consider these new defaults if your deployment overrides
+    region policies.
+deprecations:
+  - |
+    [`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
+    The ``identity:create_region``, ``identity:update_region``, and
+    ``identity:delete_region`` policies now use ``role:admin and
+    system_scope:all`` instead of ``rule:admin_required``.  These new
+    defaults automatically account for system-scope and support a
+    read-only role, making it easier for system administrators to delegate
+    subsets of responsibility without compromising security. Please
+    consider these new defaults if your deployment overrides the region
+    policies.
+security:
+  - |
+    [`bug 1804446 <https://bugs.launchpad.net/keystone/+bug/1804446>`_]
+    The regions API now uses system-scope and default roles to
+    provide better accessibility to users in a secure way.