From f377351ac89f674b3893e2a5f82bbe31186350ce Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 21 Nov 2018 15:15:11 +0000
Subject: [PATCH] Update service policies for system admin

The service policies were not taking the default roles work we did last release into account. This commit changes the default policies to rely on the ``admin`` role to create and delete services.

Subsequent patches will incorporate:

- domain user test coverage
- project user test coverage

Change-Id: I58bbe6848c9e8e63656a6c706c84d1747c72a71e
Related-Bug: 1804462
Closes-Bug: 1804463
---
 keystone/common/policies/service.py | 33 +++++++++--
 .../tests/unit/protection/v3/test_services.py | 57 +++++++++++++++++++
 .../notes/bug-1804463-74537652166cf656.yaml | 31 ++++++++++
 3 files changed, 115 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/bug-1804463-74537652166cf656.yaml

diff --git a/keystone/common/policies/service.py b/keystone/common/policies/service.py
index a0610ae449..ef433e6043 100644
--- a/keystone/common/policies/service.py
+++ b/keystone/common/policies/service.py
@@ -23,6 +23,18 @@ deprecated_list_service = policy.DeprecatedRule(
 name=base.IDENTITY % 'list_services',
 check_str=base.RULE_ADMIN_REQUIRED
 )
+deprecated_update_service = policy.DeprecatedRule(
+ name=base.IDENTITY % 'update_service',
+ check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_create_service = policy.DeprecatedRule(
+ name=base.IDENTITY % 'create_service',
+ check_str=base.RULE_ADMIN_REQUIRED
+)
+deprecated_delete_service = policy.DeprecatedRule(
+ name=base.IDENTITY % 'delete_service',
+ check_str=base.RULE_ADMIN_REQUIRED
+)
 
 DEPRECATED_REASON = """
 As of the Stein release, the service API now understands default roles and
@@ -55,25 +67,34 @@ service_policies = [
 deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_service',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Create service.',
 operations=[{'path': '/v3/services',
- 'method': 'POST'}]),
+ 'method': 'POST'}],
+ deprecated_rule=deprecated_create_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_service',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Update service.',
 operations=[{'path': '/v3/services/{service_id}',
- 'method': 'PATCH'}]),
+ 'method': 'PATCH'}],
+ deprecated_rule=deprecated_update_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_service',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str=base.SYSTEM_ADMIN,
 scope_types=['system'],
 description='Delete service.',
 operations=[{'path': '/v3/services/{service_id}',
- 'method': 'DELETE'}])
+ 'method': 'DELETE'}],
+ deprecated_rule=deprecated_delete_service,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.STEIN)
 ]
 
 
diff --git a/keystone/tests/unit/protection/v3/test_services.py b/keystone/tests/unit/protection/v3/test_services.py
index 502c163eaf..4b5d60e797 100644
--- a/keystone/tests/unit/protection/v3/test_services.py
+++ b/keystone/tests/unit/protection/v3/test_services.py
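Review bot: The move to `base.SYSTEM_ADMIN` on the three `check_str` lines in this hunk is, as far as I understand oslo.policy's deprecation handling, not yet a tightening: while `deprecated_rule` is attached, the enforcer evaluates the old `rule:admin_required` check OR'd with the new one, so a project-scoped admin can still create, update and delete services on the default policy until the deprecated rules are removed in a later release. That is presumably the intended migration path, but nothing in the file records it, and `scope_types=['system']` only has an effect where `enforce_scope` is enabled. A short comment above the first `policy.DocumentedRuleDefault(` in this hunk would make the interim behaviour explicit, e.g. `# NOTE: while deprecated_rule is set the effective default is the old rule OR the new one; SYSTEM_ADMIN alone is enforced only after the deprecated rules are dropped.` The `service_policies` list begins before this hunk.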
@@ -161,3 +161,60 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 r = c.post('/v3/auth/tokens', json=auth)
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+ common_auth.AuthTestMixin,
+ _SystemUserServiceTests):
+
+ def setUp(self):
+ super(SystemAdminTests, self).setUp()
+ self.loadapp()
+ self.useFixture(ksfixtures.Policy(self.config_fixture))
+ self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+ # Reuse the system administrator account created during
+ # ``keystone-manage bootstrap``
+ self.user_id = self.bootstrapper.admin_user_id
+ auth = self.build_authentication_request(
+ user_id=self.user_id,
+ password=self.bootstrapper.admin_password,
+ system=True
+ )
+
+ # Grab a token using the persona we're testing and prepare headers
+ # for requests we'll be making in the tests.
+ with self.test_client() as c:
+ r = c.post('/v3/auth/tokens', json=auth)
+ self.token_id = r.headers['X-Subject-Token']
+ self.headers = {'X-Auth-Token': self.token_id}
+
+ def test_user_can_create_services(self):
+ create = {
+ 'service': {
+ 'type': uuid.uuid4().hex,
+ 'name': uuid.uuid4().hex,
+ }
+ }
+
+ with self.test_client() as c:
+ c.post('/v3/services', json=create, headers=self.headers)
+
+ def test_user_can_update_services(self):
+ service = unit.new_service_ref()
+ service = PROVIDERS.catalog_api.create_service(service['id'], service)
+
+ update = {'service': {'description': uuid.uuid4().hex}}
+
+ with self.test_client() as c:
+ c.patch(
+ '/v3/services/%s' % service['id'], json=update,
+ headers=self.headers
+ )
+
+ def test_user_can_delete_services(self):
+ service = unit.new_service_ref()
+ service = PROVIDERS.catalog_api.create_service(service['id'], service)
+
+ with self.test_client() as c:
+ c.delete('/v3/services/%s' % service['id'], headers=self.headers)
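Review bot: `test_user_can_create_services`, `test_user_can_update_services` and `test_user_can_delete_services` never check the response status, so a 403 from the new `identity:create_service`, `identity:update_service` or `identity:delete_service` defaults would still let all three pass — unless `self.test_client()` asserts a 2xx status on its own, which is not visible in this hunk and should be confirmed. Since these are the only tests exercising the admin-only side of the new policy, the expectation is worth stating explicitly, as the other keystone protection tests do: `c.post('/v3/services', json=create, headers=self.headers, expected_status_code=http_client.CREATED)`, with `http_client.OK` on the patch call and `http_client.NO_CONTENT` on the delete call. The `_SystemUserServiceTests` mixin and the `http_client` import (six.moves in keystone's tests of this era) are outside the hunk, so check that both are in scope before relying on them.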
diff --git a/releasenotes/notes/bug-1804463-74537652166cf656.yaml b/releasenotes/notes/bug-1804463-74537652166cf656.yaml
new file mode 100644
index 0000000000..8bf4dabdef
--- /dev/null
+++ b/releasenotes/notes/bug-1804463-74537652166cf656.yaml
@@ -0,0 +1,31 @@
+---
+features:
+ - |
+ [`bug 1804463 `_]
+ The services API now supports the ``admin``, ``member``, and
+ ``reader`` default roles.
+upgrade:
+ - |
+ [`bug 1804463 `_]
+ The services API uses new default policies that make it more
+ accessible to end users and administrators in a secure way. Please
+ consider these new defaults if your deployment overrides
+ service policies.
+deprecations:
+ - |
+ [`bug 1804463 `_]
+ The service policies have been deprecated. The ``identity:get_service`` and
+ ``identity:list_services`` policies now use ``(role:reader and
+ system_scope:all)`` instead of ``rule:admin_required``. The
+ ``identity:create_service``, ``identity:update_service``, and
+ ``identity:delete_service`` policies now use ``(role:admin and
+ system_scope:all)`` instead of ``rule:admin_required``. These new defaults
+ automatically account for system-scope and support a read-only role, making
+ it easier for system administrators to delegate subsets of responsibility
+ without compromising security. Please consider these new defaults if your
+ deployment overrides service policies.
+security:
+ - |
+ [`bug 1804463 `_]
+ The services API now uses system-scope and default roles to
+ provide better accessibility to users in a secure way.