author: Colleen Murphy <colleen.murphy@suse.de> 2019-08-09 21:37:23 -0700
committer: Colleen Murphy <colleen.murphy@suse.de> 2019-08-16 15:10:44 -0700
commit: 5086709ae2d673716653cd8812247ea5a1cb5e69 (patch)
tree: 6e9b0f6627623fb668f3eddeffa909dfe1058817 /keystone/api
parent: 6dc9b685959d390cecf087fda4ab09a46807927f (diff)
Add protection tests for trusts API
Currently, the majority of access control enforcement for the trusts API is not done in policy, but hardcoded in the controller logic. The default policy check strings for these routes are empty. Before we can enable system scope and default roles through the trusts policy, we need to replicate the existing access control in policy. To do that, we should test how it currently works. This patch adds those tests.

The trusts API is mostly only useable by the trustor or trustee. Mostly, admins can't perform trust actions on behalf of the trustor or trustee. The exception is for the delete action, but only when the is_admin context is set.

This change also fixes a minor regression where the is_admin admin could not perform this action due to the auth_context not being populated.

Change-Id: I6a5eca8240aa905e02fbf9bec335996c3a4f1c79
Partial-bug: #1818846
Partial-bug: #1818850
Diffstat (limited to 'keystone/api')
-rw-r--r-- keystone/api/trusts.py 2
1 files changed, 2 insertions, 0 deletions
diff --git a/keystone/api/trusts.py b/keystone/api/trusts.py
index 1573e209d..9ac171800 100644
--- a/keystone/api/trusts.py
+++ b/keystone/api/trusts.py
@@ -85,6 +85,8 @@ class TrustResource(ks_flask.ResourceBase):
json_home_parameter_rel_func = _build_parameter_relation
def _check_unrestricted(self):
+ if self.oslo_context.is_admin:
+ return
token = self.auth_context['token']
if 'application_credential' in token.methods:
if not token.application_credential['unrestricted']:
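Review bot: the early `return` on `self.oslo_context.is_admin` needs an inline comment explaining why it is safe, because as written it reads as a blanket bypass of the unrestricted-application-credential check rather than the narrow fix the commit message describes. The message says the is_admin admin failed here because `auth_context` was not populated, so the real reason for the early return is that an is_admin request has no token to inspect and `self.auth_context['token']` on the following line would fail; a one-line comment such as `# is_admin requests carry no auth_context token, so there is nothing to check` would make that intent clear to the next reader and to anyone reviewing the policy work this change prepares for. It would also be worth confirming in the added protection tests that this path is exercised only for the delete action mentioned in the message, since `_check_unrestricted` is a shared helper and the early return applies wherever it is called.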