Merge "Introduce a new test for "cve_2022_3100""
diff --git a/barbican_tempest_plugin/services/key_manager/json/secret_client.py b/barbican_tempest_plugin/services/key_manager/json/secret_client.py
index 5eb97b5..414a5d4 100644
--- a/barbican_tempest_plugin/services/key_manager/json/secret_client.py
+++ b/barbican_tempest_plugin/services/key_manager/json/secret_client.py
@@ -15,6 +15,7 @@
import json
+import urllib.parse
from tempest import config
from tempest.lib.common.utils import data_utils
@@ -73,12 +74,21 @@
self.expected_success(200, resp.status)
return self._parse_resp(body)
- def get_secret_payload(self, secret_id):
+ def get_secret_payload(self, secret_id, **kwargs):
+ """GET /v1/secrets/{secret_id}/payload
+
+ Retrieve the payload.If kwargs are provided they are added
+ to the request as query string parameters.
+ """
content_headers = {
"Accept": "application/octet-stream"
}
- resp, body = self.get("v1/secrets/%s/payload" % secret_id,
- headers=content_headers)
+ uri = "v1/secrets/{}/payload".format(secret_id)
+ if kwargs:
+ uri += '?'
+ uri += urllib.parse.urlencode(kwargs)
+
+ resp, body = self.get(uri, headers=content_headers)
self.expected_success(200, resp.status)
return self._parse_resp(body)
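Review bot: The new docstring on get_secret_payload runs two sentences together (`Retrieve the payload.If kwargs are provided`) and does not state that the extra parameters are forwarded without validation, which is the whole point of the change; I would write `Retrieve the payload. Any kwargs are URL-encoded and appended verbatim as query-string parameters, presumably so tests can exercise server-side policy enforcement.` The two `uri +=` statements could also collapse into one line, `uri += '?' + urllib.parse.urlencode(kwargs)`, which reads the same and avoids the dangling `'?'` between them.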
diff --git a/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py b/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py
new file mode 100644
index 0000000..84c35e2
--- /dev/null
+++ b/barbican_tempest_plugin/tests/api/test_cve_2022_3100.py
@@ -0,0 +1,42 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+from barbican_tempest_plugin.tests.rbac.v1 import base
+from oslo_log import log as logging
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
+
+class CVE20223100Test(base.BarbicanV1RbacBase):
+
+ @decorators.idempotent_id('459159ef-9670-4c59-8528-09466185c84e')
+ def test_cve_2022_3100(self):
+ # create a secret that belongs to Project B
+ secret_id = self.create_test_secret(
+ self.other_secret_client,
+ data_utils.rand_name('secret-under-test'),
+ 'DONT_CVE_ME_PLZ')
+
+ # attempt to retrieve secret payload with user from Project A
+ # using CVE exploit (e.g. by adding the query string
+ # ?target.secret.read=read to the request)
+ query = {'target.secret.read': 'read'}
+ self.assertRaises(
+ exceptions.Forbidden,
+ self.secret_client.get_secret_payload,
+ secret_id,
+ **query)
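Review bot: `CONF` and `LOG` are assigned at module level but never referenced anywhere in the test, so the `config` and `oslo_log` imports at the top of the file are dead weight and should be dropped or used. The test only covers the negative path; adding a positive check after the `assertRaises` call, such as reading the payload back through `self.other_secret_client` (the owning project) and asserting it equals `'DONT_CVE_ME_PLZ'`, would stop a regression that rejects every payload request from passing this test unnoticed. Semantics of `create_test_secret`, `secret_client` and `other_secret_client` are inferred from the comments here, since `BarbicanV1RbacBase` is outside this diff.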