Increase protection testing for application credentials

This commit updates the application credential protection tests to
ensure users can't craft paths that bypass application credential
ownership checks.

Depends-On: https://review.opendev.org/c/openstack/keystone/+/760972
Change-Id: I7729190d42a6a7199553c5fc058e1b93eecb2068
Related-Bug: 1901207
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
index 13fe16a..3ca1680 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
@@ -460,7 +460,9 @@
             user_id=user_id,
             application_credential_id=data_utils.rand_uuid_hex())
 
-        # user cannot retrieve another user's app cred
+        # user cannot retrieve another user's app cred by using the victim's
+        # user ID in the request or by trying to bypass the user ownership
+        # check by crafting a path the the attacker's user ID
         user_id = self.test_user_id
         client = self.test_user_client.application_credentials_client
         app_cred = client.create_application_credential(
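Review bot: The new comment ends with "crafting a path the the attacker's user ID", where a doubled word has replaced the preposition, so the bypass being tested is hard to read. The same text is repeated in the comment added to the delete test further down. A corrected last line would be `# check by crafting a path with the attacker's user ID`. This comment is the only description of the ownership-check bypass the test guards against, so it is worth getting exact. The enclosing test method begins and ends outside this hunk.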
@@ -471,6 +473,11 @@
         self.do_request(
             'show_application_credential',
             expected_status=exceptions.Forbidden,
+            user_id=self.persona.credentials.user_id,
+            application_credential_id=app_cred['id'])
+        self.do_request(
+            'show_application_credential',
+            expected_status=exceptions.Forbidden,
             user_id=user_id, application_credential_id=app_cred['id'])
 
         # retrieving non-existent app cred for another user should return 403
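Review bot: The two `show_application_credential` requests differ only in `user_id`, and they run in the opposite order to the comment above them (the persona's own ID first, then the owner's). A failing assertion therefore does not make clear which case regressed. A one-line comment before each call would help: `# persona's own user ID in the path, another user's app cred ID` before the added call, and `# owner's user ID in the path` before the existing one. The same applies to the two `delete_application_credential` calls in the last hunk. The enclosing test method begins outside this hunk.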
@@ -520,7 +527,9 @@
             user_id=user_id,
             application_credential_id=data_utils.rand_uuid_hex())
 
-        # user cannot delete another user's app cred
+        # user cannot delete another user's app cred by using the victim's
+        # user ID in the request or by trying to bypass the user ownership
+        # check by crafting a path the the attacker's user ID
         user_id = self.test_user_id
         client = self.test_user_client.application_credentials_client
         app_cred = client.create_application_credential(
@@ -531,6 +540,11 @@
         self.do_request(
             'delete_application_credential',
             expected_status=exceptions.Forbidden,
+            user_id=self.persona.credentials.user_id,
+            application_credential_id=app_cred['id'])
+        self.do_request(
+            'delete_application_credential',
+            expected_status=exceptions.Forbidden,
             user_id=user_id, application_credential_id=app_cred['id'])
 
         # deleting non-existent app cred for another user should return 403
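Review bot: Both delete attempts assert only that Forbidden is raised; nothing visible in this hunk confirms that the credential still exists afterwards. A read by the owner after the two rejected deletes would also catch a regression where the API returns 403 but removes the record anyway. Assuming the owner's client exposes the same method name, that could be `client.show_application_credential(user_id=user_id, application_credential_id=app_cred['id'])`. The test method continues past the end of this hunk, so such a check may already exist further down.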