author | Brian Haley <haleyb.dev@gmail.com> | 2022-09-01 21:13:44 -0400 |
committer | Brian Haley <haleyb.dev@gmail.com> | 2022-09-21 14:52:51 +0000 |
commit | cbeee87fa44cd200d4997e02042098460167dce1 (patch) | |
tree | cbb50c995d61da4a7d389603981a4e400812ed90 | |
parent | fdacb80cc93a8b811c5a013a533d542aedfd4a48 (diff) | |
download | neutron-cbeee87fa44cd200d4997e02042098460167dce1.tar.gz |
Do not allow a tenant to create a default SG for another one
The attempt to list security groups for a project, or any
random string, can create a default SG for it. Only allow if
privileges support it.
Closes-bug: #1988026
Change-Id: Ieef7011f48cd2188d4254ff16d90a6465bbabfe3
(cherry picked from commit 01fc2b9195f999df4d810df4ee63f77ecbc81f7e)
-rw-r--r-- | neutron/db/securitygroups_db.py | 4 | ||||
-rw-r--r-- | neutron/tests/unit/db/test_securitygroups_db.py | 12 |
2 files changed, 16 insertions, 0 deletions
diff --git a/neutron/db/securitygroups_db.py b/neutron/db/securitygroups_db.py
index 28238358ae..fcfd5caccf 100644
--- a/neutron/db/securitygroups_db.py
+++ b/neutron/db/securitygroups_db.py
@@ -862,6 +862,10 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase,
 :returns: the default security group id for given tenant.
 """
+ # Do not allow a tenant to create a default SG for another one.
+ # See Bug 1987410.
+ if tenant_id != context.tenant_id and not context.is_admin:
+ return
 if not extensions.is_extension_supported(self, 'security-group'):
 return
 default_group_id = self._get_default_sg_id(context, tenant_id)
diff --git a/neutron/tests/unit/db/test_securitygroups_db.py b/neutron/tests/unit/db/test_securitygroups_db.py
index 6925e976ee..1bdecdc034 100644
--- a/neutron/tests/unit/db/test_securitygroups_db.py
+++ b/neutron/tests/unit/db/test_securitygroups_db.py
@@ -615,3 +615,15 @@ class SecurityGroupDbMixinTestCase(testlib_api.SqlTestCase):
 self.mixin._ensure_default_security_group(self.ctx, 'tenant_1')
 create_sg.assert_not_called()
 get_default_sg_id.assert_not_called()
+
+ def test__ensure_default_security_group_tenant_mismatch(self):
+ with mock.patch.object(
+ self.mixin, '_get_default_sg_id') as get_default_sg_id,\
+ mock.patch.object(
+ self.mixin, 'create_security_group') as create_sg:
+ context = mock.Mock()
+ context.tenant_id = 'tenant_0'
+ context.is_admin = False
+ self.mixin._ensure_default_security_group(context, 'tenant_1')
+ create_sg.assert_not_called()
+ get_default_sg_id.assert_not_called() |
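Review bot: The new guard returns silently, so a non-admin call for a foreign project now yields None where the docstring line just above (`:returns: the default security group id for given tenant.`) promises an id, and callers that use the result directly will get None without any indication that the request was refused. The docstring should state the new contract, e.g. `:returns: the default security group id for given tenant, or None when a non-admin context asks for a different project's group.`, and if this module has a logger a debug-level line at the early return would leave a trace of refused cross-project attempts for operators. The comment cites `See Bug 1987410.` while the commit trailer says `Closes-bug: #1988026`; if both are intended, a word on the relation would help, otherwise align the number. The enclosing function starts before this hunk and continues past it.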
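Review bot: The new test only covers the non-admin half of the guard; the `not context.is_admin` branch that lets an admin context proceed for a different project is not exercised, and the return value of the refused call is not asserted. A sibling test with `context.is_admin = True` asserting `get_default_sg_id.assert_called_once_with(context, 'tenant_1')` would pin the admin path, and the existing test could add `self.assertIsNone(...)` on the result of the mismatched call so a future change that raises or returns an id instead is caught. The enclosing test class starts before this hunk.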