Trust unit tests should target additional threat scenarios
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Nathan Kinder | |
Bug Description
During the OpenStack Security Group Juno midcycle, some threat modelling work around Keystone trusts identified some threat scenarios that the existing unit tests do not cover. It should be made clear that these scenarios are handled correctly by Keystone from a security standpoint, but tests should be added to protect against regressions in these security sensitive areas.
Scenario 1:
-------------
The first scenario is related to deletion of a grant that has been previously delegated via a trust. We need to ensure that executing a trust for a role that the trustor no longer has is rejected. For example, consider the following chain of events:
- User A is granted 'somerole' on 'someproject'.
- User A creates a trust to delegate 'somerole' on 'someproject' to User B.
- The grant for 'somerole' on 'someproject' for user A is deleted.
- User B attempts to execute the trust, which should be rejected.
Scenario 2:
-------------
The second scenario is related to an attempt to use a trust token with impersonation to execute another trust as the impersonated user. We need to ensure that a trust token can't be used to execute another trust. For example, consider the following chain of events:
- User A creates a trust to delegate some roles to User B.
- User B creates a trust to delegate some roles to User C.
- User C successfully executes the trust to impersonate User B.
- User C uses the trust token that impersonates User B to attempt to execute the trust created by User A, which should be rejected.
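The two scenarios above as an added, self-contained example (not Keystone's code or its test suite): a minimal trust store whose `execute_trust` enforces both checks, with `TrustModel`, `Token`, `rejects` and the user/project/role names all assumed for the illustration.

```python
from dataclasses import dataclass

class TrustExecutionRejected(Exception): pass

@dataclass(frozen=True)
class Token:
    user: str            # identity the token acts as
    roles: frozenset
    trust_id: str = ""   # non-empty when the token came from executing a trust

class TrustModel:
    def __init__(self):
        self.grants = {}  # (user, project) -> set of role names
        self.trusts = {}  # trust_id -> (trustor, trustee, project, roles, impersonation)
    def grant(self, user, project, role):
        self.grants.setdefault((user, project), set()).add(role)
    def revoke(self, user, project, role):
        self.grants.get((user, project), set()).discard(role)
    def create_trust(self, trust_id, trustor, trustee, project, roles, impersonation=False):
        self.trusts[trust_id] = (trustor, trustee, project, frozenset(roles), impersonation)
    def execute_trust(self, token, trust_id):
        trustor, trustee, project, roles, impersonation = self.trusts[trust_id]
        if token.trust_id:  # scenario 2: a trust token may not consume another trust
            raise TrustExecutionRejected("trust-scoped token cannot execute a trust")
        if token.user != trustee:
            raise TrustExecutionRejected("only the trustee may execute this trust")
        # scenario 1: the trustor must still hold every delegated role at execution time
        if not roles <= self.grants.get((trustor, project), set()):
            raise TrustExecutionRejected("trustor no longer holds a delegated role")
        return Token(trustor if impersonation else trustee, roles, trust_id)

def rejects(model, token, trust_id):
    try:
        model.execute_trust(token, trust_id)
    except TrustExecutionRejected:
        return True
    return False

def run_scenarios():
    m = TrustModel()
    m.grant("A", "someproject", "somerole")
    m.create_trust("t1", "A", "B", "someproject", ["somerole"])
    m.revoke("A", "someproject", "somerole")  # scenario 1: grant deleted after delegation
    s1 = rejects(m, Token("B", frozenset()), "t1")
    for user in ("A", "B"):
        m.grant(user, "p", "r")
    m.create_trust("ab", "A", "B", "p", ["r"])
    m.create_trust("bc", "B", "C", "p", ["r"], impersonation=True)
    as_b = m.execute_trust(Token("C", frozenset()), "bc")  # scenario 2: C impersonates B
    s2 = rejects(m, as_b, "ab")
    return s1, s2
```

`run_scenarios()` returns `(True, True)`: both executions are rejected, while the intermediate impersonation of User B via the second trust succeeds as the scenario describes.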
Changed in keystone:
- assignee: Nathan Kinder (nkinder) → Priti Desai (priti-desai)

Changed in keystone:
- assignee: Priti Desai (priti-desai) → Nathan Kinder (nkinder)

Changed in keystone:
- importance: Undecided → Medium
- tags: added: test-improvement

Changed in keystone:
- milestone: none → juno-3
- status: Fix Committed → Fix Released

Changed in keystone:
- milestone: juno-3 → 2014.2
Fix proposed to branch: master
Review: https://review.openstack.org/109120