From: Kevin Benton
Date: Tue, 21 Apr 2015 09:01:39 +0000 (-0700)
Subject: Block allowed address pairs on other tenants' net
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=927399c011409b7d152b7670b896f15eee7d0db3;p=openstack-build%2Fneutron-build.git

Block allowed address pairs on other tenants' net

Don't allow tenants to use the allowed address pairs extension when they are attaching a port to a network that does not belong to them. This is done because allowed address pairs can allow things like ARP spoofing and all tenants attached to a shared network might not implicitly trust each other.

Change-Id: Ie6c3e8ad04103804e40f2b043202387385e62ca5
Closes-Bug: #1447242
---
diff --git a/etc/policy.json b/etc/policy.json
index ae46bc2cd..8a5de9bf3 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -53,6 +53,7 @@
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
     "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
     "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
@@ -66,6 +67,7 @@
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",
     "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
     "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
 
     "get_router:ha": "rule:admin_only",
diff --git a/neutron/tests/api/admin/test_shared_network_extension.py b/neutron/tests/api/admin/test_shared_network_extension.py
index 2d8889a43..64fb33e74 100644
--- a/neutron/tests/api/admin/test_shared_network_extension.py
+++ b/neutron/tests/api/admin/test_shared_network_extension.py
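Review bot: The new `create_port:allowed_address_pairs` rule omits `rule:context_is_advsvc`, which the adjacent `create_port:mac_learning_enabled` rule (and its `update_port:` twin in the second hunk) carries, so an advanced-service context attaching a port to a network it does not own is now refused address pairs as well. If that is intended it deserves a sentence in the commit message; otherwise the rule should read `"create_port:allowed_address_pairs": "rule:admin_or_network_owner or rule:context_is_advsvc",` with the matching change on the `update_port:` line. The same two rules are duplicated into neutron/tests/etc/policy.json in the last two hunks of this change, so whichever wording is chosen must be applied to both copies. It is also worth confirming the update path for ports that already carry pairs on a shared network: if the policy engine evaluates the attribute rule whenever `allowed_address_pairs` appears in the request body, a non-owner tenant who set pairs before this change can presumably no longer clear them, which is a behaviour change the description does not mention.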
@@ -14,6 +14,9 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from tempest_lib import exceptions as lib_exc
+import testtools
+
 from neutron.tests.api import base
 from neutron.tests.tempest import config
 from neutron.tests.tempest import test
@@ -94,3 +97,35 @@ class SharedNetworksTest(base.BaseAdminNetworkTest):
         # shared network extension attribute is returned.
         self._show_shared_network(self.admin_client)
         self._show_shared_network(self.client)
+
+
+class AllowedAddressPairSharedNetworkTest(base.BaseAdminNetworkTest):
+    allowed_address_pairs = [{'ip_address': '1.1.1.1'}]
+
+    @classmethod
+    def skip_checks(cls):
+        super(AllowedAddressPairSharedNetworkTest, cls).skip_checks()
+        if not test.is_extension_enabled('allowed-address-pairs', 'network'):
+            msg = "Allowed Address Pairs extension not enabled."
+            raise cls.skipException(msg)
+
+    @classmethod
+    def resource_setup(cls):
+        super(AllowedAddressPairSharedNetworkTest, cls).resource_setup()
+        cls.network = cls.create_shared_network()
+        cls.create_subnet(cls.network, client=cls.admin_client)
+
+    @test.attr(type='smoke')
+    @test.idempotent_id('86c3529b-1231-40de-803c-ffffffff1fff')
+    def test_create_with_address_pair_blocked_on_other_network(self):
+        with testtools.ExpectedException(lib_exc.Forbidden):
+            self.create_port(self.network,
+                             allowed_address_pairs=self.allowed_address_pairs)
+
+    @test.attr(type='smoke')
+    @test.idempotent_id('86c3529b-1231-40de-803c-ffffffff2fff')
+    def test_update_with_address_pair_blocked_on_other_network(self):
+        port = self.create_port(self.network)
+        with testtools.ExpectedException(lib_exc.Forbidden):
+            self.update_port(
+                port, allowed_address_pairs=self.allowed_address_pairs)
diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
index ae46bc2cd..8a5de9bf3 100644
--- a/neutron/tests/etc/policy.json
+++ b/neutron/tests/etc/policy.json
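Review bot: `test_create_with_address_pair_blocked_on_other_network` has no positive control, so a `Forbidden` raised for an unrelated reason (for example the tenant not being able to create any port on the shared network) would still pass it; `test_update_with_address_pair_blocked_on_other_network` at least proves a plain `self.create_port(self.network)` succeeds before the refused update. Adding `self.create_port(self.network)` as the first statement of the create test pins the refusal to the `allowed_address_pairs` attribute rather than to port creation itself. An owner-side check that the admin client can still set the same pairs on this network would further show the policy is attribute-scoped rather than disabling the feature on shared networks, but `create_port` is not visibly called with a `client` argument anywhere in this hunk (only `create_subnet` is), so that would need a look at the base class outside this change.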
@@ -53,6 +53,7 @@
     "create_port:binding:host_id": "rule:admin_only",
     "create_port:binding:profile": "rule:admin_only",
     "create_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
     "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
     "get_port:queue_id": "rule:admin_only",
     "get_port:binding:vif_type": "rule:admin_only",
@@ -66,6 +67,7 @@
     "update_port:binding:host_id": "rule:admin_only",
     "update_port:binding:profile": "rule:admin_only",
     "update_port:mac_learning_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
+    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
     "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
 
     "get_router:ha": "rule:admin_only",