Fix plural policy names in tagging controller and floatingip policy

The TaggingController.create() and update() methods enforce policy
action names using the plural collection key (e.g. create_networks:tags)
instead of the singular member name (e.g. create_network:tags). Since
the registered policy rules use the singular form, the unmatched plural
names fall through to oslo.policy's default rule, allowing project
readers to mutate tags on same-project resources.

Fix the delete_floatingips:tags policy rule name (should be singular
delete_floatingip:tags) and add a unit test that validates
_get_policy_action produces the correct singular form for all supported
resources and actions, and that each generated name matches an actually
registered policy rule.

Conflicts:
  neutron/extensions/tagging.py

Closes-Bug: #2150132
Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Change-Id: I783510565e4fc4191b5494eb9a6dc0bdd3ace3fc
(cherry picked from commit 7401244)

Author: ralonsoh

neutron/conf/policies/floatingip.py

@@ -170,7 +170,7 @@
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
     policy.DocumentedRuleDefault(
-        name='delete_floatingips:tags',
+        name='delete_floatingip:tags',
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete the floating IP tags',
         operations=ACTION_DELETE_TAGS,

neutron/extensions/tagging.py

@@ -197,8 +197,10 @@ def index(self, request, **kwargs):
         # GET /v2.0/{obj_resource}/{obj_resource_id}/tags
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs)
-        policy.enforce(ctx, 'get_{}_{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("get", rinfo.obj_type),
+            rinfo.obj)
         return self.plugin.get_tags(ctx, rinfo.obj_type, rinfo.obj['id'])
 
     def show(self, request, id, **kwargs):
@@ -207,8 +209,10 @@ def show(self, request, id, **kwargs):
         validate_tag(id)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs)
-        policy.enforce(ctx, 'get_{}:{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("get", rinfo.obj_type),
+            rinfo.obj)
         return self.plugin.get_tag(ctx, rinfo.obj_type, rinfo.obj['id'], id)
 
     def create(self, request, body, **kwargs):
@@ -217,8 +221,10 @@ def create(self, request, body, **kwargs):
         validate_tags(body)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
-        policy.enforce(ctx, 'create_{}:{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("create", rinfo.obj_type),
+            rinfo.obj)
         validate_tags_limit(rinfo.obj_type, body['tags'])
         notify_tag_action(ctx, 'create.start', rinfo.obj_type,
                           rinfo.obj['id'], body['tags'])
@@ -234,8 +240,10 @@ def update(self, request, id, **kwargs):
         validate_tag(id)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs, tags=[id])
-        policy.enforce(ctx, 'update_{}:{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("update", rinfo.obj_type),
+            rinfo.obj)
         current_tags = self.plugin.get_tags(
             ctx, rinfo.obj_type, rinfo.obj['id'])['tags']
         new_tags = current_tags + [id]

neutron/tests/unit/extensions/test_tagging.py

@@ -24,6 +24,7 @@
 from neutron_lib.utils import net as net_utils
 from oslo_utils import uuidutils
 
+from neutron.conf import policies as conf_policies
 from neutron.extensions import tagging
 from neutron.objects import network as network_obj
 from neutron.objects import network_segment_range as network_segment_range_obj
@@ -87,6 +88,22 @@ def test_all_ovo_cls_have_a_reference(self):
         ovo_resources = set(tagging.OVO_CLS.keys())
         self.assertEqual(tc_supported_resources, ovo_resources)
 
+    def test__get_policy_action_all_resources_and_actions(self):
+        registered_rules = {rule.name for rule in conf_policies.list_rules()}
+        actions = ('get', 'create', 'update', 'delete')
+        for collection, member in self.tc.supported_resources.items():
+            for action in actions:
+                expected = f'{action}_{member}:tags'
+                result = self.tc._get_policy_action(action, collection)
+                self.assertEqual(
+                    expected, result,
+                    f'_get_policy_action("{action}", "{collection}") '
+                    f'returned "{result}" instead of "{expected}"')
+                self.assertIn(
+                    result, registered_rules,
+                    f'Policy rule "{result}" is not registered in '
+                    f'neutron.conf.policies')
+
     def _check_resource_info(self, obj, obj_type):
         id_key = self.tc.supported_resources[obj_type] + '_id'
         res = self.tc._get_resource_info(self.ctx, {id_key: obj['id']})

releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml

@@ -0,0 +1,18 @@
+---
+security:
+  - |
+    Fixed a security issue where the tagging controller's single-tag write
+    endpoints (``POST /v2.0/{resource}/{id}/tags`` and
+    ``PUT /v2.0/{resource}/{id}/tags/{tag}``) enforced policy action names
+    using the plural collection key (e.g. ``create_networks:tags``) instead
+    of the singular member name (e.g. ``create_network:tags``). Because the
+    plural names did not match any registered policy rule, they fell through
+    to oslo.policy's default rule, allowing project readers to create and
+    update tags on same-project resources.
+    All tag-write endpoints now consistently use the singular policy action
+    names that match the registered rules.
+fixes:
+  - |
+    Fixed the ``delete_floatingips:tags`` policy rule name to use the correct
+    singular form ``delete_floatingip:tags``, consistent with all other
+    tag-related policy rules.