validate from backend (bug 1129713)

In certain cases we were depending on CMS to validate PKI tokens but that is not necessary, and by passes the revocation check Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
2013-03-20 09:49:32 -05:00 · 2013-03-20 09:49:32 -05:00 · 255b1d4350
parent 8690166418
commit 255b1d4350
2 changed files with 57 additions and 13 deletions
--- a/keystone/service.py
+++ b/keystone/service.py
@ -490,20 +490,13 @@ class TokenController(wsgi.Application):
        """
        # TODO(termie): this stuff should probably be moved to middleware
        self.assert_admin(context)
+        data = self.token_api.get_token(context=context, token_id=token_id)
+        if belongs_to:
+            if (not data.get('tenant') or data['tenant'].get('id') !=
+                    belongs_to):
+                raise exception.Unauthorized()

-        if cms.is_ans1_token(token_id):
-            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
-                                             config.CONF.signing.certfile,
-                                             config.CONF.signing.ca_certs))
-            data['access']['token']['user'] = data['access']['user']
-            data['access']['token']['metadata'] = data['access']['metadata']
-            if belongs_to:
-                assert data['access']['token']['tenant']['id'] == belongs_to
-            token_ref = data['access']['token']
-        else:
-            token_ref = self.token_api.get_token(context=context,
-                                                 token_id=token_id)
-        return token_ref
+        return data

    # admin only
    def validate_token_head(self, context, token_id):
--- a/tests/test_service.py
+++ b/tests/test_service.py
@ -150,3 +150,54 @@ class AuthTest(test.TestCase):
        body_dict = _build_user_auth(username='FOO', password='0' * 8193)
        self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
                          {}, body_dict)
+
+
+class AuthWithToken(AuthTest):
+    def setUp(self):
+        super(AuthWithToken, self).setUp()
+
+    def test_belongs_to_no_tenant(self):
+        r = self.api.authenticate(
+            {},
+            auth={
+                'passwordCredentials': {
+                    'username': self.user_foo['name'],
+                    'password': self.user_foo['password']
+                }
+            })
+        unscoped_token_id = r['access']['token']['id']
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+            token_id=unscoped_token_id)
+
+    def test_belongs_to_wrong_tenant(self):
+        body_dict = _build_user_auth(
+            username='FOO',
+            password='foo2',
+            tenant_name="BAR")
+
+        scoped_token = self.api.authenticate({}, body_dict)
+        scoped_token_id = scoped_token['access']['token']['id']
+
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'me'}),
+            token_id=scoped_token_id)
+
+    def test_belongs_to(self):
+        body_dict = _build_user_auth(
+            username='FOO',
+            password='foo2',
+            tenant_name="BAR")
+
+        scoped_token = self.api.authenticate({}, body_dict)
+        scoped_token_id = scoped_token['access']['token']['id']
+
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+            token_id=scoped_token_id)