Ensure OAuth1 authorized roles are respected
Without this patch, when an OAuth1 request token is authorized with a limited set of roles, the roles for the access token are ignored when the user uses it to request a keystone token. This means that user of an access token can use it to escallate their role assignments beyond what was authorized by the creator. This patch fixes the issue by ensuring the token model accounts for an OAuth1-scoped token and correctly populating the roles for it. Modified to work with older test helper function: keystone/tests/unit/test_v3_oauth1.py Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e Closes-bug: #1873290 (cherry picked from commit6c73690f77
) (cherry picked from commitba89d27793
) (cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53) (cherry picked from commit 2483a578a80a916d9f5acd672d85830385b236e2)
This commit is contained in:
parent
35f09e2b7c
commit
10bc689a67
|
@ -15,6 +15,7 @@
|
|||
import itertools
|
||||
|
||||
from oslo_log import log
|
||||
from oslo_serialization import jsonutils
|
||||
from oslo_serialization import msgpackutils
|
||||
from oslo_utils import reflection
|
||||
import six
|
||||
|
@ -311,6 +312,21 @@ class TokenModel(object):
|
|||
|
||||
return roles
|
||||
|
||||
def _get_oauth_roles(self):
|
||||
roles = []
|
||||
access_token_roles = self.access_token['role_ids']
|
||||
access_token_roles = [
|
||||
{'role_id': r} for r in jsonutils.loads(access_token_roles)]
|
||||
effective_access_token_roles = (
|
||||
PROVIDERS.assignment_api.add_implied_roles(access_token_roles)
|
||||
)
|
||||
user_roles = [r['id'] for r in self._get_project_roles()]
|
||||
for role in effective_access_token_roles:
|
||||
if role['role_id'] in user_roles:
|
||||
role = PROVIDERS.role_api.get_role(role['role_id'])
|
||||
roles.append({'id': role['id'], 'name': role['name']})
|
||||
return roles
|
||||
|
||||
def _get_federated_roles(self):
|
||||
roles = []
|
||||
group_ids = [group['id'] for group in self.federated_groups]
|
||||
|
@ -414,6 +430,8 @@ class TokenModel(object):
|
|||
roles = self._get_system_roles()
|
||||
elif self.trust_scoped:
|
||||
roles = self._get_trust_roles()
|
||||
elif self.oauth_scoped:
|
||||
roles = self._get_oauth_roles()
|
||||
elif self.is_federated and not self.unscoped:
|
||||
roles = self._get_federated_roles()
|
||||
elif self.domain_scoped:
|
||||
|
|
|
@ -308,6 +308,19 @@ class OAuthFlowTests(OAuth1Tests):
|
|||
self.keystone_token = content.result['token']
|
||||
self.assertIsNotNone(self.keystone_token_id)
|
||||
|
||||
# add a new role assignment to ensure it is ignored in the access token
|
||||
new_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
PROVIDERS.role_api.create_role(new_role['id'], new_role)
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id=self.user_id,
|
||||
tenant_id=self.project_id,
|
||||
role_id=new_role['id'])
|
||||
content = self.post(url, headers=headers, body=body)
|
||||
token = content.result['token']
|
||||
token_roles = [r['id'] for r in token['roles']]
|
||||
self.assertIn(self.role_id, token_roles)
|
||||
self.assertNotIn(new_role['id'], token_roles)
|
||||
|
||||
|
||||
class AccessTokenCRUDTests(OAuthFlowTests):
|
||||
def test_delete_access_token_dne(self):
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
[`bug 1873290 <https://bugs.launchpad.net/keystone/+bug/1873290>`_]
|
||||
[`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
|
||||
Fixed the token model to respect the roles authorized OAuth1 access tokens.
|
||||
Previously, the list of roles authorized for an OAuth1 access token were
|
||||
ignored, so when an access token was used to request a keystone token, the
|
||||
keystone token would contain every role assignment the creator had for the
|
||||
project. This also fixed EC2 credentials to respect those roles as well.
|
||||
fixes:
|
||||
- |
|
||||
[`bug 1873290 <https://bugs.launchpad.net/keystone/+bug/1873290>`_]
|
||||
[`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
|
||||
Fixed the token model to respect the roles authorized OAuth1 access tokens.
|
||||
Previously, the list of roles authorized for an OAuth1 access token were
|
||||
ignored, so when an access token was used to request a keystone token, the
|
||||
keystone token would contain every role assignment the creator had for the
|
||||
project. This also fixed EC2 credentials to respect those roles as well.
|
Loading…
Reference in New Issue