Sanitizes authentication methods received in requests.

When a user authenticates against Identity V3 API, he can specify multiple authentication methods. This patch removes duplicates, which could have been used to achieve DoS attacks. Change-Id: Iec9a1875a4ff6e2fac0fb2c3db6f3ce34a5dfd1d Closes-Bug: 1300274
2014-04-01 12:48:22 +00:00 · 2014-04-01 12:48:22 +00:00 · ce6cedb30c
parent d99e34d0d0
commit ce6cedb30c
2 changed files with 19 additions and 1 deletions
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -241,7 +241,13 @@ class AuthInfo(object):
        :returns: list of auth method names

        """
-        return self.auth['identity']['methods'] or []
+        # Sanitizes methods received in request's body
+        # Filters out duplicates, while keeping elements' order.
+        method_names = []
+        for method in self.auth['identity']['methods']:
+            if method not in method_names:
+                method_names.append(method)
+        return method_names

    def get_method_data(self, method):
        """Get the auth method payload.
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -84,6 +84,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
                          None,
                          auth_data)

+    def test_get_method_names_duplicates(self):
+        auth_data = self.build_authentication_request(
+            token='test',
+            user_id='test',
+            password='test')['auth']
+        auth_data['identity']['methods'] = ['password', 'token',
+                                            'password', 'password']
+        context = None
+        auth_info = auth.controllers.AuthInfo.create(context, auth_data)
+        self.assertEqual(auth_info.get_method_names(),
+                         ['password', 'token'])
+
    def test_get_method_data_invalid_method(self):
        auth_data = self.build_authentication_request(
            user_id='test',