Sanitizes authentication methods received in requests.
When a user authenticates against the Identity V3 API, they can specify multiple authentication methods. This patch removes duplicates, which could have been used to mount DoS attacks. Change-Id: Iec9a1875a4ff6e2fac0fb2c3db6f3ce34a5dfd1d Closes-Bug: 1300274
parent
d99e34d0d0
commit
ce6cedb30c
|
@ -241,7 +241,13 @@ class AuthInfo(object):
|
|||
:returns: list of auth method names
|
||||
|
||||
"""
|
||||
return self.auth['identity']['methods'] or []
|
||||
# Sanitizes methods received in request's body
|
||||
# Filters out duplicates, while keeping elements' order.
|
||||
method_names = []
|
||||
for method in self.auth['identity']['methods']:
|
||||
if method not in method_names:
|
||||
method_names.append(method)
|
||||
return method_names
|
||||
|
||||
def get_method_data(self, method):
|
||||
"""Get the auth method payload.
|
||||
|
|
|
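Review bot: The new loop in get_method_names iterates `self.auth['identity']['methods']` directly, so the `or []` fallback on the `return` line shown above it (presumably the removed line) is gone. A request whose `methods` is null would then raise TypeError instead of yielding an empty list, unless validation outside this hunk already rejects it. Keeping the fallback is a one-line change: `for method in self.auth['identity']['methods'] or []:`. Separately, `method not in method_names` is a linear scan per element, so a long list of distinct names still costs quadratic time; whether the list length or the set of accepted names is bounded elsewhere is not visible here. The method's signature and the start of its docstring lie outside the hunk.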
@ -84,6 +84,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
|
|||
None,
|
||||
auth_data)
|
||||
|
||||
def test_get_method_names_duplicates(self):
|
||||
auth_data = self.build_authentication_request(
|
||||
token='test',
|
||||
user_id='test',
|
||||
password='test')['auth']
|
||||
auth_data['identity']['methods'] = ['password', 'token',
|
||||
'password', 'password']
|
||||
context = None
|
||||
auth_info = auth.controllers.AuthInfo.create(context, auth_data)
|
||||
self.assertEqual(auth_info.get_method_names(),
|
||||
['password', 'token'])
|
||||
|
||||
def test_get_method_data_invalid_method(self):
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id='test',
|
||||
|
|
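Review bot: test_get_method_names_duplicates asserts only on the return value of `get_method_names()`, so it does not show that the authentication path processes each method once, which is the property the commit message is about. If any caller reads `auth['identity']['methods']` directly (not visible here), duplicates would still reach it; an additional test that sends the duplicated request through the authenticate call would cover that. A one-line docstring such as `"""Duplicate method names are collapsed, first occurrence kept."""` would also record the ordering guarantee the assertion relies on. The enclosing test class and the following test continue outside the hunk.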