Sanitizes authentication methods received in requests.

When a user authenticates against Identity V3 API, he can specify
multiple authentication methods. This patch removes duplicates, which
could have been used to achieve DoS attacks.

Closes-Bug: 1300274
(cherry picked from commit ef868ad92c)
Cherry-pick from https://review.openstack.org/#/c/84425/

Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab

keystone/auth/controllers.py

@@ -225,7 +225,13 @@ class AuthInfo(object):
         :returns: list of auth method names
 
         """
-        return self.auth['identity']['methods'] or []
+        # Sanitizes methods received in request's body
+        # Filters out duplicates, while keeping elements' order.
+        method_names = []
+        for method in self.auth['identity']['methods']:
+            if method not in method_names:
+                method_names.append(method)
+        return method_names
 
     def get_method_data(self, method):
         """Get the auth method payload.

keystone/tests/test_v3_auth.py

@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
                           None,
                           auth_data)
 
+    def test_get_method_names_duplicates(self):
+        auth_data = self.build_authentication_request(
+            token='test',
+            user_id='test',
+            password='test')['auth']
+        auth_data['identity']['methods'] = ['password', 'token',
+                                            'password', 'password']
+        context = None
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
+        self.assertEqual(auth_info.get_method_names(),
+                         ['password', 'token'])
+
     def test_get_method_data_invalid_method(self):
         auth_data = self.build_authentication_request(
             user_id='test',