The OAuth2.0 Access Token API is modified to support getting an OAuth2.0
certificate-bound access token from the keystone identity server with
OAuth 2.0 credentials and Mutual-TLS certificates.
Co-Authored-By: Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
Change-Id: I885527bec61429b1437a046097a16491848b5a0a
Implements: blueprint support-oauth2-mtls

If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greater than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.
Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2

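The check described in the commit above, as an added illustration that is not keystone's own code: a token issued through an application credential is bounded by the credential's expiry, and a warning is logged when the clamp is applied. Function and dictionary key names here are hypothetical, and the credential records are constructed for the example.

```python
# Added example, not keystone code: bound a token's expiry by the expiry of
# the application credential that issued it (the CVE-2022-2447 fix idea).
import logging
from datetime import datetime, timedelta, timezone

LOG = logging.getLogger(__name__)


def bounded_token_expiry(token_expires_at, app_cred_expires_at):
    """Return the expiry to use for a token issued via an application credential.

    A credential without an expiry leaves the token's own expiry untouched.
    If the token would outlive the credential, the credential's expiry wins
    and a warning is logged. Both values are timezone-aware datetimes.
    """
    if app_cred_expires_at is None:
        return token_expires_at
    if token_expires_at > app_cred_expires_at:
        LOG.warning(
            "Token expiry %s exceeds application credential expiry %s; "
            "resetting token expiry to that of the credential.",
            token_expires_at.isoformat(), app_cred_expires_at.isoformat())
        return app_cred_expires_at
    return token_expires_at


def issue_token(now, token_lifetime, app_cred):
    """Build a minimal token dict (hypothetical shape) for an application
    credential record carrying an optional 'expires_at'."""
    requested = now + token_lifetime
    expires_at = bounded_token_expiry(requested, app_cred.get("expires_at"))
    return {"issued_at": now, "expires_at": expires_at,
            "application_credential_id": app_cred["id"]}


def demo():
    """Constructed scenarios: a credential that expires before the requested
    token lifetime, and one with no expiry. Returns the effective expiries."""
    now = datetime(2022, 7, 1, 12, 0, tzinfo=timezone.utc)
    short_cred = {"id": "cred-a", "expires_at": now + timedelta(minutes=30)}
    open_cred = {"id": "cred-b", "expires_at": None}
    lifetime = timedelta(hours=1)
    return {
        "clamped": issue_token(now, lifetime, short_cred)["expires_at"].isoformat(),
        "unclamped": issue_token(now, lifetime, open_cred)["expires_at"].isoformat(),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo())
```
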
GET /v3/auth/tokens?allow_expired=1 works fine with fernet tokens
returning the expired token data, whereas it returns exception
TokenNotFound for JWT. This patch fixes the same.
Change-Id: I03f6c58dce7d140d62055a97063aeb480498e5e6
Closes-Bug: #1886017

This change moves the time mocking from using freezegun to
using oslo.utils TimeFixture for the unit test
test_with_passcode_in_previous_windows_extended, which was
occasionally failing with 401 errors due to
the totp creation time not being properly faked with
4 extended windows.
Closes-Bug: #1843464
Change-Id: I3aefd99907fbc2d03538c9814f7279b282715679

The mock library is a third party lib that attempted to bridge the gap
between Python 2 and Python 3 mocking. Now that we have moved to py3
only, there is no need to use a third party lib and we can use the
standard built-in mocking support.
Change-Id: I8bbcedb7ad3f0bc2e06dfa13878a97411ee1dc6d
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>

This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b

In 09088690 we mistakenly added E501 to the flake8 ignore list. Since
then, many new violations have been introduced. This patch re-enables
the check and corrects all violations, except in some cases like unit
test names where the subunit output would suffer if we attempted to
shorten the function name.
This may appear to be a pointless no-op that messes with
git-blameability, and it is, but the reason to do this is that if PEP8
violations are introduced in master and then backported to a stable
branch, most stable branches will fail the pep8 job since the flake8
ignore list is correct for those branches. Rather than loosening the
check in older branches or requiring those backports to fix the linter
errors independently of what's been merged in master, we should fix it
now so that we don't introduce more errors in the future and patches can
more easily be backported.
Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6

This commit removes a bunch of tests that were originally written to
test the policy.v3cloudsample.json policy file. Now that we've
implemented system-scope, default roles, and removed the
policy.v3cloudsample.json policy file, we can remove these tests.
This commit also ports some token revocation tests over to the
protection test suite so we have full coverage from
TestTokenRevokeSelfAndAdmin.
Change-Id: Ie0c0b48d240b118f7b491d164e5c1a203ebb31e8

We've made all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.v3cloudsample.json`` file obsolete.
Let's simplify things for users, operators, and developers by removing
it.
A follow-on patch will remove the test_v3_protection.py file since
those behaviors are passing all the protection tests with the default
policies in code.
Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030

This change adds application credential access rules to the token model
and ensures that only clients (that is, keystonemiddleware) that support
access rule enforcement are allowed to validate tokens containing
access rules.
Depends-on: https://review.openstack.org/633369
bp whitelist-extension-for-app-creds
Change-Id: I301651369cf03e06550bc29eb534506674e56a1f

When calling certain group or user APIs, keystone logic would attempt
to figure out the domain to scope responses to. This was specific to
enabling domain-specific driver support, where each domain is backed
by a different identity store. This functionality is turned off by
default. Since system-scoped tokens are not associated with a domain
(unlike project-scoped tokens or domain-scoped tokens), the logic to
determine a domain from a system-scoped token was breaking and
returning an erroneous HTTP 401 Unauthorized when system users
attempted to list users or groups.
This commit adds support for domain detection with system-scoped
tokens.
Change-Id: I8f0f7a623a1741f461493d872849fae7ef3e8077
Closes-Bug: 1843609

Update the TOTP auth plugin so that it can be configured
to allow a passcode from a given number of windows back to
still work.
This gives TOTP some slightly better UX so by default at least
one passcode back will still work. Can be disabled, or more
windows added for clouds less worried about security and more
about clock drift.
Change-Id: I8ba4127a365392f0d0e9de5fd9c979750c354dc7
Closes-Bug: #1839577

When using role assignment through groups, the user cannot use
the application credentials created. This allows looking up
the membership by checking inherited and group assignments.
Change-Id: If1bf5bd785a494923303265797311d42018ba7af
Closes-Bug: #1773967

Since the os-pki API is deprecated and isn't supported,
it will return 403 forbidden. The tests were
incorrectly inheriting from object and not a unit
test class and so weren't being run.
Change-Id: I6050a57cb77ebde42b77a39623e043544e3d6381

This commit introduces a class that implements the JWS token provider
functionality.
bp json-web-tokens
Change-Id: Ie16110894348a83e3a80cba4649e6cccdc3c84b1

Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.
Adds changes to the auth layer to handle the creation,
validation, and consumption of receipts as part of
the auth process.
Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt

The implementation for system-scoped tokens lacked support for
expanding implied roles. This patch modifies the token model so that
it generates implied roles on the system in the token response.
Change-Id: I46ff38a9cff6c605ccb9a52b1533f01fa4faec17
Closes-Bug: 1788694

If a user has a role assignment on the system, which implies another
role assignment, the system-scoped token response should include
both role assignments.
This patch exposes a bug in the system-scoped token implementation
where implied roles aren't expanded out before returning the
token response to the user.
Change-Id: I176bbbda9658a54f6873a4009938f140a5b1a33e
Related-Bug: 1788694

The ksfixtures.Policy object used to accept two arguments. One was
the path of the policy file and the other was the test fixture. Since
policy is now kept in code and the default policy file has been
removed from keystone source, we can simplify the fixture to
optionally deal with a file path, instead of passing a non-existent
file to it all the time.
Change-Id: I9d8c4cbf963099fe73e39dbf46e03f66f9a79f43

The unit test uses sqlite for tests, which disables the db foreign keys
function by default. This patch enables the sqlite foreign keys
function for unit tests by default.
The "project" table is a self referencing FK table (id <-> domain_id
column). So when the FK is enabled, there must exist a root record
before inserting data into this table. It's <<keystone.domain.root>>.
Usually, the <<keystone.domain.root>> record is inserted into the
table once operators run the "keystone-manage db_sync" command when
deploying Keystone. But the unit test code doesn't run this command;
it initialises the db schema by reading the sqlalchemy object model, so
the <<keystone.domain.root>> record is missing. Then we can't create
any project record; it'll raise an FK error.
So in this patch, before creating any projects in the test, we must
ensure the <<keystone.domain.root>> record exists first.
Change-Id: I565d12395ca39a58ba90faf8641a9e02d986aeb9
Closes-Bug: #1744195

These tests have not been run in > 2 years. They are commented out
with an updated FIXME to rework once the flask port is done (auth).
It is out of scope of Flask to re-enable long disabled tests.
We do not want to lose the context of the coverage the tests provide
thus we are commenting them out instead of outright deletion.
Change-Id: I0760746dc62b65607ac0e88ee6d03395c9226fe7

When setting project-scoped with the project ID key but the value is a
domain id, it returns 400 BadRequest: "object of type 'NoneType'
has no len()".
The expected code should be 404 project not found internally and
401 to the end user.
This patch exposes this bug and it will be fixed in the following patch.
Partial-bug: #1784536
Change-Id: I67983bdd300452a5bff947ca3bcfb77a0e6b4574

Now that support for sql token storage and uuid tokens has been
removed, it doesn't make sense to still expose an API for listing
revoked tokens. Maintaining this behavior would require keystone to
persist non-persistent tokens, which defeats the purpose.
This change makes the API return either a 410 Gone or a 403 Forbidden
depending on configuration for backwards compatibility. Logic to
list revoked tokens was also removed from the token provider API
since it's no longer called by any controllers.
Change-Id: Ic7bcba148f0a062b144e6dfbe9693f2125008458

Tests in keystone.tests.unit.test_v3 and keystone.tests.unit.test_v3_auth
no longer directly instantiate or call the auth controllers. The
only exceptions are test classes that are not used; those have had a
TODO note added to them. This is being done for the conversion to flask
where the auth controllers will no longer exist. All test changes are
done outside of the conversion of webob controller -> flask restful
api.
Change-Id: Ib668ca18faf42b41bc63558c6634fca96224d195
Partial-Bug: #1776504

The GET /v3/OS-FEDERATION/projects and GET /v3/OS-FEDERATION/domains
APIs were introduced to handle tokens from federated users, but now
that GET /v3/auth/projects and GET /v3/auth/domains know how to handle
federated tokens, they're just duplicate APIs.
In the past we deprecated these federated auth APIs, but they still
used separate code paths from GET /v3/auth/projects and GET
/v3/auth/domains. The two code paths are true duplication in that they
don't expect to differ over time and should provide the same user
experience.
Instead of running the risk that comes with two code paths that do the
same thing, we should consolidate them.
Co-Authored-By: Kristi Nikolla <kristi@nikolla.me>
Closes-Bug: 1779205
Change-Id: Ib906c42e1dd2c2408ccd2e256ffd876af02af3fe

The `enable` config option of the trust feature was deprecated in
Queens. Remove it in Rocky now.
Change-Id: I186b49471cb774e161ff4c35c9879a0a4fa9538f
bp: removed-as-of-rocky.

Token bind operations were deprecated in Pike with UUID tokens and
staged for removal in Rocky.
https://review.openstack.org/#/c/428388/
This change does keep a configuration option around since it was not
officially deprecated with the rest of the token bind functionality.
The option is being officially deprecated in this commit and
additional context about the change was added to the help text for the
option.
bp removed-as-of-rocky
Change-Id: I7a42408893c782bcc20fb40ebba5f2d8af9da6a5

Create the base implementation of the RBAC enforcer with compat code
for the legacy mechanism via @protected decorators.
Change-Id: I80662d9b23e706b720d56670cb849318e951a3b4
Partial-Bug: #1776504

With the complete removal of the v2.0 API, keystone no longer
differentiates between admin and public endpoints. This change
deprecates the "admin_endpoint" configuration option and converts
keystone over to only using the public endpoint. The "admin" endpoint
was only used for unit testing purposes.
This change does not clean up all related code; it is aimed to make
the most minimal set of changes eliminating the use of the
"admin_endpoint" configuration option.
Partial-Bug: #1776504
Change-Id: I08f6f8ae078d65203bd95c43c80367dd3489be48

Basic conversion of Keystone's core application to flask framework.
This doesn't add much in the way of flask-specific-isms but should
get keystone running directly under flask. This implementation does
not use paste-deploy.
Change-Id: Ib4c1ed3f645dd55fbfb76395263ecdaf605caae7

The direct loading of drivers was deprecated in Liberty and noted
to be removed in Newton. This patch cleans up the deprecation and
fixes the unit tests. Some of the example request/response json
message bodies of the domain config API were also updated to the
correct way of loading a driver now.
bp removed-as-of-rocky
Change-Id: If3f4c2303da6e264e5e0d73280cc21fa01a3cfd4

Without this patch, the token formatter does not have enough data to
construct a token created with an application credential. This means
that if the token cache is disabled or expired, when keystone goes to
create the token it will not find any application credential information
and will not recreate the application_credential_restricted parameter in
the token data. This patch creates a new Payload class for application
credentials so that the application credential ID is properly persisted
in the msgpack'd payload. It also adds more data to the token data
object so that the application credential ID and name as well as its
restricted status is available when the token is queried.
Co-authored-by: Lance Bragstad <lbragstad@gmail.com>
Change-Id: I322a40404d8287748fe8c3a8d6dc1256d935d84a
Closes-bug: #1750415

This will help with testing since SQLite will start enforcing the
foreign key relationships.
We will still have a problem with migrations for tables that refer to
each other. SQLite can't alter tables and sqlalchemy-migrate's tmp table
strategy for migrations fails in this situation.
This patch did:
1. Add FK support for the tests. Disable it by default.
2. Make sure the FK is disabled for test_sql_upgrade and
identity.backends.test_sql
Partial-Bug: #1744195
Co-Authored-By: wangxiyuan <wangxiyuan@huawei.com>
Change-Id: I276af7c0125dc2cb2c54215d54491665db1caa22

Both of these drivers were staged for removal in Rocky. Now that
Rocky is open for development we can remove them. This commit removes
just the bare-bones aspects of each. Subsequent patches will do the
following:
- Remove test classes that were only meant for sql or uuid scenarios
- Refactor the notification framework to not hint at token storage
- Refactor the token provider API interfaces to be simpler and
cleaner
- Remove the needs_persistence property from the token provider API
and document the ability to push that logic into individual
providers that require it
- Return 403 Forbidden for all requests to fetch a revocation list
- Remove the signing directory configuration options
These changes will result in simpler interfaces which will be
important for people implementing their own token providers and
storage layers.
bp removed-as-of-rocky
Change-Id: I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce

A previous change started removing the self magic:
Ic2094dca56158d8e4cd843eadff837f3a17ea38f
This commit finishes that work. A subsequent patch will remove the
self manager logic all together and we'll fix up any trivial test
infrastructure then.
Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278

Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.
By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.
bp application-credentials
Change-Id: I15a03e79128a11314d06751b94343f22d533243a

Keystone has APIs for retrieving projects and domains based on the
role assignments a user has on projects and domains. We should
introduce similar functionality for system assignments. This will
make discovering system access for users and clients easier.
bp system-scope
Change-Id: Iab577fcd1b57b8b5593c3f9d50a772466383a999

This commit exposes the necessary bits to expose system-scoped
token authentication and validation via the API
bp system-scope
Change-Id: I572a8e48953f493d521fd2aa00007df46e562e2e