When a developer is implementing an Authentication plugin, in some cases
(like an OpenID Connect plugin) it is necessary to perform a redirect to
the provider to complete the flow. This was possible in the past (before
moving to Flask) by raising an exception with the proper HTTP code set,
but the framework change made this no longer possible.
Closes-Bug: #1854041
Co-authored-by: Alvaro Lopez Garcia <aloga@ifca.unican.es>
Change-Id: I333eb15c66f37207e6937d0cb3a80f26cf9bebfc
The OAuth2.0 Access Token API is added, supporting getting an OAuth2.0
access token from the keystone identity server with application
credentials.
Change-Id: I4c54649a51534637be831450afc32d3ef8644ee5
This patch adds a new config option 'user_limit'
to credentials to set the maximum number of credentials a
user is permitted to create.
Closes-Bug: #1872732
Change-Id: Ic9dc9a4a9ec1ecbf01842c865e19a7a100e5041d
This repo does not support Python 2 anymore, so we don't need
six for compatibility between Python 2 and 3; convert six usage to Python
3 code.
Change-Id: Icba56808f38277b27af2ae5aac4b8507dee71b3b
This change creates a /v3/users/{user_id}/access_rules endpoint to allow
users to view and delete their own access rules. Access rules are not
automatically deleted when an application credential is deleted, so they
can be re-used for other application credentials or explicitly deleted
by the user. Access rules are automatically deleted when the user is
deleted, the same way that application credentials are. Access rules
that are in use by an application credential may not be deleted.
bp whitelist-extension-for-app-creds
Change-Id: I37d243d802cd538189ccfffee6ebf0624b7785d3
Add in support for immutable roles and projects (including domains).
If the immutable option is set for a role or a project that
resource may not:
* Be Deleted
* Be Updated, except to change the value of "immutable" from
`True` to `False` or `None` (None explicitly unsets the
resource option).
* For projects (and domains), project tags cannot be created,
updated, or deleted.
The immutable check is performed at the manager layer allowing
for exceptional code-cases to work directly with the driver.
Change-Id: I2027b1235a260b7ae5d66cbd6c369773d9e99876
Partial-bug: #1823258
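The immutability rule described in that commit, as an added illustration written for this page (it is not Keystone's code): the check a resource manager would run before handing a delete, update or tag change to the driver. It assumes a resource is a dict whose 'options' sub-dict may carry an 'immutable' key that is True, False, None or absent; an update on an immutable resource is accepted only if it sets options.immutable to False or None. Other fields sent alongside that unset are not rejected here, which is this example's choice.

```python
# Added illustration (not Keystone's code): manager-layer immutability check.
# Assumed data shape: resource dict with an 'options' sub-dict where the
# 'immutable' key may be True, False, None or absent.

class ImmutableResourceError(Exception):
    """Raised when a delete, update or tag change hits an immutable resource."""


def is_immutable(resource):
    """True only when options.immutable holds a truthy value (None/False/absent
    all mean mutable, matching the 'None explicitly unsets' rule)."""
    return bool(resource.get("options", {}).get("immutable"))


def check_delete_allowed(resource):
    if is_immutable(resource):
        raise ImmutableResourceError(
            "%s is immutable and cannot be deleted" % resource["id"])
    return True


def check_update_allowed(resource, update):
    """Any update is fine on a mutable resource; on an immutable one the only
    accepted update is one that sets options.immutable to False or None."""
    if not is_immutable(resource):
        return True
    new_options = update.get("options") or {}
    if "immutable" in new_options and not new_options["immutable"]:
        return True
    raise ImmutableResourceError(
        "%s is immutable; unset options.immutable first" % resource["id"])


def check_tag_change_allowed(project):
    """Project tags cannot be created, updated or deleted on an immutable project."""
    if is_immutable(project):
        raise ImmutableResourceError(
            "tags on immutable project %s cannot change" % project["id"])
    return True


def apply_update(resource, update):
    """Manager-style update: run the check first, then merge (the driver step).
    Calling the driver directly would bypass the check, which is the point of
    keeping it at the manager layer."""
    check_update_allowed(resource, update)
    merged = dict(resource)
    merged.update({k: v for k, v in update.items() if k != "options"})
    merged["options"] = dict(resource.get("options", {}))
    merged["options"].update(update.get("options") or {})
    return merged
```

Unsetting immutability and making the real change are therefore two requests, which gives audit logs a distinct event for the unlock.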
Since pki-setup was removed in Pike, this
patch removes the config options that were
left for backward compatibility, as PKI is
not supported.
Partial-Bug: #1829453
Change-Id: I83cd08e57fbc046ad69bd42eb2e5fa1ace6e8a28
This reverts commit f028ca4edd.
In the Train PTG[1] we agreed to defer this feature until we had some
kind of traceability or discoverability for APIs and that this wasn't
feasible or useful until then.
This change was merged to master but never released, so I submit that
it is safe to revert.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: I8fc5fcb2b35431882f0d64866765d6b0cd31356f
This reverts commit 37fc2b9120.
In the Train PTG[1] we agreed to defer the access rules config part of
this feature until we had some kind of traceability or discoverability
for APIs. For simplicity of review, this patch reverts the access rules
addition to the app cred manager so that we can reimplement it in a way
that doesn't require using the access_rules_config API provider.
[1] https://etherpad.openstack.org/p/keystone-train-ptg-application-credentials
Change-Id: I65ac52b8730221562391adc8b0dbccd22ea79b16
This allows domain_ids to match across distinct Keystone
deployments. The domain_id is used to create unique
identifiers with the mapping backend. When this
option is used, mapped user identifiers can be
consistent across different Keystone servers.
closes-bug: 1794527
Change-Id: I100bca162e71a9d394ed5787b976b13b1e57987f
This uses the access_rules manager to validate access rules against
configured access rules.
bp whitelist-extension-for-app-creds
Change-Id: I075ab8472cbe93db1c2327c2e82211ff71e9ef72
The access rules config driver will read a JSON file that represents
rules for accessing service APIs. This is to support application
credential access rules, which will be checked against the configured
rules upon creation. The name for this new API is borrowed from Istio's
near identical concept[1].
[1] https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1/#AccessRule
bp whitelist-extension-for-app-creds
Change-Id: If8b9c1e9df55874052dfd9b99fbcea6e06c1ca35
Adds a new model and provider for receipts which are
very similar to tokens (fernet based), and share the
same fernet mechanisms.
Adds changes to the auth layer to handle the creation,
validation, and consumptions of receipts as part of
the auth process.
Change-Id: Iccb6e6fc7aee57c58a53f90c1d671402b8efcdbb
bp: mfa-auth-receipt
Exceptions are now handled in the Flask APP instead of in the
legacy webob Application code (at this point that code was living
in the URL Normalizing Middleware). All Keystone API exceptions
(derived from keystone.exception.Error) are automatically
registered on definition with the
keystone.exception.KEYSTONE_API_EXCEPTIONS set. This set is
processed once the app is created in keystone.server.application
to the flask-friendly handler.
TypeError and generic Exception are registered to an explicit
error handler that converts TypeError to ValidationError (BAD_REQUEST)
and all other Exceptions to UnexpectedError (INTERNAL SERVER ERROR).
These exceptions are then emitted in a "jsonify-ed" manner to the
client.
Two other minor changes were required:
* Unenforced API decorator had its core functionality split into
a dedicated function that can be called in the case of an error
being raised in a "before_request" function (such as validation
in the JSON Body before request func).
* The JSON Body before request func now explicitly sets the
api to "unenforced_ok" if it is raising an exception. This
prevents the flask "was this API enforced" assertion from failing
because @unenforced_api was never run (the ValidationError was
raised prior to the resource's method being called).
Change-Id: I0d0ef6a774eb86b4769238ed34d7703232ce86c3
Partial-Bug: #1776504
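The registration-on-definition and the TypeError/Exception mapping from that commit, reduced to plain Python as an added example for this page; it is not Keystone's exception module, and it uses __init_subclass__ and a dispatch function where the commit describes Flask error handlers. The exception names, the exact messages and the decision to log a generic Exception's detail server-side while returning only the fixed UnexpectedError text to the client are assumptions of this example.

```python
import http.client
import json
import logging

LOG = logging.getLogger(__name__)

# Name taken from the commit message; filled automatically as subclasses of
# Error are defined (the mechanism here is an illustration, not Keystone's).
KEYSTONE_API_EXCEPTIONS = set()


class Error(Exception):
    """Base API error. Every subclass registers itself when it is defined, so a
    new exception type can never be forgotten by the handler setup."""
    code = http.client.INTERNAL_SERVER_ERROR
    message_format = ("An unexpected error prevented the server from "
                      "fulfilling your request.")

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        KEYSTONE_API_EXCEPTIONS.add(cls)

    def __init__(self, **kwargs):
        self.message = self.message_format % kwargs
        super().__init__(self.message)


class ValidationError(Error):
    code = http.client.BAD_REQUEST
    message_format = "Expecting to find %(attribute)s in %(target)s."


class NotFound(Error):
    code = http.client.NOT_FOUND
    message_format = "Could not find %(target)s."


class UnexpectedError(Error):
    code = http.client.INTERNAL_SERVER_ERROR


def _body(code, message):
    return int(code), {"error": {"code": int(code),
                                 "title": http.client.responses[code],
                                 "message": message}}


def handle_exception(exc):
    """Map any exception raised while serving a request to (status, body dict).
    API errors carry their own code; TypeError is treated as bad input (400);
    everything else becomes the generic 500 with the detail kept server-side."""
    if isinstance(exc, Error):
        return _body(exc.code, exc.message)
    if isinstance(exc, TypeError):
        LOG.warning("request rejected as malformed: %s", exc)
        return _body(ValidationError.code,
                     "Invalid request: the request body could not be processed.")
    LOG.error("unhandled %s: %s", type(exc).__name__, exc)
    return _body(UnexpectedError.code, UnexpectedError.message_format)


def render(exc):
    """The jsonify-ed form sent to the client."""
    status, body = handle_exception(exc)
    return status, json.dumps(body)
```

Whether str(TypeError) should reach the client is the one place to think twice: Python's own TypeError text names functions and argument counts, so this example sends a fixed sentence and logs the original.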
The PasswordHistoryValidationError was missing a space, causing two
words to be smushed together when rendering the exception.
Change-Id: Ibfafd5e6a6e1dca1029ff8a785d4d169fd235d82
Add a check function for the project hierarchical tree
when starting Keystone. If the tree depth exceeds the
enforcement model's depth, the Keystone process fails to start.
Change-Id: I4ce6a48505b8b9688bbdd18ee46ce035ee0938ed
bp: strict-two-level-model
This patch introduces the hierarchical limit structure
into Keystone.
The strict two level enforcement model is added as well.
Change-Id: Ic80e435a14ad7d6d4eccd4cd6365fb2d99fd26c1
bp: strict-two-level-model
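The startup check from the two strict-two-level-model commits above, as an added example written for this page (not Keystone's implementation): walk the project hierarchy, find the deepest chain, and refuse to start when it exceeds the enforcement model's limit. It assumes projects arrive as {'id', 'parent_id'} dicts with parent_id None for projects sitting directly under a domain, that depth is counted from 1 at that level, and that the strict two-level model's limit is 2; the sample trees are constructed.

```python
# Added illustration (not Keystone's code) of a project-tree depth check run
# at startup. Assumptions: parent_id None = directly under the domain (depth
# 1); STRICT_TWO_LEVEL_MAX_DEPTH = 2 is this example's reading of the model.

STRICT_TWO_LEVEL_MAX_DEPTH = 2


class ProjectTreeTooDeep(Exception):
    """The stored hierarchy is deeper than the enforcement model allows."""


class InvalidProjectTree(Exception):
    """Cycle or dangling parent: the data itself is corrupt."""


def project_depths(projects):
    """Return {project_id: depth}. Memoised walk up the parent pointers; a
    cycle or an unknown parent raises instead of recursing forever."""
    parents = {p["id"]: p["parent_id"] for p in projects}
    depths = {}

    def depth_of(pid, chain):
        if pid in depths:
            return depths[pid]
        if pid in chain:
            raise InvalidProjectTree("cycle detected at %s" % pid)
        parent = parents[pid]
        if parent is None:
            depth = 1
        elif parent not in parents:
            raise InvalidProjectTree("%s refers to unknown parent %s" % (pid, parent))
        else:
            depth = depth_of(parent, chain | {pid}) + 1
        depths[pid] = depth
        return depth

    for pid in parents:
        depth_of(pid, frozenset())
    return depths


def check_tree_depth(projects, max_depth=STRICT_TWO_LEVEL_MAX_DEPTH):
    """Return the deepest level found, or raise ProjectTreeTooDeep naming the
    offending projects so an operator can see what to flatten before retrying."""
    depths = project_depths(projects)
    deepest = max(depths.values(), default=0)
    if deepest > max_depth:
        offenders = sorted(pid for pid, d in depths.items() if d > max_depth)
        raise ProjectTreeTooDeep(
            "project tree depth %d exceeds the model limit %d; too deep: %s"
            % (deepest, max_depth, ", ".join(offenders)))
    return deepest


# Constructed sample trees.
OK_TREE = [{"id": "p-a", "parent_id": None},
           {"id": "p-b", "parent_id": "p-a"},
           {"id": "p-c", "parent_id": None}]
DEEP_TREE = OK_TREE + [{"id": "p-d", "parent_id": "p-b"}]
CYCLIC_TREE = [{"id": "p-x", "parent_id": "p-y"},
               {"id": "p-y", "parent_id": "p-x"}]
```

Failing at startup rather than at limit-enforcement time is the safer order: a limit model that silently skips projects it cannot place would let those projects escape quota enforcement.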
Future changes are going to rely on an instance of TokenModel through
out the token provider API instead of a dictionary. We need to
serialize the new object so that we can cache it like we do with
dictionaries.
This change adds a handler that serializes instances of TokenModel
before putting them into the cache backend and reinflates them back
into TokenModel objects on the way out.
Partial-Bug: 1778945
Change-Id: I3d8def90b035616a21edfc0ed42f43fcbd76fe23
The ValidationSizeError exception was never actually used anywhere in
the code base. This commit removes it.
Change-Id: I748b0ecc17ef67c3f8555cb2d2e6c8846bb684c4
User option ``lock_password`` has been implemented. This
option when set to ``True`` will prevent the usage of the
self-service password change API. If the ``lock_password``
option is set to ``False`` or ``None`` (to remove the
option from the user-data structure) normal password
change operations are allowed.
Closes-Bug: #1755874
Change-Id: Icf1776c5fe625c2e9292bfcf40a8a9f17a002656
In order to protect against possible abuse or bloat, add a config option
to set a limit on the number of application credentials a user may have.
bp application-credentials
Change-Id: Ieab33c3265fa0c0b1b1c6d586e5ea8a9a39edfb1
Add an auth plugin for application credentials and update the common
auth utilities to understand an auth method of 'application_credential'
and validate and scope accordingly.
By default, application credentials should not be allowed to be used for
creating other application credentials or trusts. If a user creates an
application credential with flag `allow_application_credential_creation`
then that application should be allowed to be used for creating and
deleting other application credentials and trusts. Ensure a flag is set
in the token if this property is set to allow this behavior.
bp application-credentials
Change-Id: I15a03e79128a11314d06751b94343f22d533243a
Add the controller, router, schema, and policies for application
credentials. If a secret is not provided, one is generated at the
controller layer.
bp application-credentials
Depends-on: Id26a2790acae25f80bd28a8cb121c80cb5064645
Depends-on: Icbd58464182b082854fb5d73ccc93c900ede020c
Change-Id: I7a371d59c19a11e55f17baf12d92327c1258533d
This patch does:
1. Improve the error message as Morgan suggested before.
2. Add a new error type: RegisteredLimitError.
3. Catch the DBReferenceError in update/delete registered limit
functions.
4. Handle the case that region_id=None for update/delete
registered limits.
5. Fix a code error in create_limits function.
Change-Id: Id572348ca7867d7ce6f258cb3132b05a313624bd
bp: unified-limits
Since it's possible to have a role assignment on the system now, we
should make sure we handle that case in the RoleAssignmentNotFound
exception.
bp system-scope
Change-Id: I2388d65ffa5b68690d9c4f0dd16f16e158f5a091
Add the manager layer for application credentials. This handles
generating CADF notifications on create/delete and listening for
notifications that affect application credentials' lifetime. On create,
the manager keeps a copy of the initial secret so that it may be
returned to the user, but it is otherwise never stored. The secret hash
is stored and must be filtered out before being returned to the user.
bp application-credentials
Change-Id: Iae6377e78d2b8e15472d378ef54e29a946dc51b5
This patch adds the db operation part for unified limit
Co-Authored-By: Colleen Murphy <colleen@gazlene.net>
Change-Id: Ifb2bb54b35ea0d1573cdb9cdab77dfdeb8f22446
bp: unified-limits
The help message for unique_last_password_count doesn't explain the
count logic to users, so users may misunderstand it.
This patch updates the message to make it clearer.
Change-Id: I8ab1db5c07b199a3a0ef86a79e9895be48c0a1db
Closes-bug: #1727099
LDAP servers have sizelimit configuration to limit the number of
user/group objects that can be returned for an LDAP query. This
change catches the size limit exceeded exception when users/groups
returned from ldap search query exceeds the configured limit and
responds with an appropriate error message instead of default
500 error message.
Change-Id: I9949bb7d458b4b037616c701e0e4d362bfa36473
Closes-Bug: #1712415
This change adds the tags attribute of project into the resource
manager. This change builds off of the backend logic.
Change-Id: Ie988b7a2065f0ecdb8ec953a1d01f5e3cbd67a1b
Partially-Implements: bp project-tags
Co-Authored-By: Jaewoo Park <jp655p@att.com>
Co-Authored-By: Nicolas Helgeson <nh202b@att.com>
Depends-On: I00f094a5584be40ab477cbf680a5f6d1afb4d21b
Depends-On: I5f8e4a53089b9fcc38084bb958d09f63ccc59d2a
This change catches the invalid credentials exception
when binding with LDAP and responds with a more clear error
message of "Invalid username or password" instead of just
supplying the default 500 error message.
Change-Id: I523dd816333ad76cde8f18ae0fa43040a4478524
Closes-Bug: #1684994
If a user is trying to create a trust by specifying roles by name
and the name is used by multiple roles, return a more descriptive
error message. Prior to this it was returning "role not found".
Change-Id: Ife437ac15774f546f551e191cd5e6fdde7c67d49
Partial-Bug: 1696111
When the correct IndexError happens in a federation mapping rule, '{0}'
is in a local section, but the value in direct_maps is null.
Now I have set insecure_debug to 'True', and it shows something like '...
(e.g. {0} in a local section).'. But it still shows 'An unexpected...'.
Change-Id: If6263229b153828ffa07ee3ad6004f3db7cdfd98
Closes-Bug: #1695131
The base class of LDAPServerConnectionError is changed from Error to
UnexpectedError so that it will result in HTTP 500 instead of 504. It
is inappropriate to be telling API users that there was a timeout,
which implies that LDAP is being used when they should not know that.
Change-Id: Ic9ac3443bb2117e33b1ec66d570ae2a7a2f62df2
Closes-Bug: #1687115
The httplib (py2) and http.client (py3) have nice constants for all
the standard HTTP status codes. This patch changes the exception
module to make use of those.
Change-Id: I67d3717dca5aecf3c8b36f5b69f1ca659c0b08b1
Process and validate the auth methods used by a given auth request
against the user's MFA ruleset(s) and ensure the required auth
methods have been used. If insufficient auth methods are used
an "InsufficientAuthMethods" exception is raised (401) indicating
the reason for failure.
Change-Id: I2a83aa164f1c17352807188bfbaae17d909b3e5f
bp: per-user-auth-plugin-reqs
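The ruleset check that commit describes, as an added example written for this page rather than Keystone's auth code. The rule representation (a list of rules, each rule a list of auth method names that must all be present; any one satisfied rule is enough) and the user option names multi_factor_auth_enabled and multi_factor_auth_rules are assumptions of this example. Two edge cases are handled explicitly: rules naming a method the deployment has not enabled are dropped, and if that leaves a user with configured rules but none usable the check fails closed, which is this example's choice rather than something the commit states.

```python
# Added illustration (not Keystone's code) of validating the auth methods used
# by a request against a user's MFA rules. Assumed rule shape:
# [["password", "totp"], ["x509"]] means password AND totp, OR x509 alone.

class InsufficientAuthMethods(Exception):
    """401: the methods used do not satisfy any of the user's MFA rules."""

    def __init__(self, methods_used, rules):
        self.methods_used = sorted(methods_used)
        self.rules = rules
        super().__init__(
            "auth methods %s do not satisfy any required rule; acceptable "
            "combinations: %s" % (self.methods_used,
                                  " or ".join("+".join(r) for r in rules)))


def usable_rules(rules, enabled_methods):
    """Keep only rules whose every method this deployment can actually run;
    a rule naming an unknown method could never be satisfied."""
    enabled = set(enabled_methods)
    return [list(r) for r in rules if r and all(m in enabled for m in r)]


def check_auth_methods(user_options, methods_used, enabled_methods):
    """Return True when the request satisfies the user's MFA requirements,
    else raise InsufficientAuthMethods. Users without MFA enabled, or with an
    empty rule list, pass unconditionally."""
    if not user_options.get("multi_factor_auth_enabled"):
        return True
    configured = user_options.get("multi_factor_auth_rules") or []
    if not configured:
        return True
    rules = usable_rules(configured, enabled_methods)
    if not rules:
        # Rules exist but none can be met here: fail closed rather than
        # silently downgrading the user to single-factor (example's choice).
        raise InsufficientAuthMethods(methods_used, configured)
    used = set(methods_used)
    for rule in rules:
        if set(rule) <= used:
            return True
    raise InsufficientAuthMethods(used, rules)
```

The error lists the acceptable combinations so a client can re-authenticate with the missing factor; that is the "reason for failure" the 401 carries, and it reveals only what the user's own configuration already contains.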
New query added for determining when passwords will expire.
The following are the new queries:
/v3/groups/{group_id}/users?password_expires_at={operator}:{timestamp}
- Lists users belonging to a group whose password will expire based
on the operator given.
/v3/users?password_expires_at={operator}:{timestamp}
- Lists users whose password will expire based on the operator given.
{timestamp} is a datetime in the format "YYYY-MM-DDTHH:mm:ssZ".
{operator} is one of lt, lte, gt, gte, eq, and neq to filter in.
If no operator is given, it is treated as eq.
Examples:
- GET /v3/users?password_expires_at=lt:2016-11-06T15:32:17Z
- GET /v3/groups/079c578fd99b428ab61fcd4c9bd88ecd/users?password_expires_at=gt:2016-12-08T22:02:00Z
Partially-Implements: bp pci-dss-query-password-expired-users
Change-Id: If0b9cc3c8af92b2ea5d41a0e8afeb78e12b7689c
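A parser for the {operator}:{timestamp} value described above and the filter it drives, as an added example for this page (not Keystone's query code). It follows the stated rules: the six operators, eq when no operator is given, and the "YYYY-MM-DDTHH:mm:ssZ" format. The user records and group membership are constructed; treating users with no expiry as never matching, and timestamps as naive UTC, are assumptions of this example.

```python
import operator
from datetime import datetime

OPERATORS = {"lt": operator.lt, "lte": operator.le,
             "gt": operator.gt, "gte": operator.ge,
             "eq": operator.eq, "neq": operator.ne}
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # YYYY-MM-DDTHH:mm:ssZ, UTC


def parse_password_expires_at(value):
    """'lt:2016-11-06T15:32:17Z' -> (operator.lt, datetime).
    A bare timestamp means eq. The timestamp itself contains ':' so only an
    alphabetic prefix is treated as an operator name."""
    head, sep, tail = value.partition(":")
    if sep and head.isalpha():
        if head not in OPERATORS:
            raise ValueError("unknown operator %r (expected one of %s)"
                             % (head, ", ".join(sorted(OPERATORS))))
        op, ts = OPERATORS[head], tail
    else:
        op, ts = operator.eq, value
    try:
        when = datetime.strptime(ts, TIMESTAMP_FORMAT)
    except ValueError:
        raise ValueError("timestamp must look like YYYY-MM-DDTHH:mm:ssZ, got %r" % ts)
    return op, when


def filter_users(users, value, group_member_ids=None):
    """IDs of users whose password_expires_at satisfies the filter. With
    group_member_ids given, only members of that group are considered
    (the /v3/groups/{group_id}/users variant). Users with no expiry set
    never match (assumption of this example)."""
    op, when = parse_password_expires_at(value)
    matched = []
    for user in users:
        if group_member_ids is not None and user["id"] not in group_member_ids:
            continue
        expires = user.get("password_expires_at")
        if expires is None:
            continue
        if op(expires, when):
            matched.append(user["id"])
    return matched


# Constructed sample data (naive datetimes standing for UTC).
SAMPLE_USERS = [
    {"id": "alice", "password_expires_at": datetime(2016, 11, 1, 0, 0, 0)},
    {"id": "bob", "password_expires_at": datetime(2016, 11, 6, 15, 32, 17)},
    {"id": "carol", "password_expires_at": datetime(2016, 12, 10, 8, 0, 0)},
    {"id": "dave", "password_expires_at": None},
]
SAMPLE_GROUP_MEMBERS = {"079c578fd99b428ab61fcd4c9bd88ecd": {"bob", "dave"}}
```

The parser rejects malformed input with a ValueError carrying no internals, which is what the API layer should turn into a 400; compare in aware UTC in production so a client-supplied "Z" timestamp and stored expiries are on the same clock.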
Currently, if a user's password expires, they must contact an
administrator in order to have their password reset for them.
This change allows a user to perform the change_password call
without a token, which will allow a user with an expired password
to change it if they are using PCI-DSS related features. This
removes the issue of needing an administrator to reset any
user's password that has expired.
Also updated the api-ref with the related changes.
Change-Id: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
Closes-Bug: #1641645
Provide a way to provision projects and assignments when a federated
user authenticates for the first time for an unscoped token.
implements bp shadow-mapping
Change-Id: I6029dac8294e8cfc4bf622ac71b5e731956389db
As mentioned in the bug report, keystone/exceptions.py has many
exceptions with messages that are not consistent with each other
and have various punctuational differences, such as some ending
with a period while others do not.
This change adds a '.' to the end of many exception messages and
adds small changes to other messages in order to keep all of the
exception messages consistent.
Change-Id: I21cac56ff70dbc2693c6090b887537a7c1f303e1
Closes-Bug: #1656026
Presently the Identity LDAP driver does not set a connection timeout
option which has the disadvantage of causing the Identity LDAP backend
handler to stall indefinitely (or until TCP timeout) on LDAP bind, if
a) the LDAP URL is incorrect, or b) there is a connection failure/link
loss.
This commit adds a new option to set the LDAP connection timeout,
which sets OPT_NETWORK_TIMEOUT on the LDAP object. This will
raise ldap.SERVER_DOWN exceptions on timeout.
Signed-off-by: Kam Nasim <kam.nasim@windriver.com>
Closes-Bug: #1636950
Change-Id: I574e6368169ad60bef2cc990d2d410a638d1b770
This adds a reason to the CADF event notifications that are emitted
for the following events related to PCI-DSS:
- Change user passwords/passphrases at least once every X days
- Limit repeated access attempts by locking out the user ID after
not more than X attempts
- Do not allow an individual to submit a new password/phrase that
is the same as any of the last X passwords/phrases he or she has used
- Passwords/phrases must meet the specified regex
- User attempting to change password early
Implements: bp pci-dss-notifications
Co-Authored-By: Tin Lam <tinlam@gmail.com>
Change-Id: Ia678d25bdfa151c95483f5fcb77853184fbecfd1