From 05a129e54573b6cbda1ec095f4526f2b9ba90a90 Mon Sep 17 00:00:00 2001 From: Boris Bobrov Date: Tue, 25 Apr 2017 14:20:36 +0000 Subject: [PATCH] Do not fetch group assignments without groups Without the change, the method fetched all assignments for a project or domain, regardless of who has the assignment, user or group. This led to situation when federated user without groups could scope a token with other user's rules. Return empty list of assignments if no groups were passed. Closes-Bug: 1677723 Change-Id: I65f5be915bef2f979e70b043bde27064e970349d (cherry picked from commit 2139639eeabc8f6941f4461fc87d609cde3118c2) --- keystone/assignment/core.py | 5 ++++ keystone/tests/unit/test_v3_federation.py | 28 +++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py index e549abbe6..6a6717a35 100644 --- a/keystone/assignment/core.py +++ b/keystone/assignment/core.py @@ -165,6 +165,11 @@ class Manager(manager.Manager): def get_roles_for_groups(self, group_ids, project_id=None, domain_id=None): """Get a list of roles for this group on domain and/or project.""" + # if no group ids were passed, there are no roles. Without this check, + # all assignments for the project or domain will be fetched, + # which is not what we want. + if not group_ids: + return [] if project_id is not None: self.resource_api.get_project(project_id) assignment_list = self.list_role_assignments( diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py index f3e9baa2b..1a7ce40d6 100644 --- a/keystone/tests/unit/test_v3_federation.py +++ b/keystone/tests/unit/test_v3_federation.py @@ -1776,6 +1776,34 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): token_groups = token_resp['token']['user']['OS-FEDERATION']['groups'] self.assertEqual(0, len(token_groups)) + def test_issue_scoped_token_no_groups(self): + """Verify that token without groups cannot get scoped to project. + + This test is required because of bug 1677723. + """ + # issue unscoped token with no groups + r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION') + self.assertIsNotNone(r.headers.get('X-Subject-Token')) + token_resp = r.json_body + token_groups = token_resp['token']['user']['OS-FEDERATION']['groups'] + self.assertEqual(0, len(token_groups)) + unscoped_token = r.headers.get('X-Subject-Token') + + # let admin get roles in a project + self.proj_employees + admin = unit.new_user_ref(CONF.identity.default_domain_id) + self.identity_api.create_user(admin) + self.assignment_api.create_grant(self.role_admin['id'], + user_id=admin['id'], + project_id=self.proj_employees['id']) + + # try to scope the token. It should fail + scope = self._scope_request( + unscoped_token, 'project', self.proj_employees['id'] + ) + self.v3_create_token( + scope, expected_status=http_client.UNAUTHORIZED) + def test_issue_unscoped_token_malformed_environment(self): """Test whether non string objects are filtered out.