openstack
/
keystone
Code Issues Proposed changes
OpenStack Identity (Keystone)
12,106 Commits 9 Branches 40 Tags 231 MiB
Python 99.5%
Shell 0.5%
Go to file
Colleen Murphy 7653847a04 Ensure OAuth1 authorized roles are respected 
Without this patch, when an OAuth1 request token is authorized with a
limited set of roles, the roles for the access token are ignored when
the user uses it to request a keystone token. This means that user of an
access token can use it to escallate their role assignments beyond what
was authorized by the creator. This patch fixes the issue by ensuring
the token model accounts for an OAuth1-scoped token and correctly
populating the roles for it.

Modified to work with older test helper function:

  keystone/tests/unit/test_v3_oauth1.py

Conflicts:

  keystone/models/token_model.py

  The keystone token model was refactored in the Rocky release. This
  commit only backports the test so that we have test coverage against
  the bug and proves there wasn't a regression in Queens. As such, the
  code changes to token_model.py (where the bug was introduced) are not
  applicable to Pike.

  releasenotes/notes/bug-1873290-ff7f8e4cee15b75a.yaml

  Removed the release note since there isn't anything to signal to
  operators regarding a vulnerability. We're only adding test coverage
  to prove that stable/queens isn't vulnerable.

Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
Closes-bug: #1873290
(cherry picked from commit 6c73690f77)
(cherry picked from commit ba89d27793)
(cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53)
(cherry picked from commit 2483a578a80a916d9f5acd672d85830385b236e2)
(cherry picked from commit 10bc689a67)
(cherry picked from commit d590441ce6)
 		2020-05-14 10:27:19 -07:00
api-ref/source Merge "Add description for relationship links in api-ref" 2017-08-10 10:49:31 +00:00
config-generator Move policy generator config to config-generator/ 2017-04-21 21:47:32 +00:00
devstack Merge "In the devstack plugin, restart keystone after modifying conf" 2017-07-26 23:55:10 +00:00
doc Replace openstack.org git:// URLs with https:// 2019-03-24 20:33:58 +00:00
etc Remove policy for self-service password changes 2017-08-04 13:56:59 +00:00
examples/pki Remove support for PKI and PKIz tokens 2016-11-01 22:05:01 +00:00
httpd remove httpd/keystone.py 2016-09-21 22:35:52 -04:00
keystone Ensure OAuth1 authorized roles are respected 2020-05-14 10:27:19 -07:00
keystone_tempest_plugin Remove the local tempest plugin 2017-06-06 11:48:37 +00:00
rally-jobs [rally] remove deprecated arg 2015-10-29 16:34:58 +02:00
releasenotes Delete shadow users when domain is deleted 2019-04-05 09:16:25 -07:00
tools Use ostestr instead of the custom pretty_tox.sh 2017-02-09 16:03:59 +01:00
.coveragerc Change ignore-errors to ignore_errors 2015-09-21 14:27:58 +00:00
.gitignore Cleanup policy generation 2017-05-02 15:08:41 +00:00
.gitreview OpenDev Migration Patch 2019-04-19 19:30:38 +00:00
.mailmap update mailmap with gyee's new email 2015-11-03 16:12:01 -08:00
.testr.conf Stop using oslotest.BaseTestCase 2016-03-01 21:44:20 +00:00
.zuul.yaml Import LDAP job into project 2019-10-17 14:36:33 -07:00
CONTRIBUTING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
HACKING.rst Use https for docs.openstack.org references 2017-01-30 16:05:08 -08:00
LICENSE Added Apache 2.0 License information. 2012-02-15 17:48:33 -08:00
README.rst Update URL in README.rst 2017-08-08 12:57:56 +05:30
babel.cfg setting up babel for i18n work 2012-06-21 18:03:09 -07:00
bindep.txt Differentiate between dpkg and rpm for libssl-dev 2017-03-31 11:27:25 -04:00
requirements.txt Add int storage of datetime for password created/expires 2017-08-15 18:34:20 +00:00
setup.cfg Cap bandit 2019-08-22 10:08:26 +02:00
setup.py Updated from global requirements 2017-03-06 01:10:37 +00:00
test-requirements.txt Create doc/requirements.txt 2018-01-12 22:30:21 +00:00
tox.ini Create doc/requirements.txt 2018-01-12 22:30:21 +00:00

README.rst

Team and repository tags

image

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API specification and documentation are available at:

https://specs.openstack.org/openstack/keystone-specs/

The canonical client library is available at:

https://git.openstack.org/cgit/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://git.openstack.org/cgit/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs/#identity-program-specifications

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.