Protect oauth controller calls and update policy.json

We need to wrap most of the OAuth controller calls with controller.protected(),
with the exception of the public ones (create_request_token,
create_access_token, and authenticate_access_token).
policy.json also needs to be updated accordingly.

fixes bug 1231709

Change-Id: Ica111aa3ed82499d2de50d472754a0b5b3c5cc71
Steve Martinelli 2013-09-26 17:03:24 -05:00
parent 2f75699719
commit 65f292144f
3 changed files with 26 additions and 2 deletions


@ -88,6 +88,19 @@
"identity:get_role_for_trust": [["@"]], "identity:get_role_for_trust": [["@"]],
"identity:delete_trust": [["@"]], "identity:delete_trust": [["@"]],
"identity:create_consumer": [["rule:admin_required"]],
"identity:get_consumer": [["rule:admin_required"]],
"identity:list_consumers": [["rule:admin_required"]],
"identity:delete_consumer": [["rule:admin_required"]],
"identity:update_consumer": [["rule:admin_required"]],
"identity:authorize_request_token": [["rule:admin_required"]],
"identity:list_access_token_roles": [["rule:admin_required"]],
"identity:get_access_token_role": [["rule:admin_required"]],
"identity:list_access_tokens": [["rule:admin_required"]],
"identity:get_access_token": [["rule:admin_required"]],
"identity:delete_access_token": [["rule:admin_required"]],
"identity:list_projects_for_endpoint": [["rule:admin_required"]], "identity:list_projects_for_endpoint": [["rule:admin_required"]],
"identity:add_endpoint_to_project": [["rule:admin_required"]], "identity:add_endpoint_to_project": [["rule:admin_required"]],
"identity:check_endpoint_in_project": [["rule:admin_required"]], "identity:check_endpoint_in_project": [["rule:admin_required"]],
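Review bot: The new access-token entries (`identity:list_access_token_roles`, `identity:get_access_token_role`, `identity:list_access_tokens`, `identity:get_access_token`, `identity:delete_access_token`) gate endpoints whose controller signatures take the owning `user_id`, yet every one is `[["rule:admin_required"]]`, so the user who delegated the token cannot list or revoke it himself; only an admin can. If this file defines an owner rule (Keystone's policy.json conventionally carries `admin_or_owner`), those five entries are candidates for `[["rule:admin_or_owner"]]`, which keeps admin access while allowing self-service revocation of a token held by a compromised consumer. That may well be the intended posture for a first cut, so treat it as a question for the author rather than a defect; since JSON has no comment syntax, the rationale for admin-only would need to go in the commit message or the API docs rather than here.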


@ -34,11 +34,13 @@ class ConsumerCrudV3(controller.V3Controller):
collection_name = 'consumers' collection_name = 'consumers'
member_name = 'consumer' member_name = 'consumer'
@controller.protected()
def create_consumer(self, context, consumer): def create_consumer(self, context, consumer):
ref = self._assign_unique_id(self._normalize_dict(consumer)) ref = self._assign_unique_id(self._normalize_dict(consumer))
consumer_ref = self.oauth_api.create_consumer(ref) consumer_ref = self.oauth_api.create_consumer(ref)
return ConsumerCrudV3.wrap_member(context, consumer_ref) return ConsumerCrudV3.wrap_member(context, consumer_ref)
@controller.protected()
def update_consumer(self, context, consumer_id, consumer): def update_consumer(self, context, consumer_id, consumer):
self._require_matching_id(consumer_id, consumer) self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer) ref = self._normalize_dict(consumer)
@ -46,14 +48,17 @@ class ConsumerCrudV3(controller.V3Controller):
ref = self.oauth_api.update_consumer(consumer_id, consumer) ref = self.oauth_api.update_consumer(consumer_id, consumer)
return ConsumerCrudV3.wrap_member(context, ref) return ConsumerCrudV3.wrap_member(context, ref)
@controller.protected()
def list_consumers(self, context): def list_consumers(self, context):
ref = self.oauth_api.list_consumers() ref = self.oauth_api.list_consumers()
return ConsumerCrudV3.wrap_collection(context, ref) return ConsumerCrudV3.wrap_collection(context, ref)
@controller.protected()
def get_consumer(self, context, consumer_id): def get_consumer(self, context, consumer_id):
ref = self.oauth_api.get_consumer(consumer_id) ref = self.oauth_api.get_consumer(consumer_id)
return ConsumerCrudV3.wrap_member(context, ref) return ConsumerCrudV3.wrap_member(context, ref)
@controller.protected()
def delete_consumer(self, context, consumer_id): def delete_consumer(self, context, consumer_id):
user_token_ref = self.token_api.get_token(context['token_id']) user_token_ref = self.token_api.get_token(context['token_id'])
user_id = user_token_ref['user'].get('id') user_id = user_token_ref['user'].get('id')
@ -71,6 +76,7 @@ class AccessTokenCrudV3(controller.V3Controller):
collection_name = 'access_tokens' collection_name = 'access_tokens'
member_name = 'access_token' member_name = 'access_token'
@controller.protected()
def get_access_token(self, context, user_id, access_token_id): def get_access_token(self, context, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id) access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id: if access_token['authorizing_user_id'] != user_id:
@ -78,11 +84,13 @@ class AccessTokenCrudV3(controller.V3Controller):
access_token = self._format_token_entity(access_token) access_token = self._format_token_entity(access_token)
return AccessTokenCrudV3.wrap_member(context, access_token) return AccessTokenCrudV3.wrap_member(context, access_token)
@controller.protected()
def list_access_tokens(self, context, user_id): def list_access_tokens(self, context, user_id):
refs = self.oauth_api.list_access_tokens(user_id) refs = self.oauth_api.list_access_tokens(user_id)
formatted_refs = ([self._format_token_entity(x) for x in refs]) formatted_refs = ([self._format_token_entity(x) for x in refs])
return AccessTokenCrudV3.wrap_collection(context, formatted_refs) return AccessTokenCrudV3.wrap_collection(context, formatted_refs)
@controller.protected()
def delete_access_token(self, context, user_id, access_token_id): def delete_access_token(self, context, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id) access_token = self.oauth_api.get_access_token(access_token_id)
consumer_id = access_token['consumer_id'] consumer_id = access_token['consumer_id']
@ -117,6 +125,7 @@ class AccessTokenRolesV3(controller.V3Controller):
collection_name = 'roles' collection_name = 'roles'
member_name = 'role' member_name = 'role'
@controller.protected()
def list_access_token_roles(self, context, user_id, access_token_id): def list_access_token_roles(self, context, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id) access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id: if access_token['authorizing_user_id'] != user_id:
@ -126,6 +135,7 @@ class AccessTokenRolesV3(controller.V3Controller):
refs = ([self._format_role_entity(x) for x in authed_role_ids]) refs = ([self._format_role_entity(x) for x in authed_role_ids])
return AccessTokenRolesV3.wrap_collection(context, refs) return AccessTokenRolesV3.wrap_collection(context, refs)
@controller.protected()
def get_access_token_role(self, context, user_id, def get_access_token_role(self, context, user_id,
access_token_id, role_id): access_token_id, role_id):
access_token = self.oauth_api.get_access_token(access_token_id) access_token = self.oauth_api.get_access_token(access_token_id)
@ -295,7 +305,8 @@ class OAuthControllerV3(controller.V3Controller):
return response return response
def authorize(self, context, request_token_id, roles): @controller.protected()
def authorize_request_token(self, context, request_token_id, roles):
"""An authenticated user is going to authorize a request token. """An authenticated user is going to authorize a request token.
As a security precaution, the requested roles must match those in As a security precaution, the requested roles must match those in
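Review bot: The docstring of the renamed `authorize_request_token` still says "An authenticated user is going to authorize a request token", but the method is now wrapped in `@controller.protected()`, which in Keystone appears to enforce the policy action derived from the method name (`identity:authorize_request_token`), and this same commit sets that action to `rule:admin_required`, so a plain authenticated user will be rejected. Either the policy or the docstring should be reconciled; if admin-only is intended, the first docstring line could read `"""Authorize a request token on behalf of the delegating user.` followed by `Gated by the identity:authorize_request_token policy (admin-only by default).`. Because the policy key is tied to the function name, the rename must also be followed by anything else that dispatches on the old action name `authorize` (tests, client code), not just the router change in this commit. The method body continues past the end of this hunk.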


@ -129,5 +129,5 @@ class OAuth1Extension(wsgi.ExtensionRouter):
mapper.connect( mapper.connect(
'/OS-OAUTH1/authorize/{request_token_id}', '/OS-OAUTH1/authorize/{request_token_id}',
controller=oauth_controller, controller=oauth_controller,
action='authorize', action='authorize_request_token',
conditions=dict(method=['PUT'])) conditions=dict(method=['PUT']))