Merge "Check consumer and project id before creating request token"

2015-02-23 16:05:06 +00:00 · 2015-02-23 16:05:06 +00:00 · 19aedf0472
parent cd32ba0704 ee2f991923
commit 19aedf0472
2 changed files with 24 additions and 1 deletions
--- a/keystone/contrib/oauth1/controllers.py
+++ b/keystone/contrib/oauth1/controllers.py
@ -204,7 +204,8 @@ class AccessTokenRolesV3(controller.V3Controller):
        return formatted_entity


-@dependency.requires('assignment_api', 'oauth_api', 'token_provider_api')
+@dependency.requires('assignment_api', 'oauth_api',
+                     'resource_api', 'token_provider_api')
 class OAuthControllerV3(controller.V3Controller):
    collection_name = 'not_used'
    member_name = 'not_used'
@ -214,6 +215,7 @@ class OAuthControllerV3(controller.V3Controller):
        oauth_headers = oauth1.get_oauth_headers(headers)
        consumer_id = oauth_headers.get('oauth_consumer_key')
        requested_project_id = headers.get('Requested-Project-Id')
+
        if not consumer_id:
            raise exception.ValidationError(
                attribute='oauth_consumer_key', target='request')
@ -221,6 +223,10 @@ class OAuthControllerV3(controller.V3Controller):
            raise exception.ValidationError(
                attribute='requested_project_id', target='request')

+        # NOTE(stevemar): Ensure consumer and requested project exist
+        self.resource_api.get_project(requested_project_id)
+        self.oauth_api.get_consumer(consumer_id)
+
        url = self.base_url(context, context['path'])

        req_headers = {'Requested-Project-Id': requested_project_id}
--- a/keystone/tests/unit/test_v3_oauth1.py
+++ b/keystone/tests/unit/test_v3_oauth1.py
@ -614,6 +614,23 @@ class MaliciousOAuth1Tests(OAuth1Tests):
        body = {'roles': [{'id': self.role_id}]}
        self.put(url, body=body, expected_status=404)

+    def test_bad_consumer_id(self):
+        consumer = self._create_single_consumer()
+        consumer_id = uuid.uuid4().hex
+        consumer_secret = consumer['secret']
+        consumer = {'key': consumer_id, 'secret': consumer_secret}
+        url, headers = self._create_request_token(consumer, self.project_id)
+        self.post(url, headers=headers, expected_status=404)
+
+    def test_bad_requested_project_id(self):
+        consumer = self._create_single_consumer()
+        consumer_id = consumer['id']
+        consumer_secret = consumer['secret']
+        consumer = {'key': consumer_id, 'secret': consumer_secret}
+        project_id = uuid.uuid4().hex
+        url, headers = self._create_request_token(consumer, project_id)
+        self.post(url, headers=headers, expected_status=404)
+
    def test_bad_verifier(self):
        consumer = self._create_single_consumer()
        consumer_id = consumer['id']