Disable EC2 credentials access_id update

Without this patch user can alter EC2 credential access_id and user cannot use it anymore as an ec2 auth token since EC2 credential access ID is used to calculate an ID of the "credential" [1] and it doesn't update the EC2 credential ID with new access ID. This leads to unwanted EC2 credentials stored in database. As per the discussion of keystone team [2] we decided to block patching of "access_id" attribute. [1] 7bb6314e40/keystone/api/users.py (L363) [2]http://eavesdrop.openstack.org/irclogs/%23openstack-meeting-alt/%23openstack-meeting-alt.2020-05-12.log.html#t2020-05-12T17:45:20 Closes-Bug: #1872753 Change-Id: I1f6ce3927c2881d9a2d7dcda3ccd29e0a82e45a9
2020-05-15 14:13:40 +05:30 · 2020-05-15 14:13:40 +05:30 · 252c23b1b8
commit 252c23b1b8
parent 89cc35f0b1
3 changed files with 38 additions and 1 deletions
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@ -176,7 +176,8 @@ class CredentialResource(ks_flask.ResourceBase):
            if isinstance(old_blob, str):
                old_blob = jsonutils.loads(old_blob)
            # if there was a scope set, prevent changing it or unsetting it
-            for key in ['trust_id', 'app_cred_id', 'access_token_id']:
+            for key in ['trust_id', 'app_cred_id', 'access_token_id',
+                        'access_id']:
                if old_blob.get(key) != new_blob.get(key):
                    message = _('%s can not be updated for credential') % key
                    raise exception.ValidationError(message=message)
--- a/keystone/tests/unit/test_v3_credential.py
+++ b/keystone/tests/unit/test_v3_credential.py
@ -407,6 +407,34 @@ class CredentialTestCase(CredentialBaseTestCase):
            body={'credential': update_ref},
            expected_status=http.client.BAD_REQUEST)

+    def test_update_ec2_credential_change_access_id(self):
+        """Call ``PATCH /credentials/{credential_id}``."""
+        blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
+                                            project_id=self.project_id)
+        blob['access_id'] = uuid.uuid4().hex
+        ref['blob'] = json.dumps(blob)
+        r = self.post(
+            '/credentials',
+            body={'credential': ref})
+        self.assertValidCredentialResponse(r, ref)
+        credential_id = r.result.get('credential')['id']
+        # Try changing to a different access_id
+        blob['access_id'] = uuid.uuid4().hex
+        update_ref = {'blob': json.dumps(blob)}
+        self.patch(
+            '/credentials/%(credential_id)s' % {
+                'credential_id': credential_id},
+            body={'credential': update_ref},
+            expected_status=http.client.BAD_REQUEST)
+        # Try removing the access_id
+        del blob['access_id']
+        update_ref = {'blob': json.dumps(blob)}
+        self.patch(
+            '/credentials/%(credential_id)s' % {
+                'credential_id': credential_id},
+            body={'credential': update_ref},
+            expected_status=http.client.BAD_REQUEST)
+
    def test_delete_credential(self):
        """Call ``DELETE /credentials/{credential_id}``."""
        self.delete(
--- a/releasenotes/notes/bug-1872753-e2a934eac919ccde.yaml
+++ b/releasenotes/notes/bug-1872753-e2a934eac919ccde.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - >
+    [`bug 1872753 <https://bugs.launchpad.net/keystone/+bug/1872753>`_]
+    Added validation to the EC2 credential API to prevent altering the ``access_id``
+    field in the blob attribute. This prevents accidentally orphaning an EC2 credential
+    resource when an altered ``access_id`` no longer resolves to the credential's
+    resource ID.