validate from backend (bug 1129713)
In certain cases we were depending on CMS to validate PKI tokens, but that is not necessary and bypasses the revocation check. Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
This commit is contained in:
parent
8690166418
commit
255b1d4350
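--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -490,20 +490,13 @@ class TokenController(wsgi.Application):
         """
         # TODO(termie): this stuff should probably be moved to middleware
         self.assert_admin(context)
+        data = self.token_api.get_token(context=context, token_id=token_id)
+        if belongs_to:
+            if (not data.get('tenant') or data['tenant'].get('id') !=
+                    belongs_to):
+                raise exception.Unauthorized()
 
-        if cms.is_ans1_token(token_id):
-            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
-                                             config.CONF.signing.certfile,
-                                             config.CONF.signing.ca_certs))
-            data['access']['token']['user'] = data['access']['user']
-            data['access']['token']['metadata'] = data['access']['metadata']
-            if belongs_to:
-                assert data['access']['token']['tenant']['id'] == belongs_to
-            token_ref = data['access']['token']
-        else:
-            token_ref = self.token_api.get_token(context=context,
-                                                 token_id=token_id)
-        return token_ref
+        return data
 
     # admin only
     def validate_token_head(self, context, token_id):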
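Review bot: The docstring whose closing `"""` opens this hunk should state that `belongsTo` is matched against the token's tenant *id*, because the new check compares `data['tenant'].get('id')` with `belongs_to`, so a tenant name or an unscoped token is rejected with `Unauthorized`; a line such as `belongsTo must be the id of the tenant the token is scoped to; an unscoped token or any other tenant raises Unauthorized.` would do. The enclosing method, and the start of its docstring, begin before the hunk. Whether `self.token_api.get_token` itself refuses revoked or expired tokens, which the commit message relies on, is not visible in this hunk and deserves an explicit test rather than an assumption.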
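--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -150,3 +150,54 @@ class AuthTest(test.TestCase):
         body_dict = _build_user_auth(username='FOO', password='0' * 8193)
         self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
                           {}, body_dict)
+
+
+class AuthWithToken(AuthTest):
+    def setUp(self):
+        super(AuthWithToken, self).setUp()
+
+    def test_belongs_to_no_tenant(self):
+        r = self.api.authenticate(
+            {},
+            auth={
+                'passwordCredentials': {
+                    'username': self.user_foo['name'],
+                    'password': self.user_foo['password']
+                }
+            })
+        unscoped_token_id = r['access']['token']['id']
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+            token_id=unscoped_token_id)
+
+    def test_belongs_to_wrong_tenant(self):
+        body_dict = _build_user_auth(
+            username='FOO',
+            password='foo2',
+            tenant_name="BAR")
+
+        scoped_token = self.api.authenticate({}, body_dict)
+        scoped_token_id = scoped_token['access']['token']['id']
+
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'me'}),
+            token_id=scoped_token_id)
+
+    def test_belongs_to(self):
+        body_dict = _build_user_auth(
+            username='FOO',
+            password='foo2',
+            tenant_name="BAR")
+
+        scoped_token = self.api.authenticate({}, body_dict)
+        scoped_token_id = scoped_token['access']['token']['id']
+
+        self.assertRaises(
+            exception.Unauthorized,
+            self.api.validate_token,
+            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
+            token_id=scoped_token_id)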
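Review bot: `test_belongs_to` passes the tenant *name* `'BAR'` as `belongsTo` and expects `Unauthorized`, so it is a second wrong-tenant case rather than a positive one; the check in `validate_token` compares the tenant id, and nothing in this section shows a correct `belongsTo` being accepted. Add the positive path with `tenant_id = scoped_token['access']['token']['tenant']['id']` followed by `self.api.validate_token(dict(is_admin=True, query_string={'belongsTo': tenant_id}), token_id=scoped_token_id)`, and give the existing test a name that says it rejects a tenant name. The `setUp` on `AuthWithToken` only calls `super` and can be dropped.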