validate from backend (bug 1129713)
In certain cases we were depending on CMS to validate PKI tokens, but that is not necessary and bypasses the revocation check. Change-Id: I9d7e60b074aa8c8859971618fed20c8cde2220c4
parent
8690166418
commit
255b1d4350
@ -490,20 +490,13 @@ class TokenController(wsgi.Application):
|
||||
"""
|
||||
# TODO(termie): this stuff should probably be moved to middleware
|
||||
self.assert_admin(context)
|
||||
data = self.token_api.get_token(context=context, token_id=token_id)
|
||||
if belongs_to:
|
||||
if (not data.get('tenant') or data['tenant'].get('id') !=
|
||||
belongs_to):
|
||||
raise exception.Unauthorized()
|
||||
|
||||
if cms.is_ans1_token(token_id):
|
||||
data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
|
||||
config.CONF.signing.certfile,
|
||||
config.CONF.signing.ca_certs))
|
||||
data['access']['token']['user'] = data['access']['user']
|
||||
data['access']['token']['metadata'] = data['access']['metadata']
|
||||
if belongs_to:
|
||||
assert data['access']['token']['tenant']['id'] == belongs_to
|
||||
token_ref = data['access']['token']
|
||||
else:
|
||||
token_ref = self.token_api.get_token(context=context,
|
||||
token_id=token_id)
|
||||
return token_ref
|
||||
return data
|
||||
|
||||
# admin only
|
||||
def validate_token_head(self, context, token_id):
|
||||
|
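Review bot: The new `data = self.token_api.get_token(context=context, token_id=token_id)` line has no comment explaining why a backend lookup replaces the CMS signature check that used to sit here, and that reasoning is the security point of the change — without it a later edit could bring back a signature-only fast path for PKI tokens. I would add above it: `# Always look the token up in the backend, even for a PKI token: a valid CMS signature says nothing about revocation; only the backend lookup rejects revoked tokens.` The method now relies entirely on `get_token` raising for a revoked or expired token, which the hunk does not show, so confirm that against the token backends rather than assuming it. The enclosing method's signature and docstring start above the hunk; the docstring should state that `belongs_to` is compared against the tenant id in `data['tenant']['id']`, not the tenant name. If nothing else in the file still uses `cms`, `json` or `config.CONF.signing`, those imports are now dead as well.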
@ -150,3 +150,54 @@ class AuthTest(test.TestCase):
|
||||
body_dict = _build_user_auth(username='FOO', password='0' * 8193)
|
||||
self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
|
||||
{}, body_dict)
|
||||
|
||||
|
||||
class AuthWithToken(AuthTest):
|
||||
def setUp(self):
|
||||
super(AuthWithToken, self).setUp()
|
||||
|
||||
def test_belongs_to_no_tenant(self):
|
||||
r = self.api.authenticate(
|
||||
{},
|
||||
auth={
|
||||
'passwordCredentials': {
|
||||
'username': self.user_foo['name'],
|
||||
'password': self.user_foo['password']
|
||||
}
|
||||
})
|
||||
unscoped_token_id = r['access']['token']['id']
|
||||
self.assertRaises(
|
||||
exception.Unauthorized,
|
||||
self.api.validate_token,
|
||||
dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
|
||||
token_id=unscoped_token_id)
|
||||
|
||||
def test_belongs_to_wrong_tenant(self):
|
||||
body_dict = _build_user_auth(
|
||||
username='FOO',
|
||||
password='foo2',
|
||||
tenant_name="BAR")
|
||||
|
||||
scoped_token = self.api.authenticate({}, body_dict)
|
||||
scoped_token_id = scoped_token['access']['token']['id']
|
||||
|
||||
self.assertRaises(
|
||||
exception.Unauthorized,
|
||||
self.api.validate_token,
|
||||
dict(is_admin=True, query_string={'belongsTo': 'me'}),
|
||||
token_id=scoped_token_id)
|
||||
|
||||
def test_belongs_to(self):
|
||||
body_dict = _build_user_auth(
|
||||
username='FOO',
|
||||
password='foo2',
|
||||
tenant_name="BAR")
|
||||
|
||||
scoped_token = self.api.authenticate({}, body_dict)
|
||||
scoped_token_id = scoped_token['access']['token']['id']
|
||||
|
||||
self.assertRaises(
|
||||
exception.Unauthorized,
|
||||
self.api.validate_token,
|
||||
dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
|
||||
token_id=scoped_token_id)
|
||||
|
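Review bot: `test_belongs_to` (the last method in the hunk) never exercises the success path it is named for: it scopes the token to tenant `BAR` by name, passes `'BAR'` as `belongsTo`, and expects `Unauthorized`, which only holds because the controller compares the tenant id and the fixture's id for that tenant presumably differs from its name — so it duplicates `test_belongs_to_wrong_tenant` and the matching-id case is untested. Take the id from the scoped token and assert that validation succeeds; once the return shape of `validate_token` is confirmed, also assert the returned tenant id equals it. The `setUp` in `AuthWithToken` only calls `super`, so it can be dropped.
```python
    def test_belongs_to(self):
        # … unchanged: _build_user_auth and self.api.authenticate …
        scoped_token_id = scoped_token['access']['token']['id']
        tenant_id = scoped_token['access']['token']['tenant']['id']

        # A token scoped to this tenant must validate when belongsTo is its id.
        self.api.validate_token(
            dict(is_admin=True, query_string={'belongsTo': tenant_id}),
            token_id=scoped_token_id)
```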