From 4c824c8088e359d4fd9434e01d1652a26b905335 Mon Sep 17 00:00:00 2001
From: wangxiyuan
Date: Wed, 22 Nov 2017 11:41:35 +0800
Subject: [PATCH] Add schema check for OS-TRUST:trust authentication
If the OS-TRUST:trust is not a dict when authenticating, Keystone will raise 500 error. This patch add the related schema check to avoid the error.
Change-Id: I575440fa507c5274e0c3bc09f4cfcb9b3d91a28c
Closes-bug: #1733754
---
 keystone/auth/schema.py | 6 ++++++
 keystone/tests/unit/auth/test_schema.py | 9 +++++++++
 keystone/tests/unit/test_v3_auth.py | 3 ---
 releasenotes/notes/bug-1733754-4d9d3042b8501ec6.yaml | 7 +++++++
 4 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1733754-4d9d3042b8501ec6.yaml
diff --git a/keystone/auth/schema.py b/keystone/auth/schema.py
index c09afe2863..591e442ff8 100644
--- a/keystone/auth/schema.py
+++ b/keystone/auth/schema.py
@@ -82,6 +82,12 @@ token_issue = {
 'name': {'type': 'string', },
 },
 },
+ 'OS-TRUST:trust': {
+ 'type': 'object',
+ 'properties': {
+ 'id': {'type': 'string', },
+ },
+ },
 },
 },
 },
diff --git a/keystone/tests/unit/auth/test_schema.py b/keystone/tests/unit/auth/test_schema.py
index 5831c588b7..eb365edbe8 100644
--- a/keystone/tests/unit/auth/test_schema.py
+++ b/keystone/tests/unit/auth/test_schema.py
@@ -367,6 +367,15 @@ class TestValidateIssueTokenAuth(unit.BaseTestCase):
 }
 self._expect_failure(p)
+ def test_trust_not_object_ex(self):
+ p = {
+ 'identity': {'methods': [], },
+ 'scope': {
+ 'OS-TRUST:trust': 'something',
+ },
+ }
+ self._expect_failure(p)
+
 def test_unscoped(self):
 post_data = {
 'identity': {
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 11c7062afc..8ee7df23c0 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
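Review bot: In keystone/auth/schema.py the new `'OS-TRUST:trust'` entry types `id` as a string but never requires it, so a request whose scope is `{'OS-TRUST:trust': {}}` still passes validation. Whether the code that consumes the scope copes with a missing `id` is not visible in this patch; if it reads the key directly, that request would presumably still end in a server-side error rather than a 400. Consider adding `'required': ['id'],` next to `'properties'`, or a test that pins what an empty trust object returns. The `token_issue` dict starts and ends outside this hunk.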
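Review bot: `test_trust_not_object_ex` in keystone/tests/unit/auth/test_schema.py exercises only a string value for the trust, so the second constraint the schema adds (the type of `id`) has no test. A payload with `'OS-TRUST:trust': {'id': 1},` is rejected by the `id` rule rather than the `object` rule and deserves its own case ending in `self._expect_failure(p)`. A list or `None` in place of the dict would also be cheap to pin alongside the string case. The test class continues outside the hunk.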
@@ -43,7 +43,6 @@ from keystone.tests.common import auth as common_auth
 from keystone.tests import unit
 from keystone.tests.unit import ksfixtures
 from keystone.tests.unit import test_v3
-from keystone.tests.unit import utils as test_utils
 CONF = keystone.conf.CONF
@@ -3966,8 +3965,6 @@ class TrustAPIBehavior(test_v3.RestfulTestCase):
 r = self.v3_create_token(auth_data)
 return trust
- @test_utils.wip('Waiting on validation to be added from fixing bug '
- '1733754')
 def test_authenticate_without_trust_dict_returns_bad_request(self):
 # Authenticate for a token to use in the request
 token = self.v3_create_token(
diff --git a/releasenotes/notes/bug-1733754-4d9d3042b8501ec6.yaml b/releasenotes/notes/bug-1733754-4d9d3042b8501ec6.yaml
new file mode 100644
index 0000000000..0554f47f78
--- /dev/null
+++ b/releasenotes/notes/bug-1733754-4d9d3042b8501ec6.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ [`bug 1733754 `_]
+ Keystone didn't validate the OS-TRUST:trust key of the authentication
+ request is actually a dictionary. This results in a 500 Internal Server
+ Error when it should really be a 400 Bad Request.