Ensure that in v2 auth tenant_id matches trust
Previously, if a trustee requested a trust-scoped token for a project different from the one in the trust, a token would still be issued as long as the trustor had the appropriate roles on that project. Ensure that the trust that was given matches the project that was specified in the scope. (cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a) Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc Closes-Bug: #1331912
parent
381ba4a672
commit
44555e83ba
|
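--- a/<test-file-path-not-on-page>
+++ b/<test-file-path-not-on-page>
@@ -693,13 +693,15 @@ class AuthWithTrust(AuthTest):
         self.new_trust = self.trust_controller.create_trust(
             context, trust=trust_data)['trust']
 
-    def build_v2_token_request(self, username, password):
+    def build_v2_token_request(self, username, password, tenant_id=None):
+        if not tenant_id:
+            tenant_id = self.tenant_bar['id']
         body_dict = _build_user_auth(username=username, password=password)
         self.unscoped_token = self.controller.authenticate({}, body_dict)
         unscoped_token_id = self.unscoped_token['access']['token']['id']
         request_body = _build_user_auth(token={'id': unscoped_token_id},
                                         trust_id=self.new_trust['id'],
-                                        tenant_id=self.tenant_bar['id'])
+                                        tenant_id=tenant_id)
         return request_body
 
     def test_create_trust_bad_data_fails(self):
@@ -782,6 +784,15 @@ class AuthWithTrust(AuthTest):
                           exception.Forbidden,
                           self.controller.authenticate, {}, request_body)
 
+    def test_token_from_trust_wrong_project_fails(self):
+        for assigned_role in self.assigned_roles:
+            self.assignment_api.add_role_to_user_and_project(
+                self.trustor['id'], self.tenant_baz['id'], assigned_role)
+        request_body = self.build_v2_token_request('TWO', 'two2',
+                                                   self.tenant_baz['id'])
+        self.assertRaises(exception.Forbidden, self.controller.authenticate,
+                          {}, request_body)
+
     def fetch_v2_token_from_trust(self):
         request_body = self.build_v2_token_request('TWO', 'two2')
         auth_response = self.controller.authenticate({}, request_body)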
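Review bot: `test_token_from_trust_wrong_project_fails` in the second hunk has no docstring, and the invariant it pins is the whole point of the fix, so it deserves one: `"""A trust-scoped v2 token is refused for a project other than the trust's, even when the trustor holds roles on that project."""`. In the first hunk, `build_v2_token_request` now falls back with `if not tenant_id:`, which also maps an empty-string tenant to `tenant_bar`; `if tenant_id is None:` would make the default explicit and keep an empty scope passable on purpose in a later test. The new test covers only a trust that carries a project; the controller skips the comparison when the trust has no project_id, and that path is not exercised in this hunk (it may be covered elsewhere in the class, which continues outside the hunk).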
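--- a/<controller-file-path-not-on-page>
+++ b/<controller-file-path-not-on-page>
@@ -164,6 +164,8 @@ class Auth(controller.V2Controller):
 
         user_ref = old_token_ref['user']
         user_id = user_ref['id']
+        tenant_id = self._get_project_id_from_auth(auth)
+
         if not CONF.trust.enabled and 'trust_id' in auth:
             raise exception.Forbidden('Trusts are disabled.')
         elif CONF.trust.enabled and 'trust_id' in auth:
@@ -172,6 +174,9 @@ class Auth(controller.V2Controller):
                 raise exception.Forbidden()
             if user_id != trust_ref['trustee_user_id']:
                 raise exception.Forbidden()
+            if (trust_ref['project_id'] and
+                    tenant_id != trust_ref['project_id']):
+                raise exception.Forbidden()
             if ('expires' in trust_ref) and (trust_ref['expires']):
                 expiry = trust_ref['expires']
                 if expiry < timeutils.parse_isotime(timeutils.isotime()):
@@ -196,7 +201,6 @@ class Auth(controller.V2Controller):
             current_user_ref = self.identity_api.get_user(user_id)
 
         metadata_ref = {}
-        tenant_id = self._get_project_id_from_auth(auth)
         tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
             user_id, tenant_id)
 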
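Review bot: The new comparison in the second hunk also rejects a request that names no tenant at all when the trust is bound to a project, since `tenant_id` is then whatever `_get_project_id_from_auth` returns for an unscoped request (presumably None) and the inequality holds; that is a tighter rule than the commit message describes, so if it is intended it should be stated next to the check, e.g. `# A trust bound to a project may only yield a token scoped to that project.`. The check reads `trust_ref['project_id']` with subscript access; if stored trust refs can lack that key, a missing key surfaces as KeyError (a 500) rather than Forbidden — `trust_ref.get('project_id')` would keep the failure mode uniform, but whether the key is always present cannot be confirmed from this hunk. The enclosing method starts before the first hunk and ends after the last.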