Protect oauth controller calls and update policy.json

We need to call controller.protected for most of the oauth_calls.
With the exception of the public ones (create_request_token,
create_access_token, and authenticate_access_token).
Also need to update the policy.json accordingly.

fixes bug 1231709

Change-Id: Ica111aa3ed82499d2de50d472754a0b5b3c5cc71

etc/policy.json

@@ -88,6 +88,19 @@
     "identity:get_role_for_trust": [["@"]],
     "identity:delete_trust": [["@"]],
 
+    "identity:create_consumer": [["rule:admin_required"]],
+    "identity:get_consumer": [["rule:admin_required"]],
+    "identity:list_consumers": [["rule:admin_required"]],
+    "identity:delete_consumer": [["rule:admin_required"]],
+    "identity:update_consumer": [["rule:admin_required"]],
+
+    "identity:authorize_request_token": [["rule:admin_required"]],
+    "identity:list_access_token_roles": [["rule:admin_required"]],
+    "identity:get_access_token_role": [["rule:admin_required"]],
+    "identity:list_access_tokens": [["rule:admin_required"]],
+    "identity:get_access_token": [["rule:admin_required"]],
+    "identity:delete_access_token": [["rule:admin_required"]],
+
     "identity:list_projects_for_endpoint": [["rule:admin_required"]],
     "identity:add_endpoint_to_project": [["rule:admin_required"]],
     "identity:check_endpoint_in_project": [["rule:admin_required"]],

keystone/contrib/oauth1/controllers.py

@@ -34,11 +34,13 @@ class ConsumerCrudV3(controller.V3Controller):
     collection_name = 'consumers'
     member_name = 'consumer'
 
+    @controller.protected()
     def create_consumer(self, context, consumer):
         ref = self._assign_unique_id(self._normalize_dict(consumer))
         consumer_ref = self.oauth_api.create_consumer(ref)
         return ConsumerCrudV3.wrap_member(context, consumer_ref)
 
+    @controller.protected()
     def update_consumer(self, context, consumer_id, consumer):
         self._require_matching_id(consumer_id, consumer)
         ref = self._normalize_dict(consumer)
@@ -46,14 +48,17 @@ class ConsumerCrudV3(controller.V3Controller):
         ref = self.oauth_api.update_consumer(consumer_id, consumer)
         return ConsumerCrudV3.wrap_member(context, ref)
 
+    @controller.protected()
     def list_consumers(self, context):
         ref = self.oauth_api.list_consumers()
         return ConsumerCrudV3.wrap_collection(context, ref)
 
+    @controller.protected()
     def get_consumer(self, context, consumer_id):
         ref = self.oauth_api.get_consumer(consumer_id)
         return ConsumerCrudV3.wrap_member(context, ref)
 
+    @controller.protected()
     def delete_consumer(self, context, consumer_id):
         user_token_ref = self.token_api.get_token(context['token_id'])
         user_id = user_token_ref['user'].get('id')
@@ -71,6 +76,7 @@ class AccessTokenCrudV3(controller.V3Controller):
     collection_name = 'access_tokens'
     member_name = 'access_token'
 
+    @controller.protected()
     def get_access_token(self, context, user_id, access_token_id):
         access_token = self.oauth_api.get_access_token(access_token_id)
         if access_token['authorizing_user_id'] != user_id:
@@ -78,11 +84,13 @@ class AccessTokenCrudV3(controller.V3Controller):
         access_token = self._format_token_entity(access_token)
         return AccessTokenCrudV3.wrap_member(context, access_token)
 
+    @controller.protected()
     def list_access_tokens(self, context, user_id):
         refs = self.oauth_api.list_access_tokens(user_id)
         formatted_refs = ([self._format_token_entity(x) for x in refs])
         return AccessTokenCrudV3.wrap_collection(context, formatted_refs)
 
+    @controller.protected()
     def delete_access_token(self, context, user_id, access_token_id):
         access_token = self.oauth_api.get_access_token(access_token_id)
         consumer_id = access_token['consumer_id']
@@ -117,6 +125,7 @@ class AccessTokenRolesV3(controller.V3Controller):
     collection_name = 'roles'
     member_name = 'role'
 
+    @controller.protected()
     def list_access_token_roles(self, context, user_id, access_token_id):
         access_token = self.oauth_api.get_access_token(access_token_id)
         if access_token['authorizing_user_id'] != user_id:
@@ -126,6 +135,7 @@ class AccessTokenRolesV3(controller.V3Controller):
         refs = ([self._format_role_entity(x) for x in authed_role_ids])
         return AccessTokenRolesV3.wrap_collection(context, refs)
 
+    @controller.protected()
     def get_access_token_role(self, context, user_id,
                               access_token_id, role_id):
         access_token = self.oauth_api.get_access_token(access_token_id)
@@ -295,7 +305,8 @@ class OAuthControllerV3(controller.V3Controller):
 
         return response
 
-    def authorize(self, context, request_token_id, roles):
+    @controller.protected()
+    def authorize_request_token(self, context, request_token_id, roles):
         """An authenticated user is going to authorize a request token.
 
         As a security precaution, the requested roles must match those in

keystone/contrib/oauth1/routers.py

@@ -129,5 +129,5 @@ class OAuth1Extension(wsgi.ExtensionRouter):
         mapper.connect(
             '/OS-OAUTH1/authorize/{request_token_id}',
             controller=oauth_controller,
-            action='authorize',
+            action='authorize_request_token',
             conditions=dict(method=['PUT']))