
Verify that user is trustee only on issuing token

get_token_data is used to gather various data for token. One of the
checks it does is verifying that the authenticated user is a trustee.
Before Fernet, it was used during token issuing.

Impersonation in trusts substitutes information about user in token,
so instead of trustee, trustor is stored in token.

With Fernet tokens, get_token_data is used during token validation.
In the case of impersonation, the user_id stored in the Fernet token is the
id of the trustor, but the check described above needs it to be the id of
the trustee.

Move the check to happen only on token issuing.

Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8
Closes-Bug: 1524849
Boris Bobrov 3 years ago
parent
commit
c885eeed34
2 changed files with 12 additions and 6 deletions
  1. 8
    2
      keystone/tests/unit/test_v3_auth.py
  2. 4
    4
      keystone/token/providers/common.py

+ 8
- 2
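--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -4189,7 +4189,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
         user['enabled'] = enabled
         self.identity_api.update_user(user['id'], user)
 
-    def _create_trust(self):
+    def _create_trust(self, impersonation=False):
         # Create a trustee user
         trustee_user = unit.create_user(self.identity_api,
                                         domain_id=self.domain_id)
@@ -4197,7 +4197,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
             trustor_user_id=self.user_id,
             trustee_user_id=trustee_user['id'],
             project_id=self.project_id,
-            impersonation=False,
+            impersonation=impersonation,
             role_ids=[self.role_id])
 
         # Create a trust
@@ -4403,6 +4403,12 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
         # Validate a trust scoped token
         self._validate_token(trust_scoped_token)
 
+    def test_validate_a_trust_scoped_token_impersonated(self):
+        trustee_user, trust = self._create_trust(impersonation=True)
+        trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
+        # Validate a trust scoped token
+        self._validate_token(trust_scoped_token)
+
     def test_validate_tampered_trust_scoped_token_fails(self):
         trustee_user, trust = self._create_trust()
         trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)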

+ 4
- 4
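--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -482,10 +482,6 @@ class V3TokenDataHelper(object):
                 if x in token:
                     token_data[x] = token[x]
 
-        if CONF.trust.enabled and trust:
-            if user_id != trust['trustee_user_id']:
-                raise exception.Forbidden(_('User is not a trustee.'))
-
         if bind:
             token_data['bind'] = bind
 
@@ -564,6 +560,10 @@ class BaseProvider(provider.Provider):
                 'trust_id' in metadata_ref):
             trust = self.trust_api.get_trust(metadata_ref['trust_id'])
 
+        if CONF.trust.enabled and trust:
+            if user_id != trust['trustee_user_id']:
+                raise exception.Forbidden(_('User is not a trustee.'))
+
         token_ref = None
         if auth_context and self._is_mapped_token(auth_context):
             token_ref = self._handle_mapped_tokens(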
