Verify that user is trustee only on issuing token
get_token_data is used to gather various data for a token. One of the checks it performs is verifying that the authenticated user is a trustee. Before Fernet, it was used during token issuing. Impersonation in trusts substitutes the trustor's user information into the token, so the trustor, rather than the trustee, is stored in the token. With Fernet tokens, get_token_data is also used during token validation. In the case of impersonation, the user_id stored in the Fernet token is the id of the trustor, but the check described above needs this id to be the id of the trustee. Move the check so that it happens only on token issuing. Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8 Closes-Bug: 1524849
This commit is contained in:
parent
e0be6bf975
commit
c885eeed34
@ -4189,7 +4189,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
|
||||||
user['enabled'] = enabled
|
user['enabled'] = enabled
|
||||||
self.identity_api.update_user(user['id'], user)
|
self.identity_api.update_user(user['id'], user)
|
||||||
|
|
||||||
def _create_trust(self):
|
def _create_trust(self, impersonation=False):
|
||||||
# Create a trustee user
|
# Create a trustee user
|
||||||
trustee_user = unit.create_user(self.identity_api,
|
trustee_user = unit.create_user(self.identity_api,
|
||||||
domain_id=self.domain_id)
|
domain_id=self.domain_id)
|
||||||
|
@ -4197,7 +4197,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
|
||||||
trustor_user_id=self.user_id,
|
trustor_user_id=self.user_id,
|
||||||
trustee_user_id=trustee_user['id'],
|
trustee_user_id=trustee_user['id'],
|
||||||
project_id=self.project_id,
|
project_id=self.project_id,
|
||||||
impersonation=False,
|
impersonation=impersonation,
|
||||||
role_ids=[self.role_id])
|
role_ids=[self.role_id])
|
||||||
|
|
||||||
# Create a trust
|
# Create a trust
|
||||||
|
@ -4403,6 +4403,12 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
|
||||||
# Validate a trust scoped token
|
# Validate a trust scoped token
|
||||||
self._validate_token(trust_scoped_token)
|
self._validate_token(trust_scoped_token)
|
||||||
|
|
||||||
|
def test_validate_a_trust_scoped_token_impersonated(self):
|
||||||
|
trustee_user, trust = self._create_trust(impersonation=True)
|
||||||
|
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
|
||||||
|
# Validate a trust scoped token
|
||||||
|
self._validate_token(trust_scoped_token)
|
||||||
|
|
||||||
def test_validate_tampered_trust_scoped_token_fails(self):
|
def test_validate_tampered_trust_scoped_token_fails(self):
|
||||||
trustee_user, trust = self._create_trust()
|
trustee_user, trust = self._create_trust()
|
||||||
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
|
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
|
||||||
|
|
|
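Review bot: The new test_validate_a_trust_scoped_token_impersonated only asserts that `self._validate_token(trust_scoped_token)` does not raise; it never checks that the validated token carries the trustor's identity, which is the property impersonation produces and the reason the trustee check had to move. If `_validate_token` returns the validation response, assert its user id against `self.user_id`, the trustor configured in `_create_trust`. Nothing in this section exercises the relocated check itself, so a test that issuing a trust-scoped token as a user other than the trustee is still rejected with Forbidden would pin the behaviour the commit moves, unless such a test already exists outside these hunks. The test method bodies here are complete, but the class continues outside the hunks.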
@ -482,10 +482,6 @@ class V3TokenDataHelper(object):
|
||||||
if x in token:
|
if x in token:
|
||||||
token_data[x] = token[x]
|
token_data[x] = token[x]
|
||||||
|
|
||||||
if CONF.trust.enabled and trust:
|
|
||||||
if user_id != trust['trustee_user_id']:
|
|
||||||
raise exception.Forbidden(_('User is not a trustee.'))
|
|
||||||
|
|
||||||
if bind:
|
if bind:
|
||||||
token_data['bind'] = bind
|
token_data['bind'] = bind
|
||||||
|
|
||||||
|
@ -564,6 +560,10 @@ class BaseProvider(provider.Provider):
|
||||||
'trust_id' in metadata_ref):
|
'trust_id' in metadata_ref):
|
||||||
trust = self.trust_api.get_trust(metadata_ref['trust_id'])
|
trust = self.trust_api.get_trust(metadata_ref['trust_id'])
|
||||||
|
|
||||||
|
if CONF.trust.enabled and trust:
|
||||||
|
if user_id != trust['trustee_user_id']:
|
||||||
|
raise exception.Forbidden(_('User is not a trustee.'))
|
||||||
|
|
||||||
token_ref = None
|
token_ref = None
|
||||||
if auth_context and self._is_mapped_token(auth_context):
|
if auth_context and self._is_mapped_token(auth_context):
|
||||||
token_ref = self._handle_mapped_tokens(
|
token_ref = self._handle_mapped_tokens(
|
||||||
|
|
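Review bot: The relocated trustee check at the `if CONF.trust.enabled and trust:` block in BaseProvider has no comment explaining why it belongs on the issue path rather than in get_token_data, and a future maintainer is likely to move it back next to the other token-data checks; add above it `# Checked at issue time only: with impersonation the token's user_id is the trustor, so re-running this on validation would reject valid tokens.` The placement is sound because here `user_id` is the authenticating principal before any trustor substitution, and the `and trust` guard presumably also covers a trust supplied by the caller rather than only the one fetched from `metadata_ref['trust_id']` just above. The enclosing method starts outside the hunk, so whether `CONF.trust.enabled` is already implied by the condition ending at `'trust_id' in metadata_ref):` cannot be confirmed here; if it is, the guard can collapse to `if trust and user_id != trust['trustee_user_id']:`. Dropping the check from V3TokenDataHelper.get_token_data (the first hunk of this file) means validation now depends on the token's integrity protection and the trust lookup alone, which matches the stated intent.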