Verify that user is trustee only on issuing token

get_token_data is used to gather various data for token. One of the
checks it does is verifying that the authenticated user is a trustee.
Before Fernet, it was used during token issuing.

Impersonation in trusts substitutes information about user in token,
so instead of trustee, trustor is stored in token.

With Fernet tokens, get_token_data is also used during token validation.
In the impersonation case, the user_id stored in the Fernet token is the
trustor's id, but the check described above requires it to be the
trustee's id.

Move the check to happen only on token issuing.

Change-Id: I7c02cc6a1dbfe4e28d390960ac85d4574759b1a8
Closes-Bug: 1524849
Boris Bobrov 2015-12-14 19:42:43 +03:00
parent e0be6bf975
commit c885eeed34
2 changed files with 12 additions and 6 deletions


@ -4189,7 +4189,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
user['enabled'] = enabled user['enabled'] = enabled
self.identity_api.update_user(user['id'], user) self.identity_api.update_user(user['id'], user)
def _create_trust(self): def _create_trust(self, impersonation=False):
# Create a trustee user # Create a trustee user
trustee_user = unit.create_user(self.identity_api, trustee_user = unit.create_user(self.identity_api,
domain_id=self.domain_id) domain_id=self.domain_id)
@ -4197,7 +4197,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
trustor_user_id=self.user_id, trustor_user_id=self.user_id,
trustee_user_id=trustee_user['id'], trustee_user_id=trustee_user['id'],
project_id=self.project_id, project_id=self.project_id,
impersonation=False, impersonation=impersonation,
role_ids=[self.role_id]) role_ids=[self.role_id])
# Create a trust # Create a trust
@ -4403,6 +4403,12 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
# Validate a trust scoped token # Validate a trust scoped token
self._validate_token(trust_scoped_token) self._validate_token(trust_scoped_token)
def test_validate_a_trust_scoped_token_impersonated(self):
trustee_user, trust = self._create_trust(impersonation=True)
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
# Validate a trust scoped token
self._validate_token(trust_scoped_token)
def test_validate_tampered_trust_scoped_token_fails(self): def test_validate_tampered_trust_scoped_token_fails(self):
trustee_user, trust = self._create_trust() trustee_user, trust = self._create_trust()
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust) trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
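Review bot: The new `test_validate_a_trust_scoped_token_impersonated` only asserts that validation does not raise; it never checks that the impersonated token actually carries the trustor's identity, which is the property the fix depends on. If `_validate_token` returns the validation response, pin it, e.g. `r = self._validate_token(trust_scoped_token)` followed by an assertion that the token's user id equals `self.user_id` (the trustor) rather than `trustee_user['id']`; the response shape is not visible here, so adapt the accessor to it. Since the trustee check now lives only on the issuing path, a companion test that a trust-scoped token request by a user who is not the trustee is still rejected with Forbidden would guard the moved check against regression, unless such a test already exists elsewhere in this class.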


@ -482,10 +482,6 @@ class V3TokenDataHelper(object):
if x in token: if x in token:
token_data[x] = token[x] token_data[x] = token[x]
if CONF.trust.enabled and trust:
if user_id != trust['trustee_user_id']:
raise exception.Forbidden(_('User is not a trustee.'))
if bind: if bind:
token_data['bind'] = bind token_data['bind'] = bind
@ -564,6 +560,10 @@ class BaseProvider(provider.Provider):
'trust_id' in metadata_ref): 'trust_id' in metadata_ref):
trust = self.trust_api.get_trust(metadata_ref['trust_id']) trust = self.trust_api.get_trust(metadata_ref['trust_id'])
if CONF.trust.enabled and trust:
if user_id != trust['trustee_user_id']:
raise exception.Forbidden(_('User is not a trustee.'))
token_ref = None token_ref = None
if auth_context and self._is_mapped_token(auth_context): if auth_context and self._is_mapped_token(auth_context):
token_ref = self._handle_mapped_tokens( token_ref = self._handle_mapped_tokens(
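Review bot: The relocated trustee check in `BaseProvider` carries no comment explaining why it must not be applied on the validation path, so a later maintainer may move it back into `V3TokenDataHelper.get_token_data` and reintroduce the bug. Add above the `if CONF.trust.enabled and trust:` line: `# Only the trustee may be issued a trust-scoped token. This check belongs on` / `# the issuing path only: with impersonation the token stores the trustor's` / `# user_id, so re-checking it during Fernet validation would reject valid tokens.` The guard `if CONF.trust.enabled and trust:` immediately follows `trust = self.trust_api.get_trust(...)`; if `get_trust` raises rather than returning a falsy value for an unknown trust, the `and trust` part is redundant and could be simplified, but that cannot be confirmed from the hunk. Removing the check from `get_token_data` also means any token-issuing path that does not go through this `BaseProvider` method no longer enforces trustee membership; worth confirming no other provider calls `get_token_data` for issuance. The enclosing method and its surrounding `if` condition start outside the hunk.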