Sanitizes authentication methods received in requests.

When a user authenticates against Identity V3 API, he can specify multiple authentication methods. This patch removes duplicates, which could have been used to achieve DoS attacks. Closes-Bug: 1300274 (cherry picked from commit ef868ad92c) Cherry-pick from https://review.openstack.org/#/c/84425/ Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
9 years ago · e364ba5b12
parent a96d1a44bc
commit e364ba5b12
2 changed files with 19 additions and 1 deletions
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -225,7 +225,13 @@ class AuthInfo(object):
        :returns: list of auth method names

        """
-        return self.auth['identity']['methods'] or []
+        # Sanitizes methods received in request's body
+        # Filters out duplicates, while keeping elements' order.
+        method_names = []
+        for method in self.auth['identity']['methods']:
+            if method not in method_names:
+                method_names.append(method)
+        return method_names

    def get_method_data(self, method):
        """Get the auth method payload.
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
                          None,
                          auth_data)

+    def test_get_method_names_duplicates(self):
+        auth_data = self.build_authentication_request(
+            token='test',
+            user_id='test',
+            password='test')['auth']
+        auth_data['identity']['methods'] = ['password', 'token',
+                                            'password', 'password']
+        context = None
+        auth_info = auth.controllers.AuthInfo(context, auth_data)
+        self.assertEqual(auth_info.get_method_names(),
+                         ['password', 'token'])
+
    def test_get_method_data_invalid_method(self):
        auth_data = self.build_authentication_request(
            user_id='test',