Merge "New config option 'user_limit' in credentials"

This commit is contained in:
Zuul 2020-06-23 20:22:29 +00:00 committed by Gerrit Code Review
commit e3bd1d747d
5 changed files with 43 additions and 1 deletions

View File

@ -69,6 +69,15 @@ The length of time in minutes for which a signed EC2 or S3 token request is
valid from the timestamp contained in the token request. valid from the timestamp contained in the token request.
""")) """))
user_limit = cfg.IntOpt(
'user_limit',
default=-1,
help=utils.fmt("""
Maximum number of credentials a user is permitted to create. A value of
-1 means unlimited. If a limit is not set, users are permitted to create
credentials at will, which could lead to bloat in the keystone database
or open keystone to a DoS attack.
"""))
GROUP_NAME = __name__.split('.')[-1] GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [ ALL_OPTS = [
@ -77,7 +86,8 @@ ALL_OPTS = [
key_repository, key_repository,
caching, caching,
cache_time, cache_time,
auth_ttl auth_ttl,
user_limit,
] ]

View File

@ -86,6 +86,14 @@ class Manager(manager.Manager):
credential_copy.pop('blob', None) credential_copy.pop('blob', None)
return credential_copy return credential_copy
def _assert_limit_not_exceeded(self, user_id):
user_limit = CONF.credential.user_limit
if user_limit >= 0:
cred_count = len(self.list_credentials_for_user(user_id))
if cred_count >= user_limit:
raise exception.CredentialLimitExceeded(
limit=user_limit)
@manager.response_truncated @manager.response_truncated
def list_credentials(self, hints=None): def list_credentials(self, hints=None):
credentials = self.driver.list_credentials( credentials = self.driver.list_credentials(
@ -119,6 +127,8 @@ class Manager(manager.Manager):
initiator=None): initiator=None):
"""Create a credential.""" """Create a credential."""
credential_copy = self._encrypt_credential(credential) credential_copy = self._encrypt_credential(credential)
user_id = credential_copy['user_id']
self._assert_limit_not_exceeded(user_id)
ref = self.driver.create_credential(credential_id, credential_copy) ref = self.driver.create_credential(credential_id, credential_copy)
if MEMOIZE.should_cache(ref): if MEMOIZE.should_cache(ref):
self._get_credential.set(ref, self._get_credential.set(ref,

View File

@ -222,6 +222,11 @@ class ApplicationCredentialLimitExceeded(ForbiddenNotSecurity):
"maximum of %(limit)d already exceeded for user.") "maximum of %(limit)d already exceeded for user.")
class CredentialLimitExceeded(ForbiddenNotSecurity):
message_format = _("Unable to create additional credentials, maximum "
"of %(limit)d already exceeded for user.")
class SecurityError(Error): class SecurityError(Error):
"""Security error exception. """Security error exception.

View File

@ -12,6 +12,8 @@
import uuid import uuid
from oslo_config import fixture as config_fixture
from keystone.common import provider_api from keystone.common import provider_api
from keystone.credential.providers import fernet as credential_provider from keystone.credential.providers import fernet as credential_provider
from keystone.tests import unit from keystone.tests import unit
@ -20,6 +22,7 @@ from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import database from keystone.tests.unit.ksfixtures import database
from keystone.credential.backends import sql as credential_sql from keystone.credential.backends import sql as credential_sql
from keystone import exception
PROVIDERS = provider_api.ProviderAPIs PROVIDERS = provider_api.ProviderAPIs
@ -102,3 +105,11 @@ class SqlCredential(SqlTests):
# Make sure CredentialModel is handing over a text string # Make sure CredentialModel is handing over a text string
# to the database. To avoid encoding issues # to the database. To avoid encoding issues
self.assertIsInstance(ref.encrypted_blob, str) self.assertIsInstance(ref.encrypted_blob, str)
def test_credential_limits(self):
config_fixture_ = self.user = self.useFixture(config_fixture.Config())
config_fixture_.config(group='credential', user_limit=4)
self._create_credential_with_user_id(self.user_foo['id'])
self.assertRaises(exception.CredentialLimitExceeded,
self._create_credential_with_user_id,
self.user_foo['id'])

View File

@ -0,0 +1,6 @@
---
features:
- >
[`bug 1872732 <https://bugs.launchpad.net/keystone/+bug/1872732>`_]
'user_limit' is added to config file of credentials that allows user to set
maximum number of credentials a user is permitted to create.