Merge "Ensure OAuth1 authorized roles are respected" into stable/ussuri
eaec22bc8e
@ -13,6 +13,7 @@
"""Unified in-memory token model."""
"""Unified in-memory token model."""
from oslo_log import log
from oslo_log import log
from oslo_serialization import jsonutils
from oslo_serialization import msgpackutils
from oslo_serialization import msgpackutils
from oslo_utils import reflection
from oslo_utils import reflection
@ -327,6 +328,21 @@ class TokenModel(object):
return roles
return roles
def _get_oauth_roles(self):
roles = []
access_token_roles = self.access_token['role_ids']
access_token_roles = [
{'role_id': r} for r in jsonutils.loads(access_token_roles)]
effective_access_token_roles = (
PROVIDERS.assignment_api.add_implied_roles(access_token_roles)
)
user_roles = [r['id'] for r in self._get_project_roles()]
for role in effective_access_token_roles:
if role['role_id'] in user_roles:
role = PROVIDERS.role_api.get_role(role['role_id'])
roles.append({'id': role['id'], 'name': role['name']})
return roles
def _get_federated_roles(self):
def _get_federated_roles(self):
roles = []
roles = []
group_ids = [group['id'] for group in self.federated_groups]
group_ids = [group['id'] for group in self.federated_groups]
@ -430,6 +446,8 @@ class TokenModel(object):
roles = self._get_system_roles()
roles = self._get_system_roles()
elif self.trust_scoped:
elif self.trust_scoped:
roles = self._get_trust_roles()
roles = self._get_trust_roles()
elif self.oauth_scoped:
roles = self._get_oauth_roles()
elif self.is_federated and not self.unscoped:
elif self.is_federated and not self.unscoped:
roles = self._get_federated_roles()
roles = self._get_federated_roles()
elif self.domain_scoped:
elif self.domain_scoped:
@ -308,6 +308,19 @@ class OAuthFlowTests(OAuth1Tests):
self.keystone_token = content.result['token']
self.keystone_token = content.result['token']
self.assertIsNotNone(self.keystone_token_id)
self.assertIsNotNone(self.keystone_token_id)
# add a new role assignment to ensure it is ignored in the access token
new_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
PROVIDERS.role_api.create_role(new_role['id'], new_role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id=self.user_id,
project_id=self.project_id,
role_id=new_role['id'])
content = self.post(url, headers=headers, body=body)
token = content.result['token']
token_roles = [r['id'] for r in token['roles']]
self.assertIn(self.role_id, token_roles)
self.assertNotIn(new_role['id'], token_roles)
class AccessTokenCRUDTests(OAuthFlowTests):
class AccessTokenCRUDTests(OAuthFlowTests):
def test_delete_access_token_dne(self):
def test_delete_access_token_dne(self):
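--- /dev/null
+++ b/releasenotes/notes/bug-1873290-ff7f8e4cee15b75a.yaml
@@ -0,0 +1,19 @@
+---
+security:
+  - |
+    [`bug 1873290 <https://bugs.launchpad.net/keystone/+bug/1873290>`_]
+    [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
+    Fixed the token model to respect the roles authorized OAuth1 access tokens.
+    Previously, the list of roles authorized for an OAuth1 access token were
+    ignored, so when an access token was used to request a keystone token, the
+    keystone token would contain every role assignment the creator had for the
+    project. This also fixed EC2 credentials to respect those roles as well.
+fixes:
+  - |
+    [`bug 1873290 <https://bugs.launchpad.net/keystone/+bug/1873290>`_]
+    [`bug 1872735 <https://bugs.launchpad.net/keystone/+bug/1872735>`_]
+    Fixed the token model to respect the roles authorized OAuth1 access tokens.
+    Previously, the list of roles authorized for an OAuth1 access token were
+    ignored, so when an access token was used to request a keystone token, the
+    keystone token would contain every role assignment the creator had for the
+    project. This also fixed EC2 credentials to respect those roles as well.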