Browse Source

Ensure OAuth1 authorized roles are respected

Without this patch, when an OAuth1 request token is authorized with a
limited set of roles, the roles for the access token are ignored when
the user uses it to request a keystone token. This means that user of an
access token can use it to escallate their role assignments beyond what
was authorized by the creator. This patch fixes the issue by ensuring
the token model accounts for an OAuth1-scoped token and correctly
populating the roles for it.

Modified to work with older test helper function:

  keystone/tests/unit/test_v3_oauth1.py

Conflicts:

  keystone/models/token_model.py

  The keystone token model was refactored in the Rocky release. This
  commit only backports the test so that we have test coverage against
  the bug and proves there wasn't a regression in Queens. As such, the
  code changes to token_model.py (where the bug was introduced) are not
  applicable to Queens.

  releasenotes/notes/bug-1873290-ff7f8e4cee15b75a.yaml

  Removed the release note since there isn't anything to signal to
  operators regarding a vulnerability. We're only adding test coverage
  to prove that stable/queens isn't vulnerable.

Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
Closes-bug: #1873290
(cherry picked from commit 6c73690f77)
(cherry picked from commit ba89d27793)
(cherry picked from commit 5ff52dbaa2)
(cherry picked from commit 2483a578a8)
(cherry picked from commit 10bc689a67)
changes/95/726395/4
Colleen Murphy 2 months ago
committed by Lance Bragstad
parent
commit
fac58fdfbe
1 changed files with 13 additions and 0 deletions
  1. +13
    -0
      keystone/tests/unit/test_v3_oauth1.py

+ 13
- 0
keystone/tests/unit/test_v3_oauth1.py View File

@@ -311,6 +311,19 @@ class OAuthFlowTests(OAuth1Tests):
self.keystone_token = content.result['token']
self.assertIsNotNone(self.keystone_token_id)

# add a new role assignment to ensure it is ignored in the access token
new_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
PROVIDERS.role_api.create_role(new_role['id'], new_role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id=self.user_id,
tenant_id=self.project_id,
role_id=new_role['id'])
content = self.post(url, headers=headers, body=body)
token = content.result['token']
token_roles = [r['id'] for r in token['roles']]
self.assertIn(self.role_id, token_roles)
self.assertNotIn(new_role['id'], token_roles)


class AccessTokenCRUDTests(OAuthFlowTests):
def test_delete_access_token_dne(self):


Loading…
Cancel
Save