keystone/keystone/api
Lance Bragstad 6b739ffc33 Use app cred user ID in policy enforcement
The application credential policies use the `rule:owner` policy to allow
users to manage their own credentials. The policy engine pulled the
user_id attribute from the request path instead of the actual
application credential. This allowed for users to exploit the
enforcement and view or delete application credentials they don't own.

This commit attempts to resolve the issue by updating the flask
parameters before they're translated to policy arguments and target
data, prior to policy enforcement.

Change-Id: I903d20fa41270499ca1c39d296120dd97cef5405
Closes-Bug: 1901207
(cherry picked from commit 2d7bf10a5a)
(cherry picked from commit 80832de6ce)
2021-03-09 19:31:55 +00:00
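The bug described in the commit message above, reduced to a runnable model. This is an added example, not keystone's own code: `rule_owner`, `enforce`, `get_app_cred_vulnerable`, `get_app_cred_fixed` and the `APP_CREDS` store are hypothetical stand-ins for keystone's oslo.policy enforcement and its application-credential backend, and the two credentials are constructed for the example. It shows why building the policy target from the `{user_id}` in the request path lets any user pass `rule:owner` for a credential they do not own, and how taking `user_id` from the loaded credential closes that gap.

```python
"""Model of the `rule:owner` bypass for application credentials.

Added example; names and data here are hypothetical and constructed,
not keystone's API or records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppCredential:
    id: str
    user_id: str   # the real owner, stored with the credential
    name: str


# Constructed store: alice and bob each own one application credential.
APP_CREDS = {
    "ac-alice-1": AppCredential(id="ac-alice-1", user_id="alice", name="alice-cli"),
    "ac-bob-1": AppCredential(id="ac-bob-1", user_id="bob", name="bob-cli"),
}


class Forbidden(Exception):
    pass


def rule_owner(creds, target):
    """`rule:owner`: the caller's user_id must equal target.user_id."""
    return creds["user_id"] == target["user_id"]


def enforce(creds, target):
    if not rule_owner(creds, target):
        raise Forbidden("rule:owner failed for %s" % creds["user_id"])


def get_app_cred_vulnerable(token_user_id, path_user_id, app_cred_id):
    """'Before': target.user_id is copied from the URL path.

    GET /v3/users/{path_user_id}/application_credentials/{app_cred_id}
    A caller who puts *their own* id in the path satisfies rule:owner for
    any app_cred_id, because the credential's real owner is never consulted.
    """
    creds = {"user_id": token_user_id}
    target = {"user_id": path_user_id, "application_credential_id": app_cred_id}
    enforce(creds, target)
    return APP_CREDS[app_cred_id]          # KeyError if the id is unknown


def get_app_cred_fixed(token_user_id, path_user_id, app_cred_id):
    """'After': load the credential first and build the target from it.

    Authorization keys off the stored owner; the path user_id is only
    checked afterwards for consistency (an assumed extra check).
    """
    cred = APP_CREDS.get(app_cred_id)
    if cred is None:
        raise KeyError("application credential not found")
    creds = {"user_id": token_user_id}
    target = {"user_id": cred.user_id, "application_credential_id": cred.id}
    enforce(creds, target)
    if path_user_id != cred.user_id:
        raise KeyError("application credential not found under this user")
    return cred


def attempt(fn, token_user_id, path_user_id, app_cred_id):
    """Return 'allowed', 'forbidden' or 'not_found' for one request."""
    try:
        fn(token_user_id, path_user_id, app_cred_id)
        return "allowed"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "not_found"


if __name__ == "__main__":
    # bob reads alice's credential by naming himself in the path.
    print(attempt(get_app_cred_vulnerable, "bob", "bob", "ac-alice-1"))   # allowed
    print(attempt(get_app_cred_fixed, "bob", "bob", "ac-alice-1"))        # forbidden
    print(attempt(get_app_cred_fixed, "alice", "alice", "ac-alice-1"))    # allowed
```

The point the fix makes, and the check a reviewer should look for in any `rule:owner`-style policy, is that every attribute in the policy target must come from the object being acted on (loaded from the backend) rather than from caller-controlled request parameters; the path is only usable for lookup and consistency, never as the source of the ownership claim.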
..
_shared Fix security issues with EC2 credentials 2020-05-02 12:35:14 -07:00
__init__.py Revert "Add API for /v3/access_rules_config" 2019-05-28 08:38:39 -07:00
auth.py NIT: Fix spelling 2020-03-06 12:52:15 +05:30
credentials.py Fix security issues with EC2 credentials 2020-05-02 12:35:14 -07:00
discovery.py Add expiring user group memberships on mapped authentication 2020-04-07 19:30:57 -04:00
domains.py Remove six usage 2020-01-30 06:06:51 +00:00
ec2tokens.py Remove six usage 2020-01-30 06:06:51 +00:00
endpoints.py Remove six usage 2020-01-30 06:06:51 +00:00
groups.py Remove six usage 2020-01-30 06:06:51 +00:00
limits.py Remove six usage 2020-01-30 06:06:51 +00:00
os_ep_filter.py Remove six usage 2020-01-30 06:06:51 +00:00
os_federation.py Expiring Group Memberships API - Allow set idp authorization_ttl 2020-04-09 01:59:58 +00:00
os_inherit.py Remove six usage 2020-01-30 06:06:51 +00:00
os_oauth1.py Remove six usage 2020-01-30 06:06:51 +00:00
os_revoke.py Move json_home "extension" rel functions 2018-08-16 20:49:01 +00:00
os_simple_cert.py Fix missing print format and missing ws between words 2019-08-06 08:29:34 +08:00
policy.py Remove six usage 2020-01-30 06:06:51 +00:00
projects.py Remove six usage 2020-01-30 06:06:51 +00:00
regions.py Remove six usage 2020-01-30 06:06:51 +00:00
registered_limits.py Remove six usage 2020-01-30 06:06:51 +00:00
role_assignments.py Fix validation of role assignment subtree list 2019-09-17 23:12:47 -07:00
role_inferences.py Convert role_inferences API to flask native dispatching 2018-08-13 20:06:35 +00:00
roles.py Remove six usage 2020-01-30 06:06:51 +00:00
s3tokens.py Remove six usage 2020-01-30 06:06:51 +00:00
services.py Remove six usage 2020-01-30 06:06:51 +00:00
system.py Remove six usage 2020-01-30 06:06:51 +00:00
trusts.py Remove six usage 2020-01-30 06:06:51 +00:00
users.py Use app cred user ID in policy enforcement 2021-03-09 19:31:55 +00:00