|
1 This upstream patch addresses CVE-2014-3520 and is tracked under |
|
2 Launchpad bug 1331912. It is addressed in Icehouse 2014.1.2 and Havana |
|
3 2013.2.4. |
|
4 |
|
5 commit 96d9bcf230a74d6122a2b14e00ef10915c8f76e3 |
|
6 Author: Jamie Lennox <[email protected]> |
|
7 Date: Thu Jun 19 14:41:22 2014 +1000 |
|
8 |
|
9 Ensure that in v2 auth tenant_id matches trust |
|
10 |
|
11 Previously, if a trustee requested a trust-scoped token for a project that |
|
12 differed from the one in the trust, a token would still be issued as long |
|
13 as the trustor had the appropriate roles on that project. |
|
14 |
|
15 Ensure that the trust that was given matches the project that was |
|
16 specified in the scope. |
|
17 |
|
18 (cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a) |
|
19 |
|
20 Closes-Bug: #1331912 |
|
21 Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc |
|
22 |
|
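diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
index 6371caf..0d97f44 100644
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@@ -624,13 +624,15 @@ class AuthWithTrust(AuthTest):
         self.new_trust = self.trust_controller.create_trust(
             context, trust=trust_data)['trust']
 
-    def build_v2_token_request(self, username, password):
+    def build_v2_token_request(self, username, password, tenant_id=None):
+        if not tenant_id:
+            tenant_id = self.tenant_bar['id']
         body_dict = _build_user_auth(username=username, password=password)
         self.unscoped_token = self.controller.authenticate({}, body_dict)
         unscoped_token_id = self.unscoped_token['access']['token']['id']
         request_body = _build_user_auth(token={'id': unscoped_token_id},
                                         trust_id=self.new_trust['id'],
-                                        tenant_id=self.tenant_bar['id'])
+                                        tenant_id=tenant_id)
         return request_body
 
     def test_create_trust_bad_data_fails(self):
@@ -704,6 +706,15 @@ class AuthWithTrust(AuthTest):
             exception.Forbidden,
             self.controller.authenticate, {}, request_body)
 
+    def test_token_from_trust_wrong_project_fails(self):
+        for assigned_role in self.assigned_roles:
+            self.assignment_api.add_role_to_user_and_project(
+                self.trustor['id'], self.tenant_baz['id'], assigned_role)
+        request_body = self.build_v2_token_request('TWO', 'two2',
+                                                   self.tenant_baz['id'])
+        self.assertRaises(exception.Forbidden, self.controller.authenticate,
+                          {}, request_body)
+
     def fetch_v2_token_from_trust(self):
         request_body = self.build_v2_token_request('TWO', 'two2')
         auth_response = self.controller.authenticate({}, request_body)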
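Review bot: The role grants on tenant_baz at the top of test_token_from_trust_wrong_project_fails are what make the test meaningful, but nothing says so; a reader may assume the Forbidden comes from the trustor simply lacking roles on that project rather than from the tenant/trust mismatch the fix targets. A comment such as `# Grant the trustor roles on tenant_baz so the only reason this request can fail is that the requested tenant differs from the trust's project.` would pin the intent. The new test only exercises a trust that carries a project_id; how a trust without a project behaves when the caller names an explicit tenant_id is not covered here, so that case is presumably left to other tests or is untested. The test class and the test case that precedes this hunk both continue outside it.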
|
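diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 72486a1..de7e473 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -160,6 +160,8 @@ class Auth(controller.V2Controller):
 
         user_ref = old_token_ref['user']
         user_id = user_ref['id']
+        tenant_id = self._get_project_id_from_auth(auth)
+
         if not CONF.trust.enabled and 'trust_id' in auth:
             raise exception.Forbidden('Trusts are disabled.')
         elif CONF.trust.enabled and 'trust_id' in auth:
@@ -168,6 +170,9 @@ class Auth(controller.V2Controller):
                 raise exception.Forbidden()
             if user_id != trust_ref['trustee_user_id']:
                 raise exception.Forbidden()
+            if (trust_ref['project_id'] and
+                    tenant_id != trust_ref['project_id']):
+                raise exception.Forbidden()
             if ('expires' in trust_ref) and (trust_ref['expires']):
                 expiry = trust_ref['expires']
                 if expiry < timeutils.parse_isotime(timeutils.isotime()):
@@ -190,7 +195,6 @@ class Auth(controller.V2Controller):
         current_user_ref = self.identity_api.get_user(user_id)
 
         metadata_ref = {}
-        tenant_id = self._get_project_id_from_auth(auth)
         tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
             user_id, tenant_id)
 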
91 |