| author | Dan Prince <dprince@redhat.com> | 2012-07-12 13:48:43 -0400 |
|---|---|---|
| committer | Dan Prince <dprince@redhat.com> | 2012-07-12 14:49:50 -0400 |
| commit | 86177dff68c45a459644f9953bef4c3afbed24ff (patch) | |
| tree | 4cc3cace93f9f32724ca463b63e7374af5070397 | |
| parent | 2a909ee83d23a38e2ae7ca8002e570788674521c (diff) | |
Prevent service catalog injection in auth_token.
Updates the auth_token middleware to explicitly prevent
X-Service-Catalog headers from being injected into responses.
In general Keystone would override these with its own service
catalog; however, since X-Service-Catalog is optional and
not all implementations/calls return it, it is safer to
simply remove incoming X-Service-Catalog headers if they are set.
Fixes LP Bug #1023998.
Change-Id: I9497937abd1b434b42b40bc943a508dd7f1a3585
| -rw-r--r-- | keystone/middleware/auth_token.py | 1 | ||||
| -rw-r--r-- | tests/test_auth_token_middleware.py | 30 |
2 files changed, 30 insertions, 1 deletions
diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py
index b383aaf9..0fa35fde 100644
--- a/keystone/middleware/auth_token.py
+++ b/keystone/middleware/auth_token.py
@@ -211,6 +211,7 @@ class AuthProtocol(object):
 'X-User-Id',
 'X-User-Name',
 'X-Roles',
+ 'X-Service-Catalog',
 # Deprecated
 'X-User',
 'X-Tenant',
diff --git a/tests/test_auth_token_middleware.py b/tests/test_auth_token_middleware.py
index 89e9a47c..1e71863f 100644
--- a/tests/test_auth_token_middleware.py
+++ b/tests/test_auth_token_middleware.py
@@ -92,7 +92,26 @@ TOKEN_RESPONSES = {
 ],
 },
 },
- }
+ },
+ 'valid-token-no-service-catalog': {
+ 'access': {
+ 'token': {
+ 'id': 'valid-token',
+ 'tenant': {
+ 'id': 'tenant_id1',
+ 'name': 'tenant_name1',
+ },
+ },
+ 'user': {
+ 'id': 'user_id1',
+ 'name': 'user_name1',
+ 'roles': [
+ {'name': 'role1'},
+ {'name': 'role2'},
+ ],
+ }
+ },
+ },
 }
@@ -326,6 +345,15 @@ class AuthTokenMiddlewareTest(BaseAuthTokenMiddlewareTest):
 auth_token.AuthProtocol(FakeApp(), conf)
+ def test_request_prevent_service_catalog_injection(self):
+ req = webob.Request.blank('/')
+ req.headers['X-Service-Catalog'] = '[]'
+ req.headers['X-Auth-Token'] = 'valid-token-no-service-catalog'
+ body = self.middleware(req.environ, self.start_fake_response)
+ self.assertEqual(self.response_status, 200)
+ self.assertFalse(req.headers.get('X-Service-Catalog'))
+ self.assertEqual(body, ['SUCCESS'])
 if __name__ == '__main__':
 import unittest |
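Review bot: The new 'X-Service-Catalog' entry in the AuthProtocol header list carries no comment saying why a header that Keystone normally sets itself has to be stripped from incoming requests, which is the point of the change and is only explained in the commit message. I would annotate it inline: `'X-Service-Catalog',  # strip any client-supplied catalog; Keystone may not set its own (LP #1023998)`. The list and the code that applies it start and end outside the hunk, so I cannot confirm from here that the name is matched case-insensitively against the incoming environ or that the removal happens before the downstream app is called; if either is not the case, the entry alone does not close the injection path, and the test added later in this commit would be the place to check it.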
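Review bot: The new TOKEN_RESPONSES fixture is keyed 'valid-token-no-service-catalog' but its token 'id' is still 'valid-token', presumably copied from the fixture above, so the response body names a different token than the one sent in X-Auth-Token; if any cache or lookup path keys on the returned id rather than on the request header, the two fixtures become indistinguishable. I would set `'id': 'valid-token-no-service-catalog',` to match the key. The fixture's distinguishing feature, the absence of a service catalog in the response, is otherwise only discoverable by comparing it with its neighbour, so a comment above the entry such as `# Same as 'valid-token' but with no service catalog, so the middleware has nothing of its own to set in X-Service-Catalog.` would make its purpose explicit. TOKEN_RESPONSES begins before the hunk.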
