authorJenkins <jenkins@review.openstack.org>2013-03-20 10:23:19 +0000
committerGerrit Code Review <review@openstack.org>2013-03-20 10:23:19 +0000
commite9dc5af177c73abb51e9ff0a987e8b437db9e0c5 (patch)
tree0d39dfe8f0cc84961ce25e10ef0b28bb53329b0c /keystone/token
parent3c9768f6e002eac556a0e2f23d8f2cdd0ecfa5eb (diff)
parent550973b64a64a546ae0c0e94c49af05bd2d64175 (diff)
Merge "Prohibit V3 V2 token intermix for resource in non-default domain (bug 1157430)"
Diffstat (limited to 'keystone/token')
-rw-r--r--keystone/token/controllers.py45
1 files changed, 44 insertions, 1 deletions
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 8491a623..c6150605 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@@ -471,6 +471,46 @@ class Auth(controller.V2Controller):
_('Token does not belong to specified tenant.'))
return data
+ def _assert_default_domain(self, context, token_ref):
+ """ Make sure we are operating on default domain only. """
+ if token_ref.get('token_data'):
+ # this is a V3 token
+ msg = _('Non-default domain is not supported')
+ # user in a non-default is prohibited
+ if (token_ref['token_data']['token']['user']['domain']['id'] !=
+ DEFAULT_DOMAIN_ID):
+ raise exception.Unauthorized(msg)
+ # domain scoping is prohibited
+ if token_ref['token_data']['token'].get('domain'):
+ raise exception.Unauthorized(
+ _('Domain scoped token is not supported'))
+ # project in non-default domain is prohibited
+ if token_ref['token_data']['token'].get('project'):
+ project = token_ref['token_data']['token']['project']
+ project_domain_id = project['domain']['id']
+ # scoped to project in non-default domain is prohibited
+ if project_domain_id != DEFAULT_DOMAIN_ID:
+ raise exception.Unauthorized(msg)
+ # if token is scoped to trust, both trustor and trustee must
+ # be in the default domain. Furthermore, the delegated project
+ # must also be in the default domain
+ metadata_ref = token_ref['metadata']
+ if 'trust_id' in metadata_ref:
+ trust_ref = self.trust_api.get_trust(context,
+ metadata_ref['trust_id'])
+ trustee_user_ref = self.identity_api.get_user(
+ context, trust_ref['trustee_user_id'])
+ if trustee_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
+ raise exception.Unauthorized(msg)
+ trustor_user_ref = self.identity_api.get_user(
+ context, trust_ref['trustor_user_id'])
+ if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID:
+ raise exception.Unauthorized(msg)
+ project_ref = self.identity_api.get_project(
+ context, trust_ref['project_id'])
+ if project_ref['domain_id'] != DEFAULT_DOMAIN_ID:
+ raise exception.Unauthorized(msg)
+
# admin only
def validate_token_head(self, context, token_id):
"""Check that a token is valid.
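Review bot: In the trust branch (the `if 'trust_id' in metadata_ref:` block) `trust_ref` is indexed without a None check, so if `trust_api.get_trust` returns None for a trust that has since been deleted — its behaviour is not visible here — the `trust_ref['trustee_user_id']` lookup raises TypeError and the validation request fails with an internal error rather than a clean rejection; I'd add `if not trust_ref:` / `raise exception.Unauthorized(msg)` right after the `get_trust` call. The same applies to the direct indexing of `token_ref['token_data']['token']['user']['domain']['id']`: a V3 token body missing any of those keys raises KeyError instead of Unauthorized, so the fail-closed path here depends on the token_data schema always being complete. The docstring should also say what the method raises, e.g. `"""Reject V3 tokens that are not fully in the default domain. Raises Unauthorized for a non-default user, project, trustor, trustee or trust project, or for any domain-scoped token."""`. Note that `DEFAULT_DOMAIN_ID` is referenced but defined outside this hunk, and `validate_token_head` continues past the end of the hunk.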
@@ -481,7 +521,9 @@ class Auth(controller.V2Controller):
"""
belongs_to = context['query_string'].get('belongsTo')
- assert self._get_token_ref(context, token_id, belongs_to)
+ token_ref = self._get_token_ref(context, token_id, belongs_to)
+ assert token_ref
+ self._assert_default_domain(context, token_ref)
# admin only
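Review bot: `assert token_ref` is stripped when the interpreter runs with `-O`, so it cannot be relied on as a validity check; since `_get_token_ref` already raises Unauthorized on a tenant mismatch (visible in the previous hunk's context), the assert is either redundant or, if `_get_token_ref` can return a falsy value, should be `if not token_ref:` / `raise exception.Unauthorized()`. Either way the new `_assert_default_domain` call correctly runs after the belongsTo check, so the ordering matches `validate_token`. The enclosing `validate_token_head` starts before this hunk.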
def validate_token(self, context, token_id):
@@ -494,6 +536,7 @@ class Auth(controller.V2Controller):
"""
belongs_to = context['query_string'].get('belongsTo')
token_ref = self._get_token_ref(context, token_id, belongs_to)
+ self._assert_default_domain(context, token_ref)
# TODO(termie): optimize this call at some point and put it into the
# the return for metadata