author | Guang Yee <guang.yee@hp.com> | 2013-03-19 19:14:47 -0700 |
---|---|---|
committer | Guang Yee <guang.yee@hp.com> | 2013-03-19 19:14:47 -0700 |
commit | 550973b64a64a546ae0c0e94c49af05bd2d64175 (patch) | |
tree | 5c799cf29e42c0c0bfb34dbd2adbfc8a67e2be45 /keystone | |
parent | 5cb8e1f2e5e12cf7e8c6bce91af53b901f6254a9 (diff) | |
download | keystone-550973b64a64a546ae0c0e94c49af05bd2d64175.tar.gz keystone-550973b64a64a546ae0c0e94c49af05bd2d64175.tar.xz keystone-550973b64a64a546ae0c0e94c49af05bd2d64175.zip |
Prohibit V3 V2 token intermix for resource in non-default domain (bug 1157430)
Change-Id: Ibe9019684b45651a9679311a3bacdad41b4116f5
Diffstat (limited to 'keystone')
-rw-r--r-- | keystone/token/controllers.py | 45 |
1 files changed, 44 insertions, 1 deletions
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 06a1fe64..ca7ef346 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py 
@@ -473,6 +473,46 @@ class Auth(controller.V2Controller): _('Token does not belong to specified tenant.')) return data + def _assert_default_domain(self, context, token_ref): + """ Make sure we are operating on default domain only. """ + if token_ref.get('token_data'): + # this is a V3 token + msg = _('Non-default domain is not supported') + # user in a non-default is prohibited + if (token_ref['token_data']['token']['user']['domain']['id'] != + DEFAULT_DOMAIN_ID): + raise exception.Unauthorized(msg) + # domain scoping is prohibited + if token_ref['token_data']['token'].get('domain'): + raise exception.Unauthorized( + _('Domain scoped token is not supported')) + # project in non-default domain is prohibited + if token_ref['token_data']['token'].get('project'): + project = token_ref['token_data']['token']['project'] + project_domain_id = project['domain']['id'] + # scoped to project in non-default domain is prohibited + if project_domain_id != DEFAULT_DOMAIN_ID: + raise exception.Unauthorized(msg) + # if token is scoped to trust, both trustor and trustee must + # be in the default domain. Furthermore, the delegated project + # must also be in the default domain + metadata_ref = token_ref['metadata'] + if 'trust_id' in metadata_ref: + trust_ref = self.trust_api.get_trust(context, + metadata_ref['trust_id']) + trustee_user_ref = self.identity_api.get_user( + context, trust_ref['trustee_user_id']) + if trustee_user_ref['domain_id'] != DEFAULT_DOMAIN_ID: + raise exception.Unauthorized(msg) + trustor_user_ref = self.identity_api.get_user( + context, trust_ref['trustor_user_id']) + if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID: + raise exception.Unauthorized(msg) + project_ref = self.identity_api.get_project( + context, trust_ref['project_id']) + if project_ref['domain_id'] != DEFAULT_DOMAIN_ID: + raise exception.Unauthorized(msg) + # admin only def validate_token_head(self, context, token_id): """Check that a token is valid. 
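Review bot: In `_assert_default_domain`, the trust branch calls `self.trust_api.get_trust`, `self.identity_api.get_user` (twice) and `self.identity_api.get_project` with ids stored in the token; if the trust, either user or the project has been deleted since the token was issued, these lookups presumably raise a NotFound-type error, so V2 validation of a stale trust-scoped V3 token would surface as something other than the `Unauthorized` every other failure path in this method returns. Wrapping the three lookups in `try: ... except exception.NotFound: raise exception.Unauthorized(msg)` keeps the error contract uniform and avoids telling the caller which referenced object is missing. The docstring `""" Make sure we are operating on default domain only. """` should drop the inner spaces and say what is enforced and raised, e.g. `"""Reject a V3 token whose user, scope or trust lies outside the default domain; raises Unauthorized."""`. `DEFAULT_DOMAIN_ID` is referenced without any import change in this commit (the diffstat lists only this file and all 44 insertions are in these hunks), so it must already be in module scope; worth confirming, since a NameError here would only be hit when a V3 token is validated through the V2 API. Whether the trust checks sit inside the `if token_ref.get('token_data')` branch cannot be seen from the collapsed hunk; if they do not, `msg` is unbound for a V2 trust-scoped token, and `validate_token_head` at the end of the hunk continues past it.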
@@ -483,7 +523,9 @@ class Auth(controller.V2Controller): """ belongs_to = context['query_string'].get('belongsTo') - assert self._get_token_ref(context, token_id, belongs_to) + token_ref = self._get_token_ref(context, token_id, belongs_to) + assert token_ref + self._assert_default_domain(context, token_ref) # admin only def validate_token(self, context, token_id):
@@ -496,6 +538,7 @@ class Auth(controller.V2Controller): """ belongs_to = context['query_string'].get('belongsTo') token_ref = self._get_token_ref(context, token_id, belongs_to) + self._assert_default_domain(context, token_ref) # TODO(termie): optimize this call at some point and put it into the # the return for metadata |
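Review bot: `assert token_ref` in `validate_token_head` is a guard on the validation path that `python -O` strips entirely, leaving `_assert_default_domain` to run on whatever `_get_token_ref` returned; prefer an explicit check, `if not token_ref: raise exception.Unauthorized()`, or drop the line if `_get_token_ref` is known never to return an empty value (its tail in the first hunk raises on a tenant mismatch and otherwise returns `data`). The third hunk adds the same `_assert_default_domain` call to `validate_token` with no such guard at all, so the two entry points should agree one way or the other. `validate_token_head` begins before this hunk and `validate_token` continues past it.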