"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "keystone/api/users.py" between
keystone-16.0.1.tar.gz and keystone-16.0.2.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Train" series (maintained release).

users.py  (keystone-16.0.1):users.py  (keystone-16.0.2)
skipping to change at line 117 skipping to change at line 117
def _build_enforcer_target_data_owner_and_user_id_match(): def _build_enforcer_target_data_owner_and_user_id_match():
ref = {} ref = {}
if flask.request.view_args: if flask.request.view_args:
credential_id = flask.request.view_args.get('credential_id') credential_id = flask.request.view_args.get('credential_id')
if credential_id is not None: if credential_id is not None:
hashed_id = utils.hash_access_key(credential_id) hashed_id = utils.hash_access_key(credential_id)
ref['credential'] = PROVIDERS.credential_api.get_credential( ref['credential'] = PROVIDERS.credential_api.get_credential(
hashed_id) hashed_id)
return ref return ref
def _update_request_user_id_attribute():
# This method handles a special case in policy enforcement. The application
# credential API is underneath the user path (e.g.,
# /v3/users/{user_id}/application_credentials/{application_credential_id}).
# The RBAC enforcer thinks the user to evaluate for application credential
# ownership comes from the path, but it should come from the actual
# application credential reference. By ensuring we pull the user ID from
# the application credential, we close a loop hole where users could
# effectively bypass authorization to view or delete any application
# credential in the system, assuming the attacker knows the application
# credential ID of another user. So long as the attacker matches the user
# ID in the request path to the user in the token of the request, they can
# pass the `rule:owner` policy check. This method protects against that by
# ensuring we use the application credential user ID and not something
# determined from the client.
app_cred = (
flask.request.view_args['user_id'] = app_cred['user_id']
# This target isn't really used in the default policy for application
# credentials, but we return it since we're using this method as a hook
# to update the flask request variables, which are used later in the
# keystone RBAC enforcer to populate the policy_dict, which ultimately
# turns into target attributes.
return {'user_id': app_cred['user_id']}
except ks_exception.NotFound: # nosec
# Defer existance in the event the application credential doesn't
# exist, we'll check this later anyway.
def _format_role_entity(role_id): def _format_role_entity(role_id):
role = PROVIDERS.role_api.get_role(role_id) role = PROVIDERS.role_api.get_role(role_id)
formatted_entity = role.copy() formatted_entity = role.copy()
if 'description' in role: if 'description' in role:
formatted_entity.pop('description') formatted_entity.pop('description')
if 'enabled' in role: if 'enabled' in role:
formatted_entity.pop('enabled') formatted_entity.pop('enabled')
return formatted_entity return formatted_entity
class UserResource(ks_flask.ResourceBase): class UserResource(ks_flask.ResourceBase):
skipping to change at line 634 skipping to change at line 668
class UserAppCredGetDeleteResource(ks_flask.ResourceBase): class UserAppCredGetDeleteResource(ks_flask.ResourceBase):
collection_key = 'application_credentials' collection_key = 'application_credentials'
member_key = 'application_credential' member_key = 'application_credential'
def get(self, user_id, application_credential_id): def get(self, user_id, application_credential_id):
"""Get application credential resource. """Get application credential resource.
GET/HEAD /v3/users/{user_id}/application_credentials/ GET/HEAD /v3/users/{user_id}/application_credentials/
{application_credential_id} {application_credential_id}
""" """
ENFORCER.enforce_call(action='identity:get_application_credential') target = _update_request_user_id_attribute()
ref = PROVIDERS.application_credential_api.get_application_credential( ref = PROVIDERS.application_credential_api.get_application_credential(
application_credential_id) application_credential_id)
return self.wrap_member(ref) return self.wrap_member(ref)
def delete(self, user_id, application_credential_id): def delete(self, user_id, application_credential_id):
"""Delete application credential resource. """Delete application credential resource.
DELETE /v3/users/{user_id}/application_credentials/ DELETE /v3/users/{user_id}/application_credentials/
{application_credential_id} {application_credential_id}
""" """
ENFORCER.enforce_call(action='identity:delete_application_credential') target = _update_request_user_id_attribute()
token = self.auth_context['token'] token = self.auth_context['token']
_check_unrestricted_application_credential(token) _check_unrestricted_application_credential(token)
PROVIDERS.application_credential_api.delete_application_credential( PROVIDERS.application_credential_api.delete_application_credential(
application_credential_id, initiator=self.audit_initiator) application_credential_id, initiator=self.audit_initiator)
return None, http_client.NO_CONTENT return None, http_client.NO_CONTENT
class UserAccessRuleListResource(ks_flask.ResourceBase): class UserAccessRuleListResource(ks_flask.ResourceBase):
collection_key = 'access_rules' collection_key = 'access_rules'
member_key = 'access_rule' member_key = 'access_rule'
 End of changes. 3 change blocks. 
2 lines changed or deleted 44 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)