authorMorgan Fainberg <morgan.fainberg@gmail.com>2016-01-07 15:18:03 -0800
committerBrant Knudson <bknudson@us.ibm.com>2016-01-29 16:59:13 +0000
commit7724b912b81c0e3d452f9d87f8d32257ced0dec0 (patch)
tree416070c0137ab49a4001d827da4e49ba45d21690
parent23b2c9700314905dbd93dbcef453ac86a418157b (diff)
downloadkeystone-7724b912b81c0e3d452f9d87f8d32257ced0dec0.tar.gz
Revert "Validate domain ownership for v2 tokens"
This reverts commit c4723550aa95be403ff591dd132c9024549eff10. This revert is being proposed because the reverted commit breaks behavior that real-world deployments rely on. The deployments requested the V2 token with user_id and tenantId and then used the V2 token for the non-default-domain user to access swift. While the deployment is being encouraged to fix their code to use V3, this is behavior that was supported and used. Conflicts (new file post Liberty): keystone/tests/unit/test_v3_resource.py Closes-Bug: 1527759 Change-Id: I4a303a5fcc8c2dacef5960e9e26ad9402f34a790
-rw-r--r--keystone/common/controller.py32
-rw-r--r--keystone/tests/unit/test_v3_assignment.py11
-rw-r--r--keystone/tests/unit/test_v3_auth.py33
-rw-r--r--keystone/token/providers/common.py36
4 files changed, 15 insertions, 97 deletions
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index 56bc211a9..54182b264 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -224,27 +224,13 @@ class V2Controller(wsgi.Application):
@staticmethod
def filter_domain_id(ref):
"""Remove domain_id since v2 calls are not domain-aware."""
- if 'domain_id' in ref:
- if ref['domain_id'] != CONF.identity.default_domain_id:
- raise exception.Unauthorized(
- _('Non-default domain is not supported'))
- del ref['domain_id']
+ ref.pop('domain_id', None)
return ref
@staticmethod
def filter_domain(ref):
- """Remove domain since v2 calls are not domain-aware.
-
- V3 Fernet tokens builds the users with a domain in the token data.
- This method will ensure that users create in v3 belong to the default
- domain.
-
- """
- if 'domain' in ref:
- if ref['domain'].get('id') != CONF.identity.default_domain_id:
- raise exception.Unauthorized(
- _('Non-default domain is not supported'))
- del ref['domain']
+ """Remove domain since v2 calls are not domain-aware."""
+ ref.pop('domain', None)
return ref
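Review bot: `filter_domain_id` and `filter_domain` now strip the domain silently, so a v2 caller receiving the filtered ref can no longer tell a non-default-domain user or project from an identically named one in the default domain, and the docstrings still only say "v2 calls are not domain-aware". I would extend each docstring with a line such as `Refs from non-default domains are passed through with the domain stripped; v2 consumers cannot distinguish same-named entities across domains.` so the next maintainer understands what this revert deliberately restored before re-adding a check. The rest of V2Controller is outside this hunk.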
@staticmethod
@@ -287,15 +273,9 @@ class V2Controller(wsgi.Application):
def v3_to_v2_user(ref):
"""Convert a user_ref from v3 to v2 compatible.
- - v2.0 users are not domain aware, and should have domain_id validated
- to be the default domain, and then removed.
-
- - v2.0 users expect the use of tenantId instead of default_project_id.
-
- - v2.0 users have a username attribute.
-
- This method should only be applied to user_refs being returned from the
- v2.0 controller(s).
+ * v2.0 users are not domain aware, and should have domain_id removed
+ * v2.0 users expect the use of tenantId instead of default_project_id
+ * v2.0 users have a username attribute
If ref is a list type, we will iterate through each element and do the
conversion.
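Review bot: The rewritten docstring drops the sentence `This method should only be applied to user_refs being returned from the v2.0 controller(s).` that the removed lines carried, and nothing on the new side replaces it. That restriction matters more now that `domain_id` is popped without validation, since applying the conversion on any other path would lose the domain with no error; I would keep it as a closing paragraph after the bullet list. The body of `v3_to_v2_user` continues below the hunk.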
diff --git a/keystone/tests/unit/test_v3_assignment.py b/keystone/tests/unit/test_v3_assignment.py
index 6b15b1c3b..20c5d7cf1 100644
--- a/keystone/tests/unit/test_v3_assignment.py
+++ b/keystone/tests/unit/test_v3_assignment.py
@@ -124,7 +124,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.user2['id'])
# First check a user in that domain can authenticate. The v2 user
- # cannot authenticate because they exist outside the default domain.
+ # can authenticate even though they exist outside the default domain.
body = {
'auth': {
'passwordCredentials': {
@@ -135,8 +135,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
}
}
self.admin_request(
- path='/v2.0/tokens', method='POST', body=body,
- expected_status=http_client.UNAUTHORIZED)
+ path='/v2.0/tokens', method='POST', body=body)
auth_data = self.build_authentication_request(
user_id=self.user2['id'],
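Review bot: The `self.admin_request(path='/v2.0/tokens', method='POST', body=body)` call no longer states the status it expects, so the test only proves the request satisfied whatever default `admin_request` enforces (presumably 200 — confirm in the helper). Since this test exists precisely to pin that a non-default-domain user can now obtain a v2 token, I would pass `expected_status=http_client.OK` explicitly, matching the style of the `UNAUTHORIZED` assertions elsewhere in the file. The test method starts above the hunk.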
@@ -3170,9 +3169,9 @@ class AssignmentV3toV2MethodsTestCase(unit.TestCase):
'other_data': other_data}
updated_ref = controller.V2Controller.filter_domain(default_domain_ref)
self.assertNotIn('domain', updated_ref)
- self.assertRaises(exception.Unauthorized,
- controller.V2Controller.filter_domain,
- non_default_domain_ref)
+ self.assertNotIn(
+ 'domain',
+ controller.V2Controller.filter_domain(non_default_domain_ref))
def test_v2controller_filter_project_parent_id(self):
# V2.0 is not project hierarchy aware, ensure parent_id is popped off.
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
index 45d2d88a6..40e9032b3 100644
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@@ -132,18 +132,6 @@ class TokenAPITests(object):
def test_default_fixture_scope_token(self):
self.assertIsNotNone(self.get_scoped_token())
- def test_v3_v2_intermix_non_default_domain_failed(self):
- v3_token = self.get_requested_token(self.build_authentication_request(
- user_id=self.user['id'],
- password=self.user['password']))
-
- # now validate the v3 token with v2 API
- self.admin_request(
- path='/v2.0/tokens/%s' % v3_token,
- token=CONF.admin_token,
- method='GET',
- expected_status=http_client.UNAUTHORIZED)
-
def test_v3_v2_intermix_new_default_domain(self):
# If the default_domain_id config option is changed, then should be
# able to validate a v3 token with user in the new domain.
@@ -202,7 +190,7 @@ class TokenAPITests(object):
token=CONF.admin_token,
expected_status=http_client.UNAUTHORIZED)
- def test_v3_v2_intermix_non_default_project_failed(self):
+ def test_v3_v2_intermix_non_default_project_succeed(self):
# self.project is in a non-default domain
v3_token = self.get_requested_token(self.build_authentication_request(
user_id=self.default_domain_user['id'],
@@ -213,10 +201,9 @@ class TokenAPITests(object):
self.admin_request(
method='GET',
path='/v2.0/tokens/%s' % v3_token,
- token=CONF.admin_token,
- expected_status=http_client.UNAUTHORIZED)
+ token=CONF.admin_token)
- def test_v3_v2_intermix_non_default_user_failed(self):
+ def test_v3_v2_intermix_non_default_user_succeed(self):
self.assignment_api.create_grant(
self.role['id'],
user_id=self.user['id'],
@@ -232,8 +219,7 @@ class TokenAPITests(object):
self.admin_request(
method='GET',
path='/v2.0/tokens/%s' % v3_token,
- token=CONF.admin_token,
- expected_status=http_client.UNAUTHORIZED)
+ token=CONF.admin_token)
def test_v3_v2_intermix_domain_scope_failed(self):
self.assignment_api.create_grant(
@@ -4524,17 +4510,6 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
self.token_provider_api.validate_token,
trust_scoped_token)
- def test_v2_validate_unscoped_token_returns_unauthorized(self):
- """Test raised exception when validating unscoped token.
-
- Test that validating an unscoped token in v2.0 of a v3 user of a
- non-default domain returns unauthorized.
- """
- unscoped_token = self._get_unscoped_token()
- self.assertRaises(exception.Unauthorized,
- self.token_provider_api.validate_v2_token,
- unscoped_token)
-
def test_v2_validate_domain_scoped_token_returns_unauthorized(self):
"""Test raised exception when validating a domain scoped token.
diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py
index b71458cd8..926515aa5 100644
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@@ -47,23 +47,7 @@ class V2TokenDataHelper(object):
token['issued_at'] = v3_token.get('issued_at')
token['audit_ids'] = v3_token.get('audit_ids')
- # Bail immediately if this is a domain-scoped token, which is not
- # supported by the v2 API at all.
- if 'domain' in v3_token:
- raise exception.Unauthorized(_(
- 'Domains are not supported by the v2 API. Please use the v3 '
- 'API instead.'))
-
- # Bail if this is a project-scoped token outside the default domain,
- # which may result in a namespace collision with a project inside the
- # default domain.
if 'project' in v3_token:
- if (v3_token['project']['domain']['id'] !=
- CONF.identity.default_domain_id):
- raise exception.Unauthorized(_(
- 'Project not found in the default domain (please use the '
- 'v3 API instead): %s') % v3_token['project']['id'])
-
# v3 token_data does not contain all tenant attributes
tenant = self.resource_api.get_project(
v3_token['project']['id'])
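Review bot: The early rejection of domain-scoped tokens (`if 'domain' in v3_token: raise exception.Unauthorized(...)`) is removed together with the default-domain ownership checks, although the commit message only motivates restoring non-default-domain users and tenants. After this hunk a domain-scoped v3 token has no `project` key, so `v3_to_v2_token` will emit it as an unscoped v2 token and the domain scope is silently lost; the `BaseProvider` check later in this diff still rejects domain scope on one path, but whether every caller of this helper goes through it is not visible here. I would keep the two-line guard `if 'domain' in v3_token:` / `raise exception.Unauthorized(_('Domains are not supported by the v2 API. Please use the v3 API instead.'))` in place. The enclosing method starts above the hunk and continues below it.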
@@ -74,15 +58,6 @@ class V2TokenDataHelper(object):
# Build v2 user
v3_user = v3_token['user']
- # Bail if this is a token outside the default domain,
- # which may result in a namespace collision with a project inside the
- # default domain.
- if ('domain' in v3_user and v3_user['domain']['id'] !=
- CONF.identity.default_domain_id):
- raise exception.Unauthorized(_(
- 'User not found in the default domain (please use the v3 API '
- 'instead): %s') % v3_user['id'])
-
user = common_controller.V2Controller.v3_to_v2_user(v3_user)
# Maintain Trust Data
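Review bot: With the user-domain check gone, `v3_to_v2_user(v3_user)` now receives users from any domain, and the comment about a namespace collision with the default domain disappears with it, leaving no trace in the code of why the check was dropped or what the consequence is. I would keep a short comment above the call, e.g. `# Users outside the default domain are converted as-is (bug 1527759); v2 consumers cannot tell them apart from same-named default-domain users.`, so the risk stays visible to whoever next touches this path. The method continues outside the hunk.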
@@ -636,21 +611,10 @@ class BaseProvider(provider.Provider):
token.provider.V3):
# this is a V3 token
msg = _('Non-default domain is not supported')
- # user in a non-default is prohibited
- if (token_ref['token_data']['token']['user']['domain']['id'] !=
- CONF.identity.default_domain_id):
- raise exception.Unauthorized(msg)
# domain scoping is prohibited
if token_ref['token_data']['token'].get('domain'):
raise exception.Unauthorized(
_('Domain scoped token is not supported'))
- # project in non-default domain is prohibited
- if token_ref['token_data']['token'].get('project'):
- project = token_ref['token_data']['token']['project']
- project_domain_id = project['domain']['id']
- # scoped to project in non-default domain is prohibited
- if project_domain_id != CONF.identity.default_domain_id:
- raise exception.Unauthorized(msg)
# if token is scoped to trust, both trustor and trustee must
# be in the default domain. Furthermore, the delegated project
# must also be in the default domain
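Review bot: `msg = _('Non-default domain is not supported')` at the top of the hunk loses both of its uses in this hunk, so it is now either dead or consumed only by the trust checks that continue below the hunk; if the former it should be removed, if the latter the assignment now sits far from its use and would read better next to it. Note also that this path still rejects domain-scoped tokens and, per the retained comment, still requires trustor, trustee and delegated project to be in the default domain, while the same method now accepts non-default-domain users and projects for non-trust tokens; if that asymmetry is intentional it deserves a comment such as `# Trust tokens keep the default-domain requirement; plain tokens no longer do (bug 1527759).`. The enclosing method starts above and ends below the hunk.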