No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id

Bug #1524562 reported by Thomas Hsiao on 2015-12-10
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Thomas Hsiao

Bug Description

No error raised if PUT/GET/PATCH/DELETE sql-based domain driver configuration with a invalid domain id:

For domain-specific driver configuration database store, Identity API creates the configuration options into the database even though the provided domain id is the the request url is invalid.
For example, a user can create config options using an invalid domain id (123456789) as shown below:

~$ curl -s \
> -H "X-Auth-Token: ADMIN" \
> -H "Content-Type: application/json" \
> -d '
> {
> "config":{
> "identity":{
> "driver":"ldap"
> },
> "ldap":{
> .........
> "tls_req_cert":"demand",
> "user_tree_dn":"ou=Users50,dc=cdl,dc=hp,dc=com",
> "group_allow_update":"False"
> }
> }
> } ' \
> -XPUT "http://localhost:35357/v3/domains/123456789/config/"

{"config": {"identity": {"driver": "keystone.identity.backends.ldap.Identity"}, "ldap": {"user_allow_update": "False", ........"user_name_attribute": "cn", "use_pool": "True", "user_objectclass": "posixAccount", "group_id_attribute": "gidNumber", "user_allow_create": "False", "tls_req_cert": "demand".......}}}

Once the config options created in the database, the user can even use this invalid domain id to get/update/delete the config options, an example as shown below:

~$ curl -k -H "X-Auth-Token:ADMIN" http://localhost:35357/v3/domains/123456789/config/

{"config": {"identity": {"driver": "keystone.identity.backends.ldap.Identity"}, "ldap": {"user_allow_update": "False", "group_allow_delete": "False", "group_name_attribute": "cn", "suffix": "dc=cdl,dc=hp,dc=com", ......, "group_allow_update": "False".......}}}

summary: - No error raised if PUT/GET/PATCH/DELETE sql-based domain driver
- configuration with a invalid domain id
+ No error raised if PUT/GET/PATCH/DELETE domain-specific driver
+ configuration database store with an invalid domain id
description: updated
Changed in keystone:
assignee: nobody → Thomas Hsiao (thomas-hsiao)
Steve Martinelli (stevemar) wrote :

Seems like an easy fix, just have a check to make sure the domain can be found in the backend:

https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L168

presently this doesn't happen:

    def create_domain_config(self, context, domain_id, config):
        original_config = (
            self.domain_config_api.get_config_with_sensitive_info(domain_id))
        ref = self.domain_config_api.create_config(domain_id, config)

There should be call like:

    self.resource_api.get_domain(domain_id)

before the any of the other work is performed.

Changed in keystone:
importance: Undecided → Medium
status: New → Triaged
milestone: none → mitaka-2
Thomas Hsiao (thomas-hsiao) wrote :

Hi Steve,
What do you think if we add domain id check for all cases of create/read/update/delete?

Fix proposed to branch: master
Review: https://review.openstack.org/256889

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Thomas Hsiao (thomas-hsiao) → Guang Yee (guang-yee)
Changed in keystone:
assignee: Guang Yee (guang-yee) → Thomas Hsiao (thomas-hsiao)

Reviewed: https://review.openstack.org/256889
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5560c7060dcc906b07080c44511551c45172ecf0
Submitter: Jenkins
Branch: master

commit 5560c7060dcc906b07080c44511551c45172ecf0
Author: Thomas Hsiao <email address hidden>
Date: Fri Dec 11 15:55:19 2015 -0800

    Validate domain for DB-based domain config. CRUD

    For CRUD of Identity API-based domain-specific driver configuration
    in database store, if the client provides an invalid domain id,
    the request shall be rejected with a response 404 domain not found.

    Change-Id: I9e861d450da1a49d31bac08bea12a0e2e84c6476
    Closes-Bug: 1524562

Changed in keystone:
status: In Progress → Fix Released
Thomas Hsiao (thomas-hsiao) wrote :

Could this fix backport to Liberty?

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers