No error raised if PUT/GET/PATCH/DELETE domain-specific driver configuration database store with an invalid domain id
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Thomas Hsiao | |
Bug Description
For the domain-specific driver configuration database store, the Identity API creates the configuration options in the database even though the domain id provided in the request URL is invalid.
For example, a user can create config options using an invalid domain id (123456789) as shown below:
~$ curl -s \
> -H "X-Auth-Token: ADMIN" \
> -H "Content-Type: application/json" \
> -d '
> {
> "config":{
> "identity":{
> "driver":"ldap"
> },
> "ldap":{
> .........
> "tls_req_
> "user_tree_
> "group_
> }
> }
> } ' \
> -XPUT "http://
{"config": {"identity": {"driver": "keystone.
Once the config options are created in the database, the user can even use this invalid domain id to get/update/delete the config options, as shown in the example below:
~$ curl -k -H "X-Auth-
{"config": {"identity": {"driver": "keystone.
summary: |
- No error raised if PUT/GET/PATCH/DELETE sql-based domain driver - configuration with a invalid domain id + No error raised if PUT/GET/PATCH/DELETE domain-specific driver + configuration database store with an invalid domain id |
description: | updated |
Changed in keystone: | |
assignee: | nobody → Thomas Hsiao (thomas-hsiao) |
Changed in keystone: | |
assignee: | Thomas Hsiao (thomas-hsiao) → Guang Yee (guang-yee) |
Changed in keystone: | |
assignee: | Guang Yee (guang-yee) → Thomas Hsiao (thomas-hsiao) |
Seems like an easy fix, just have a check to make sure the domain can be found in the backend:
https://github.com/openstack/keystone/blob/master/keystone/resource/controllers.py#L168
presently this doesn't happen:
    def create_domain_config(self, context, domain_id, config):
        original_config = (
            self.domain_config_api.get_config_with_sensitive_info(domain_id))
        ref = self.domain_config_api.create_config(domain_id, config)
There should be a call like:
    self.resource_api.get_domain(domain_id)
before any of the other work is performed.
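
An added example, not keystone's code and not part of the comment above: the controller behaviour described in this report next to a variant that calls `get_domain` before touching the config store. `ResourceAPI`, `DomainConfigAPI`, `DomainNotFound`, `get_config` and both controller classes are hypothetical in-memory stand-ins; only the names `get_domain`, `create_config` and `create_domain_config` come from the page.

```python
# Added illustration with in-memory stand-ins; none of this is keystone code.
class DomainNotFound(Exception):
    """Stand-in for the error an unknown domain id should produce."""

class ResourceAPI:
    def __init__(self, domains):
        self._domains = set(domains)

    def get_domain(self, domain_id):
        if domain_id not in self._domains:
            raise DomainNotFound(domain_id)
        return {"id": domain_id}

class DomainConfigAPI:
    def __init__(self):
        self.store = {}  # domain_id -> config dict

    def create_config(self, domain_id, config):
        self.store[domain_id] = config
        return config

    def get_config(self, domain_id):
        return self.store.get(domain_id, {})

class UncheckedController:
    """Reported behaviour: domain_id is only ever used as a storage key."""
    def __init__(self, resource_api, domain_config_api):
        self.resource_api = resource_api
        self.domain_config_api = domain_config_api

    def create_domain_config(self, domain_id, config):
        return self.domain_config_api.create_config(domain_id, config)

    def get_domain_config(self, domain_id):
        return self.domain_config_api.get_config(domain_id)

class CheckedController(UncheckedController):
    """Suggested behaviour: resolve the domain before any other work."""
    def create_domain_config(self, domain_id, config):
        self.resource_api.get_domain(domain_id)  # raises for unknown ids
        return super().create_domain_config(domain_id, config)

    def get_domain_config(self, domain_id):
        self.resource_api.get_domain(domain_id)
        return super().get_domain_config(domain_id)
```

The update and delete handlers need the same lookup as their first statement, so that no verb can read or write rows keyed by a domain id that does not exist.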