OpenStack Identity (keystone)

Bug #1873290
Comment #49

Comment 49 for bug 1873290

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-06-02: Fix merged to keystone (stable/pike)

#49

Reviewed: https://review.opendev.org/726016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7653847a04e56555b8d172a3d5c76a95533cdec7
Submitter: Zuul
Branch: stable/pike

commit 7653847a04e56555b8d172a3d5c76a95533cdec7
Author: Colleen Murphy <email address hidden>
Date: Thu Apr 16 20:35:46 2020 -0700

Ensure OAuth1 authorized roles are respected

    Without this patch, when an OAuth1 request token is authorized with a
    limited set of roles, the roles for the access token are ignored when
    the user uses it to request a keystone token. This means that user of an
    access token can use it to escallate their role assignments beyond what
    was authorized by the creator. This patch fixes the issue by ensuring
    the token model accounts for an OAuth1-scoped token and correctly
    populating the roles for it.

Modified to work with older test helper function:

keystone/tests/unit/test_v3_oauth1.py

Conflicts:

keystone/models/token_model.py

      The keystone token model was refactored in the Rocky release. This
      commit only backports the test so that we have test coverage against
      the bug and proves there wasn't a regression in Queens. As such, the
      code changes to token_model.py (where the bug was introduced) are not
      applicable to Pike.

releasenotes/notes/bug-1873290-ff7f8e4cee15b75a.yaml

      Removed the release note since there isn't anything to signal to
      operators regarding a vulnerability. We're only adding test coverage
      to prove that stable/queens isn't vulnerable.

    Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
    Closes-bug: #1873290
    (cherry picked from commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3)
    (cherry picked from commit ba89d27793c2d3a26ad95642660fa9bd820ed3be)
    (cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53)
    (cherry picked from commit 2483a578a80a916d9f5acd672d85830385b236e2)
    (cherry picked from commit 10bc689a6796f85c44d19e0c18f0e37b0a87474c)
    (cherry picked from commit d590441ce6897a7a169db7262eb17bcd5d90bcd2)

Reviewed:  https://review.opendev.org/726016
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7653847a04e56555b8d172a3d5c76a95533cdec7
Submitter: Zuul
Branch:    stable/pike

commit 7653847a04e56555b8d172a3d5c76a95533cdec7
Author: Colleen Murphy <colleen.murphy@suse.com>
Date:   Thu Apr 16 20:35:46 2020 -0700

Ensure OAuth1 authorized roles are respected
    
    Without this patch, when an OAuth1 request token is authorized with a
    limited set of roles, the roles for the access token are ignored when
    the user uses it to request a keystone token. This means that user of an
    access token can use it to escallate their role assignments beyond what
    was authorized by the creator. This patch fixes the issue by ensuring
    the token model accounts for an OAuth1-scoped token and correctly
    populating the roles for it.
    
    Modified to work with older test helper function:
    
      keystone/tests/unit/test_v3_oauth1.py
    
    Conflicts:
    
      keystone/models/token_model.py
    
      The keystone token model was refactored in the Rocky release. This
      commit only backports the test so that we have test coverage against
      the bug and proves there wasn't a regression in Queens. As such, the
      code changes to token_model.py (where the bug was introduced) are not
      applicable to Pike.
    
      releasenotes/notes/bug-1873290-ff7f8e4cee15b75a.yaml
    
      Removed the release note since there isn't anything to signal to
      operators regarding a vulnerability. We're only adding test coverage
      to prove that stable/queens isn't vulnerable.
    
    Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
    Closes-bug: #1873290
    (cherry picked from commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3)
    (cherry picked from commit ba89d27793c2d3a26ad95642660fa9bd820ed3be)
    (cherry picked from commit 5ff52dbaa2082991d229d8557a8e4b65256d6c53)
    (cherry picked from commit 2483a578a80a916d9f5acd672d85830385b236e2)
    (cherry picked from commit 10bc689a6796f85c44d19e0c18f0e37b0a87474c)
    (cherry picked from commit d590441ce6897a7a169db7262eb17bcd5d90bcd2)