diff options
Diffstat (limited to 'keystone/contrib/oauth1/controllers.py')
-rw-r--r-- | keystone/contrib/oauth1/controllers.py | 85 |
1 files changed, 31 insertions, 54 deletions
diff --git a/keystone/contrib/oauth1/controllers.py b/keystone/contrib/oauth1/controllers.py index 6ab9b870e..ae1ccd4b2 100644 --- a/keystone/contrib/oauth1/controllers.py +++ b/keystone/contrib/oauth1/controllers.py @@ -95,8 +95,8 @@ class AccessTokenCrudV3(controller.V3Controller): formatted_entity = entity.copy() access_token_id = formatted_entity['id'] user_id = "" - if 'requested_roles' in entity: - formatted_entity.pop('requested_roles') + if 'role_ids' in entity: + formatted_entity.pop('role_ids') if 'access_secret' in entity: formatted_entity.pop('access_secret') if 'authorizing_user_id' in entity: @@ -112,7 +112,7 @@ class AccessTokenCrudV3(controller.V3Controller): return formatted_entity -@dependency.requires('oauth_api') +@dependency.requires('oauth_api', 'assignment_api') class AccessTokenRolesV3(controller.V3Controller): collection_name = 'roles' member_name = 'role' @@ -121,30 +121,30 @@ class AccessTokenRolesV3(controller.V3Controller): access_token = self.oauth_api.get_access_token(access_token_id) if access_token['authorizing_user_id'] != user_id: raise exception.NotFound() - roles = access_token['requested_roles'] - roles_refs = jsonutils.loads(roles) - formatted_refs = ([self._format_role_entity(x) for x in roles_refs]) - return AccessTokenRolesV3.wrap_collection(context, formatted_refs) + authed_role_ids = access_token['role_ids'] + authed_role_ids = jsonutils.loads(authed_role_ids) + refs = ([self._format_role_entity(x) for x in authed_role_ids]) + return AccessTokenRolesV3.wrap_collection(context, refs) def get_access_token_role(self, context, user_id, access_token_id, role_id): access_token = self.oauth_api.get_access_token(access_token_id) if access_token['authorizing_user_id'] != user_id: raise exception.Unauthorized(_('User IDs do not match')) - roles = access_token['requested_roles'] - roles_dict = jsonutils.loads(roles) - for role in roles_dict: - if role['id'] == role_id: - role = self._format_role_entity(role) + authed_role_ids = access_token['role_ids'] + authed_role_ids = jsonutils.loads(authed_role_ids) + for authed_role_id in authed_role_ids: + if authed_role_id == role_id: + role = self._format_role_entity(role_id) return AccessTokenRolesV3.wrap_member(context, role) raise exception.RoleNotFound(_('Could not find role')) - def _format_role_entity(self, entity): - - formatted_entity = entity.copy() - if 'description' in entity: + def _format_role_entity(self, role_id): + role = self.assignment_api.get_role(role_id) + formatted_entity = role.copy() + if 'description' in role: formatted_entity.pop('description') - if 'enabled' in entity: + if 'enabled' in role: formatted_entity.pop('enabled') return formatted_entity @@ -159,19 +159,14 @@ class OAuthControllerV3(controller.V3Controller): headers = context['headers'] oauth_headers = oauth1.get_oauth_headers(headers) consumer_id = oauth_headers.get('oauth_consumer_key') - requested_role_ids = headers.get('Requested-Role-Ids') requested_project_id = headers.get('Requested-Project-Id') if not consumer_id: raise exception.ValidationError( attribute='oauth_consumer_key', target='request') - if not requested_role_ids: - raise exception.ValidationError( - attribute='requested_role_ids', target='request') if not requested_project_id: raise exception.ValidationError( attribute='requested_project_id', target='request') - req_role_ids = requested_role_ids.split(',') consumer_ref = self.oauth_api.get_consumer_with_secret(consumer_id) consumer = oauth1.Consumer(key=consumer_ref['id'], secret=consumer_ref['secret']) @@ -182,8 +177,7 @@ class OAuthControllerV3(controller.V3Controller): http_url=url, headers=context['headers'], query_string=context['query_string'], - parameters={'requested_role_ids': requested_role_ids, - 'requested_project_id': requested_project_id}) + parameters={'requested_project_id': requested_project_id}) oauth_server = oauth1.Server() oauth_server.add_signature_method(oauth1.SignatureMethod_HMAC_SHA1()) params = oauth_server.verify_request(oauth_request, @@ -195,27 +189,8 @@ class OAuthControllerV3(controller.V3Controller): msg = _('Non-oauth parameter - project, do not match') raise exception.Unauthorized(message=msg) - roles_params = params['requested_role_ids'] - roles_params_list = roles_params.split(',') - if roles_params_list != req_role_ids: - msg = _('Non-oauth parameter - roles, do not match') - raise exception.Unauthorized(message=msg) - - req_role_list = list() - all_roles = self.identity_api.list_roles() - for role in all_roles: - for req_role in req_role_ids: - if role['id'] == req_role: - req_role_list.append(role) - - if len(req_role_list) == 0: - msg = _('could not find matching roles for provided role ids') - raise exception.Unauthorized(message=msg) - - json_roles = jsonutils.dumps(req_role_list) request_token_duration = CONF.oauth1.request_token_duration token_ref = self.oauth_api.create_request_token(consumer_id, - json_roles, requested_project_id, request_token_duration) @@ -320,7 +295,7 @@ class OAuthControllerV3(controller.V3Controller): return response - def authorize(self, context, request_token_id): + def authorize(self, context, request_token_id, roles): """An authenticated user is going to authorize a request token. As a security precaution, the requested roles must match those in @@ -339,24 +314,26 @@ class OAuthControllerV3(controller.V3Controller): if now > expires: raise exception.Unauthorized(_('Request token is expired')) - req_roles = req_token['requested_roles'] - req_roles_list = jsonutils.loads(req_roles) - - req_set = set() - for x in req_roles_list: - req_set.add(x['id']) + # put the roles in a set for easy comparison + authed_roles = set() + for role in roles: + authed_roles.add(role['id']) # verify the authorizing user has the roles user_token = self.token_api.get_token(context['token_id']) - credentials = user_token['metadata'].copy() - user_roles = credentials.get('roles') user_id = user_token['user'].get('id') + project_id = req_token['requested_project_id'] + user_roles = self.assignment_api.get_roles_for_user_and_project( + user_id, project_id) cred_set = set(user_roles) - if not cred_set.issuperset(req_set): + if not cred_set.issuperset(authed_roles): msg = _('authorizing user does not have role required') raise exception.Unauthorized(message=msg) + # create list of just the id's for the backend + role_list = list(authed_roles) + # verify the user has the project too req_project_id = req_token['requested_project_id'] user_projects = self.assignment_api.list_user_projects(user_id) @@ -371,7 +348,7 @@ class OAuthControllerV3(controller.V3Controller): # finally authorize the token authed_token = self.oauth_api.authorize_request_token( - request_token_id, user_id) + request_token_id, user_id, role_list) to_return = {'token': {'oauth_verifier': authed_token['verifier']}} return to_return |