yahoo-eng-team team mailing list archive

[Bug 1873290] Re: OAuth1 request token authorize silently ignores roles parameter

Reviewed:  https://review.opendev.org/725885
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6c73690f779a42a5c62914b6bc37f0ac2f41a3e3
Submitter: Zuul
Branch:    master

commit 6c73690f779a42a5c62914b6bc37f0ac2f41a3e3
Author: Colleen Murphy <colleen.murphy@xxxxxxxx>
Date:   Thu Apr 16 20:35:46 2020 -0700

    Ensure OAuth1 authorized roles are respected
    
    Without this patch, when an OAuth1 request token is authorized with a
    limited set of roles, the roles for the access token are ignored when
    the user uses it to request a keystone token. This means that the user of an
    access token can use it to escalate their role assignments beyond what
    was authorized by the creator. This patch fixes the issue by ensuring
    the token model accounts for an OAuth1-scoped token and correctly
    populating the roles for it.
    
    Change-Id: I02f9836fbd4d7e629653977fc341476cfd89859e
    Closes-bug: #1873290


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1873290

Title:
  OAuth1 request token authorize silently ignores roles parameter

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  Sorry for using "trustor" and "trustee" terms in OAuth1 context, but
  these terms clearly describe the users' positions.

  OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a
  role for an OAuth1 Access Token:

  $ openstack request token authorize
  usage: openstack request token authorize [-h]
                                           [-f {json,shell,table,value,yaml}]
                                           [-c COLUMN] [--noindent]
                                           [--prefix PREFIX]
                                           [--max-width <integer>] [--fit-width]
                                           [--print-empty] --request-key
                                           <request-key> --role <role>
  openstack request token authorize: error: the following arguments are required: --request-key, --role

  However, a specified role is silently ignored and the OAuth1 token gets
  all of the OAuth1 "trustor" roles.

  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287

  As an OAuth1 "trustor" I expect the "trustee" to have only accepted
  roles.
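The following Python model is an added illustration of the flaw and the fix, not keystone's code: it shows a keystone-style token having its roles populated from the trustor's full project assignments (pre-fix) versus from the roles recorded on the OAuth1 access token (post-fix). User, project and role ids are constructed.

```python
"""Constructed model of the OAuth1 delegation flaw in bug #1873290 (not keystone code)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a delegation or token request must be refused."""


@dataclass(frozen=True)
class AccessToken:
    user_id: str        # the "trustor" who authorized the request token
    project_id: str
    role_ids: tuple     # roles passed as --role when authorizing


# Constructed role assignments: user id -> project id -> set of role ids.
SAMPLE_ASSIGNMENTS = {"alice": {"proj-a": {"admin", "member", "reader"}}}


def user_roles(assignments, user_id, project_id):
    """Every role the user holds directly on the project."""
    return set(assignments.get(user_id, {}).get(project_id, set()))


def authorize_request_token(assignments, trustor_id, project_id, requested):
    """Authorize step: a trustor may only delegate roles they actually hold."""
    missing = set(requested) - user_roles(assignments, trustor_id, project_id)
    if missing:
        raise Forbidden("cannot delegate roles not held: %s" % sorted(missing))
    return AccessToken(trustor_id, project_id, tuple(sorted(requested)))


def token_roles_vulnerable(assignments, token):
    """Pre-fix behaviour: the OAuth1 scope is ignored and the keystone token
    receives every role the trustor holds on the project."""
    return user_roles(assignments, token.user_id, token.project_id)


def token_roles_fixed(assignments, token):
    """Post-fix behaviour: only the delegated roles are populated, and each
    of them must still be assigned to the trustor when the token is issued."""
    held = user_roles(assignments, token.user_id, token.project_id)
    revoked = set(token.role_ids) - held
    if revoked:
        raise Forbidden("delegated role no longer held: %s" % sorted(revoked))
    return set(token.role_ids)
```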
