Merge pull request #9 from stackhpc/upstream/2025.1-2026-01-05

Synchronise 2025.1 with upstream

Author: priteau

doc/source/getting-started/policy_mapping.rst

@@ -245,6 +245,8 @@ identity:delete_application_credential                     DELETE /v3/users/{use
 identity:get_access_rule                                   GET /v3/users/{user_id}/access_rules/{access_rule_id}
 identity:list_access_rules                                 GET /v3/users/{user_id}/access_rules
 identity:delete_access_rule                                DELETE /v3/users/{user_id}/access_rules/{access_rule_id}
+identity:s3tokens_validate                                 POST /v3/s3tokens
+identity:ec2tokens_validate                                POST /v3/es2tokens
 
 =========================================================  ===
 

keystone/api/_shared/authentication.py

@@ -56,7 +56,12 @@ def _check_and_set_default_scoping(auth_info, auth_context):
 
     default_project_id = user_ref.get('default_project_id')
     if not default_project_id:
-        # User has no default project. He shall get an unscoped token.
+        # User has no default project. They shall get an unscoped token.
+        msg = (
+            "User %(user_id)s doesn't have a default project. "
+            " The token will be unscoped rather than scoped to a project."
+        )
+        LOG.debug(msg, {'user_id': user_ref['id']})
         return
 
     # make sure user's default project is legit before scoping to it
@@ -178,6 +183,13 @@ def authenticate(auth_info, auth_context):
                 resp_method_names = resp.response_data.pop('method_names', [])
                 auth_context['method_names'].extend(resp_method_names)
                 auth_context.update(resp.response_data or {})
+                # NOTE(gtema): When trying to get token from
+                # application_credential based token we need to restore
+                # application_credential_id to prevent escaping its bounds.
+                if "application_credential_id" in resp:
+                    auth_context["application_credential_id"] = resp[
+                        "application_credential_id"
+                    ]
             elif resp.response_body:
                 auth_response['methods'].append(method_name)
                 auth_response[method_name] = resp.response_body
@@ -226,7 +238,14 @@ def authenticate_for_token(auth=None):
         app_cred_id = None
         if 'application_credential' in method_names:
             token_auth = auth_info.auth['identity']
-            app_cred_id = token_auth['application_credential']['id']
+            if "application_credential" in token_auth:
+                app_cred_id = token_auth['application_credential']['id']
+            elif "application_credential_id" in auth_context:
+                app_cred_id = auth_context["application_credential_id"]
+            else:
+                raise exception.MissingApplicationCredentialId(
+                    user_id=auth_context['user_id']
+                )
 
         # Do MFA Rule Validation for the user
         if not core.UserMFARulesValidator.check_auth_methods_against_rules(

keystone/api/ec2tokens.py

@@ -21,6 +21,7 @@
 
 from keystone.api._shared import EC2_S3_Resource
 from keystone.api._shared import json_home_relations
+from keystone.common import rbac_enforcer
 from keystone.common import render_token
 from keystone.common import utils
 from keystone import exception
@@ -30,6 +31,9 @@
 CRED_TYPE_EC2 = 'ec2'
 
 
+ENFORCER = rbac_enforcer.RBACEnforcer
+
+
 class EC2TokensResource(EC2_S3_Resource.ResourceBase):
     @staticmethod
     def _check_signature(creds_ref, credentials):
@@ -57,12 +61,14 @@ def _check_signature(creds_ref, credentials):
         else:
             raise exception.Unauthorized(_('EC2 signature not supplied.'))
 
-    @ks_flask.unenforced_api
     def post(self):
         """Authenticate ec2 token.
 
         POST /v3/ec2tokens
         """
+        # Enforce RBAC in the same way as S3 tokens
+        ENFORCER.enforce_call(action='identity:ec2tokens_validate')
+
         token = self.handle_authenticate()
         token_reference = render_token.render_token_response_from_model(token)
         resp_body = jsonutils.dumps(token_reference)

keystone/api/s3tokens.py

@@ -22,12 +22,15 @@
 
 from keystone.api._shared import EC2_S3_Resource
 from keystone.api._shared import json_home_relations
+from keystone.common import rbac_enforcer
 from keystone.common import render_token
 from keystone.common import utils
 from keystone import exception
 from keystone.i18n import _
 from keystone.server import flask as ks_flask
 
+ENFORCER = rbac_enforcer.RBACEnforcer
+
 
 def _calculate_signature_v1(string_to_sign, secret_key):
     """Calculate a v1 signature.
@@ -96,12 +99,14 @@ def _check_signature(creds_ref, credentials):
                 message=_('Credential signature mismatch')
             )
 
-    @ks_flask.unenforced_api
     def post(self):
         """Authenticate s3token.
 
         POST /v3/s3tokens
         """
+        # Use standard Keystone policy enforcement for s3tokens access
+        ENFORCER.enforce_call(action='identity:s3tokens_validate')
+
         token = self.handle_authenticate()
         token_reference = render_token.render_token_response_from_model(token)
         resp_body = jsonutils.dumps(token_reference)

keystone/api/validation/__init__.py

@@ -16,9 +16,15 @@
 import typing as ty
 
 import flask
+from oslo_log import log
 from oslo_serialization import jsonutils
 
 from keystone.api.validation import validators
+import keystone.conf
+from keystone import exception
+
+CONF = keystone.conf.CONF
+LOG = log.getLogger(__name__)
 
 
 def validated(cls):
@@ -138,26 +144,40 @@ def add_validator(func):
         def wrapper(*args, **kwargs):
             response = func(*args, **kwargs)
 
-            if schema is not None:
-                # In Flask it is not uncommon that the method return a tuple of
-                # body and the status code. In the runtime Keystone only return
-                # a body, but some of the used testtools do return a tuple.
-                if isinstance(response, tuple):
-                    _body = response[0]
-                else:
-                    _body = response
-
-                # NOTE(stephenfin): If our response is an object, we need to
-                # serializer and deserialize to convert e.g. date-time
-                # to strings
-                _body = jsonutils.dump_as_bytes(_body)
-
-                if _body == b"":
-                    body = None
+            if CONF.api.response_validation == 'ignore':
+                # don't waste our time checking anything if we're ignoring
+                # schema errors
+                return response
+
+            if schema is None:
+                return response
+
+            # In Flask it is not uncommon that the method return a tuple of
+            # body and the status code. In the runtime Keystone only return
+            # a body, but some of the used testtools do return a tuple.
+            if isinstance(response, tuple):
+                _body = response[0]
+            else:
+                _body = response
+
+            # NOTE(stephenfin): If our response is an object, we need to
+            # serializer and deserialize to convert e.g. date-time
+            # to strings
+            _body = jsonutils.dump_as_bytes(_body)
+
+            if _body == b'':
+                body = None
+            else:
+                body = jsonutils.loads(_body)
+
+            try:
+                _schema_validator(schema, body, args, kwargs, is_body=True)
+            except exception.SchemaValidationError:
+                if CONF.api.response_validation == 'warn':
+                    LOG.exception('Schema failed to validate')
                 else:
-                    body = jsonutils.loads(_body)
+                    raise
 
-                _schema_validator(schema, body, args, kwargs, is_body=True)
             return response
 
         wrapper._response_body_schema = schema

keystone/auth/plugins/token.py

@@ -14,13 +14,15 @@
 
 import flask
 from oslo_log import log
+import typing as ty
 
 from keystone.auth.plugins import base
 from keystone.auth.plugins import mapped
 from keystone.common import provider_api
 import keystone.conf
 from keystone import exception
 from keystone.i18n import _
+from keystone.models.token_model import TokenModel
 
 LOG = log.getLogger(__name__)
 
@@ -49,13 +51,12 @@ def authenticate(self, auth_payload):
         # for re-scoping and we want to maintain the values. Most
         # AuthMethodHandlers do no such thing and this is not required.
         response_data.setdefault('method_names', []).extend(token.methods)
-
         return base.AuthHandlerResponse(
             status=True, response_body=None, response_data=response_data
         )
 
 
-def token_authenticate(token):
+def token_authenticate(token: TokenModel) -> dict[str, ty.Any]:
     response_data = {}
     try:
         # Do not allow tokens used for delegation to
@@ -88,6 +89,20 @@ def token_authenticate(token):
                     'or domain-scoped token is not allowed.'
                 )
             )
+        elif token.application_credential:
+            # NOTE(gtema): when getting token from token (initially issued by
+            # application credential) it is necessary to ensure scope is not
+            # requested.
+            if project_scoped or domain_scoped:
+                raise exception.ForbiddenAction(
+                    action=_(
+                        "Using an application credential token to create a "
+                        "project-scoped or domain-scoped token is not allowed."
+                    )
+                )
+            response_data["application_credential_id"] = (
+                token.application_credential["id"]
+            )
 
         if not CONF.token.allow_rescope_scoped_token:
             # Do not allow conversion from scoped tokens.

keystone/common/policies/__init__.py

@@ -22,6 +22,7 @@
 from keystone.common.policies import domain
 from keystone.common.policies import domain_config
 from keystone.common.policies import ec2_credential
+from keystone.common.policies import ec2tokens
 from keystone.common.policies import endpoint
 from keystone.common.policies import endpoint_group
 from keystone.common.policies import grant
@@ -40,6 +41,7 @@
 from keystone.common.policies import revoke_event
 from keystone.common.policies import role
 from keystone.common.policies import role_assignment
+from keystone.common.policies import s3tokens
 from keystone.common.policies import service
 from keystone.common.policies import service_provider
 from keystone.common.policies import token
@@ -78,6 +80,8 @@ def list_rules():
         revoke_event.list_rules(),
         role.list_rules(),
         role_assignment.list_rules(),
+        s3tokens.list_rules(),
+        ec2tokens.list_rules(),
         service.list_rules(),
         service_provider.list_rules(),
         token_revocation.list_rules(),

keystone/common/policies/ec2tokens.py

@@ -0,0 +1,34 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+# Align EC2 tokens API with S3 tokens: require admin or service users
+ADMIN_OR_SERVICE = 'rule:service_or_admin'
+
+
+ec2tokens_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 'ec2tokens_validate',
+        check_str=ADMIN_OR_SERVICE,
+        scope_types=['system', 'domain', 'project'],
+        description='Validate EC2 credentials and create a Keystone token. '
+        'Restricted to service users or administrators.',
+        operations=[{'path': '/v3/ec2tokens', 'method': 'POST'}],
+    )
+]
+
+
+def list_rules():
+    return ec2tokens_policies

keystone/common/policies/s3tokens.py

@@ -0,0 +1,35 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_policy import policy
+
+from keystone.common.policies import base
+
+# S3 tokens API requires service authentication to prevent presigned URL exploitation
+# This policy restricts access to service users or administrators only
+ADMIN_OR_SERVICE = 'rule:service_or_admin'
+
+s3tokens_policies = [
+    policy.DocumentedRuleDefault(
+        name=base.IDENTITY % 's3tokens_validate',
+        check_str=ADMIN_OR_SERVICE,
+        scope_types=['system', 'domain', 'project'],
+        description='Validate S3 credentials and create a Keystone token. '
+        'Restricted to service users or administrators to prevent '
+        'exploitation via presigned URLs.',
+        operations=[{'path': '/v3/s3tokens', 'method': 'POST'}],
+    )
+]
+
+
+def list_rules():
+    return s3tokens_policies

keystone/conf/__init__.py

@@ -19,6 +19,7 @@
 from oslo_middleware import cors
 from osprofiler import opts as profiler
 
+from keystone.conf import api
 from keystone.conf import application_credential
 from keystone.conf import assignment
 from keystone.conf import auth
@@ -54,8 +55,8 @@
 
 CONF = cfg.CONF
 
-
 conf_modules = [
+    api,
     application_credential,
     assignment,
     auth,
@@ -90,7 +91,6 @@
     wsgi,
 ]
 
-
 oslo_messaging.set_transport_defaults(control_exchange='keystone')