Generate patch

.gitreview

@@ -2,3 +2,4 @@
 host=review.opendev.org
 port=29418
 project=openstack/keystone.git
+defaultbranch=stable/2025.1

bindep.txt

@@ -37,3 +37,9 @@ openldap2-devel [platform:suse]
 
 # Required for sphinx graphviz image generation
 graphviz [test doc]
+
+# otherwise, it fails to build psycopg2, python-ldap
+build-essential [test]
+
+# otherwise, it fails to recognize pbr version
+git [test]

concourse_unit_test_task

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -ex
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get update
+apt-get install -y \
+  python3-venv
+python3 -m venv $HOME/.local/tools
+source $HOME/.local/tools/bin/activate
+pip install -U \
+  pip \
+  bindep \
+  tox
+
+cd source
+apt-get install -y \
+  $(bindep -b test)
+git config --global --add safe.directory /source
+
+export UPPER_CONSTRAINTS_FILE=https://raw.githubusercontent.com/sapcc/requirements/stable/2025.1-m3/upper-constraints.txt
+export \
+  KEYSTONE_IDENTITY_BACKEND=ldap \
+  KEYSTONE_CLEAR_LDAP=yes \
+  ENABLE_LDAP_LIVE_TEST=true
+tox -e py312 \
+  --skip-missing-interpreters=false

custom-requirements.txt

@@ -0,0 +1,9 @@
+python-binary-memcached
+
+git+https://github.com/sapcc/raven-python.git@ccloud#egg=raven[flask]
+git+https://github.com/sapcc/openstack-watcher-middleware.git#egg=watcher-middleware
+git+https://github.com/funkyHat/py-radius@install_requires#egg=py-radius
+git+https://github.com/sapcc/keystone-extensions.git@stable/2025.1-m3#egg=keystone-extensions
+git+https://github.com/sapcc/openstack-rate-limit-middleware.git#egg=rate-limit-middleware
+
+passlib

doc/source/getting-started/policy_mapping.rst

@@ -245,6 +245,8 @@ identity:delete_application_credential                     DELETE /v3/users/{use
 identity:get_access_rule                                   GET /v3/users/{user_id}/access_rules/{access_rule_id}
 identity:list_access_rules                                 GET /v3/users/{user_id}/access_rules
 identity:delete_access_rule                                DELETE /v3/users/{user_id}/access_rules/{access_rule_id}
+identity:s3tokens_validate                                 POST /v3/s3tokens
+identity:ec2tokens_validate                                POST /v3/es2tokens
 
 =========================================================  ===
 

keystone/api/_shared/authentication.py

@@ -56,7 +56,12 @@ def _check_and_set_default_scoping(auth_info, auth_context):
 
     default_project_id = user_ref.get('default_project_id')
     if not default_project_id:
-        # User has no default project. He shall get an unscoped token.
+        # User has no default project. They shall get an unscoped token.
+        msg = (
+            "User %(user_id)s doesn't have a default project. "
+            " The token will be unscoped rather than scoped to a project."
+        )
+        LOG.debug(msg, {'user_id': user_ref['id']})
         return
 
     # make sure user's default project is legit before scoping to it
@@ -226,7 +231,23 @@ def authenticate_for_token(auth=None):
         app_cred_id = None
         if 'application_credential' in method_names:
             token_auth = auth_info.auth['identity']
-            app_cred_id = token_auth['application_credential']['id']
+            try:
+                app_cred_id = token_auth['application_credential']['id']
+            except KeyError:
+                # NOTE(bbobrov): see bug #1878438 on launchpad.
+                # There is no any good fix for it, at least with the current
+                # architecture. Lets just return a nice message that this
+                # is currently not supported.
+                LOG.warning(
+                    'Unsupported reauthentication attempt with a token '
+                    'after authenticating with application credentials'
+                )
+                raise exception.Unauthorized(
+                    _(
+                        'Cannot reauthenticate with a token issued with '
+                        'application credentials'
+                    )
+                )
 
         # Do MFA Rule Validation for the user
         if not core.UserMFARulesValidator.check_auth_methods_against_rules(

keystone/api/ec2tokens.py

@@ -21,6 +21,7 @@
 
 from keystone.api._shared import EC2_S3_Resource
 from keystone.api._shared import json_home_relations
+from keystone.common import rbac_enforcer
 from keystone.common import render_token
 from keystone.common import utils
 from keystone import exception
@@ -30,6 +31,9 @@
 CRED_TYPE_EC2 = 'ec2'
 
 
+ENFORCER = rbac_enforcer.RBACEnforcer
+
+
 class EC2TokensResource(EC2_S3_Resource.ResourceBase):
     @staticmethod
     def _check_signature(creds_ref, credentials):
@@ -57,12 +61,14 @@ def _check_signature(creds_ref, credentials):
         else:
             raise exception.Unauthorized(_('EC2 signature not supplied.'))
 
-    @ks_flask.unenforced_api
     def post(self):
         """Authenticate ec2 token.
 
         POST /v3/ec2tokens
         """
+        # Enforce RBAC in the same way as S3 tokens
+        ENFORCER.enforce_call(action='identity:ec2tokens_validate')
+
         token = self.handle_authenticate()
         token_reference = render_token.render_token_response_from_model(token)
         resp_body = jsonutils.dumps(token_reference)

keystone/api/projects.py

@@ -21,6 +21,7 @@
 from keystone.common import json_home
 from keystone.common import provider_api
 from keystone.common import rbac_enforcer
+from keystone.common import utils
 from keystone.common import validation as ks_validation
 import keystone.conf
 from keystone import exception
@@ -189,7 +190,17 @@ def get(self):
             if t in flask.request.args:
                 hints.add_filter(t, flask.request.args[t])
         refs = PROVIDERS.resource_api.list_projects(hints=hints)
-        if self.oslo_context.domain_id:
+
+        # the entries should not be filtered by domain_id if domain list was
+        # requested; otherwise all domains are getting filtered out
+        try:
+            is_domain_requested = utils.attr_as_boolean(
+                flask.request.args['is_domain']
+            )
+        except KeyError:
+            is_domain_requested = False
+
+        if self.oslo_context.domain_id and not is_domain_requested:
             domain_id = self.oslo_context.domain_id
             filtered_refs = [
                 ref for ref in refs if ref['domain_id'] == domain_id

keystone/api/s3tokens.py

@@ -22,12 +22,15 @@
 
 from keystone.api._shared import EC2_S3_Resource
 from keystone.api._shared import json_home_relations
+from keystone.common import rbac_enforcer
 from keystone.common import render_token
 from keystone.common import utils
 from keystone import exception
 from keystone.i18n import _
 from keystone.server import flask as ks_flask
 
+ENFORCER = rbac_enforcer.RBACEnforcer
+
 
 def _calculate_signature_v1(string_to_sign, secret_key):
     """Calculate a v1 signature.
@@ -96,12 +99,14 @@ def _check_signature(creds_ref, credentials):
                 message=_('Credential signature mismatch')
             )
 
-    @ks_flask.unenforced_api
     def post(self):
         """Authenticate s3token.
 
         POST /v3/s3tokens
         """
+        # Use standard Keystone policy enforcement for s3tokens access
+        ENFORCER.enforce_call(action='identity:s3tokens_validate')
+
         token = self.handle_authenticate()
         token_reference = render_token.render_token_response_from_model(token)
         resp_body = jsonutils.dumps(token_reference)

keystone/api/trusts.py

@@ -224,7 +224,9 @@ def get(self):
             )
             if not flask.request.args:
                 # NOTE(morgan): Admin can list all trusts.
-                ENFORCER.enforce_call(action='admin_required')
+                # ENFORCER.enforce_call(action='admin_required')
+                # ccloud: only allow cloud-admins to list all trusts
+                ENFORCER.enforce_call(action='cloud_admin')
 
         if not flask.request.args:
             trusts += PROVIDERS.trust_api.list_trusts()

keystone/api/users.py

@@ -420,13 +420,14 @@ def post(self, user_id):
 
         POST /v3/users/{user_id}/credentials/OS-EC2
         """
+        tenant_id = self.request_body_json.get('tenant_id')
+
         target = {}
-        target['credential'] = {'user_id': user_id}
+        target['credential'] = {'user_id': user_id, 'project_id': tenant_id}
         ENFORCER.enforce_call(
             action='identity:ec2_create_credential', target_attr=target
         )
         PROVIDERS.identity_api.get_user(user_id)
-        tenant_id = self.request_body_json.get('tenant_id')
         PROVIDERS.resource_api.get_project(tenant_id)
         blob = {
             'access': uuid.uuid4().hex,
@@ -806,8 +807,12 @@ class UserAccessRuleListResource(ks_flask.ResourceBase):
     collection_key = 'access_rules'
     member_key = 'access_rule'
 
-    @validation.request_query_schema(app_cred_schema.index_request_query)
-    @validation.response_body_schema(app_cred_schema.rule_index_response_body)
+    @validation.request_query_schema(
+        app_cred_schema.access_rule_index_request_query
+    )
+    @validation.response_body_schema(
+        app_cred_schema.access_rule_index_response_body
+    )
     def get(self, user_id):
         """List access rules for user.
 
@@ -830,8 +835,12 @@ class UserAccessRuleGetDeleteResource(ks_flask.ResourceBase):
     collection_key = 'access_rules'
     member_key = 'access_rule'
 
-    @validation.request_query_schema(app_cred_schema.rule_show_request_query)
-    @validation.response_body_schema(app_cred_schema.rule_show_response_body)
+    @validation.request_query_schema(
+        app_cred_schema.access_rule_show_request_query
+    )
+    @validation.response_body_schema(
+        app_cred_schema.access_rule_show_response_body
+    )
     def get(self, user_id, access_rule_id):
         """Get access rule resource.
 

keystone/api/validation/__init__.py

@@ -16,9 +16,15 @@
 import typing as ty
 
 import flask
+from oslo_log import log
 from oslo_serialization import jsonutils
 
 from keystone.api.validation import validators
+import keystone.conf
+from keystone import exception
+
+CONF = keystone.conf.CONF
+LOG = log.getLogger(__name__)
 
 
 def validated(cls):
@@ -138,26 +144,40 @@ def add_validator(func):
         def wrapper(*args, **kwargs):
             response = func(*args, **kwargs)
 
-            if schema is not None:
-                # In Flask it is not uncommon that the method return a tuple of
-                # body and the status code. In the runtime Keystone only return
-                # a body, but some of the used testtools do return a tuple.
-                if isinstance(response, tuple):
-                    _body = response[0]
-                else:
-                    _body = response
-
-                # NOTE(stephenfin): If our response is an object, we need to
-                # serializer and deserialize to convert e.g. date-time
-                # to strings
-                _body = jsonutils.dump_as_bytes(_body)
-
-                if _body == b"":
-                    body = None
+            if CONF.api.response_validation == 'ignore':
+                # don't waste our time checking anything if we're ignoring
+                # schema errors
+                return response
+
+            if schema is None:
+                return response
+
+            # In Flask it is not uncommon that the method return a tuple of
+            # body and the status code. In the runtime Keystone only return
+            # a body, but some of the used testtools do return a tuple.
+            if isinstance(response, tuple):
+                _body = response[0]
+            else:
+                _body = response
+
+            # NOTE(stephenfin): If our response is an object, we need to
+            # serializer and deserialize to convert e.g. date-time
+            # to strings
+            _body = jsonutils.dump_as_bytes(_body)
+
+            if _body == b'':
+                body = None
+            else:
+                body = jsonutils.loads(_body)
+
+            try:
+                _schema_validator(schema, body, args, kwargs, is_body=True)
+            except exception.SchemaValidationError:
+                if CONF.api.response_validation == 'warn':
+                    LOG.exception('Schema failed to validate')
                 else:
-                    body = jsonutils.loads(_body)
+                    raise
 
-                _schema_validator(schema, body, args, kwargs, is_body=True)
             return response
 
         wrapper._response_body_schema = schema