validate tenant id against account id during authN #44

Merged
merged 1 commit into from

3 participants

@bodenr

This change validates that a native OpenStack authN request which
contains a tenantId is validated against the user's SL account id. If the
two don't match, the authN request is invalid and rejected.

implements: #43

@bodenr bodenr validate tenant id against account id during authN
implements: softlayer/jumpgate#43
b75372a
@sudorandom
Collaborator

Looks good to me. +1

I'll let Nathan do the merge if he's okay with this change.

@beittenc beittenc merged commit e7fddd5 into softlayer:master
Commits on Feb 17, 2014
  1. @bodenr

    validate tenant id against account id during authN

    bodenr authored
Showing with 7 additions and 0 deletions.
  1. +7 −0 jumpgate/common/sl/auth.py
7 jumpgate/common/sl/auth.py
@@ -31,10 +31,16 @@ def get_new_token(credentials):
username = lookup(credentials, 'auth', 'passwordCredentials', 'username')
credential = lookup(credentials, 'auth', 'passwordCredentials', 'password')
+ def assert_tenant(user):
+ tenant = lookup(credentials, 'auth', 'tenantId')
+ if tenant and str(user['accountId']) != tenant:
+ raise Unauthorized('Invalid username, password or tenant id')
+
# If the 'password' is the right length, treat it as an API api_key
if len(credential) == 64:
client = Client(username=username, api_key=credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
+ assert_tenant(user)
return {'username': username,
'api_key': credential,
'auth_type': 'api_key',
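Review bot: In `assert_tenant`, the comparison `str(user['accountId']) != tenant` coerces only the account id, so if the request body carries `tenantId` as a number rather than a string, the two sides never compare equal and a correct tenant is rejected. Comparing against `str(tenant)` closes that gap. The guard `if tenant and ...` also skips the check for any falsy value, so an empty-string `tenantId` authenticates as if no tenant had been supplied; if that is intended, a short docstring on `assert_tenant` stating that the tenant is optional would make it explicit. Keeping one message for all failures ('Invalid username, password or tenant id') is a good choice, since it does not reveal which field was wrong.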
@@ -47,6 +53,7 @@ def get_new_token(credentials):
userId, tokenHash = client.authenticate_with_password(username,
credential)
user = client['Account'].getCurrentUser(mask=USER_MASK)
+ assert_tenant(user)
return {'userId': userId,
'tokenHash': tokenHash,
'auth_type': 'token',
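Review bot: In the password branch, `assert_tenant(user)` runs only after `client.authenticate_with_password(username, credential)` has returned `userId, tokenHash`, so on a tenant mismatch the request is rejected but the token that was just obtained is simply dropped, and nothing in this hunk invalidates it. The account id is only available from `getCurrentUser` after authenticating, so the ordering is hard to avoid, but a comment saying so (or cleanup of the token, if the client supports it) would help. The change touches only jumpgate/common/sl/auth.py; tests covering a matching, a mismatching and an absent `tenantId` for both the api_key and token branches should accompany it.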