| author | Dolph Mathews <dolph.mathews@gmail.com> | 2012-07-16 16:08:32 -0500 |
|---|---|---|
| committer | Dolph Mathews <dolph.mathews@gmail.com> | 2012-07-16 16:08:34 -0500 |
| commit | 4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685 (patch) | |
| tree | 75b35e2985cdd4855e218c4582386f159ed67443 | |
| parent | 4b97716e4a68cb55652fe2bfd62373adf2b417c5 (diff) | |
| download | keystone-4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685.tar.gz keystone-4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685.tar.xz keystone-4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685.zip | |
Raise unauthorized if tenant disabled (bug 988920)
If the client attempts to explicitly authenticate against a disabled
tenant, keystone should return HTTP 401 Unauthorized.
Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
| -rw-r--r-- | keystone/service.py | 14 | ||||
| -rw-r--r-- | tests/test_keystoneclient.py | 47 |
2 files changed, 60 insertions, 1 deletions
diff --git a/keystone/service.py b/keystone/service.py index 913b8761..eec858ee 100644 --- a/keystone/service.py +++ b/keystone/service.py @@ -20,7 +20,6 @@ import routes from keystone import catalog from keystone.common import logging -from keystone.common import utils from keystone.common import wsgi from keystone import exception from keystone import identity @@ -284,6 +283,11 @@ class TokenController(wsgi.Application): if not user_ref.get('enabled', True): LOG.warning('User %s is disabled' % user_id) raise exception.Unauthorized() + + # If the tenant is disabled don't allow them to authenticate + if tenant_ref and not tenant_ref.get('enabled', True): + LOG.warning('Tenant %s is disabled' % tenant_id) + raise exception.Unauthorized() except AssertionError as e: raise exception.Unauthorized(e.message) @@ -354,6 +358,14 @@ class TokenController(wsgi.Application): tenant_ref = None metadata_ref = {} catalog_ref = {} + except exception.MetadataNotFound: + metadata_ref = {} + catalog_ref = {} + + # If the tenant is disabled don't allow them to authenticate + if tenant_ref and not tenant_ref.get('enabled', True): + LOG.warning('Tenant %s is disabled' % tenant_id) + raise exception.Unauthorized() token_ref = self.token_api.create_token( context, token_id, dict(id=token_id, diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py index 69d4ffc2..944ca790 100644 --- a/tests/test_keystoneclient.py +++ b/tests/test_keystoneclient.py 
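Review bot: The five lines added in the @@ -284 hunk (comment, `tenant_ref.get('enabled', True)` test, warning, raise) are repeated verbatim in the @@ -354 hunk, so the two authentication paths now carry an identical policy check that can drift apart on the next edit; a small private helper on TokenController, called as `self._assert_tenant_enabled(tenant_ref, tenant_id)` from both places, keeps the rule in one spot. In both hunks a tenant record with no 'enabled' key is treated as enabled; this matches the existing user check just above in the first hunk, but since it is a fail-open default it deserves saying so in a comment. The added warnings interpolate eagerly with `%`; `LOG.warning('Tenant %s is disabled', tenant_id)` lets the logger do it only when the record is emitted. The enclosing TokenController methods start and end outside these hunks, so where tenant_ref and tenant_id are bound, and whether the same tenant_ref reaches the check after the new `except exception.MetadataNotFound` branch, is not visible here.
```python
    # … unchanged: existing TokenController methods …

    def _assert_tenant_enabled(self, tenant_ref, tenant_id):
        """Reject authentication scoped to a disabled tenant (bug 988920)."""
        # A tenant_ref without an 'enabled' key is treated as enabled,
        # matching the existing user check.
        if tenant_ref and not tenant_ref.get('enabled', True):
            LOG.warning('Tenant %s is disabled', tenant_id)
            raise exception.Unauthorized()
```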
@@ -180,6 +180,53 @@ class KeystoneClientTests(object): self.get_client, user_ref) + def test_authenticate_disabled_tenant(self): + from keystoneclient import exceptions as client_exceptions + + admin_client = self.get_client(admin=True) + + tenant = { + 'name': uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'enabled': False, + } + tenant_ref = admin_client.tenants.create( + tenant_name=tenant['name'], + description=tenant['description'], + enabled=tenant['enabled']) + tenant['id'] = tenant_ref.id + + user = { + 'name': uuid.uuid4().hex, + 'password': uuid.uuid4().hex, + 'email': uuid.uuid4().hex, + 'tenant_id': tenant['id'], + } + user_ref = admin_client.users.create( + name=user['name'], + password=user['password'], + email=user['email'], + tenant_id=user['tenant_id']) + user['id'] = user_ref.id + + # password authentication + self.assertRaises( + client_exceptions.Unauthorized, + self._client, + username=user['name'], + password=user['password'], + tenant_id=tenant['id']) + + # token authentication + client = self._client( + username=user['name'], + password=user['password']) + self.assertRaises( + client_exceptions.Unauthorized, + self._client, + token=client.auth_token, + tenant_id=tenant['id']) + # FIXME(ja): this test should require the "keystone:admin" roled # (probably the role set via --keystone_admin_role flag) # FIXME(ja): add a test that admin endpoint is only sent to admin user |
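Review bot: The "token authentication" half of test_authenticate_disabled_tenant first performs an unscoped password login for a user whose default tenant is the disabled one, and the test only passes if that unscoped login succeeds; that is a real behavioural assertion about the change (only explicitly scoped requests are rejected) and should be stated, e.g. `# unscoped authentication must still succeed; only scoping to the disabled tenant is rejected` above the `client = self._client(...)` call. Both assertRaises cases scope by tenant_id only, while the service-side check is on the resolved tenant_ref; a third case such as `self.assertRaises(client_exceptions.Unauthorized, self._client, username=user['name'], password=user['password'], tenant_name=tenant['name'])` would cover scoping by name as well, if the client supports that argument. The test also leaves the created tenant and user behind; whether neighbouring tests clean up is not visible in this hunk, and the enclosing KeystoneClientTests class continues past it.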
