| author | Jenkins <jenkins@review.openstack.org> | 2013-02-20 00:49:00 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-02-20 00:49:00 +0000 |
| commit | d87ee708295b1d7b00b466ea966a5eb89f8f0af1 (patch) | |
| tree | fb97aa0273ec18e0d3ff46990d5a41d89645ea67 | |
| parent | 3d4d0338b9478f5629e05e269245b280670f15a0 (diff) | |
| parent | 9572bfc393f66f5ce3b44c0a77a9e29cc0374c6f (diff) | |
Merge "Ensure user and tenant enabled in EC2"
| -rw-r--r-- | keystone/contrib/ec2/core.py | 3 | ||||
| -rw-r--r-- | keystone/token/controllers.py | 37 | ||||
| -rw-r--r-- | keystone/token/core.py | 54 |
3 files changed, 59 insertions, 35 deletions
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
index 02a0f649..d04b7455 100644
--- a/keystone/contrib/ec2/core.py
+++ b/keystone/contrib/ec2/core.py
@@ -161,6 +161,9 @@ class Ec2Controller(controller.V2Controller):
 user_id=user_ref['id'],
 tenant_id=tenant_ref['id'])
+ # Validate that the auth info is valid and nothing is disabled
+ token.validate_auth_info(self, context, user_ref, tenant_ref)
+
 # TODO(termie): optimize this call at some point and put it into the
 # the return for metadata
 # fill out the roles in the metadata
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
index 5dbfc0c3..c44f736c 100644
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
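Review bot: The new `token.validate_auth_info(self, context, user_ref, tenant_ref)` call runs only after the lookup keyed on `user_id=user_ref['id'], tenant_id=tenant_ref['id']` just above it, so a disabled user or tenant still gets that identity work done on their behalf before being rejected; moving the call ahead of that lookup would make the check fail-fast. The hunk adds no import, so `token` is presumably already bound in this module — worth confirming, since the diffstat for this file shows only these three insertions. The call also passes the controller as the function's `self`, which only works because `Ec2Controller` exposes `identity_api`; a comment such as `# validate_auth_info reads identity_api from the controller passed as its first argument` would make that dependency explicit. The enclosing method starts and ends outside the hunk.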
@@ -86,43 +86,10 @@ class Auth(controller.V2Controller):
 metadata_ref,
 expiry)
- # If the user is disabled don't allow them to authenticate
- if not user_ref.get('enabled', True):
- msg = 'User is disabled: %s' % user_ref['id']
- LOG.warning(msg)
- raise exception.Unauthorized(msg)
-
- # If the user's domain is disabled don't allow them to authenticate
- # TODO(dolph): remove this check after default-domain migration
- if user_ref.get('domain_id') is not None:
- user_domain_ref = self.identity_api.get_domain(
- context,
- user_ref['domain_id'])
- if user_domain_ref and not user_domain_ref.get('enabled', True):
- msg = 'Domain is disabled: %s' % user_domain_ref['id']
- LOG.warning(msg)
- raise exception.Unauthorized(msg)
+ # FIXME(dolph): domains will not be validated, as we just removed them
+ core.validate_auth_info(self, context, user_ref, tenant_ref)
 if tenant_ref:
- # If the project is disabled don't allow them to authenticate
- if not tenant_ref.get('enabled', True):
- msg = 'Tenant is disabled: %s' % tenant_ref['id']
- LOG.warning(msg)
- raise exception.Unauthorized(msg)
-
- # If the project's domain is disabled don't allow them to
- # authenticate
- # TODO(dolph): remove this check after default-domain migration
- if tenant_ref.get('domain_id') is not None:
- project_domain_ref = self.identity_api.get_domain(
- context,
- tenant_ref['domain_id'])
- if (project_domain_ref and
- not project_domain_ref.get('enabled', True)):
- msg = 'Domain is disabled: %s' % project_domain_ref['id']
- LOG.warning(msg)
- raise exception.Unauthorized(msg)
-
 catalog_ref = self.catalog_api.get_catalog(
 context=context,
 user_id=user_ref['id'],
diff --git a/keystone/token/core.py b/keystone/token/core.py
index 68bd94cd..4737f539 100644
--- a/keystone/token/core.py
+++ b/keystone/token/core.py
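Review bot: The added `# FIXME(dolph): domains will not be validated, as we just removed them` contradicts the call it annotates: `core.validate_auth_info`, added to keystone/token/core.py in this same commit, carries exactly the user-domain and project-domain enabled checks that this hunk removes, so the FIXME reads as though a regression were being accepted. Replace it with the wording used at the EC2 call site, `# Validate that the auth info is valid and nothing is disabled`, or drop it. The enclosing method of `Auth` starts and ends outside the hunk, so whether `tenant_ref` can be `None` at the call is not visible here, but `validate_auth_info` guards that case itself.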
@@ -20,6 +20,7 @@ import datetime
 from keystone.common import cms
 from keystone.common import dependency
+from keystone.common import logging
 from keystone.common import manager
 from keystone import config
 from keystone import exception
@@ -28,6 +29,7 @@ from keystone.openstack.common import timeutils
 CONF = config.CONF
 config.register_int('expiration', group='token', default=86400)
+LOG = logging.getLogger(__name__)
 def unique_id(token_id):
@@ -55,6 +57,58 @@ def default_expire_time():
 return timeutils.utcnow() + expire_delta
+def validate_auth_info(self, context, user_ref, tenant_ref):
+ """Validate user and tenant auth info.
+
+ Validate the user and tenant auth into in order to ensure that user and
+ tenant information is valid and not disabled.
+
+ Consolidate the checks here to ensure consistency between token auth and
+ ec2 auth.
+
+ :params context: keystone's request context
+ :params user_ref: the authenticating user
+ :params tenant_ref: the scope of authorization, if any
+ :raises Unauthorized: if any of the user, user's domain, tenant or
+ tenant's domain are either disabled or otherwise invalid
+ """
+ # If the user is disabled don't allow them to authenticate
+ if not user_ref.get('enabled', True):
+ msg = 'User is disabled: %s' % user_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
+
+ # If the user's domain is disabled don't allow them to authenticate
+ # TODO(dolph): remove this check after default-domain migration
+ if user_ref.get('domain_id') is not None:
+ user_domain_ref = self.identity_api.get_domain(
+ context,
+ user_ref['domain_id'])
+ if user_domain_ref and not user_domain_ref.get('enabled', True):
+ msg = 'Domain is disabled: %s' % user_domain_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
+
+ if tenant_ref:
+ # If the project is disabled don't allow them to authenticate
+ if not tenant_ref.get('enabled', True):
+ msg = 'Tenant is disabled: %s' % tenant_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
+
+ # If the project's domain is disabled don't allow them to authenticate
+ # TODO(dolph): remove this check after default-domain migration
+ if tenant_ref.get('domain_id') is not None:
+ project_domain_ref = self.identity_api.get_domain(
+ context,
+ tenant_ref['domain_id'])
+ if (project_domain_ref and
+ not project_domain_ref.get('enabled', True)):
+ msg = 'Domain is disabled: %s' % project_domain_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
+
+
 @dependency.provider('token_api')
 class Manager(manager.Manager):
 """Default pivot point for the Token backend. |
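Review bot: `validate_auth_info` is a module-level function whose first parameter is named `self` but is really the calling controller, used only for `self.identity_api.get_domain(...)`; naming it for what it is, `def validate_auth_info(controller, context, user_ref, tenant_ref):` with `controller.identity_api.get_domain(` at both `get_domain` calls, would make the contract clear and stop token/core.py from looking like a method that escaped its class. The docstring should document that first parameter, use `:param` rather than `:params`, and fix "auth into" to "auth info" in its second paragraph. Two defaults in the checks are fail-open and deserve a comment rather than silence: `user_ref.get('enabled', True)` (and the tenant equivalent) treats a missing `enabled` attribute as enabled, and `if user_domain_ref and ...` skips the domain check entirely when `get_domain` returns a falsy value — presumably intended for the pre-default-domain state the TODO(dolph) lines refer to, but worth stating, e.g. `# NOTE: a missing 'enabled' attribute or an unresolvable domain is treated as enabled`.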
