diff options
| author | Dolph Mathews <dolph.mathews@gmail.com> | 2013-02-19 10:39:22 -0600 |
|---|---|---|
| committer | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-03-19 19:19:59 +0000 |
| commit | cd3f58a8d05010838bd5e2d095103c2623499112 (patch) | |
| tree | b0fe0e0553c71a4d5f603e4acf78e53fc5dd09e4 /keystone/token | |
| parent | a066b69fbe1ad2e3f577a3a21487d2eaebe22a15 (diff) | |
| download | keystone-cd3f58a8d05010838bd5e2d095103c2623499112.tar.gz keystone-cd3f58a8d05010838bd5e2d095103c2623499112.tar.xz keystone-cd3f58a8d05010838bd5e2d095103c2623499112.zip | |
Validate domains unconditionally (bug 1130236)
Ensure that we validate the domain status of user/project for
a user authenticating via the v2 API.
This patch builds on the initial functional change done by Dolph,
and fixes up the tests that broke sure to domain being required in
any tests that setup data directly in the backends.
Fixes Bug #1130236
Change-Id: I66dfd453fb95fa4fa3fde713b663386a2c2ecdf8
Diffstat (limited to 'keystone/token')
| -rw-r--r-- | keystone/token/controllers.py | 4 | ||||
| -rw-r--r-- | keystone/token/core.py | 34 |
2 files changed, 16 insertions, 22 deletions
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index 06a1fe64..8491a623 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py @@ -79,6 +79,7 @@ class Auth(controller.V2Controller): context, auth) user_ref, tenant_ref, metadata_ref, expiry = auth_info + core.validate_auth_info(self, context, user_ref, tenant_ref) trust_id = metadata_ref.get('trust_id') user_ref = self._filter_domain_id(user_ref) if tenant_ref: @@ -88,9 +89,6 @@ class Auth(controller.V2Controller): metadata_ref, expiry) - # FIXME(dolph): domains will not be validated, as we just removed them - core.validate_auth_info(self, context, user_ref, tenant_ref) - if tenant_ref: catalog_ref = self.catalog_api.get_catalog( context=context, diff --git a/keystone/token/core.py b/keystone/token/core.py index 495e295a..5c3830da 100644 --- a/keystone/token/core.py +++ b/keystone/token/core.py @@ -79,15 +79,13 @@ def validate_auth_info(self, context, user_ref, tenant_ref): raise exception.Unauthorized(msg) # If the user's domain is disabled don't allow them to authenticate - # TODO(dolph): remove this check after default-domain migration - if user_ref.get('domain_id') is not None: - user_domain_ref = self.identity_api.get_domain( - context, - user_ref['domain_id']) - if user_domain_ref and not user_domain_ref.get('enabled', True): - msg = 'Domain is disabled: %s' % user_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) + user_domain_ref = self.identity_api.get_domain( + context, + user_ref['domain_id']) + if user_domain_ref and not user_domain_ref.get('enabled', True): + msg = 'Domain is disabled: %s' % user_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) if tenant_ref: # If the project is disabled don't allow them to authenticate @@ -97,16 +95,14 @@ def validate_auth_info(self, context, user_ref, tenant_ref): raise exception.Unauthorized(msg) # If the project's domain is disabled don't allow them to authenticate - # TODO(dolph): remove this check after default-domain migration - if tenant_ref.get('domain_id') is not None: - project_domain_ref = self.identity_api.get_domain( - context, - tenant_ref['domain_id']) - if (project_domain_ref and - not project_domain_ref.get('enabled', True)): - msg = 'Domain is disabled: %s' % project_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) + project_domain_ref = self.identity_api.get_domain( + context, + tenant_ref['domain_id']) + if (project_domain_ref and + not project_domain_ref.get('enabled', True)): + msg = 'Domain is disabled: %s' % project_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) @dependency.provider('token_api') |