diff options
| author | Jenkins <jenkins@review.openstack.org> | 2012-05-19 19:45:24 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2012-05-19 19:45:24 +0000 |
| commit | 014ccd9a62fe8a0976d3d455181841eb04499298 (patch) | |
| tree | aaaac9632d033c7c7b452da3df29455b25cb3f5e /keystone | |
| parent | 507294ab1a65726dceaf8fe4b7c3a2ad3bd71b56 (diff) | |
| parent | 628149b3dc6b58b91fd08e6ca8d91c728ccb8626 (diff) | |
Merge "Invalidate user tokens when a user is disabled"
Diffstat (limited to 'keystone')
| -rw-r--r-- | keystone/identity/core.py | 22 | ||||
| -rw-r--r-- | keystone/service.py | 14 |
2 files changed, 25 insertions, 11 deletions
diff --git a/keystone/identity/core.py b/keystone/identity/core.py index a0cacb3e..6421ea26 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py @@ -418,6 +418,17 @@ class UserController(wsgi.Application): raise exception.UserNotFound(user_id=user_id) user_ref = self.identity_api.update_user(context, user_id, user) + + # If the password was changed or the user was disabled we clear tokens + if user.get('password') or user.get('enabled', True) == False: + try: + for token_id in self.token_api.list_tokens(context, user_id): + self.token_api.delete_token(context, token_id) + except exception.NotImplemented: + # The users status has been changed but tokens remain valid for + # backends that can't list tokens for users + LOG.warning('User %s status has changed, but existing tokens ' + 'remain valid' % user_id) return {'user': user_ref} def delete_user(self, context, user_id): @@ -431,16 +442,7 @@ class UserController(wsgi.Application): return self.update_user(context, user_id, user) def set_user_password(self, context, user_id, user): - user_ref = self.update_user(context, user_id, user) - try: - for token_id in self.token_api.list_tokens(context, user_id): - self.token_api.delete_token(context, token_id) - except exception.NotImplemented: - # The password has been changed but tokens remain valid for - # backends that can't list tokens for users - LOG.warning('Password changed for %s, but existing tokens remain ' - 'valid' % user_id) - return user_ref + return self.update_user(context, user_id, user) def update_user_tenant(self, context, user_id, user): """Update the default tenant.""" diff --git a/keystone/service.py b/keystone/service.py index 1cb455dd..2b024f4e 100644 --- a/keystone/service.py +++ b/keystone/service.py @@ -28,6 +28,9 @@ from keystone.common import utils from keystone.common import wsgi +LOG = logging.getLogger(__name__) + + class AdminRouter(wsgi.ComposingRouter): def __init__(self): mapper = routes.Mapper() @@ -275,7 +278,8 @@ class TokenController(wsgi.Application): # If the user is disabled don't allow them to authenticate if not user_ref.get('enabled', True): - raise exception.Forbidden(message='User has been disabled') + LOG.warning('User %s is disabled' % user_id) + raise exception.Unauthorized() except AssertionError as e: raise exception.Unauthorized(e.message) @@ -314,6 +318,14 @@ class TokenController(wsgi.Application): user_ref = old_token_ref['user'] + # If the user is disabled don't allow them to authenticate + current_user_ref = self.identity_api.get_user( + context=context, + user_id=user_ref['id']) + if not current_user_ref.get('enabled', True): + LOG.warning('User %s is disabled' % user_ref['id']) + raise exception.Unauthorized() + tenants = self.identity_api.get_tenants_for_user(context, user_ref['id']) if tenant_id: |