diff options
| author | Jenkins <jenkins@review.openstack.org> | 2013-03-20 08:26:50 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-03-20 08:26:50 +0000 |
| commit | 3c9768f6e002eac556a0e2f23d8f2cdd0ecfa5eb (patch) | |
| tree | 9f90c4b02c5ce7f90c31db3bc5ee8f30e1f9d789 /keystone | |
| parent | 533bb01947199e20b840917ab5ee387451b174a0 (diff) | |
| parent | cd3f58a8d05010838bd5e2d095103c2623499112 (diff) | |
Merge "Validate domains unconditionally (bug 1130236)"
Diffstat (limited to 'keystone')
| -rw-r--r-- | keystone/auth/plugins/password.py | 3 | ||||
| -rw-r--r-- | keystone/common/kvs.py | 5 | ||||
| -rw-r--r-- | keystone/test.py | 28 | ||||
| -rw-r--r-- | keystone/token/controllers.py | 4 | ||||
| -rw-r--r-- | keystone/token/core.py | 34 |
5 files changed, 46 insertions, 28 deletions
diff --git a/keystone/auth/plugins/password.py b/keystone/auth/plugins/password.py index 46ae6cb9..9d924059 100644 --- a/keystone/auth/plugins/password.py +++ b/keystone/auth/plugins/password.py @@ -91,6 +91,9 @@ class UserAuthInfo(object): else: user_ref = self.identity_api.get_user( context=self.context, user_id=user_id) + domain_ref = self.identity_api.get_domain( + context=self.context, domain_id=user_ref['domain_id']) + self._assert_domain_is_enabled(domain_ref) except exception.UserNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) diff --git a/keystone/common/kvs.py b/keystone/common/kvs.py index a0062fa2..b517bc5d 100644 --- a/keystone/common/kvs.py +++ b/keystone/common/kvs.py @@ -20,7 +20,10 @@ from keystone import exception class DictKvs(dict): def get(self, key, default=None): try: - return self[key] + if isinstance(self[key], dict): + return self[key].copy() + else: + return self[key][:] except KeyError: if default is not None: return default diff --git a/keystone/test.py b/keystone/test.py index 3a28b5ff..afe77255 100644 --- a/keystone/test.py +++ b/keystone/test.py @@ -242,25 +242,43 @@ class TestCase(NoModule, unittest.TestCase): # TODO(termie): doing something from json, probably based on Django's # loaddata will be much preferred. if hasattr(self, 'identity_api'): + for domain in fixtures.DOMAINS: + try: + rv = self.identity_api.create_domain(domain['id'], domain) + except (exception.Conflict, exception.NotImplemented): + pass + setattr(self, 'domain_%s' % domain['id'], domain) + for tenant in fixtures.TENANTS: - rv = self.identity_api.create_project(tenant['id'], tenant) + try: + rv = self.identity_api.create_project(tenant['id'], tenant) + except exception.Conflict: + rv = self.identity_api.get_project(tenant['id']) + pass setattr(self, 'tenant_%s' % tenant['id'], rv) for role in fixtures.ROLES: try: rv = self.identity_api.create_role(role['id'], role) except exception.Conflict: + rv = self.identity_api.get_role(role['id']) pass setattr(self, 'role_%s' % role['id'], rv) for user in fixtures.USERS: user_copy = user.copy() tenants = user_copy.pop('tenants') - rv = self.identity_api.create_user(user['id'], - user_copy.copy()) + try: + rv = self.identity_api.create_user(user['id'], + user_copy.copy()) + except exception.Conflict: + pass for tenant_id in tenants: - self.identity_api.add_user_to_project(tenant_id, - user['id']) + try: + self.identity_api.add_user_to_project(tenant_id, + user['id']) + except exception.Conflict: + pass setattr(self, 'user_%s' % user['id'], user_copy) for metadata in fixtures.METADATA: diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index 06a1fe64..8491a623 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py @@ -79,6 +79,7 @@ class Auth(controller.V2Controller): context, auth) user_ref, tenant_ref, metadata_ref, expiry = auth_info + core.validate_auth_info(self, context, user_ref, tenant_ref) trust_id = metadata_ref.get('trust_id') user_ref = self._filter_domain_id(user_ref) if tenant_ref: @@ -88,9 +89,6 @@ class Auth(controller.V2Controller): metadata_ref, expiry) - # FIXME(dolph): domains will not be validated, as we just removed them - core.validate_auth_info(self, context, user_ref, tenant_ref) - if tenant_ref: catalog_ref = self.catalog_api.get_catalog( context=context, diff --git a/keystone/token/core.py b/keystone/token/core.py index 495e295a..5c3830da 100644 --- a/keystone/token/core.py +++ b/keystone/token/core.py @@ -79,15 +79,13 @@ def validate_auth_info(self, context, user_ref, tenant_ref): raise exception.Unauthorized(msg) # If the user's domain is disabled don't allow them to authenticate - # TODO(dolph): remove this check after default-domain migration - if user_ref.get('domain_id') is not None: - user_domain_ref = self.identity_api.get_domain( - context, - user_ref['domain_id']) - if user_domain_ref and not user_domain_ref.get('enabled', True): - msg = 'Domain is disabled: %s' % user_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) + user_domain_ref = self.identity_api.get_domain( + context, + user_ref['domain_id']) + if user_domain_ref and not user_domain_ref.get('enabled', True): + msg = 'Domain is disabled: %s' % user_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) if tenant_ref: # If the project is disabled don't allow them to authenticate @@ -97,16 +95,14 @@ def validate_auth_info(self, context, user_ref, tenant_ref): raise exception.Unauthorized(msg) # If the project's domain is disabled don't allow them to authenticate - # TODO(dolph): remove this check after default-domain migration - if tenant_ref.get('domain_id') is not None: - project_domain_ref = self.identity_api.get_domain( - context, - tenant_ref['domain_id']) - if (project_domain_ref and - not project_domain_ref.get('enabled', True)): - msg = 'Domain is disabled: %s' % project_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) + project_domain_ref = self.identity_api.get_domain( + context, + tenant_ref['domain_id']) + if (project_domain_ref and + not project_domain_ref.get('enabled', True)): + msg = 'Domain is disabled: %s' % project_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) @dependency.provider('token_api') |