authorDolph Mathews <dolph.mathews@gmail.com>2012-07-16 16:08:32 -0500
committerDolph Mathews <dolph.mathews@gmail.com>2012-07-16 16:08:34 -0500
commit4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685 (patch)
tree75b35e2985cdd4855e218c4582386f159ed67443 /keystone
parent4b97716e4a68cb55652fe2bfd62373adf2b417c5 (diff)
Raise unauthorized if tenant disabled (bug 988920)
If the client attempts to explicitly authenticate against a disabled tenant, keystone should return HTTP 401 Unauthorized. Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
Diffstat (limited to 'keystone')
-rw-r--r--keystone/service.py14
1 files changed, 13 insertions, 1 deletions
diff --git a/keystone/service.py b/keystone/service.py
index 913b8761..eec858ee 100644
--- a/keystone/service.py
+++ b/keystone/service.py
@@ -20,7 +20,6 @@ import routes
from keystone import catalog
from keystone.common import logging
-from keystone.common import utils
from keystone.common import wsgi
from keystone import exception
from keystone import identity
@@ -284,6 +283,11 @@ class TokenController(wsgi.Application):
if not user_ref.get('enabled', True):
LOG.warning('User %s is disabled' % user_id)
raise exception.Unauthorized()
+
+ # If the tenant is disabled don't allow them to authenticate
+ if tenant_ref and not tenant_ref.get('enabled', True):
+ LOG.warning('Tenant %s is disabled' % tenant_id)
+ raise exception.Unauthorized()
except AssertionError as e:
raise exception.Unauthorized(e.message)
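Review bot: The added tenant guard fails open, because `tenant_ref.get('enabled', True)` treats a tenant record with no `enabled` key as enabled. This matches the user check at the top of the hunk, so it may be deliberate for backends that do not store the flag. If so, a comment should record the assumption, for example `# A tenant record without an 'enabled' key is treated as enabled`. Otherwise the default should be reconsidered for both checks. The same three-line guard is added again in the hunk at -354, so a small private helper on TokenController taking `tenant_ref` and `tenant_id` would keep the two copies from drifting. The enclosing method and its `try` block start outside this hunk.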
@@ -354,6 +358,14 @@ class TokenController(wsgi.Application):
tenant_ref = None
metadata_ref = {}
catalog_ref = {}
+ except exception.MetadataNotFound:
+ metadata_ref = {}
+ catalog_ref = {}
+
+ # If the tenant is disabled don't allow them to authenticate
+ if tenant_ref and not tenant_ref.get('enabled', True):
+ LOG.warning('Tenant %s is disabled' % tenant_id)
+ raise exception.Unauthorized()
token_ref = self.token_api.create_token(
context, token_id, dict(id=token_id,
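Review bot: The added `except exception.MetadataNotFound:` handler is not mentioned in the commit message, and it has neither a comment nor a log line. It swallows the error and falls through to `create_token` with empty `metadata_ref` and `catalog_ref`, leaving `tenant_ref` as whatever the `try` body assigned. A token is therefore presumably still issued for that tenant, with no metadata attached. If that is intended, say so at the handler, for example `# No metadata for this user/tenant pair: continue with empty metadata and catalog`. A test for this path alongside the disabled-tenant case would also help. The `try` body that these handlers belong to starts outside the hunk, so which call raises `MetadataNotFound` cannot be confirmed from here.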