Description: Raise unauthorized if tenant disabled
If the client attempts to explicitly authenticate against a disabled
tenant, keystone should return HTTP 401 Unauthorized.
Bug-Debian: http://bugs.debian.org/689210
Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/988920
Author: Dolph Mathews <dolph.mathews@gmail.com>
9
Index: keystone/keystone/service.py
10
===================================================================
11
--- keystone.orig/keystone/service.py 2012-10-01 06:25:28.000000000 +0000
12
+++ keystone/keystone/service.py 2012-10-01 06:25:41.000000000 +0000
14
if not user_ref.get('enabled', True):
15
LOG.warning('User %s is disabled' % user_id)
16
raise exception.Unauthorized()
18
+ # If the tenant is disabled don't allow them to authenticate
19
+ if tenant_ref and not tenant_ref.get('enabled', True):
20
+ LOG.warning('Tenant %s is disabled' % tenant_id)
21
+ raise exception.Unauthorized()
22
except AssertionError as e:
23
raise exception.Unauthorized(e.message)
27
tenant_ref = self.identity_api.get_tenant(context=context,
30
+ # If the tenant is disabled don't allow them to authenticate
31
+ if tenant_ref and not tenant_ref.get('enabled', True):
32
+ LOG.warning('Tenant %s is disabled' % tenant_id)
33
+ raise exception.Unauthorized()
36
metadata_ref = self.identity_api.get_metadata(
38
Index: keystone/tests/test_keystoneclient.py
39
===================================================================
40
--- keystone.orig/tests/test_keystoneclient.py 2012-10-01 06:25:41.000000000 +0000
41
+++ keystone/tests/test_keystoneclient.py 2012-10-01 06:25:41.000000000 +0000
46
+ def test_authenticate_disabled_tenant(self):
47
+ from keystoneclient import exceptions as client_exceptions
49
+ admin_client = self.get_client(admin=True)
52
+ 'name': uuid.uuid4().hex,
53
+ 'description': uuid.uuid4().hex,
56
+ tenant_ref = admin_client.tenants.create(
57
+ tenant_name=tenant['name'],
58
+ description=tenant['description'],
59
+ enabled=tenant['enabled'])
60
+ tenant['id'] = tenant_ref.id
63
+ 'name': uuid.uuid4().hex,
64
+ 'password': uuid.uuid4().hex,
65
+ 'email': uuid.uuid4().hex,
66
+ 'tenant_id': tenant['id'],
68
+ user_ref = admin_client.users.create(
70
+ password=user['password'],
71
+ email=user['email'],
72
+ tenant_id=user['tenant_id'])
73
+ user['id'] = user_ref.id
75
+ # password authentication
77
+ client_exceptions.Unauthorized,
79
+ username=user['name'],
80
+ password=user['password'],
81
+ tenant_id=tenant['id'])
83
+ # token authentication
84
+ client = self._client(
85
+ username=user['name'],
86
+ password=user['password'])
88
+ client_exceptions.Unauthorized,
90
+ token=client.auth_token,
91
+ tenant_id=tenant['id'])
93
# FIXME(ja): this test should require the "keystone:admin" roled
94
# (probably the role set via --keystone_admin_role flag)
95
# FIXME(ja): add a test that admin endpoint is only sent to admin user
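Review bot: The two `client_exceptions.Unauthorized` expectations (the password and token checks around patch lines 77–91) would also pass if the 401 came from an unrelated cause, such as the new user holding no role on the tenant, because nothing in the test shows scoped authentication to this tenant ever succeeding; a positive control ties the failure to the disabled flag. After the two negative checks, re-enable the tenant and assert the same scoped authentication now succeeds, e.g. `admin_client.tenants.update(tenant['id'], enabled=True)` followed by `self._client(username=user['name'], password=user['password'], tenant_id=tenant['id'])`, if the admin client exposes a tenant update call as the v2 keystoneclient manager does. The tenant and user created here are never deleted; unless the base fixture resets the identity backend between tests, they will accumulate across the run. The line that sets `tenant['enabled']` and the assertRaises calls themselves are not shown in this rendering, so the exact call shape is inferred from the surrounding keyword arguments.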