Ensure user and tenant enabled in EC2

Fixes bug 1121494. Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc
openstack · Feb 19, 2013 · f0b4d30 · f0b4d30
1 parent 82c87e5
commit f0b4d30
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
@@ -37,6 +37,7 @@
 import uuid
 
 from keystone import catalog
+from keystone.common import logging
 from keystone.common import manager
 from keystone.common import utils
 from keystone.common import wsgi
@@ -49,6 +50,7 @@
 
 
 CONF = config.CONF
+LOG = logging.getLogger(__name__)
 
 
 class Manager(manager.Manager):
@@ -117,9 +119,9 @@ def check_signature(self, creds_ref, credentials):
             credentials['host'] = hostname
             signature = signer.generate(credentials)
             if not utils.auth_str_equal(credentials.signature, signature):
-                raise exception.Unauthorized(message='Invalid EC2 signature.')
+                raise exception.Unauthorized()
         else:
-            raise exception.Unauthorized(message='EC2 signature not supplied.')
+            raise exception.Unauthorized()
 
     def authenticate(self, context, credentials=None, ec2Credentials=None):
         """Validate a signed EC2 request and provide a token.
@@ -149,7 +151,7 @@ def authenticate(self, context, credentials=None, ec2Credentials=None):
             credentials = ec2Credentials
 
         if not 'access' in credentials:
-            raise exception.Unauthorized(message='EC2 signature not supplied.')
+            raise exception.Unauthorized()
 
         creds_ref = self._get_credentials(context,
                                           credentials['access'])
@@ -161,9 +163,19 @@ def authenticate(self, context, credentials=None, ec2Credentials=None):
         tenant_ref = self.identity_api.get_tenant(
             context=context,
             tenant_id=creds_ref['tenant_id'])
+        # If the tenant is disabled don't allow them to authenticate
+        if tenant_ref and not tenant_ref.get('enabled', True):
+            msg = 'Tenant %s is disabled' % tenant_ref['id']
+            LOG.warning(msg)
+            raise exception.Unauthorized()
         user_ref = self.identity_api.get_user(
             context=context,
             user_id=creds_ref['user_id'])
+        # If the user is disabled don't allow them to authenticate
+        if not user_ref.get('enabled', True):
+            msg = 'User %s is disabled' % user_ref['id']
+            LOG.warning(msg)
+            raise exception.Unauthorized()
         metadata_ref = self.identity_api.get_metadata(
             context=context,
             user_id=user_ref['id'],
@@ -174,7 +186,7 @@ def authenticate(self, context, credentials=None, ec2Credentials=None):
         # fill out the roles in the metadata
         roles = metadata_ref.get('roles', [])
         if not roles:
-            raise exception.Unauthorized(message='User not valid for tenant.')
+            raise exception.Unauthorized()
         roles_ref = [self.identity_api.get_role(context, role_id)
                      for role_id in roles]
 
@@ -279,7 +291,7 @@ def _get_credentials(self, context, credential_id):
         creds = self.ec2_api.get_credential(context,
                                             credential_id)
         if not creds:
-            raise exception.Unauthorized(message='EC2 access key not found.')
+            raise exception.Unauthorized()
         return creds
 
     def _assert_identity(self, context, user_id):