Merge "Expose auth failure details in debug mode"

openstack · Nov 20, 2012 · 07c1aaf · 07c1aaf
2 parents d8aa7fd + 01fccdb
commit 07c1aaf
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 37 deletions.
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
@@ -246,8 +246,8 @@ def assert_admin(self, context):
             try:
                 user_token_ref = self.token_api.get_token(
                     context=context, token_id=context['token_id'])
-            except exception.TokenNotFound:
-                raise exception.Unauthorized()
+            except exception.TokenNotFound as e:
+                raise exception.Unauthorized(e)
 
             creds = user_token_ref['metadata'].copy()
 

diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
@@ -294,11 +294,11 @@ def _assert_identity(self, context, user_id):
             token_ref = self.token_api.get_token(
                 context=context,
                 token_id=context['token_id'])
-        except exception.TokenNotFound:
-            raise exception.Unauthorized()
-        token_user_id = token_ref['user'].get('id')
-        if not token_user_id == user_id:
-            raise exception.Forbidden()
+        except exception.TokenNotFound as e:
+            raise exception.Unauthorized(e)
+
+        if token_ref['user'].get('id') != user_id:
+            raise exception.Forbidden('Token belongs to another user')
 
     def _is_admin(self, context):
         """Wrap admin assertion error return statement.
@@ -324,7 +324,7 @@ def _assert_owner(self, context, user_id, credential_id):
         """
         cred_ref = self.ec2_api.get_credential(context, credential_id)
         if not user_id == cred_ref['user_id']:
-            raise exception.Forbidden()
+            raise exception.Forbidden('Credential belongs to another user')
 
     def _assert_valid_user_id(self, context, user_id):
         """Ensure a valid user id.

diff --git a/keystone/contrib/s3/core.py b/keystone/contrib/s3/core.py
@@ -54,4 +54,4 @@ def check_signature(self, creds_ref, credentials):
         signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
 
         if not utils.auth_str_equal(credentials['signature'], signed):
-            raise exception.Unauthorized()
+            raise exception.Unauthorized('Credential signature mismatch')
diff --git a/keystone/contrib/user_crud/core.py b/keystone/contrib/user_crud/core.py
@@ -42,16 +42,20 @@ def set_user_password(self, context, user_id, user):
                                              token_id=token_id)
         user_id_from_token = token_ref['user']['id']
 
-        if user_id_from_token != user_id or original_password is None:
-            raise exception.Forbidden()
+        if user_id_from_token != user_id:
+            raise exception.Forbidden('Token belongs to another user')
+        if original_password is None:
+            raise exception.ValidationError(target='user',
+                                            attribute='original password')
 
         try:
             user_ref = self.identity_api.authenticate(
                 context=context,
                 user_id=user_id_from_token,
                 password=original_password)[0]
             if not user_ref.get('enabled', True):
-                raise exception.Unauthorized()
+                # NOTE(dolph): why can't you set a disabled user's password?
+                raise exception.Unauthorized('User is disabled')
         except AssertionError:
             raise exception.Unauthorized()
 

diff --git a/keystone/identity/core.py b/keystone/identity/core.py
@@ -513,10 +513,9 @@ def get_tenants_for_token(self, context, **kw):
         try:
             token_ref = self.token_api.get_token(context=context,
                                                  token_id=context['token_id'])
-        except exception.NotFound:
-            LOG.warning("Authentication failed. Could not find token " +
-                        str(context['token_id']))
-            raise exception.Unauthorized()
+        except exception.NotFound as e:
+            LOG.warning('Authentication failed: %s' % e)
+            raise exception.Unauthorized(e)
 
         user_ref = token_ref['user']
         tenant_ids = self.identity_api.get_tenants_for_user(

diff --git a/keystone/service.py b/keystone/service.py
@@ -484,13 +484,15 @@ def authenticate(self, context, auth=None):
 
         # If the user is disabled don't allow them to authenticate
         if not user_ref.get('enabled', True):
-            LOG.warning('User %s is disabled' % user_ref["id"])
-            raise exception.Unauthorized()
+            msg = 'User is disabled: %s' % user_ref['id']
+            LOG.warning(msg)
+            raise exception.Unauthorized(msg)
 
         # If the tenant is disabled don't allow them to authenticate
         if tenant_ref and not tenant_ref.get('enabled', True):
-            LOG.warning('Tenant %s is disabled' % tenant_ref["id"])
-            raise exception.Unauthorized()
+            msg = 'Tenant is disabled: %s' % tenant_ref['id']
+            LOG.warning(msg)
+            raise exception.Unauthorized(msg)
 
         if tenant_ref:
             catalog_ref = self.catalog_api.get_catalog(
@@ -562,9 +564,8 @@ def _authenticate_token(self, context, auth):
         try:
             old_token_ref = self.token_api.get_token(context=context,
                                                      token_id=old_token)
-        except exception.NotFound:
-            LOG.warning("Token not found: " + str(old_token))
-            raise exception.Unauthorized()
+        except exception.NotFound as e:
+            raise exception.Unauthorized(e)
 
         user_ref = old_token_ref['user']
         user_id = user_ref['id']
@@ -614,9 +615,8 @@ def _authenticate_local(self, context, auth):
                 user_ref = self.identity_api.get_user_by_name(
                     context=context, user_name=username)
                 user_id = user_ref['id']
-            except exception.UserNotFound:
-                LOG.warn("User not found: %s" % user_id)
-                raise exception.Unauthorized()
+            except exception.UserNotFound as e:
+                raise exception.Unauthorized(e)
 
         tenant_id = self._get_tenant_id_from_auth(context, auth)
 
@@ -627,7 +627,7 @@ def _authenticate_local(self, context, auth):
                 password=password,
                 tenant_id=tenant_id)
         except AssertionError as e:
-            raise exception.Unauthorized(str(e))
+            raise exception.Unauthorized(e)
         (user_ref, tenant_ref, metadata_ref) = auth_info
 
         expiry = self.token_api._get_default_expire_time(context=context)
@@ -651,9 +651,8 @@ def _authenticate_external(self, context, auth):
             user_ref = self.identity_api.get_user_by_name(
                 context=context, user_name=username)
             user_id = user_ref['id']
-        except exception.UserNotFound:
-            LOG.warn("User not found: %s" % username)
-            raise exception.Unauthorized()
+        except exception.UserNotFound as e:
+            raise exception.Unauthorized(e)
 
         tenant_id = self._get_tenant_id_from_auth(context, auth)
 
@@ -686,8 +685,8 @@ def _get_tenant_id_from_auth(self, context, auth):
                 tenant_ref = self.identity_api.get_tenant_by_name(
                     context=context, tenant_name=tenant_name)
                 tenant_id = tenant_ref['id']
-            except exception.TenantNotFound:
-                raise exception.Unauthorized()
+            except exception.TenantNotFound as e:
+                raise exception.Unauthorized(e)
         return tenant_id
 
     def _get_tenant_ref(self, context, user_id, tenant_id):
@@ -696,15 +695,16 @@ def _get_tenant_ref(self, context, user_id, tenant_id):
         if tenant_id:
             tenants = self.identity_api.get_tenants_for_user(context, user_id)
             if tenant_id not in tenants:
-                LOG.warning('User %s is unauthorized for tenant %s'
-                            % (user_id, tenant_id))
-                raise exception.Unauthorized()
+                msg = 'User %s is unauthorized for tenant %s' % (
+                    user_id, tenant_id)
+                LOG.warning(msg)
+                raise exception.Unauthorized(msg)
 
             try:
                 tenant_ref = self.identity_api.get_tenant(context=context,
                                                           tenant_id=tenant_id)
-            except exception.TenantNotFound:
-                exception.Unauthorized()
+            except exception.TenantNotFound as e:
+                exception.Unauthorized(e)
         return tenant_ref
 
     def _get_metadata_ref(self, context, user_id, tenant_id):