
Raise unauthorized if tenant disabled (bug 988920)

If the client attempts to explicitly authenticate against a disabled
tenant, keystone should return HTTP 401 Unauthorized.

Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
dolph committed Jul 16, 2012
1 parent 4b97716 commit 4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685
Showing with 60 additions and 1 deletion.
  1. +13 −1 keystone/service.py
  2. +47 −0 tests/test_keystoneclient.py
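--- a/keystone/service.py
+++ b/keystone/service.py
@@ -20,7 +20,6 @@
 from keystone import catalog
 from keystone.common import logging
-from keystone.common import utils
 from keystone.common import wsgi
 from keystone import exception
 from keystone import identity
@@ -284,6 +283,11 @@ def authenticate(self, context, auth=None):
 if not user_ref.get('enabled', True):
 LOG.warning('User %s is disabled' % user_id)
 raise exception.Unauthorized()
+
+ # If the tenant is disabled don't allow them to authenticate
+ if tenant_ref and not tenant_ref.get('enabled', True):
+ LOG.warning('Tenant %s is disabled' % tenant_id)
+ raise exception.Unauthorized()
 except AssertionError as e:
 raise exception.Unauthorized(e.message)
@@ -354,6 +358,14 @@ def authenticate(self, context, auth=None):
 tenant_ref = None
 metadata_ref = {}
 catalog_ref = {}
+ except exception.MetadataNotFound:
+ metadata_ref = {}
+ catalog_ref = {}
+
+ # If the tenant is disabled don't allow them to authenticate
+ if tenant_ref and not tenant_ref.get('enabled', True):
+ LOG.warning('Tenant %s is disabled' % tenant_id)
+ raise exception.Unauthorized()
 token_ref = self.token_api.create_token(
 context, token_id, dict(id=token_id,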
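Review bot: The disabled-tenant guard is now written twice in authenticate, once in the second hunk after the disabled-user check and again in the third hunk after the new except arm, with the same condition `if tenant_ref and not tenant_ref.get('enabled', True):`, the same warning and the same raise; a small helper called from both places would keep the two copies from drifting the next time one of them is touched. Separately, the new `except exception.MetadataNotFound:` arm keeps the tenant_ref bound in the try body and continues with an empty metadata_ref, whereas the TenantNotFound arm just above it clears tenant_ref, so as far as these hunks show the request can reach create_token scoped to a tenant in which the user has no metadata; if issuing such a role-less scoped token is intended, a comment saying so would help, and if not the arm should raise Unauthorized like the other failure paths. authenticate begins and ends outside these hunks, and the rendered page has lost the indentation, so the exact nesting of the except arm is inferred.

```python
    def _assert_tenant_enabled(self, tenant_ref, tenant_id):
        """Raise Unauthorized when a resolved tenant is explicitly disabled."""
        if tenant_ref and not tenant_ref.get('enabled', True):
            LOG.warning('Tenant %s is disabled' % tenant_id)
            raise exception.Unauthorized()

    def authenticate(self, context, auth=None):
        # … unchanged: password branch, user lookup and disabled-user check …
        self._assert_tenant_enabled(tenant_ref, tenant_id)
        # … unchanged: token branch and its except handlers …
        self._assert_tenant_enabled(tenant_ref, tenant_id)
        # … unchanged: create_token and response …
```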
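--- a/tests/test_keystoneclient.py
+++ b/tests/test_keystoneclient.py
@@ -180,6 +180,53 @@ def test_authenticate_no_username(self):
 self.get_client,
 user_ref)
+ def test_authenticate_disabled_tenant(self):
+ from keystoneclient import exceptions as client_exceptions
+
+ admin_client = self.get_client(admin=True)
+
+ tenant = {
+ 'name': uuid.uuid4().hex,
+ 'description': uuid.uuid4().hex,
+ 'enabled': False,
+ }
+ tenant_ref = admin_client.tenants.create(
+ tenant_name=tenant['name'],
+ description=tenant['description'],
+ enabled=tenant['enabled'])
+ tenant['id'] = tenant_ref.id
+
+ user = {
+ 'name': uuid.uuid4().hex,
+ 'password': uuid.uuid4().hex,
+ 'email': uuid.uuid4().hex,
+ 'tenant_id': tenant['id'],
+ }
+ user_ref = admin_client.users.create(
+ name=user['name'],
+ password=user['password'],
+ email=user['email'],
+ tenant_id=user['tenant_id'])
+ user['id'] = user_ref.id
+
+ # password authentication
+ self.assertRaises(
+ client_exceptions.Unauthorized,
+ self._client,
+ username=user['name'],
+ password=user['password'],
+ tenant_id=tenant['id'])
+
+ # token authentication
+ client = self._client(
+ username=user['name'],
+ password=user['password'])
+ self.assertRaises(
+ client_exceptions.Unauthorized,
+ self._client,
+ token=client.auth_token,
+ tenant_id=tenant['id'])
+
 # FIXME(ja): this test should require the "keystone:admin" roled
 # (probably the role set via --keystone_admin_role flag)
 # FIXME(ja): add a test that admin endpoint is only sent to admin user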
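Review bot: The unscoped login at `client = self._client(username=user['name'], password=user['password'])` is an implicit assertion that a user whose default tenant is disabled can still obtain an unscoped token, since the test goes on to use `client.auth_token`, but nothing in the test says that this call is expected to succeed; a comment such as `# unscoped auth must still succeed even though the user's default tenant is disabled` would make the expectation explicit and keep a later reader from "fixing" it. The method also has no docstring; `"""Explicitly scoping to a disabled tenant is rejected with 401 for both password and token auth."""` would state its purpose. The disabled tenant and user created here are not deleted at the end of the test, so if the base class does not reset the backend between tests they leak into later ones; an `addCleanup` pair on `admin_client.tenants.delete` and `admin_client.users.delete`, if the test base supports it, would contain that.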
