Raise unauthorized if tenant disabled (bug 988920)
If the client attempts to explicitly authenticate against a disabled
tenant, keystone should return HTTP 401 Unauthorized.

Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
dolph authored and apevec committed Jul 30, 2012
1 parent 0b95c3c commit 5373601
Showing 2 changed files with 58 additions and 0 deletions.
11 changes: 11 additions & 0 deletions keystone/service.py
Expand Up @@ -280,6 +280,11 @@ def authenticate(self, context, auth=None):
if not user_ref.get('enabled', True):
LOG.warning('User %s is disabled' % user_id)
raise exception.Unauthorized()

# If the tenant is disabled don't allow them to authenticate
if tenant_ref and not tenant_ref.get('enabled', True):
LOG.warning('Tenant %s is disabled' % tenant_id)
raise exception.Unauthorized()
except AssertionError as e:
raise exception.Unauthorized(e.message)

Expand Down Expand Up @@ -333,6 +338,12 @@ def authenticate(self, context, auth=None):

tenant_ref = self.identity_api.get_tenant(context=context,
tenant_id=tenant_id)

# If the tenant is disabled don't allow them to authenticate
if tenant_ref and not tenant_ref.get('enabled', True):
LOG.warning('Tenant %s is disabled' % tenant_id)
raise exception.Unauthorized()

if tenant_ref:
metadata_ref = self.identity_api.get_metadata(
context=context,
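Review bot: The tenant-disabled guard is duplicated verbatim in both hunks of this file (inside the try block next to the user check in the first hunk, and after `get_tenant` in the second), and each copy formats its warning eagerly with `%`; one private helper on the class, e.g. `def _assert_tenant_enabled(self, tenant_ref, tenant_id):` holding the check, would keep the two authentication paths in step, and the log call should be lazy: `LOG.warning('Tenant %s is disabled', tenant_id)`. Note that `tenant_ref.get('enabled', True)` treats a tenant record with no `enabled` key as enabled, mirroring the existing user check just above it; that fail-open default deserves a one-line comment such as `# a missing 'enabled' key counts as enabled, matching the user check above` so a later reader does not assume the backend guarantees the key. In the first hunk `tenant_id` is not visible, so confirm it is bound on that path before the warning is formatted. `authenticate` begins and ends outside both hunks.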
47 changes: 47 additions & 0 deletions tests/test_keystoneclient.py
Expand Up @@ -176,6 +176,53 @@ def test_authenticate_no_username(self):
self.get_client,
user_ref)

def test_authenticate_disabled_tenant(self):
from keystoneclient import exceptions as client_exceptions

admin_client = self.get_client(admin=True)

tenant = {
'name': uuid.uuid4().hex,
'description': uuid.uuid4().hex,
'enabled': False,
}
tenant_ref = admin_client.tenants.create(
tenant_name=tenant['name'],
description=tenant['description'],
enabled=tenant['enabled'])
tenant['id'] = tenant_ref.id

user = {
'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex,
'email': uuid.uuid4().hex,
'tenant_id': tenant['id'],
}
user_ref = admin_client.users.create(
name=user['name'],
password=user['password'],
email=user['email'],
tenant_id=user['tenant_id'])
user['id'] = user_ref.id

# password authentication
self.assertRaises(
client_exceptions.Unauthorized,
self._client,
username=user['name'],
password=user['password'],
tenant_id=tenant['id'])

# token authentication
client = self._client(
username=user['name'],
password=user['password'])
self.assertRaises(
client_exceptions.Unauthorized,
self._client,
token=client.auth_token,
tenant_id=tenant['id'])

# FIXME(ja): this test should require the "keystone:admin" roled
# (probably the role set via --keystone_admin_role flag)
# FIXME(ja): add a test that admin endpoint is only sent to admin user
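Review bot: The test covers only the negative case; nothing asserts that the same user can still obtain a token scoped to an enabled tenant, so a regression that rejected every scoped request would pass this test unnoticed (the unscoped login at `client = self._client(username=user['name'], password=user['password'])` is the only implicit positive check). Consider creating a second tenant with `enabled=True` for the user and asserting that `self._client(username=user['name'], password=user['password'], tenant_id=<ENABLED_TENANT_ID>)` succeeds before the two assertRaises calls. A docstring naming the two server paths the halves exercise, password authentication scoped to the tenant and presenting a presumably unscoped `auth_token` together with `tenant_id`, would make the pairing with the service.py change obvious, e.g. `"""Scoping to a disabled tenant is rejected for both password and token auth."""`. The created tenant and user are never deleted; if the test fixture does not reset the backend per test they persist into later tests.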
