author | Jenkins <jenkins@review.openstack.org> | 2013-02-20 11:34:35 +0000 |
committer | Gerrit Code Review <review@openstack.org> | 2013-02-20 11:34:35 +0000 |
commit | f48dd0fc98391737a456e701e425d95f3892626a (patch) | |
tree | a0a2f564bd90b61f26f9a68ef38f21f7b34a740f | |
parent | 8945567b5ec39c7f32f27aec4eccf230cc86646c (diff) | |
parent | 7402f5ef994599653bdbb3ed5ff1a2b8c3e72b9f (diff) | |
download | keystone-f48dd0fc98391737a456e701e425d95f3892626a.tar.gz |
Merge "Ensure user and tenant enabled in EC2" into stable/essex (essex-eol)
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | keystone/contrib/ec2/core.py | 22 |
2 files changed, 18 insertions, 5 deletions
@@ -75,6 +75,7 @@ Maru Newby <mnewby@internap.com>
 Michael Basnight <mbasnight@gmail.com>
 Michael Still <mikal@stillhq.com>
 Monty Taylor <mordred@inaugust.com>
+Nathanael Burton <nathanael.i.burton.work@gmail.com>
 Pádraig Brady <P@draigBrady.com>
 Paul Voccio <paul@substation9.com>
 Peng Yong <ppyy@pubyun.com>
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
index 11107eb52..488ec887b 100644
--- a/keystone/contrib/ec2/core.py
+++ b/keystone/contrib/ec2/core.py
@@ -43,12 +43,14 @@ from keystone import identity
 from keystone import policy
 from keystone import service
 from keystone import token
+from keystone.common import logging
 from keystone.common import manager
 from keystone.common import utils
 from keystone.common import wsgi
 CONF = config.CONF
+LOG = logging.getLogger(__name__)
 class Manager(manager.Manager):
@@ -112,9 +114,9 @@ class Ec2Controller(wsgi.Application):
 credentials['host'] = hostname
 signature = signer.generate(credentials)
 if not utils.auth_str_equal(credentials.signature, signature):
- raise exception.Unauthorized(message='Invalid EC2 signature.')
+ raise exception.Unauthorized()
 else:
- raise exception.Unauthorized(message='EC2 signature not supplied.')
+ raise exception.Unauthorized()
 def authenticate(self, context, credentials=None, ec2Credentials=None):
@@ -145,7 +147,7 @@ class Ec2Controller(wsgi.Application):
 credentials = ec2Credentials
 if not 'access' in credentials:
- raise exception.Unauthorized(message='EC2 signature not supplied.')
+ raise exception.Unauthorized()
 creds_ref = self._get_credentials(context, credentials['access'])
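Review bot: Replacing the distinct Unauthorized messages in check_signature with a bare `exception.Unauthorized()` leaves no record of why the request was rejected, because the LOG the commit adds is only used by the disabled-tenant/user checks in the later hunk; an operator debugging a failing EC2 client can no longer tell a missing signature from a mismatched one. A log line before each raise keeps the client-facing response uniform while preserving the diagnosis, e.g. `LOG.debug('EC2 signature mismatch')` in the first branch and `LOG.debug('EC2 signature not supplied')` in the else branch. The same applies to the `'access'` check in the following hunk and to the roles and _get_credentials hunks further down. check_signature's def and the start of its body are above this hunk.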
@@ -157,9 +159,19 @@ class Ec2Controller(wsgi.Application):
 tenant_ref = self.identity_api.get_tenant(
 context=context,
 tenant_id=creds_ref['tenant_id'])
+ # If the tenant is disabled don't allow them to authenticate
+ if tenant_ref and not tenant_ref.get('enabled', True):
+ msg = 'Tenant %s is disabled' % tenant_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized()
 user_ref = self.identity_api.get_user(
 context=context,
 user_id=creds_ref['user_id'])
+ # If the user is disabled don't allow them to authenticate
+ if not user_ref.get('enabled', True):
+ msg = 'User %s is disabled' % user_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized()
 metadata_ref = self.identity_api.get_metadata(
 context=context,
 user_id=user_ref['id'],
@@ -170,7 +182,7 @@ class Ec2Controller(wsgi.Application):
 # fill out the roles in the metadata
 roles = metadata_ref.get('roles', [])
 if not roles:
- raise exception.Unauthorized(message='User not valid for tenant.')
+ raise exception.Unauthorized()
 roles_ref = [self.identity_api.get_role(context, role_id) for role_id in roles]
@@ -275,7 +287,7 @@ class Ec2Controller(wsgi.Application):
 creds = self.ec2_api.get_credential(context, credential_id)
 if not creds:
- raise exception.Unauthorized(message='EC2 access key not found.')
+ raise exception.Unauthorized()
 return creds
 def _assert_identity(self, context, user_id): |
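Review bot: The tenant check is guarded by `if tenant_ref and ...` while the user check below it is not, so a falsy tenant_ref skips the disabled check and authentication proceeds to get_user; if get_tenant can return None instead of raising, that case should be rejected here rather than left to fail later, `if not tenant_ref or not tenant_ref.get('enabled', True):`. Both checks also treat a missing `enabled` attribute as enabled, which is a fail-open default; if that is deliberate for records that predate the attribute, a comment such as `# a record without 'enabled' is treated as enabled` would stop the next maintainer from tightening or loosening it by accident. The `msg = ... % ...; LOG.warning(msg)` pairs pre-format the message; `LOG.warning('Tenant %s is disabled', tenant_ref['id'])` is the usual lazy form and drops the temporaries. The enclosing authenticate method starts and ends outside this hunk.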