author | Jenkins <jenkins@review.openstack.org> | 2012-11-20 22:12:02 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2012-11-20 22:12:02 +0000 |
commit | 07c1aafdf20db6d6d7c0d3e15074bc02e2f1d2aa (patch) | |
tree | 0079233bf49c436afe744149d621d6e08923bd82 | |
parent | d8aa7fd3429dce76670c5e91df76c106a96ae0cf (diff) | |
parent | 01fccdb1ccc7f7e42b6487b42b6946db98fb8c44 (diff) | |
Merge "Expose auth failure details in debug mode"grizzly-1
-rw-r--r-- | keystone/common/wsgi.py | 4 | ||||
-rw-r--r-- | keystone/contrib/ec2/core.py | 12 | ||||
-rw-r--r-- | keystone/contrib/s3/core.py | 2 | ||||
-rw-r--r-- | keystone/contrib/user_crud/core.py | 10 | ||||
-rw-r--r-- | keystone/identity/core.py | 7 | ||||
-rw-r--r-- | keystone/service.py | 42 |
6 files changed, 40 insertions, 37 deletions
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index 39529bc92..8d886902d 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -246,8 +246,8 @@ class Application(BaseApplication):
 try:
 user_token_ref = self.token_api.get_token(
 context=context, token_id=context['token_id'])
- except exception.TokenNotFound:
- raise exception.Unauthorized()
+ except exception.TokenNotFound as e:
+ raise exception.Unauthorized(e)
 creds = user_token_ref['metadata'].copy()
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
index 064474c7a..d9e9eaaea 100644
--- a/keystone/contrib/ec2/core.py
+++ b/keystone/contrib/ec2/core.py
@@ -294,11 +294,11 @@ class Ec2Controller(wsgi.Application):
 token_ref = self.token_api.get_token(
 context=context, token_id=context['token_id'])
- except exception.TokenNotFound:
- raise exception.Unauthorized()
- token_user_id = token_ref['user'].get('id')
- if not token_user_id == user_id:
- raise exception.Forbidden()
+ except exception.TokenNotFound as e:
+ raise exception.Unauthorized(e)
+
+ if token_ref['user'].get('id') != user_id:
+ raise exception.Forbidden('Token belongs to another user')
 def _is_admin(self, context):
 """Wrap admin assertion error return statement.
@@ -324,7 +324,7 @@ class Ec2Controller(wsgi.Application):
 """
 cred_ref = self.ec2_api.get_credential(context, credential_id)
 if not user_id == cred_ref['user_id']:
- raise exception.Forbidden()
+ raise exception.Forbidden('Credential belongs to another user')
 def _assert_valid_user_id(self, context, user_id):
 """Ensure a valid user id.
diff --git a/keystone/contrib/s3/core.py b/keystone/contrib/s3/core.py
index e9d9f97bf..56e10ca43 100644
--- a/keystone/contrib/s3/core.py
+++ b/keystone/contrib/s3/core.py
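Review bot: `raise exception.Unauthorized(e)` in the new except clause forwards the TokenNotFound text into the 401, and this hunk does not show whether Unauthorized withholds that detail outside debug mode as the commit title implies; if it does not, a client can tell an unknown or expired token apart from other authorization failures. If the TokenNotFound message embeds the token id, the bearer credential is also echoed into the response body, so the detail should be a description rather than the raw id. The enclosing method starts and ends outside the hunk.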
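Review bot: The context line `if not user_id == cred_ref['user_id']:` keeps the negated-equality form that the hunk above (-294) rewrote as `if token_ref['user'].get('id') != user_id:`; since the branch is being touched for its message anyway, change it to `if user_id != cred_ref['user_id']:` for consistency. 'Credential belongs to another user' confirms to the caller that the credential id exists and is owned by someone else, which is fine only while Forbidden's detail stays debug-only. The enclosing method starts outside the hunk.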
@@ -54,4 +54,4 @@ class S3Controller(ec2.Ec2Controller):
 signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
 if not utils.auth_str_equal(credentials['signature'], signed):
- raise exception.Unauthorized()
+ raise exception.Unauthorized('Credential signature mismatch')
diff --git a/keystone/contrib/user_crud/core.py b/keystone/contrib/user_crud/core.py
index 67aecdb92..7d4c1ea63 100644
--- a/keystone/contrib/user_crud/core.py
+++ b/keystone/contrib/user_crud/core.py
@@ -42,8 +42,11 @@ class UserController(wsgi.Application):
 token_id=token_id)
 user_id_from_token = token_ref['user']['id']
- if user_id_from_token != user_id or original_password is None:
- raise exception.Forbidden()
+ if user_id_from_token != user_id:
+ raise exception.Forbidden('Token belongs to another user')
+ if original_password is None:
+ raise exception.ValidationError(target='user',
+ attribute='original password')
 try:
 user_ref = self.identity_api.authenticate(
@@ -51,7 +54,8 @@ class UserController(wsgi.Application):
 user_id=user_id_from_token, password=original_password)[0]
 if not user_ref.get('enabled', True):
- raise exception.Unauthorized()
+ # NOTE(dolph): why can't you set a disabled user's password?
+ raise exception.Unauthorized('User is disabled')
 except AssertionError:
 raise exception.Unauthorized()
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 107dcaa94..3a9da3e46 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -513,10 +513,9 @@ class TenantController(wsgi.Application):
 try:
 token_ref = self.token_api.get_token(context=context,
 token_id=context['token_id'])
- except exception.NotFound:
- LOG.warning("Authentication failed. Could not find token " +
- str(context['token_id']))
- raise exception.Unauthorized()
+ except exception.NotFound as e:
+ LOG.warning('Authentication failed: %s' % e)
+ raise exception.Unauthorized(e)
 user_ref = token_ref['user']
 tenant_ids = self.identity_api.get_tenants_for_user(
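Review bot: `if original_password is None:` on the added lines lets an empty string through to identity_api.authenticate(), where it fails as Unauthorized instead of the ValidationError this hunk introduces for a missing original password; `if not original_password:` would route both cases to the same validation error. Splitting the old combined Forbidden into Forbidden plus ValidationError also changes the response class for a missing password, which is a client-visible change worth a release note. The enclosing method starts outside the hunk and continues into the next one.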
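Review bot: The added `# NOTE(dolph): why can't you set a disabled user's password?` leaves an open question next to a security check; disabling an account is the lockout control, so a disabled user must not be able to rotate their own credential, and the comment should state that rather than ask, e.g. `# A disabled user must not be able to rotate their own credential; disabling is the lockout control.` The `except AssertionError: raise exception.Unauthorized()` two lines below still drops the detail that keystone/service.py in this same commit forwards with `except AssertionError as e: raise exception.Unauthorized(e)`, so the password-change path stays harder to debug than the token path. The enclosing method starts outside the hunk.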
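Review bot: `LOG.warning('Authentication failed: %s' % e)` formats eagerly; the logging idiom is `LOG.warning('Authentication failed: %s', e)`. The removed line wrote the raw token id into the warning log; the new line logs the NotFound text instead, which is an improvement only if that message does not itself embed the token id, since a bearer token in a log file is a credential leak — log a truncated or hashed form if an identifier is needed for correlation. The enclosing method starts and ends outside the hunk.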
diff --git a/keystone/service.py b/keystone/service.py
index 21d9303c4..90b44562f 100644
--- a/keystone/service.py
+++ b/keystone/service.py
@@ -484,13 +484,15 @@ class TokenController(wsgi.Application):
 # If the user is disabled don't allow them to authenticate
 if not user_ref.get('enabled', True):
- LOG.warning('User %s is disabled' % user_ref["id"])
- raise exception.Unauthorized()
+ msg = 'User is disabled: %s' % user_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
 # If the tenant is disabled don't allow them to authenticate
 if tenant_ref and not tenant_ref.get('enabled', True):
- LOG.warning('Tenant %s is disabled' % tenant_ref["id"])
- raise exception.Unauthorized()
+ msg = 'Tenant is disabled: %s' % tenant_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
 if tenant_ref:
 catalog_ref = self.catalog_api.get_catalog(
@@ -562,9 +564,8 @@ class TokenController(wsgi.Application):
 try:
 old_token_ref = self.token_api.get_token(context=context,
 token_id=old_token)
- except exception.NotFound:
- LOG.warning("Token not found: " + str(old_token))
- raise exception.Unauthorized()
+ except exception.NotFound as e:
+ raise exception.Unauthorized(e)
 user_ref = old_token_ref['user']
 user_id = user_ref['id']
@@ -614,9 +615,8 @@ class TokenController(wsgi.Application):
 user_ref = self.identity_api.get_user_by_name(
 context=context, user_name=username)
 user_id = user_ref['id']
- except exception.UserNotFound:
- LOG.warn("User not found: %s" % user_id)
- raise exception.Unauthorized()
+ except exception.UserNotFound as e:
+ raise exception.Unauthorized(e)
 tenant_id = self._get_tenant_id_from_auth(context, auth)
@@ -627,7 +627,7 @@ class TokenController(wsgi.Application):
 password=password, tenant_id=tenant_id)
 except AssertionError as e:
- raise exception.Unauthorized(str(e))
+ raise exception.Unauthorized(e)
 (user_ref, tenant_ref, metadata_ref) = auth_info
 expiry = self.token_api._get_default_expire_time(context=context)
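Review bot: The hunks at -562 and -614 (and -651 on the next line) delete the LOG.warning that recorded a failed token or user lookup and keep only `raise exception.Unauthorized(e)`, so unless Unauthorized is logged centrally these authentication failures no longer leave a server-side trace; failed-auth events are the basic detection signal for credential guessing, so keep a `LOG.warning('Authentication failed: %s', e)` before each raise, as this commit does in keystone/identity/core.py. In the first hunk `msg` now carries the user or tenant id into the 401 body, which is acceptable only while Unauthorized withholds the message outside debug mode. Each enclosing method starts and ends outside its hunk.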
@@ -651,9 +651,8 @@ class TokenController(wsgi.Application):
 user_ref = self.identity_api.get_user_by_name(
 context=context, user_name=username)
 user_id = user_ref['id']
- except exception.UserNotFound:
- LOG.warn("User not found: %s" % username)
- raise exception.Unauthorized()
+ except exception.UserNotFound as e:
+ raise exception.Unauthorized(e)
 tenant_id = self._get_tenant_id_from_auth(context, auth)
@@ -686,8 +685,8 @@ class TokenController(wsgi.Application):
 tenant_ref = self.identity_api.get_tenant_by_name(
 context=context, tenant_name=tenant_name)
 tenant_id = tenant_ref['id']
- except exception.TenantNotFound:
- raise exception.Unauthorized()
+ except exception.TenantNotFound as e:
+ raise exception.Unauthorized(e)
 return tenant_id
 def _get_tenant_ref(self, context, user_id, tenant_id):
@@ -696,15 +695,16 @@ class TokenController(wsgi.Application):
 if tenant_id:
 tenants = self.identity_api.get_tenants_for_user(context, user_id)
 if tenant_id not in tenants:
- LOG.warning('User %s is unauthorized for tenant %s'
- % (user_id, tenant_id))
- raise exception.Unauthorized()
+ msg = 'User %s is unauthorized for tenant %s' % (
+ user_id, tenant_id)
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
 try:
 tenant_ref = self.identity_api.get_tenant(context=context,
 tenant_id=tenant_id)
- except exception.TenantNotFound:
- exception.Unauthorized()
+ except exception.TenantNotFound as e:
+ exception.Unauthorized(e)
 return tenant_ref
 def _get_metadata_ref(self, context, user_id, tenant_id):
|
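Review bot: In the last hunk (-696, inside `_get_tenant_ref`) the new line `exception.Unauthorized(e)` constructs the exception but never raises it, so a TenantNotFound is swallowed and the following `return tenant_ref` reaches an unbound local, surfacing as a server error instead of a 401; the line should read `raise exception.Unauthorized(e)`. The commit touched this line and carried the missing `raise` over from the old side, so the fix belongs in this change rather than a follow-up. `_get_tenant_ref`'s signature is in the preceding hunk, outside this one.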