authorguang-yee <guang.yee@hp.com>2014-05-19 12:14:38 -0700
committerDolph Mathews <dolph.mathews@gmail.com>2014-11-20 08:10:53 -0600
commit3817e757d1811459f50644cd9660e7a1a6e6335e (patch)
tree8ffc429d61757e574e23b5f3ec2952c01bccfdee
parent9aec35a9d4d154546f5c456cece6055de5c179f5 (diff)
downloadkeystone-3817e757d1811459f50644cd9660e7a1a6e6335e.tar.gz
Make sure scoping to the project of a disabled domain result in 401.
Addresses the problem where, when checking the validity of the scoped project, we did not subsequently make sure its domain is also enabled. Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353 Closes-Bug: 1315556 (cherry picked from commit 5db0ce63f33f6d4aec43143ae6e6fa62ad5c9025)
-rw-r--r--keystone/auth/controllers.py4
-rw-r--r--keystone/tests/test_v3_auth.py31
2 files changed, 35 insertions, 0 deletions
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 902c408ae..c75d153ca 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -158,6 +158,10 @@ class AuthInfo(object):
project_name, domain_ref['id'])
else:
project_ref = self.assignment_api.get_project(project_id)
+ # NOTE(morganfainberg): The _lookup_domain method will raise
+ # exception.Unauthorized if the domain isn't found or is
+ # disabled.
+ self._lookup_domain({'id': project_ref['domain_id']})
except exception.ProjectNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
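Review bot: The new `_lookup_domain` call sits only in the `else` (lookup by `project_id`) branch, so a reader has to go back to the `project_name` branch to see why that path needs no equivalent check; the NOTE should say so explicitly. Presumably `domain_ref` used on the `project_name` line was itself obtained through `_lookup_domain` earlier in this method, which would mean the disabled-domain rejection already happens there — that part of the method is outside the hunk, so please confirm and extend the comment with something like `# The project_name branch is already covered: domain_ref above came through _lookup_domain.` The discarded return value is fine since the call is used purely for its Unauthorized side effect, but naming that in the NOTE (`# called for its side effect only`) would stop a later cleanup from "fixing" the unused result. The enclosing method starts and ends outside the hunk.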
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index 531212dae..edec07803 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -2405,6 +2405,37 @@ class TestAuthJSON(test_v3.RestfulTestCase):
r = self.post('/auth/tokens', body=auth_data)
self.assertValidUnscopedTokenResponse(r)
+ def test_disabled_scope_project_domain_result_in_401(self):
+ # create a disabled domain
+ domain = self.new_domain_ref()
+ domain['enabled'] = False
+ self.assignment_api.create_domain(domain['id'], domain)
+
+ # create a project in the disabled domain
+ project = self.new_project_ref(domain_id=domain['id'])
+ self.assignment_api.create_project(project['id'], project)
+
+ # assign some role to self.user for the project in the disabled domain
+ self.assignment_api.add_role_to_user_and_project(
+ self.user['id'],
+ project['id'],
+ self.role_id)
+
+ # user should not be able to auth with project_id
+ auth_data = self.build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ project_id=project['id'])
+ self.post('/auth/tokens', body=auth_data, expected_status=401)
+
+ # user should not be able to auth with project_name & domain
+ auth_data = self.build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ project_name=project['name'],
+ project_domain_id=domain['id'])
+ self.post('/auth/tokens', body=auth_data, expected_status=401)
+
class TestAuthXML(TestAuthJSON):
content_type = 'xml'
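Review bot: The new test has no docstring tying it to the bug it guards, and its name alone does not say which of the two scoping forms is the regression; add `"""Scoping to a project in a disabled domain must yield 401 (bug 1315556)."""` as the first line of `test_disabled_scope_project_domain_result_in_401`. Both project-scoped request shapes (by `project_id`, and by `project_name` plus `project_domain_id`) are asserted to return 401, which matches the two branches touched in `keystone/auth/controllers.py`. The test does not exercise a domain-scoped request against the disabled domain itself; that case is presumably rejected directly by `_lookup_domain`, but a comment saying so (or a third request) would make the coverage boundary explicit. Since the method is defined on `TestAuthJSON`, the `TestAuthXML` subclass on the last context line inherits it, so the XML content type is covered as well.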