authorJenkins <jenkins@review.openstack.org>2015-01-29 10:27:50 +0000
committerGerrit Code Review <review@openstack.org>2015-01-29 10:27:50 +0000
commite146275e12145635c24c7c9970fb2eda650c06c4 (patch)
treec0da4036efa2118daed68a7ebca3fbc52da4e3e2
parent5ccb232ddcabe0b191698d02b27012378ef2a79c (diff)
parent3817e757d1811459f50644cd9660e7a1a6e6335e (diff)
downloadkeystone-e146275e12145635c24c7c9970fb2eda650c06c4.tar.gz
Merge "Make sure scoping to the project of a disabled domain result in 401." into stable/icehouse
-rw-r--r--keystone/auth/controllers.py4
-rw-r--r--keystone/tests/test_v3_auth.py31
2 files changed, 35 insertions, 0 deletions
diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index 902c408ae..c75d153ca 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -158,6 +158,10 @@ class AuthInfo(object):
project_name, domain_ref['id'])
else:
project_ref = self.assignment_api.get_project(project_id)
+ # NOTE(morganfainberg): The _lookup_domain method will raise
+ # exception.Unauthorized if the domain isn't found or is
+ # disabled.
+ self._lookup_domain({'id': project_ref['domain_id']})
except exception.ProjectNotFound as e:
LOG.exception(e)
raise exception.Unauthorized(e)
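Review bot: The `exception.Unauthorized` that the new `self._lookup_domain({'id': project_ref['domain_id']})` call raises for a disabled or missing domain is not caught by the `except exception.ProjectNotFound` clause below it, so unlike the not-found path it never reaches the `LOG.exception(e)` on the next line; whether the rejection is recorded at all depends on what `_lookup_domain` logs, which is outside this hunk. For an authorization decision this is the event an operator would want in the audit trail, so either log before re-raising or extend the NOTE to say where the rejection is logged, e.g. `# NOTE: Unauthorized from _lookup_domain propagates past the ProjectNotFound handler below and is not logged here.` The guard is also only added on the project_id branch; the project_name branch above appears to resolve the domain into `domain_ref` before this hunk, but that lookup is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.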
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index 531212dae..edec07803 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -2405,6 +2405,37 @@ class TestAuthJSON(test_v3.RestfulTestCase):
r = self.post('/auth/tokens', body=auth_data)
self.assertValidUnscopedTokenResponse(r)
+ def test_disabled_scope_project_domain_result_in_401(self):
+ # create a disabled domain
+ domain = self.new_domain_ref()
+ domain['enabled'] = False
+ self.assignment_api.create_domain(domain['id'], domain)
+
+ # create a project in the disabled domain
+ project = self.new_project_ref(domain_id=domain['id'])
+ self.assignment_api.create_project(project['id'], project)
+
+ # assign some role to self.user for the project in the disabled domain
+ self.assignment_api.add_role_to_user_and_project(
+ self.user['id'],
+ project['id'],
+ self.role_id)
+
+ # user should not be able to auth with project_id
+ auth_data = self.build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ project_id=project['id'])
+ self.post('/auth/tokens', body=auth_data, expected_status=401)
+
+ # user should not be able to auth with project_name & domain
+ auth_data = self.build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ project_name=project['name'],
+ project_domain_id=domain['id'])
+ self.post('/auth/tokens', body=auth_data, expected_status=401)
+
class TestAuthXML(TestAuthJSON):
content_type = 'xml'
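Review bot: Both assertions in `test_disabled_scope_project_domain_result_in_401` only check for a 401, so the test cannot distinguish "rejected because the domain is disabled" from "scoping to this project is broken for any reason"; a positive control that re-enables the domain and expects the scoped request to succeed would pin the behaviour to the disabled flag. The method also has no docstring; a one-liner such as `"""Scoping to a project in a disabled domain must return 401."""` would state the contract the 401 checks enforce. The exact update API and success status are inferred from the surrounding test suite rather than this hunk, so confirm them against the fixture before adding.

```python
        # … unchanged: disabled-domain setup and the two 401 checks …

        # positive control: re-enabling the domain restores scoping
        domain['enabled'] = True
        self.assignment_api.update_domain(domain['id'], domain)
        auth_data = self.build_authentication_request(
            user_id=self.user['id'],
            password=self.user['password'],
            project_id=project['id'])
        self.post('/auth/tokens', body=auth_data, expected_status=201)
```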