Merge "Hide AccountLocked exception from end users" into stable/traintrain-em 16.0.2

author: Zuul <zuul@review.opendev.org> 2021-06-04 19:13:15 +0000
committer: Gerrit Code Review <review@openstack.org> 2021-06-04 19:13:15 +0000
commit: c65455965aec303b55bc76388314a2b96a2bc12c (patch)
tree: f030ddb37ebedfef4231c6858bd7ff407b65cbe4
parent: d0a91b0b9f82f5b3a1b699b70dc76d551769816b (diff)
parent: 1b573ae7d1c20e0ebfbde79bbe7538a09589c75d (diff)
download: keystone-c65455965aec303b55bc76388314a2b96a2bc12c.tar.gz
4 files changed, 16 insertions, 6 deletions
diff --git a/keystone/notifications.py b/keystone/notifications.py
index 65980b800..d96cc1661 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
                                          taxonomy.OUTCOME_FAILURE,
                                          target, self.event_type,
                                          reason=audit_reason)
+                if isinstance(ex, exception.AccountLocked):
+                    raise exception.Unauthorized
                 raise
             except Exception:
                 # For authentication failure send a CADF event as well
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index 636abfa3b..7744925b7 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
         password = uuid.uuid4().hex
         new_password = uuid.uuid4().hex
         expected_responses = [AssertionError, AssertionError, AssertionError,
-                              exception.AccountLocked]
+                              exception.Unauthorized]
         user_ref = unit.new_user_ref(domain_id=self.domain_id,
                                      password=password)
         user_ref = PROVIDERS.identity_api.create_user(user_ref)
diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
index 97cd9572e..73ca314c4 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -576,7 +576,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             )
             # test locking out user after max failed attempts
             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               user_id=self.user['id'],
                               password=uuid.uuid4().hex)
@@ -605,7 +605,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
         with self.make_request():
             # lockout user
             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               user_id=self.user['id'],
                               password=uuid.uuid4().hex)
@@ -624,7 +624,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             with self.make_request():
                 # lockout user
                 self._fail_auth_repeatedly(self.user['id'])
-                self.assertRaises(exception.AccountLocked,
+                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
@@ -650,7 +650,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             with self.make_request():
                 # lockout user
                 self._fail_auth_repeatedly(self.user['id'])
-                self.assertRaises(exception.AccountLocked,
+                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
@@ -660,7 +660,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
                 # repeat failed auth the max times
                 self._fail_auth_repeatedly(self.user['id'])
                 # test user account is locked
-                self.assertRaises(exception.AccountLocked,
+                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
new file mode 100644
index 000000000..bd7a06069
--- /dev/null
+++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
+    Fixed the AccountLocked exception being shown to the end user since
+    it provides some information that could be exploited by a
+    malicious user. The end user will now see Unauthorized instead of
+    AccountLocked, preventing user info oracle exploitation.
author	Zuul <zuul@review.opendev.org>	2021-06-04 19:13:15 +0000
committer	Gerrit Code Review <review@openstack.org>	2021-06-04 19:13:15 +0000
commit	c65455965aec303b55bc76388314a2b96a2bc12c (patch)
tree	f030ddb37ebedfef4231c6858bd7ff407b65cbe4
parent	d0a91b0b9f82f5b3a1b699b70dc76d551769816b (diff)
parent	1b573ae7d1c20e0ebfbde79bbe7538a09589c75d (diff)
download	keystone-c65455965aec303b55bc76388314a2b96a2bc12c.tar.gz