Merge "Hide AccountLocked exception from end users"

author: Zuul <zuul@review.opendev.org> 2021-05-06 22:40:43 +0000
committer: Gerrit Code Review <review@openstack.org> 2021-05-06 22:40:43 +0000
commit: 63ef8f81f34a41d9e242e44658c962dc86186d80 (patch)
tree: 7b68d92f74707a35306e4f2e7c81914b738c4b82
parent: c777c4b85919eacc3dd7c4d42e24d6c55d83d359 (diff)
parent: ac2631ae33445877094cdae796fbcdce8833a626 (diff)
download: keystone-63ef8f81f34a41d9e242e44658c962dc86186d80.tar.gz
4 files changed, 16 insertions, 6 deletions
diff --git a/keystone/notifications.py b/keystone/notifications.py
index e536ebdd4..a59b1d0ba 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
                                          taxonomy.OUTCOME_FAILURE,
                                          target, self.event_type,
                                          reason=audit_reason)
+                if isinstance(ex, exception.AccountLocked):
+                    raise exception.Unauthorized
                 raise
             except Exception:
                 # For authentication failure send a CADF event as well
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index b0fb720f1..308cc01d8 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
         password = uuid.uuid4().hex
         new_password = uuid.uuid4().hex
         expected_responses = [AssertionError, AssertionError, AssertionError,
-                              exception.AccountLocked]
+                              exception.Unauthorized]
         user_ref = unit.new_user_ref(domain_id=self.domain_id,
                                      password=password)
         user_ref = PROVIDERS.identity_api.create_user(user_ref)
diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
index 8c7fb3103..0a990024d 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -613,7 +613,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             )
             # test locking out user after max failed attempts
             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               user_id=self.user['id'],
                               password=uuid.uuid4().hex)
@@ -642,7 +642,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
         with self.make_request():
             # lockout user
             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               user_id=self.user['id'],
                               password=uuid.uuid4().hex)
@@ -661,7 +661,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             with self.make_request():
                 # lockout user
                 self._fail_auth_repeatedly(self.user['id'])
-                self.assertRaises(exception.AccountLocked,
+                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
@@ -687,7 +687,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             with self.make_request():
                 # lockout user
                 self._fail_auth_repeatedly(self.user['id'])
-                self.assertRaises(exception.AccountLocked,
+                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
@@ -697,7 +697,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
                 # repeat failed auth the max times
                 self._fail_auth_repeatedly(self.user['id'])
                 # test user account is locked
-                self.assertRaises(exception.AccountLocked,
+                self.assertRaises(exception.Unauthorized,
                                   PROVIDERS.identity_api.authenticate,
                                   user_id=self.user['id'],
                                   password=uuid.uuid4().hex)
diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
new file mode 100644
index 000000000..bd7a06069
--- /dev/null
+++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
+    Fixed the AccountLocked exception being shown to the end user since
+    it provides some information that could be exploited by a
+    malicious user. The end user will now see Unauthorized instead of
+    AccountLocked, preventing user info oracle exploitation.
author	Zuul <zuul@review.opendev.org>	2021-05-06 22:40:43 +0000
committer	Gerrit Code Review <review@openstack.org>	2021-05-06 22:40:43 +0000
commit	63ef8f81f34a41d9e242e44658c962dc86186d80 (patch)
tree	7b68d92f74707a35306e4f2e7c81914b738c4b82
parent	c777c4b85919eacc3dd7c4d42e24d6c55d83d359 (diff)
parent	ac2631ae33445877094cdae796fbcdce8833a626 (diff)
download	keystone-63ef8f81f34a41d9e242e44658c962dc86186d80.tar.gz