author | Zuul <zuul@review.opendev.org> | 2021-05-06 22:40:43 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2021-05-06 22:40:43 +0000 |
commit | 63ef8f81f34a41d9e242e44658c962dc86186d80 (patch) | |
tree | 7b68d92f74707a35306e4f2e7c81914b738c4b82 | |
parent | c777c4b85919eacc3dd7c4d42e24d6c55d83d359 (diff) | |
parent | ac2631ae33445877094cdae796fbcdce8833a626 (diff) | |
download | keystone-63ef8f81f34a41d9e242e44658c962dc86186d80.tar.gz |
Merge "Hide AccountLocked exception from end users"
-rw-r--r-- | keystone/notifications.py | 2 | ||||
-rw-r--r-- | keystone/tests/unit/common/test_notifications.py | 2 | ||||
-rw-r--r-- | keystone/tests/unit/identity/test_backend_sql.py | 10 | ||||
-rw-r--r-- | releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml | 8 |
4 files changed, 16 insertions, 6 deletions
diff --git a/keystone/notifications.py b/keystone/notifications.py
index e536ebdd4..a59b1d0ba 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
 taxonomy.OUTCOME_FAILURE, target, self.event_type,
 reason=audit_reason)
+ if isinstance(ex, exception.AccountLocked):
+ raise exception.Unauthorized
 raise
 except Exception:
 # For authentication failure send a CADF event as well
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index b0fb720f1..308cc01d8 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
 password = uuid.uuid4().hex
 new_password = uuid.uuid4().hex
 expected_responses = [AssertionError, AssertionError, AssertionError,
- exception.AccountLocked]
+ exception.Unauthorized]
 user_ref = unit.new_user_ref(domain_id=self.domain_id,
 password=password)
 user_ref = PROVIDERS.identity_api.create_user(user_ref)
diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
index 8c7fb3103..0a990024d 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -613,7 +613,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
 )
 # test locking out user after max failed attempts
 self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
 PROVIDERS.identity_api.authenticate,
 user_id=self.user['id'],
 password=uuid.uuid4().hex)
@@ -642,7 +642,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
 with self.make_request():
 # lockout user
 self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
 PROVIDERS.identity_api.authenticate,
 user_id=self.user['id'],
 password=uuid.uuid4().hex)
@@ -661,7 +661,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
 with self.make_request():
 # lockout user
 self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
 PROVIDERS.identity_api.authenticate,
 user_id=self.user['id'],
 password=uuid.uuid4().hex)
@@ -687,7 +687,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
 with self.make_request():
 # lockout user
 self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
 PROVIDERS.identity_api.authenticate,
 user_id=self.user['id'],
 password=uuid.uuid4().hex)
@@ -697,7 +697,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
 # repeat failed auth the max times
 self._fail_auth_repeatedly(self.user['id'])
 # test user account is locked
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
 PROVIDERS.identity_api.authenticate,
 user_id=self.user['id'],
 password=uuid.uuid4().hex)
diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
new file mode 100644
index 000000000..bd7a06069
--- /dev/null
+++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
+ Fixed the AccountLocked exception being shown to the end user since
+ it provides some information that could be exploited by a
+ malicious user. The end user will now see Unauthorized instead of
+ AccountLocked, preventing user info oracle exploitation.
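Review bot: The two added lines in the keystone/notifications.py hunk replace the caught lockout exception without a comment saying why, so a maintainer chasing a failing test later could plausibly revert it; a one-line comment above the `isinstance` check would pin the intent, e.g. `# Do not disclose the lockout state to the caller; the CADF failure event sent just above still records the real reason server-side.` The enclosing try/except starts outside the hunk, so it is not visible what the `except ... as ex` clause catches; if it catches only `exception.AccountLocked`, the `isinstance(ex, exception.AccountLocked)` guard is always true and the bare `raise` that follows becomes unreachable. Raising the class (`raise exception.Unauthorized`) works because Python instantiates it, but `raise exception.Unauthorized() from ex` would make the chaining to the original lockout explicit for operator logs while the client still sees only the generic error. This swap only changes the exception type at this wrapper; whether a locked account and a plain bad password are otherwise indistinguishable to the caller (for example in response latency) is not addressed here and would be worth confirming in the lockout check itself.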