Attempt to scope only to enabled projects

Filter out the disabled projects from the list of projects that authentication backend will attempt to scope to. Tests has been updated, the backend will no longer attempts to scope to disabled projects. Change-Id: I0fcdcd2ce72cd6580a2985d637c4bbabc60e4377 Closes-Bug: #1223079
2014-12-18 17:03:17 -08:00 · 2014-12-18 17:03:17 -08:00 · 7f062dbf43
parent b1538c90fa
commit 7f062dbf43
2 changed files with 17 additions and 25 deletions
--- a/openstack_auth/backend.py
+++ b/openstack_auth/backend.py
@ -135,6 +135,9 @@ class KeystoneBackend(object):
            msg = _('Unable to retrieve authorized projects.')
            raise exceptions.KeystoneAuthException(msg)

+        # Attempt to scope only to enabled projects
+        projects = [project for project in projects if project.enabled]
+
        # Abort if there are no projects for this user
        if not projects:
            msg = _('You are not authorized for any projects.')
--- a/openstack_auth/tests/tests.py
+++ b/openstack_auth/tests/tests.py
@ -148,17 +148,16 @@ class OpenStackAuthTestsV2(OpenStackAuthTestsMixin, test.TestCase):
    def test_login(self):
        self._login()

-    def test_login_with_disabled_tenants(self):
-        # Test to validate that authentication will try to get
-        # scoped token if the first project is disabled.
-        tenants = [self.data.tenant_one, self.data.tenant_two]
+    def test_login_with_disabled_tenant(self):
+        # Test to validate that authentication will not try to get
+        # scoped token for disabled project.
+        tenants = [self.data.tenant_two, self.data.tenant_one]
        user = self.data.user
        unscoped = self.data.unscoped_access_info

        form_data = self.get_form_data(user)
        self._mock_unscoped_client_list_tenants(user, tenants)
-        self._mock_client_token_auth_failure(unscoped, self.data.tenant_one.id)
-        self._mock_scoped_client_for_tenant(unscoped, self.data.tenant_two.id)
+        self._mock_scoped_client_for_tenant(unscoped, self.data.tenant_one.id)
        self.mox.ReplayAll()

        url = reverse('login')
@ -180,14 +179,11 @@ class OpenStackAuthTestsV2(OpenStackAuthTestsMixin, test.TestCase):
                         self.client.session['services_region'])

    def test_no_enabled_tenants(self):
-        tenants = [self.data.tenant_one, self.data.tenant_two]
+        tenants = [self.data.tenant_two]
        user = self.data.user
-        unscoped = self.data.unscoped_access_info

        form_data = self.get_form_data(user)
        self._mock_unscoped_client_list_tenants(user, tenants)
-        self._mock_client_token_auth_failure(unscoped, self.data.tenant_one.id)
-        self._mock_client_token_auth_failure(unscoped, self.data.tenant_two.id)
        self.mox.ReplayAll()

        url = reverse('login')
@ -200,8 +196,7 @@ class OpenStackAuthTestsV2(OpenStackAuthTestsMixin, test.TestCase):
        response = self.client.post(url, form_data)
        self.assertTemplateUsed(response, 'auth/login.html')
        self.assertContains(response,
-                            'Unable to authenticate to any available'
-                            ' projects.')
+                            'You are not authorized for any projects.')

    def test_no_tenants(self):
        user = self.data.user
@ -523,16 +518,16 @@ class OpenStackAuthTestsV3(OpenStackAuthTestsMixin, test.TestCase):
        response = self.client.post(url, form_data)
        self.assertRedirects(response, settings.LOGIN_REDIRECT_URL)

-    def test_login_with_disabled_projects(self):
-        projects = [self.data.project_one, self.data.project_two]
+    def test_login_with_disabled_project(self):
+        # Test to validate that authentication will not try to get
+        # scoped token for disabled project.
+        projects = [self.data.project_two, self.data.project_one]
        user = self.data.user
        unscoped = self.data.unscoped_access_info

        form_data = self.get_form_data(user)
        self._mock_unscoped_client_list_projects(user, projects)
-        self._mock_client_token_auth_failure(unscoped,
-                                             self.data.project_one.id)
-        self._mock_scoped_client_for_tenant(unscoped, self.data.project_two.id)
+        self._mock_scoped_client_for_tenant(unscoped, self.data.project_one.id)
        self.mox.ReplayAll()

        url = reverse('login')
@ -546,17 +541,12 @@ class OpenStackAuthTestsV3(OpenStackAuthTestsMixin, test.TestCase):
        self.assertRedirects(response, settings.LOGIN_REDIRECT_URL)

    def test_no_enabled_projects(self):
-        projects = [self.data.project_one, self.data.project_two]
+        projects = [self.data.project_two]
        user = self.data.user
-        unscoped = self.data.unscoped_access_info

        form_data = self.get_form_data(user)

        self._mock_unscoped_client_list_projects(user, projects)
-        self._mock_client_token_auth_failure(unscoped,
-                                             self.data.project_one.id)
-        self._mock_client_token_auth_failure(unscoped,
-                                             self.data.project_two.id)
        self.mox.ReplayAll()

        url = reverse('login')
@ -569,8 +559,7 @@ class OpenStackAuthTestsV3(OpenStackAuthTestsMixin, test.TestCase):
        response = self.client.post(url, form_data)
        self.assertTemplateUsed(response, 'auth/login.html')
        self.assertContains(response,
-                            'Unable to authenticate to any available'
-                            ' projects.')
+                            'You are not authorized for any projects.')

    def test_no_projects(self):
        user = self.data.user