Merge "Raise unauthorized if tenant disabled (bug 988920)" into stable/essex

2012-07-31 10:31:57 +00:00 · 2012-07-31 10:31:57 +00:00 · f65604db7b
parent 46b3722245 5373601bbd
commit f65604db7b
2 changed files with 58 additions and 0 deletions
--- a/keystone/service.py
+++ b/keystone/service.py
@ -280,6 +280,11 @@ class TokenController(wsgi.Application):
                if not user_ref.get('enabled', True):
                    LOG.warning('User %s is disabled' % user_id)
                    raise exception.Unauthorized()
+
+                # If the tenant is disabled don't allow them to authenticate
+                if tenant_ref and not tenant_ref.get('enabled', True):
+                    LOG.warning('Tenant %s is disabled' % tenant_id)
+                    raise exception.Unauthorized()
            except AssertionError as e:
                raise exception.Unauthorized(e.message)

@ -333,6 +338,12 @@ class TokenController(wsgi.Application):

            tenant_ref = self.identity_api.get_tenant(context=context,
                                                      tenant_id=tenant_id)
+
+            # If the tenant is disabled don't allow them to authenticate
+            if tenant_ref and not tenant_ref.get('enabled', True):
+                LOG.warning('Tenant %s is disabled' % tenant_id)
+                raise exception.Unauthorized()
+
            if tenant_ref:
                metadata_ref = self.identity_api.get_metadata(
                        context=context,
--- a/tests/test_keystoneclient.py
+++ b/tests/test_keystoneclient.py
@ -176,6 +176,53 @@ class KeystoneClientTests(object):
                          self.get_client,
                          user_ref)

+    def test_authenticate_disabled_tenant(self):
+        from keystoneclient import exceptions as client_exceptions
+
+        admin_client = self.get_client(admin=True)
+
+        tenant = {
+            'name': uuid.uuid4().hex,
+            'description': uuid.uuid4().hex,
+            'enabled': False,
+        }
+        tenant_ref = admin_client.tenants.create(
+            tenant_name=tenant['name'],
+            description=tenant['description'],
+            enabled=tenant['enabled'])
+        tenant['id'] = tenant_ref.id
+
+        user = {
+            'name': uuid.uuid4().hex,
+            'password': uuid.uuid4().hex,
+            'email': uuid.uuid4().hex,
+            'tenant_id': tenant['id'],
+        }
+        user_ref = admin_client.users.create(
+            name=user['name'],
+            password=user['password'],
+            email=user['email'],
+            tenant_id=user['tenant_id'])
+        user['id'] = user_ref.id
+
+        # password authentication
+        self.assertRaises(
+            client_exceptions.Unauthorized,
+            self._client,
+            username=user['name'],
+            password=user['password'],
+            tenant_id=tenant['id'])
+
+        # token authentication
+        client = self._client(
+            username=user['name'],
+            password=user['password'])
+        self.assertRaises(
+            client_exceptions.Unauthorized,
+            self._client,
+            token=client.auth_token,
+            tenant_id=tenant['id'])
+
    # FIXME(ja): this test should require the "keystone:admin" roled
    #            (probably the role set via --keystone_admin_role flag)
    # FIXME(ja): add a test that admin endpoint is only sent to admin user