Merge "Expose auth failure details in debug mode"

Jenkins 2012-11-20 22:12:02 +00:00 committed by Gerrit Code Review
commit 07c1aafdf2
6 changed files with 40 additions and 37 deletions


@ -246,8 +246,8 @@ class Application(BaseApplication):
try:
user_token_ref = self.token_api.get_token(
context=context, token_id=context['token_id'])
except exception.TokenNotFound:
raise exception.Unauthorized()
except exception.TokenNotFound as e:
raise exception.Unauthorized(e)
creds = user_token_ref['metadata'].copy()


@ -294,11 +294,11 @@ class Ec2Controller(wsgi.Application):
token_ref = self.token_api.get_token(
context=context,
token_id=context['token_id'])
except exception.TokenNotFound:
raise exception.Unauthorized()
token_user_id = token_ref['user'].get('id')
if not token_user_id == user_id:
raise exception.Forbidden()
except exception.TokenNotFound as e:
raise exception.Unauthorized(e)
if token_ref['user'].get('id') != user_id:
raise exception.Forbidden('Token belongs to another user')
def _is_admin(self, context):
"""Wrap admin assertion error return statement.
@ -324,7 +324,7 @@ class Ec2Controller(wsgi.Application):
"""
cred_ref = self.ec2_api.get_credential(context, credential_id)
if not user_id == cred_ref['user_id']:
raise exception.Forbidden()
raise exception.Forbidden('Credential belongs to another user')
def _assert_valid_user_id(self, context, user_id):
"""Ensure a valid user id.
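Review bot: The comparison `if not user_id == cred_ref['user_id']:` in the second hunk keeps the negated-equality form that the first hunk of this same file rewrote to `!=`; for consistency within the change it should read `if user_id != cred_ref['user_id']:`. The enclosing methods begin before their respective hunks.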


@ -54,4 +54,4 @@ class S3Controller(ec2.Ec2Controller):
signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
if not utils.auth_str_equal(credentials['signature'], signed):
raise exception.Unauthorized()
raise exception.Unauthorized('Credential signature mismatch')
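Review bot: `raise exception.Unauthorized('Credential signature mismatch')` names the specific reason the request failed, and under this commit that text reaches the caller when debug mode is on; if the credential lookup earlier in the method (outside the hunk) fails with a differently worded error, a caller can then tell an unknown access key apart from a wrong signature, which is the distinction the previous uniform 401 was hiding. That is an accepted trade-off for a debug setting, but it deserves a comment at the raise so the detail is not later promoted into the normal response: `# NOTE: reason text is only surfaced to the client in debug mode; keep the production response undifferentiated.`. The enclosing method starts before the hunk.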


@ -42,8 +42,11 @@ class UserController(wsgi.Application):
token_id=token_id)
user_id_from_token = token_ref['user']['id']
if user_id_from_token != user_id or original_password is None:
raise exception.Forbidden()
if user_id_from_token != user_id:
raise exception.Forbidden('Token belongs to another user')
if original_password is None:
raise exception.ValidationError(target='user',
attribute='original password')
try:
user_ref = self.identity_api.authenticate(
@ -51,7 +54,8 @@ class UserController(wsgi.Application):
user_id=user_id_from_token,
password=original_password)[0]
if not user_ref.get('enabled', True):
raise exception.Unauthorized()
# NOTE(dolph): why can't you set a disabled user's password?
raise exception.Unauthorized('User is disabled')
except AssertionError:
raise exception.Unauthorized()
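Review bot: `except AssertionError: raise exception.Unauthorized()` at the end of the second hunk still discards the assertion detail, while the identical pattern in the token controller elsewhere in this commit was changed to `except AssertionError as e: raise exception.Unauthorized(e)`; the password-change path should follow suit so debug mode explains this failure as well. The added `# NOTE(dolph): why can't you set a disabled user's password?` records an open question in a comment; if the check is intentional, state the rationale, otherwise make it a TODO with an owner. Splitting the old combined check also changes the response for a missing original password from Forbidden to ValidationError, a client-visible change worth a line in the commit message. The enclosing method starts before the first hunk and continues after the second.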


@ -513,10 +513,9 @@ class TenantController(wsgi.Application):
try:
token_ref = self.token_api.get_token(context=context,
token_id=context['token_id'])
except exception.NotFound:
LOG.warning("Authentication failed. Could not find token " +
str(context['token_id']))
raise exception.Unauthorized()
except exception.NotFound as e:
LOG.warning('Authentication failed: %s' % e)
raise exception.Unauthorized(e)
user_ref = token_ref['user']
tenant_ids = self.identity_api.get_tenants_for_user(
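Review bot: `LOG.warning('Authentication failed: %s' % e)` formats the message eagerly; the logging API takes the arguments lazily, `LOG.warning('Authentication failed: %s', e)`, which also avoids a formatting error should the message ever contain a stray `%`. If TokenNotFound's text embeds the presented token id — the exception class is not on the page, but the removed line logged `context['token_id']` explicitly — the full token id is written to the log; in this service the token id appears to be what the caller presents as its credential, so the log line should carry a truncated or hashed form rather than the whole value. The enclosing method starts before the hunk.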


@ -484,13 +484,15 @@ class TokenController(wsgi.Application):
# If the user is disabled don't allow them to authenticate
if not user_ref.get('enabled', True):
LOG.warning('User %s is disabled' % user_ref["id"])
raise exception.Unauthorized()
msg = 'User is disabled: %s' % user_ref['id']
LOG.warning(msg)
raise exception.Unauthorized(msg)
# If the tenant is disabled don't allow them to authenticate
if tenant_ref and not tenant_ref.get('enabled', True):
LOG.warning('Tenant %s is disabled' % tenant_ref["id"])
raise exception.Unauthorized()
msg = 'Tenant is disabled: %s' % tenant_ref['id']
LOG.warning(msg)
raise exception.Unauthorized(msg)
if tenant_ref:
catalog_ref = self.catalog_api.get_catalog(
@ -562,9 +564,8 @@ class TokenController(wsgi.Application):
try:
old_token_ref = self.token_api.get_token(context=context,
token_id=old_token)
except exception.NotFound:
LOG.warning("Token not found: " + str(old_token))
raise exception.Unauthorized()
except exception.NotFound as e:
raise exception.Unauthorized(e)
user_ref = old_token_ref['user']
user_id = user_ref['id']
@ -614,9 +615,8 @@ class TokenController(wsgi.Application):
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username)
user_id = user_ref['id']
except exception.UserNotFound:
LOG.warn("User not found: %s" % user_id)
raise exception.Unauthorized()
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth)
@ -627,7 +627,7 @@ class TokenController(wsgi.Application):
password=password,
tenant_id=tenant_id)
except AssertionError as e:
raise exception.Unauthorized(str(e))
raise exception.Unauthorized(e)
(user_ref, tenant_ref, metadata_ref) = auth_info
expiry = self.token_api._get_default_expire_time(context=context)
@ -651,9 +651,8 @@ class TokenController(wsgi.Application):
user_ref = self.identity_api.get_user_by_name(
context=context, user_name=username)
user_id = user_ref['id']
except exception.UserNotFound:
LOG.warn("User not found: %s" % username)
raise exception.Unauthorized()
except exception.UserNotFound as e:
raise exception.Unauthorized(e)
tenant_id = self._get_tenant_id_from_auth(context, auth)
@ -686,8 +685,8 @@ class TokenController(wsgi.Application):
tenant_ref = self.identity_api.get_tenant_by_name(
context=context, tenant_name=tenant_name)
tenant_id = tenant_ref['id']
except exception.TenantNotFound:
raise exception.Unauthorized()
except exception.TenantNotFound as e:
raise exception.Unauthorized(e)
return tenant_id
def _get_tenant_ref(self, context, user_id, tenant_id):
@ -696,15 +695,16 @@ class TokenController(wsgi.Application):
if tenant_id:
tenants = self.identity_api.get_tenants_for_user(context, user_id)
if tenant_id not in tenants:
LOG.warning('User %s is unauthorized for tenant %s'
% (user_id, tenant_id))
raise exception.Unauthorized()
msg = 'User %s is unauthorized for tenant %s' % (
user_id, tenant_id)
LOG.warning(msg)
raise exception.Unauthorized(msg)
try:
tenant_ref = self.identity_api.get_tenant(context=context,
tenant_id=tenant_id)
except exception.TenantNotFound:
exception.Unauthorized()
except exception.TenantNotFound as e:
exception.Unauthorized(e)
return tenant_ref
def _get_metadata_ref(self, context, user_id, tenant_id):
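Review bot: `exception.Unauthorized(e)` under `except exception.TenantNotFound as e:` in the last hunk constructs the exception but never raises it — the removed line had the same omission — so a missing tenant falls through to `return tenant_ref`, which as far as the hunk shows is unassigned on that path; the line should be `raise exception.Unauthorized(e)`. Separately, the hunks at `-562`, `-614` and `-651` drop their `LOG.warning`/`LOG.warn` calls entirely, whereas the `-484` and `-696` hunks still log the reason before raising; since the exception detail only reaches the client, and only in debug mode, those token-not-found and user-not-found failures no longer leave any server-side record, which matters for noticing bursts of failed authentication. Keeping a `LOG.warning('Authentication failed: %s', e)` before each of those raises would preserve the audit trail. `_get_tenant_ref` begins before the `-696` hunk, so whether `tenant_ref` receives a default earlier is not visible here.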