From: Nathanael Burton <nathanael.i.burton.work@gmail.com>
Date: Tue, 19 Feb 2013 15:27:04 +0000 (-0600)
Subject: Ensure user and tenant enabled in EC2
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff_plain;h=f0b4d300db5cc61d4f079f8bce9da8e8bea1081a
Ensure user and tenant enabled in EC2
Fixes bug 1121494.
Change-Id: Icc90d581691b5aa63754e076ce983dfa2885a1dc
---
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py
index 064474c..ffc0eee 100644
--- a/keystone/contrib/ec2/core.py
+++ b/keystone/contrib/ec2/core.py
@@ -37,6 +37,7 @@ glance to list images needed to perform the requested task.
import uuid
from keystone import catalog
+from keystone.common import logging
from keystone.common import manager
from keystone.common import utils
from keystone.common import wsgi
@@ -49,6 +50,7 @@ from keystone import token
CONF = config.CONF
+LOG = logging.getLogger(__name__)
class Manager(manager.Manager):
@@ -117,9 +119,9 @@ class Ec2Controller(wsgi.Application):
credentials['host'] = hostname
signature = signer.generate(credentials)
if not utils.auth_str_equal(credentials.signature, signature):
- raise exception.Unauthorized(message='Invalid EC2 signature.')
+ raise exception.Unauthorized()
else:
- raise exception.Unauthorized(message='EC2 signature not supplied.')
+ raise exception.Unauthorized()
def authenticate(self, context, credentials=None, ec2Credentials=None):
"""Validate a signed EC2 request and provide a token.
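Review bot: Collapsing the two distinct messages into bare `exception.Unauthorized()` removes the reason for the rejection without recording it anywhere, so an operator investigating a failed EC2 authentication can no longer distinguish a bad signature from a missing one; the same loss applies to the replaced raises in the later hunks (missing `'access'`, no roles for the tenant, access key not found). Since this commit introduces `LOG` in the module, the detail can be kept server-side while the client response stays generic, e.g. `LOG.warning('Invalid EC2 signature.')` before the first raise and `LOG.warning('EC2 signature not supplied.')` before the second, and likewise at the other sites — without logging the signature value itself. The method this hunk modifies starts above the hunk and its `else` branch's enclosing condition is not visible here.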
@@ -149,7 +151,7 @@ class Ec2Controller(wsgi.Application):
credentials = ec2Credentials
if not 'access' in credentials:
- raise exception.Unauthorized(message='EC2 signature not supplied.')
+ raise exception.Unauthorized()
creds_ref = self._get_credentials(context,
credentials['access'])
@@ -161,9 +163,19 @@ class Ec2Controller(wsgi.Application):
tenant_ref = self.identity_api.get_tenant(
context=context,
tenant_id=creds_ref['tenant_id'])
+ # If the tenant is disabled don't allow them to authenticate
+ if tenant_ref and not tenant_ref.get('enabled', True):
+ msg = 'Tenant %s is disabled' % tenant_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized()
user_ref = self.identity_api.get_user(
context=context,
user_id=creds_ref['user_id'])
+ # If the user is disabled don't allow them to authenticate
+ if not user_ref.get('enabled', True):
+ msg = 'User %s is disabled' % user_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized()
metadata_ref = self.identity_api.get_metadata(
context=context,
user_id=user_ref['id'],
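Review bot: Both new checks, `if tenant_ref and not tenant_ref.get('enabled', True):` and `if not user_ref.get('enabled', True):`, treat a record that lacks an `enabled` key as enabled, so an identity backend that omits the attribute admits the principal by default; if every backend is guaranteed to set the key this is harmless, otherwise a fail-closed default (`.get('enabled', False)`) would be the safer reading, to be confirmed against the backend contract. The two checks are also asymmetric: the tenant branch tolerates a falsy `tenant_ref` and then continues to `get_metadata`, while the user branch assumes `user_ref` is a mapping. If `get_tenant` can return `None` here rather than raising (not determinable from the hunk), a credential bound to a missing tenant proceeds instead of being rejected, and `if not tenant_ref or not tenant_ref.get('enabled', True):` would make the check reject it. The enclosing `authenticate` method begins before this hunk and continues after it.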
@@ -174,7 +186,7 @@ class Ec2Controller(wsgi.Application):
# fill out the roles in the metadata
roles = metadata_ref.get('roles', [])
if not roles:
- raise exception.Unauthorized(message='User not valid for tenant.')
+ raise exception.Unauthorized()
roles_ref = [self.identity_api.get_role(context, role_id)
for role_id in roles]
@@ -279,7 +291,7 @@ class Ec2Controller(wsgi.Application):
creds = self.ec2_api.get_credential(context,
credential_id)
if not creds:
- raise exception.Unauthorized(message='EC2 access key not found.')
+ raise exception.Unauthorized()
return creds
def _assert_identity(self, context, user_id):