Merge "Hide AccountLocked exception from end users" into stable/ussuri

This commit is contained in:
Zuul 2021-06-04 17:17:17 +00:00 committed by Gerrit Code Review
commit 2cf2912fd4
4 changed files with 16 additions and 6 deletions

View File

@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
taxonomy.OUTCOME_FAILURE,
target, self.event_type,
reason=audit_reason)
if isinstance(ex, exception.AccountLocked):
raise exception.Unauthorized
raise
except Exception:
# For authentication failure send a CADF event as well

View File

@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
password = uuid.uuid4().hex
new_password = uuid.uuid4().hex
expected_responses = [AssertionError, AssertionError, AssertionError,
exception.AccountLocked]
exception.Unauthorized]
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)

View File

@ -576,7 +576,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
)
# test locking out user after max failed attempts
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -605,7 +605,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -624,7 +624,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -650,7 +650,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -660,7 +660,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# repeat failed auth the max times
self._fail_auth_repeatedly(self.user['id'])
# test user account is locked
self.assertRaises(exception.AccountLocked,
self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
user_id=self.user['id'],
password=uuid.uuid4().hex)

View File

@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
Fixed the AccountLocked exception being shown to the end user since
it provides some information that could be exploited by a
malicious user. The end user will now see Unauthorized instead of
AccountLocked, preventing user info oracle exploitation.