Make sure scoping to the project of a disabled domain result in 401.
Addresses the problem where we checked the validity of the scoped project but did not subsequently make sure its domain is also enabled. Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353 Closes-Bug: 1315556
parent
93bc881553
commit
5db0ce63f3
|
@ -158,6 +158,10 @@ class AuthInfo(object):
|
|||
project_name, domain_ref['id'])
|
||||
else:
|
||||
project_ref = self.assignment_api.get_project(project_id)
|
||||
# NOTE(morganfainberg): The _lookup_domain method will raise
|
||||
# exception.Unauthorized if the domain isn't found or is
|
||||
# disabled.
|
||||
self._lookup_domain({'id': project_ref['domain_id']})
|
||||
except exception.ProjectNotFound as e:
|
||||
LOG.exception(e)
|
||||
raise exception.Unauthorized(e)
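Review bot: The domain-enabled check is added only in the `else` (project_id) branch, so rejecting a disabled domain on the project_name path depends on `domain_ref` having been obtained through `_lookup_domain`, which happens outside this hunk and cannot be confirmed from the visible lines. The comment should say so, for example `# The project_name path is covered because domain_ref above comes from _lookup_domain.`, so that a later edit to either branch does not silently drop the check. The return value of `self._lookup_domain(...)` is discarded and the call is made only for its raise-on-disabled effect, which the existing NOTE explains well. The enclosing method starts and ends outside the hunk.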
|
||||
|
|
|
@ -2301,6 +2301,37 @@ class TestAuthJSON(test_v3.RestfulTestCase):
|
|||
r = self.post('/auth/tokens', body=auth_data)
|
||||
self.assertValidUnscopedTokenResponse(r)
|
||||
|
||||
def test_disabled_scope_project_domain_result_in_401(self):
|
||||
# create a disabled domain
|
||||
domain = self.new_domain_ref()
|
||||
domain['enabled'] = False
|
||||
self.assignment_api.create_domain(domain['id'], domain)
|
||||
|
||||
# create a project in the disabled domain
|
||||
project = self.new_project_ref(domain_id=domain['id'])
|
||||
self.assignment_api.create_project(project['id'], project)
|
||||
|
||||
# assign some role to self.user for the project in the disabled domain
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
self.user['id'],
|
||||
project['id'],
|
||||
self.role_id)
|
||||
|
||||
# user should not be able to auth with project_id
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.user['id'],
|
||||
password=self.user['password'],
|
||||
project_id=project['id'])
|
||||
self.post('/auth/tokens', body=auth_data, expected_status=401)
|
||||
|
||||
# user should not be able to auth with project_name & domain
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.user['id'],
|
||||
password=self.user['password'],
|
||||
project_name=project['name'],
|
||||
project_domain_id=domain['id'])
|
||||
self.post('/auth/tokens', body=auth_data, expected_status=401)
|
||||
|
||||
|
||||
class TestAuthXML(TestAuthJSON):
|
||||
content_type = 'xml'
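Review bot: Both assertions in `test_disabled_scope_project_domain_result_in_401` are negative only, so the test would also pass if the 401 came from something other than the disabled domain, such as a role grant that did not take effect or a credential problem. A positive control would pin the cause: create the domain enabled, check that `self.post('/auth/tokens', body=auth_data)` succeeds for the project scope, then disable the domain and repeat both requests with `expected_status=401`. That ordering also covers a domain being disabled after its projects and role assignments already exist, which is the situation operators are more likely to hit.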
|
||||
|
|