Make sure scoping to the project of a disabled domain result in 401.

Addresses the problem where we check for the validity of the scoped project, we did not subsequently making sure its domain is also enabled. Change-Id: I24e539aea9bb0ef0a22727fd9c1fb5d9d2ad1353 Closes-Bug: 1315556
2014-05-19 12:14:38 -07:00 · 2014-05-19 12:14:38 -07:00 · 5db0ce63f3
parent 93bc881553
commit 5db0ce63f3
2 changed files with 35 additions and 0 deletions
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@ -158,6 +158,10 @@ class AuthInfo(object):
                    project_name, domain_ref['id'])
            else:
                project_ref = self.assignment_api.get_project(project_id)
+                # NOTE(morganfainberg): The _lookup_domain method will raise
+                # exception.Unauthorized if the domain isn't found or is
+                # disabled.
+                self._lookup_domain({'id': project_ref['domain_id']})
        except exception.ProjectNotFound as e:
            LOG.exception(e)
            raise exception.Unauthorized(e)
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -2301,6 +2301,37 @@ class TestAuthJSON(test_v3.RestfulTestCase):
        r = self.post('/auth/tokens', body=auth_data)
        self.assertValidUnscopedTokenResponse(r)

+    def test_disabled_scope_project_domain_result_in_401(self):
+        # create a disabled domain
+        domain = self.new_domain_ref()
+        domain['enabled'] = False
+        self.assignment_api.create_domain(domain['id'], domain)
+
+        # create a project in the disabled domain
+        project = self.new_project_ref(domain_id=domain['id'])
+        self.assignment_api.create_project(project['id'], project)
+
+        # assign some role to self.user for the project in the disabled domain
+        self.assignment_api.add_role_to_user_and_project(
+            self.user['id'],
+            project['id'],
+            self.role_id)
+
+        # user should not be able to auth with project_id
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'],
+            project_id=project['id'])
+        self.post('/auth/tokens', body=auth_data, expected_status=401)
+
+        # user should not be able to auth with project_name & domain
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'],
+            project_name=project['name'],
+            project_domain_id=domain['id'])
+        self.post('/auth/tokens', body=auth_data, expected_status=401)
+

 class TestAuthXML(TestAuthJSON):
    content_type = 'xml'