Merge "Safer check for enabled in trusts"

2014-09-19 02:43:13 +00:00 · 2014-09-19 02:43:13 +00:00 · 70701f61d0
parent b7a24065cb 948d51025f
commit 70701f61d0
4 changed files with 88 additions and 4 deletions
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@ -1121,6 +1121,30 @@ class AuthWithTrust(AuthTest):
            new_trust['id'],
            validate_response['access']['trust']['id'])

+    def disable_user(self, user):
+        user['enabled'] = False
+        self.identity_api.update_user(user['id'], user)
+
+    def test_trust_get_token_fails_if_trustor_disabled(self):
+        new_trust = self.create_trust(self.sample_data, self.trustor['name'])
+        request_body = self.build_v2_token_request(self.trustee['name'],
+                                                   self.trustee['password'],
+                                                   new_trust)
+        self.disable_user(self.trustor)
+        self.assertRaises(
+            exception.Forbidden,
+            self.controller.authenticate, {}, request_body)
+
+    def test_trust_get_token_fails_if_trustee_disabled(self):
+        new_trust = self.create_trust(self.sample_data, self.trustor['name'])
+        request_body = self.build_v2_token_request(self.trustee['name'],
+                                                   self.trustee['password'],
+                                                   new_trust)
+        self.disable_user(self.trustee)
+        self.assertRaises(
+            exception.Unauthorized,
+            self.controller.authenticate, {}, request_body)
+

 class TokenExpirationTest(AuthTest):

--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@ -3242,6 +3242,64 @@ class TestTrustAuth(test_v3.RestfulTestCase):
        self.head('/auth/tokens', headers=headers, expected_status=404)
        self.assertTrustTokensRevoked(trust_id)

+    def disable_user(self, user):
+        user['enabled'] = False
+        self.identity_api.update_user(user['id'], user)
+
+    def test_trust_get_token_fails_if_trustor_disabled(self):
+        ref = self.new_trust_ref(
+            trustor_user_id=self.user_id,
+            trustee_user_id=self.trustee_user_id,
+            project_id=self.project_id,
+            impersonation=False,
+            expires=dict(minutes=1),
+            role_ids=[self.role_id])
+
+        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
+
+        trust = self.assertValidTrustResponse(r, ref)
+
+        auth_data = self.build_authentication_request(
+            user_id=self.trustee_user['id'],
+            password=self.trustee_user['password'],
+            trust_id=trust['id'])
+        self.v3_authenticate_token(auth_data, expected_status=201)
+
+        self.disable_user(self.user)
+
+        auth_data = self.build_authentication_request(
+            user_id=self.trustee_user['id'],
+            password=self.trustee_user['password'],
+            trust_id=trust['id'])
+        self.v3_authenticate_token(auth_data, expected_status=403)
+
+    def test_trust_get_token_fails_if_trustee_disabled(self):
+        ref = self.new_trust_ref(
+            trustor_user_id=self.user_id,
+            trustee_user_id=self.trustee_user_id,
+            project_id=self.project_id,
+            impersonation=False,
+            expires=dict(minutes=1),
+            role_ids=[self.role_id])
+
+        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
+
+        trust = self.assertValidTrustResponse(r, ref)
+
+        auth_data = self.build_authentication_request(
+            user_id=self.trustee_user['id'],
+            password=self.trustee_user['password'],
+            trust_id=trust['id'])
+        self.v3_authenticate_token(auth_data, expected_status=201)
+
+        self.disable_user(self.trustee_user)
+
+        auth_data = self.build_authentication_request(
+            user_id=self.trustee_user['id'],
+            password=self.trustee_user['password'],
+            trust_id=trust['id'])
+        self.v3_authenticate_token(auth_data, expected_status=401)
+
    def test_delete_trust(self):
        ref = self.new_trust_ref(
            trustor_user_id=self.user_id,
--- a/keystone/token/controllers.py
+++ b/keystone/token/controllers.py
@ -199,16 +199,16 @@ class Auth(controller.V2Controller):
            if ('expires' in trust_ref) and (trust_ref['expires']):
                expiry = trust_ref['expires']
                if expiry < timeutils.parse_isotime(timeutils.isotime()):
-                    raise exception.Forbidden()()
+                    raise exception.Forbidden()
            user_id = trust_ref['trustor_user_id']
            trustor_user_ref = self.identity_api.get_user(
                trust_ref['trustor_user_id'])
            if not trustor_user_ref['enabled']:
-                raise exception.Forbidden()()
+                raise exception.Forbidden()
            trustee_user_ref = self.identity_api.get_user(
                trust_ref['trustee_user_id'])
            if not trustee_user_ref['enabled']:
-                raise exception.Forbidden()()
+                raise exception.Forbidden()

            if trust_ref['impersonation'] is True:
                current_user_ref = trustor_user_ref
--- a/keystone/token/providers/common.py
+++ b/keystone/token/providers/common.py
@ -221,7 +221,9 @@ class V3TokenDataHelper(object):
        if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
            trustor_user_ref = (self.identity_api.get_user(
                                trust['trustor_user_id']))
-            if not trustor_user_ref['enabled']:
+            try:
+                self.identity_api.assert_user_enabled(trust['trustor_user_id'])
+            except AssertionError:
                raise exception.Forbidden(_('Trustor is disabled.'))
            if trust['impersonation']:
                user_ref = trustor_user_ref