Merge "Safer check for enabled in trusts"
commit
70701f61d0
|
@ -1121,6 +1121,30 @@ class AuthWithTrust(AuthTest):
|
|||
new_trust['id'],
|
||||
validate_response['access']['trust']['id'])
|
||||
|
||||
def disable_user(self, user):
|
||||
user['enabled'] = False
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
|
||||
def test_trust_get_token_fails_if_trustor_disabled(self):
|
||||
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
||||
request_body = self.build_v2_token_request(self.trustee['name'],
|
||||
self.trustee['password'],
|
||||
new_trust)
|
||||
self.disable_user(self.trustor)
|
||||
self.assertRaises(
|
||||
exception.Forbidden,
|
||||
self.controller.authenticate, {}, request_body)
|
||||
|
||||
def test_trust_get_token_fails_if_trustee_disabled(self):
|
||||
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
||||
request_body = self.build_v2_token_request(self.trustee['name'],
|
||||
self.trustee['password'],
|
||||
new_trust)
|
||||
self.disable_user(self.trustee)
|
||||
self.assertRaises(
|
||||
exception.Unauthorized,
|
||||
self.controller.authenticate, {}, request_body)
|
||||
|
||||
|
||||
class TokenExpirationTest(AuthTest):
|
||||
|
||||
|
|
|
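Review bot: `disable_user` pushes the whole fixture dict back through `update_user`, so anything else in it (the v2 fixtures carry a `password` key, see `self.trustee['password']` a few lines below) is re-submitted along with the flag flip; the trustee test then expects a 401 that could in principle be caused by a password re-write rather than by `enabled=False`, depending on how update_user treats a password field, which is not visible here. A narrower helper removes that ambiguity and also stops the in-place mutation of the shared fixture: `def disable_user(self, user):` / `    self.identity_api.update_user(user['id'], {'enabled': False})`. The identical helper is added again in the second hunk (the TestTrustAuth section) and would benefit from the same change.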
@ -3242,6 +3242,64 @@ class TestTrustAuth(test_v3.RestfulTestCase):
|
|||
self.head('/auth/tokens', headers=headers, expected_status=404)
|
||||
self.assertTrustTokensRevoked(trust_id)
|
||||
|
||||
def disable_user(self, user):
|
||||
user['enabled'] = False
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
|
||||
def test_trust_get_token_fails_if_trustor_disabled(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
trustee_user_id=self.trustee_user_id,
|
||||
project_id=self.project_id,
|
||||
impersonation=False,
|
||||
expires=dict(minutes=1),
|
||||
role_ids=[self.role_id])
|
||||
|
||||
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
|
||||
|
||||
trust = self.assertValidTrustResponse(r, ref)
|
||||
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.trustee_user['id'],
|
||||
password=self.trustee_user['password'],
|
||||
trust_id=trust['id'])
|
||||
self.v3_authenticate_token(auth_data, expected_status=201)
|
||||
|
||||
self.disable_user(self.user)
|
||||
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.trustee_user['id'],
|
||||
password=self.trustee_user['password'],
|
||||
trust_id=trust['id'])
|
||||
self.v3_authenticate_token(auth_data, expected_status=403)
|
||||
|
||||
def test_trust_get_token_fails_if_trustee_disabled(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
trustee_user_id=self.trustee_user_id,
|
||||
project_id=self.project_id,
|
||||
impersonation=False,
|
||||
expires=dict(minutes=1),
|
||||
role_ids=[self.role_id])
|
||||
|
||||
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
|
||||
|
||||
trust = self.assertValidTrustResponse(r, ref)
|
||||
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.trustee_user['id'],
|
||||
password=self.trustee_user['password'],
|
||||
trust_id=trust['id'])
|
||||
self.v3_authenticate_token(auth_data, expected_status=201)
|
||||
|
||||
self.disable_user(self.trustee_user)
|
||||
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.trustee_user['id'],
|
||||
password=self.trustee_user['password'],
|
||||
trust_id=trust['id'])
|
||||
self.v3_authenticate_token(auth_data, expected_status=401)
|
||||
|
||||
def test_delete_trust(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
|
|
|
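Review bot: Both new tests build `auth_data` twice with identical arguments (the second `build_authentication_request` after `disable_user` repeats the first verbatim); reusing the first `auth_data` for the second `v3_authenticate_token` call makes it clear that only the user state changed between the 201 and the failure. The asymmetry in the expected status, 403 when the trustor is disabled but 401 when the trustee is disabled, is the interesting contract here and deserves a one-line comment in each test; presumably the trustee case fails at credential validation because the trustee is the authenticating principal, while the trustor case fails at trust authorization, but that reasoning is not visible in this hunk and should be confirmed against the auth code before writing it down. `test_delete_trust` continues outside the hunk.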
@ -199,16 +199,16 @@ class Auth(controller.V2Controller):
|
|||
if ('expires' in trust_ref) and (trust_ref['expires']):
|
||||
expiry = trust_ref['expires']
|
||||
if expiry < timeutils.parse_isotime(timeutils.isotime()):
|
||||
raise exception.Forbidden()()
|
||||
raise exception.Forbidden()
|
||||
user_id = trust_ref['trustor_user_id']
|
||||
trustor_user_ref = self.identity_api.get_user(
|
||||
trust_ref['trustor_user_id'])
|
||||
if not trustor_user_ref['enabled']:
|
||||
raise exception.Forbidden()()
|
||||
raise exception.Forbidden()
|
||||
trustee_user_ref = self.identity_api.get_user(
|
||||
trust_ref['trustee_user_id'])
|
||||
if not trustee_user_ref['enabled']:
|
||||
raise exception.Forbidden()()
|
||||
raise exception.Forbidden()
|
||||
|
||||
if trust_ref['impersonation'] is True:
|
||||
current_user_ref = trustor_user_ref
|
||||
|
|
|
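Review bot: The three `['enabled']` checks in this v2 controller are still direct dict reads after the `Forbidden()()` typo fix, while the V3 helper in this same commit switches to `identity_api.assert_user_enabled`; the two token paths now enforce the same rule with different code, and a user record without an `enabled` key would surface here as a KeyError (a 500) instead of a 403, unless assert_user_enabled has the same gap, which cannot be seen from this hunk. Using the shared helper in both places keeps the check in one spot. `trustor_user_ref` and `trustee_user_ref` are kept because the impersonation branch below uses them. The enclosing method starts and ends outside the hunk.
```python
        user_id = trust_ref['trustor_user_id']
        trustor_user_ref = self.identity_api.get_user(user_id)
        trustee_user_ref = self.identity_api.get_user(
            trust_ref['trustee_user_id'])
        # Same enabled check as V3TokenDataHelper; a disabled party on
        # either side of the trust is a 403, not a KeyError.
        for subject_id in (user_id, trust_ref['trustee_user_id']):
            try:
                self.identity_api.assert_user_enabled(subject_id)
            except AssertionError:
                raise exception.Forbidden()
        # … unchanged: impersonation handling …
```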
@ -221,7 +221,9 @@ class V3TokenDataHelper(object):
|
|||
if CONF.trust.enabled and trust and 'OS-TRUST:trust' not in token_data:
|
||||
trustor_user_ref = (self.identity_api.get_user(
|
||||
trust['trustor_user_id']))
|
||||
if not trustor_user_ref['enabled']:
|
||||
try:
|
||||
self.identity_api.assert_user_enabled(trust['trustor_user_id'])
|
||||
except AssertionError:
|
||||
raise exception.Forbidden(_('Trustor is disabled.'))
|
||||
if trust['impersonation']:
|
||||
user_ref = trustor_user_ref
|
||||
|
|
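Review bot: `trustor_user_ref` is still fetched with `get_user` two lines above the new `try`, and `assert_user_enabled` looks the same user up again, so the enabled check now costs two identity backend calls per token; if the ref is only needed for the impersonation branch, fetching it after the check (or having the helper return it) avoids the duplicate. Catching `AssertionError` also deserves a short comment, e.g. `# assert_user_enabled raises AssertionError for a disabled user; map it to 403`, and it is worth confirming that the helper raises explicitly rather than via a bare `assert`, since a bare assert would be stripped under `python -O` and the check would silently disappear. Only the trustor is checked here; the disabled-trustee case is covered by the 401 in the new test, presumably at credential validation, which is outside this hunk.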