Hide AccountLocked exception from end users

This change stops the AccountLocked exception from being returned
to the end user, so that the distinct error cannot be used by an
attacker as an oracle for account state (locked vs. bad credentials).

The notification handler catches the AccountLocked exception as
before, but after sending the audit notification, it instead
bubbles up Unauthorized rather than AccountLocked.

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>

Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
Related-Bug: #1688137
(cherry picked from commit ac2631ae33)
Gage Hugo 2020-10-27 15:22:04 -05:00
parent f47e635b80
commit f510c806de
4 changed files with 16 additions and 6 deletions


@ -580,6 +580,8 @@ class CadfNotificationWrapper(object):
taxonomy.OUTCOME_FAILURE, taxonomy.OUTCOME_FAILURE,
target, self.event_type, target, self.event_type,
reason=audit_reason) reason=audit_reason)
if isinstance(ex, exception.AccountLocked):
raise exception.Unauthorized
raise raise
except Exception: except Exception:
# For authentication failure send a CADF event as well # For authentication failure send a CADF event as well
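Review bot: The new `isinstance(ex, exception.AccountLocked)` branch at L28 masks the lockout only on this one path through CadfNotificationWrapper, and the `try`/`except` it sits in (including the `ex` binding) starts before the hunk, so any other route that raises AccountLocked toward the API would still disclose it; a mapping at the API error-handling layer would be harder to bypass, though I cannot see from here whether such routes exist. Because the replacement is raised inside the `except`, AccountLocked stays attached as the implicit `__context__` of the new Unauthorized, which is useful for operator logs but worth confirming the API error renderer only serializes the outer exception. The masking correctly happens after the CADF event is emitted with the real `audit_reason` (L27), so the audit trail keeps the true cause. I would make the intent explicit so it is not "fixed" back later: `# Mask the lockout from the caller (bug 1688137): a distinct error would act as an account-state oracle.` above the `if`, and `raise exception.Unauthorized() from ex` so the chaining is deliberate rather than incidental.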


@ -802,7 +802,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
password = uuid.uuid4().hex password = uuid.uuid4().hex
new_password = uuid.uuid4().hex new_password = uuid.uuid4().hex
expected_responses = [AssertionError, AssertionError, AssertionError, expected_responses = [AssertionError, AssertionError, AssertionError,
exception.AccountLocked] exception.Unauthorized]
user_ref = unit.new_user_ref(domain_id=self.domain_id, user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password) password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref) user_ref = PROVIDERS.identity_api.create_user(user_ref)
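Review bot: Changing the last `expected_responses` entry to `exception.Unauthorized` at L40 may weaken the test rather than merely update it: the loop that consumes this list is outside the hunk, so I cannot see how it compares, but if it relies on `assertRaises`/`isinstance` and AccountLocked is a subclass of Unauthorized (the hierarchy is not shown on this page), an AccountLocked that still escapes would satisfy the expectation and a regression of the fix would go unnoticed. Where the list is consumed, pin the exact type, e.g. `self.assertIs(type(exc), expected)`, or add `self.assertNotIsInstance(exc, exception.AccountLocked)` for the final iteration.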


@ -613,7 +613,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
) )
# test locking out user after max failed attempts # test locking out user after max failed attempts
self._fail_auth_repeatedly(self.user['id']) self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked, self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate, PROVIDERS.identity_api.authenticate,
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
@ -642,7 +642,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request(): with self.make_request():
# lockout user # lockout user
self._fail_auth_repeatedly(self.user['id']) self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked, self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate, PROVIDERS.identity_api.authenticate,
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
@ -661,7 +661,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request(): with self.make_request():
# lockout user # lockout user
self._fail_auth_repeatedly(self.user['id']) self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked, self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate, PROVIDERS.identity_api.authenticate,
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
@ -687,7 +687,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with self.make_request(): with self.make_request():
# lockout user # lockout user
self._fail_auth_repeatedly(self.user['id']) self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked, self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate, PROVIDERS.identity_api.authenticate,
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
@ -697,7 +697,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# repeat failed auth the max times # repeat failed auth the max times
self._fail_auth_repeatedly(self.user['id']) self._fail_auth_repeatedly(self.user['id'])
# test user account is locked # test user account is locked
self.assertRaises(exception.AccountLocked, self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate, PROVIDERS.identity_api.authenticate,
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
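Review bot: Each of the five `assertRaises(exception.Unauthorized, ...)` calls (L51, L59, L67, L75, L83) proves less than the old AccountLocked assertion did: if AccountLocked derives from Unauthorized — not shown on this page, but common for a specialised auth error — an unmasked AccountLocked still satisfies `assertRaises`, so these tests would keep passing even if the masking in the notification wrapper regressed. Since the point of the change is that a caller must not be able to tell a lockout from a bad password, the tests should pin the exact type. A small shared assertion keeps the five sites short; the test methods themselves start and end outside the hunks.
```python
    def _assert_lockout_is_masked(self, user_id):
        # The caller must see plain Unauthorized, never AccountLocked
        # (bug 1688137); assertRaises alone would accept a subclass.
        with self.assertRaises(exception.Unauthorized) as cm:
            PROVIDERS.identity_api.authenticate(
                user_id=user_id, password=uuid.uuid4().hex)
        self.assertIs(type(cm.exception), exception.Unauthorized)

    # … unchanged: test setup …
        # test locking out user after max failed attempts
        self._fail_auth_repeatedly(self.user['id'])
        self._assert_lockout_is_masked(self.user['id'])
```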


@ -0,0 +1,8 @@
---
fixes:
- |
[`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
Fixed the AccountLocked exception being shown to the end user since
it provides some information that could be exploited by a
malicious user. The end user will now see Unauthorized instead of
AccountLocked, preventing user info oracle exploitation.