diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py index e96575d..0ad21b2 100644 --- a/keystone/contrib/ec2/core.py +++ b/keystone/contrib/ec2/core.py @@ -111,7 +111,8 @@ class Ec2Controller(controller.V2Controller): if not utils.auth_str_equal(credentials.signature, signature): raise exception.Unauthorized(message='Invalid EC2 signature.') else: - raise exception.Unauthorized(message='EC2 signature not supplied.') + raise exception.ValidationError(attribute='signature', + target='credentials') def authenticate(self, context, credentials=None, ec2Credentials=None): """Validate a signed EC2 request and provide a token. @@ -141,7 +142,8 @@ class Ec2Controller(controller.V2Controller): credentials = ec2Credentials if 'access' not in credentials: - raise exception.Unauthorized(message='EC2 signature not supplied.') + raise exception.ValidationError(attribute='access', + target='credentials') creds_ref = self._get_credentials(context, credentials['access']) @@ -161,6 +163,10 @@ class Ec2Controller(controller.V2Controller): user_id=user_ref['id'], tenant_id=tenant_ref['id']) + # Validate that the auth info is valid and nothing is disabled + auth_info = (user_ref, tenant_ref, metadata_ref) + token.validate_auth_info(self, context, auth_info) + # TODO(termie): optimize this call at some point and put it into the # the return for metadata # fill out the roles in the metadata diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index 6213402..ef31180 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py 
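Review bot: The docstring of `authenticate`, which opens at the end of this hunk, should record that a request with no signature now fails with ValidationError (a client error) rather than Unauthorized, while a signature that is present but wrong still raises `Unauthorized(message='Invalid EC2 signature.')` in the branch just above; callers that previously caught only Unauthorized for the missing-signature case will see a different exception. Suggested addition to the docstring: `Raises ValidationError if the credentials lack an access key or signature, and Unauthorized if the signature does not verify.` The method that holds the `else:` branch starts before the hunk and `authenticate` continues past it.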
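Review bot: The new `if 'access' not in credentials:` check assumes `credentials` is a mapping, but the line above it falls back with `credentials = ec2Credentials`; if neither argument was supplied (both default to None) the membership test raises TypeError and the request fails with a server error instead of the intended ValidationError. The condition guarding that fallback is outside the hunk, so this may already be excluded, but a defensive form costs one line: `if not credentials or 'access' not in credentials:`. The rest of `authenticate` lies outside this hunk.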
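Review bot: The call `token.validate_auth_info(self, context, auth_info)` resolves through the `token` package while the function is defined in `keystone/token/core.py`; that works only if `keystone/token/__init__.py` re-exports the names of `core`, which this diff does not show, so confirm it or import from `keystone.token.core` directly as controllers.py does with `core.validate_auth_info`. The comment `# Validate that the auth info is valid and nothing is disabled` restates the function name; a comment on why it sits here reads better: `# Refuse to issue a token for a disabled user, project or domain (same checks as password auth)`. `authenticate` continues beyond the hunk.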
@@ -76,45 +76,10 @@ class Auth(controller.V2Controller): auth_token_data, auth_info = self._authenticate_local( context, auth) + core.validate_auth_info(self, context, auth_info) user_ref, tenant_ref, metadata_ref = auth_info - # If the user is disabled don't allow them to authenticate - if not user_ref.get('enabled', True): - msg = 'User is disabled: %s' % user_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - - # If the user's domain is disabled don't allow them to authenticate - # TODO(dolph): remove this check after default-domain migration - if user_ref.get('domain_id') is not None: - user_domain_ref = self.identity_api.get_domain( - context, - user_ref['domain_id']) - if user_domain_ref and not user_domain_ref.get('enabled', True): - msg = 'Domain is disabled: %s' % user_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - if tenant_ref: - # If the project is disabled don't allow them to authenticate - if not tenant_ref.get('enabled', True): - msg = 'Tenant is disabled: %s' % tenant_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - - # If the project's domain is disabled don't allow them to - # authenticate - # TODO(dolph): remove this check after default-domain migration - if tenant_ref.get('domain_id') is not None: - project_domain_ref = self.identity_api.get_domain( - context, - tenant_ref['domain_id']) - if (project_domain_ref and - not project_domain_ref.get('enabled', True)): - msg = 'Domain is disabled: %s' % project_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - catalog_ref = self.catalog_api.get_catalog( context=context, user_id=user_ref['id'], diff --git a/keystone/token/core.py b/keystone/token/core.py index 68bd94c..5f8d67f 100644 --- a/keystone/token/core.py +++ b/keystone/token/core.py 
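Review bot: `core.validate_auth_info(self, context, auth_info)` is placed directly after `_authenticate_local`, which keeps the disabled-user/tenant/domain checks at the same point the removed inline code occupied, but the name `_authenticate_local` suggests it is one of several authentication paths; if `authenticate` also produces `auth_info` through other helpers (for example a token- or external-based path) outside this hunk, verify each of those paths still reaches this call, because a path that skips it would issue tokens to disabled accounts. With the inline checks gone, `exception` and `LOG` may no longer be referenced in this module; check whether their imports are now unused. The enclosing `authenticate` method begins before the hunk and ends after it.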
@@ -20,12 +20,14 @@ import datetime from keystone.common import cms from keystone.common import dependency +from keystone.common import logging from keystone.common import manager from keystone import config from keystone import exception from keystone.openstack.common import timeutils +LOG = logging.getLogger(__name__) CONF = config.CONF config.register_int('expiration', group='token', default=86400) 
@@ -55,6 +57,55 @@ def default_expire_time(): return timeutils.utcnow() + expire_delta +def validate_auth_info(self, context, auth_info): + """Validate user, tenant, metadata auth_info. + + Validate the user, tenant and metadata auth_into in order to ensure + that user, tenant, or metadata information is valid and not disabled. + Consolidate the checks here to ensure consistency between token auth + and ec2 auth. + + """ + user_ref, tenant_ref, metadata_ref = auth_info + # If the user is disabled don't allow them to authenticate + if not user_ref.get('enabled', True): + msg = 'User is disabled: %s' % user_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + + # If the user's domain is disabled don't allow them to authenticate + # TODO(dolph): remove this check after default-domain migration + if user_ref.get('domain_id') is not None: + user_domain_ref = self.identity_api.get_domain( + context, + user_ref['domain_id']) + if user_domain_ref and not user_domain_ref.get('enabled', True): + msg = 'Domain is disabled: %s' % user_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + + if tenant_ref: + # If the project is disabled don't allow them to authenticate + if not tenant_ref.get('enabled', True): + msg = 'Tenant is disabled: %s' % tenant_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + + # If the project's domain is disabled don't allow them to + # authenticate + # TODO(dolph): remove this check after default-domain migration + if tenant_ref.get('domain_id') is not None: + project_domain_ref = self.identity_api.get_domain( + context, + tenant_ref['domain_id']) + if (project_domain_ref and + not project_domain_ref.get('enabled', True)): + msg = 'Domain is disabled: %s' % project_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + return + + @dependency.provider('token_api') class Manager(manager.Manager): """Default pivot point for the Token backend.
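Review bot: `validate_auth_info` is a module-level function yet its first parameter is named `self`; it uses that argument only for `self.identity_api.get_domain(...)`, so the signature should say what it actually needs, e.g. `def validate_auth_info(controller, context, auth_info):` with the two lookups changed to `controller.identity_api.get_domain(...)` — both callers in this commit pass the argument positionally, so no call site changes. The docstring has a typo (`auth_into` for `auth_info`) and should document the contract rather than repeat the summary, for instance: raises `Unauthorized` when the user, the user's domain, the tenant, or the tenant's domain has `enabled` set to false; `metadata_ref` is unpacked but never checked, so either note that or drop it from the description. The bare `return` on the last line does nothing and can go. Note that each `Unauthorized(msg)` message carries the user, tenant or domain id back to the caller; that is only reachable after credentials have been accepted, but a generic client message with the id kept in the `LOG.warning` line would disclose less.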