From 4c639648850a2b7e6dd409e765d238f80cae1047 Mon Sep 17 00:00:00 2001
From: Gage Hugo
Date: Thu, 26 Jul 2018 14:07:44 -0500
Subject: [PATCH] Hide AccountLocked exception from end users
This change hides the AccountLocked exception from being returned to the end user to hide sensitive information that a potential malicious person could gain information from. The notification handler catches the AccountLocked exception as before, but after sending the audit notification, it instead bubbles up Unauthorized rather than AccountLocked.
Co-Authored-By: Samuel de Medeiros Queiroz
Change-Id: I730d57f6547b8e263c1c4d379454a199e781b552
---
keystone/notifications.py | 2 ++
keystone/tests/unit/common/test_notifications.py | 2 +-
keystone/tests/unit/identity/test_backend_sql.py | 10 +++++-----
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/keystone/notifications.py b/keystone/notifications.py
index 3a32865c0..12f254798 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -528,6 +528,8 @@ class CadfNotificationWrapper(object):
taxonomy.OUTCOME_FAILURE, target, self.event_type, reason=audit_reason)
+ if isinstance(ex, exception.AccountLocked):
+ raise exception.Unauthorized
raise
except Exception:
# For authentication failure send a CADF event as well
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index 90eb0f090..9d355f076 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -768,7 +768,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
password = uuid.uuid4().hex
new_password = uuid.uuid4().hex
expected_responses = [AssertionError, AssertionError, AssertionError,
- exception.AccountLocked]
+ exception.Unauthorized]
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
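Review bot: The new `raise exception.Unauthorized` in the AccountLocked branch has no comment saying why the specific exception is deliberately dropped, so a later reader may "fix" it back to re-raising ex; suggest `# Degrade to a generic Unauthorized on purpose: telling the caller the account is locked would confirm a valid user id. The CADF notification above still records the real reason for operators.` On Python 3 the original AccountLocked stays attached as `__context__` of the new exception, which is fine for server-side logging but means any error layer that serializes the exception chain to the client would undo the hiding — worth confirming in the HTTP error handling, which is not shown here. The mapping only covers code paths that pass through this wrapper; an AccountLocked raised on a path without it would presumably still reach the client unless the exception-to-response layer maps it as well. As a minor style point, the file's surrounding code raises with an explicit call, so `raise exception.Unauthorized()` would read more consistently. The enclosing except handler begins and the wrapped function ends outside this hunk.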
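Review bot: Changing the last entry of expected_responses to `exception.Unauthorized` does not by itself prove that AccountLocked is hidden: if AccountLocked derives from Unauthorized in keystone.exception (not visible in this patch), an isinstance-based check such as assertRaises accepts the pre-patch behaviour as well, so this test would pass with or without the notifications.py change. Consider an exact-type assertion where the loop consuming expected_responses catches the exception, e.g. `self.assertIs(type(e), exception.Unauthorized)` or `self.assertNotIsInstance(e, exception.AccountLocked)`. The code that iterates expected_responses lies outside the hunk.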
diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
index e05cabd24..3b1cf7cd0 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -578,7 +578,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
)
# test locking out user after max failed attempts
self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
@@ -607,7 +607,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
def test_set_enabled_unlocks_user(self):
# lockout user
self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
@@ -626,7 +626,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
# lockout user
self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
@@ -652,7 +652,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
# lockout user
self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
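Review bot: Replacing `assertRaises(exception.AccountLocked, ...)` with `assertRaises(exception.Unauthorized, ...)` at line 578 weakens the assertion rather than pinning the new behaviour: assertRaises accepts subclasses, so if AccountLocked derives from Unauthorized (not visible in this patch) the pre-patch code satisfies it too, and the comment "test locking out user after max failed attempts" is no longer backed by a check that a lockout, rather than an ordinary bad-credential failure, occurred. The same applies to the hunks at 607, 626, 652 and 663. A tighter form is to keep the catch as a context manager, `with self.assertRaises(exception.Unauthorized) as cm:` around the authenticate call, and then assert the specific type was not leaked, `self.assertNotIsInstance(cm.exception, exception.AccountLocked)`; pairing that with an existing lockout-state check (the helper `_fail_auth_repeatedly` and the rest of each test method are outside the hunks) would restore the lost coverage.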
@@ -663,7 +663,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# repeat failed auth the max times
self._fail_auth_repeatedly(self.user['id'])
# test user account is locked
- self.assertRaises(exception.AccountLocked,
+ self.assertRaises(exception.Unauthorized,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
-- 
2.17.1