Comment 9 for bug 1434034

Yukihiro KAWADA (warp-kawada) wrote : Re: Even if the user is disabled, can use the last token is validated

My solution code:

diff --git a/keystone/token/provider.py b/keystone/token/provider.py
index fb41d4b..e4cea63 100644
--- a/keystone/token/provider.py
+++ b/keystone/token/provider.py
@@ -284,6 +284,24 @@ class Manager(manager.Manager):
             # Get the data we need from the correct location (V2 and V3 tokens
             # differ in structure, Try V3 first, fall back to V2 second)
             token_data = token.get('token', token.get('access'))
+
+ user_data = token_data['user']
+ user_ref = self.identity_api.get_user(user_data['id']) ## Y.Kawada
+
+ if not user_ref.get('enabled', True):
+ msg = _('User is disabled: %s') % user_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
+
+ _token_data = token_data.get('token', token_data)
+ project_data = _token_data.get('tenant', _token_data.get('project'))
+ if project_data:
+ project_ref = self.assignment_api.get_project(project_data['id'])
+ if not project_ref.get('enabled', True):
+ msg = _('Project is disabled: %s') % project_ref['id']
+ LOG.warning(msg)
+ raise exception.Unauthorized(msg)
+
             expires_at = token_data.get('expires_at',
                                         token_data.get('expires'))
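
Review bot: The lookup `self.identity_api.get_user(user_data['id'])` runs unconditionally and has no handling for a token whose user the identity backend cannot resolve, and `token_data['user']` is indexed directly, so a token without that key fails with a KeyError rather than Unauthorized. Any exception from `get_user` or `get_project` will escape token validation as something other than the `exception.Unauthorized` raised for the disabled case; it is worth checking whether the v3_federation failures come from tokens whose user id is not present in the identity backend. Suggest using `token_data.get('user')`, catching the not-found case for both the user and the project lookup, and deciding explicitly whether such tokens are rejected or skip the check. Two smaller points: the trailing `## Y.Kawada` author tag should be dropped from the code, and the new block adds an identity and an assignment lookup to every validation, so the added cost should be noted or the lookups cached.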

But run_test.sh reports v3_federation FAILs.