File 0001-Hide-AccountLocked-exception-from-end-users.patch of Package openstack-keystone-doc
From e9077b4af6331973070e3f80df5984c245b57be5 Mon Sep 17 00:00:00 2001 From: Gage Hugo <gagehugo@gmail.com> Date: Tue, 27 Oct 2020 15:22:04 -0500 Subject: [PATCH] Hide AccountLocked exception from end users This change hides the AccountLocked exception from being returned to the end user to hide sensitive information that a potential malicious person could gain insight from. The notification handler catches the AccountLocked exception as before, but after sending the audit notification, it instead bubbles up Unauthorized rather than AccountLocked. Conflicts: keystone/tests/unit/identity/test_backend_sql.py Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com> Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873 Related-Bug: #1688137 (cherry picked from commit ac2631ae33445877094cdae796fbcdce8833a626) (cherry picked from commit 1b573ae7d1c20e0ebfbde79bbe7538a09589c75d) --- keystone/notifications.py | 2 ++ keystone/tests/unit/common/test_notifications.py | 2 +- keystone/tests/unit/identity/test_backend_sql.py | 10 +++++----- releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml | 8 ++++++++ 4 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml diff --git a/keystone/notifications.py b/keystone/notifications.py index 00ed4f42e..9be5fec5c 100644 --- a/keystone/notifications.py +++ b/keystone/notifications.py @@ -502,6 +502,8 @@ class CadfNotificationWrapper(object): taxonomy.OUTCOME_FAILURE, target, self.event_type, reason=audit_reason) + if isinstance(ex, exception.AccountLocked): + raise exception.Unauthorized raise except Exception: # For authentication failure send a CADF event as well diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py index 722508a27..0f618af00 100644 --- a/keystone/tests/unit/common/test_notifications.py +++ b/keystone/tests/unit/common/test_notifications.py 
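Review bot: The new `raise exception.Unauthorized` in the `isinstance(ex, exception.AccountLocked)` branch only hides the lockout for code paths that go through this `CadfNotificationWrapper` handler, so any other place that lets `AccountLocked` propagate to a client would still leak it; it is worth confirming that every raise of `AccountLocked` reaches the API through this decorator. Even with the type hidden, a lockout check that presumably short-circuits before the password hash is verified leaves a timing difference between a locked account and a wrong password, which this patch does not claim to address. Since the `isinstance` branch silently changes the exception type, add a why-comment such as `# Collapse AccountLocked into a generic Unauthorized so a caller cannot use lockout state as a user/lockout oracle; the CADF event above still records the real reason for operators.`. The original `AccountLocked` stays attached as `__context__` of the new exception, which is fine for server-side logs but should never be rendered to clients. The enclosing `try`/`except` of the wrapper starts before the hunk.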
@@ -760,7 +760,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest): password = uuid.uuid4().hex new_password = uuid.uuid4().hex expected_responses = [AssertionError, AssertionError, AssertionError, - exception.AccountLocked] + exception.Unauthorized] user_ref = unit.new_user_ref(domain_id=self.domain_id, password=password) user_ref = self.identity_api.create_user(user_ref) diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py index 5852a02c3..f9692647e 100644 --- a/keystone/tests/unit/identity/test_backend_sql.py +++ b/keystone/tests/unit/identity/test_backend_sql.py @@ -612,7 +612,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests): password=self.password) # test locking out user after max failed attempts self._fail_auth_repeatedly(self.user['id']) - self.assertRaises(exception.AccountLocked, + self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, self.make_request(), user_id=self.user['id'], @@ -640,7 +640,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests): def test_set_enabled_unlocks_user(self): # lockout user self._fail_auth_repeatedly(self.user['id']) - self.assertRaises(exception.AccountLocked, + self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, self.make_request(), user_id=self.user['id'], @@ -658,7 +658,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests): with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time: # lockout user self._fail_auth_repeatedly(self.user['id']) - self.assertRaises(exception.AccountLocked, + self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, self.make_request(), user_id=self.user['id'], 
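Review bot: Replacing `exception.AccountLocked` with `exception.Unauthorized` in `expected_responses` is a weaker check than before if `AccountLocked` is a subclass of `Unauthorized` (its HTTP 401 semantics suggest it is, though the hierarchy is not visible here): the matcher would then accept the un-converted `AccountLocked` too, and the leak this patch fixes would not be caught by this test. Wherever the list is consumed with an isinstance-style check, pin the exact class for the last attempt, e.g. `self.assertIs(type(exc), exception.Unauthorized)` on the caught exception. The test method continues outside the hunk.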
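Review bot: `self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, ...)` in `LockingOutUserTests` will also pass when the wrapper fails to convert the exception, assuming `AccountLocked` derives from `Unauthorized` as its 401 status implies, so the rewritten assertions no longer protect against a regression of this fix. Capture the exception and rule out the subclass: `exc = self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, ...)` followed by `self.assertNotIsInstance(exc, exception.AccountLocked)`, keeping the existing call arguments. The same change applies to the other `assertRaises` calls this patch rewrites in this file. The test methods start before their hunks.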
@@ -683,7 +683,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests): with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time: # lockout user self._fail_auth_repeatedly(self.user['id']) - self.assertRaises(exception.AccountLocked, + self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, self.make_request(), user_id=self.user['id'], @@ -694,7 +694,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests): # repeat failed auth the max times self._fail_auth_repeatedly(self.user['id']) # test user account is locked - self.assertRaises(exception.AccountLocked, + self.assertRaises(exception.Unauthorized, self.identity_api.authenticate, self.make_request(), user_id=self.user['id'], diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml new file mode 100644 index 000000000..bd7a06069 --- /dev/null +++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_] + Fixed the AccountLocked exception being shown to the end user since + it provides some information that could be exploited by a + malicious user. The end user will now see Unauthorized instead of + AccountLocked, preventing user info oracle exploitation. -- 2.25.1