
From 902b023d4142499c0463c2989a1142dd5e15adce Mon Sep 17 00:00:00 2001
From: Gage Hugo <gagehugo@gmail.com>
Date: Tue, 27 Oct 2020 15:22:04 -0500
Subject: [PATCH] Hide AccountLocked exception from end users

This change hides the AccountLocked exception from being returned
to the end user: distinguishing a locked account from a wrong password
is sensitive information that an attacker could use to probe accounts.

The notification handler catches the AccountLocked exception as
before, but after sending the audit notification, it instead
bubbles up Unauthorized rather than AccountLocked.

Conflicts:
  keystone/tests/unit/identity/test_backend_sql.py

Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
Related-Bug: #1688137
(cherry picked from commit ac2631ae33445877094cdae796fbcdce8833a626)
(cherry picked from commit 1b573ae7d1c20e0ebfbde79bbe7538a09589c75d)
---
 keystone/notifications.py                            |  2 ++
 keystone/tests/unit/common/test_notifications.py     |  2 +-
 keystone/tests/unit/identity/test_backend_sql.py     | 10 +++++-----
 releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml |  8 ++++++++
 4 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml

diff --git a/keystone/notifications.py b/keystone/notifications.py
index 9b83716ac..feb9fcacd 100644
--- a/keystone/notifications.py
+++ b/keystone/notifications.py
@@ -534,6 +534,8 @@ class CadfNotificationWrapper(object):
                                          taxonomy.OUTCOME_FAILURE,
                                          target, self.event_type,
                                          reason=audit_reason)
+                if isinstance(ex, exception.AccountLocked):
+                    raise exception.Unauthorized
                 raise
             except Exception:
                 # For authentication failure send a CADF event as well
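Review bot: The new `raise exception.Unauthorized` on the two added lines runs inside an `except ... as ex` handler (assuming that is how `ex` is bound; the handler opens above the hunk), so Python attaches the original AccountLocked as `__context__`, and a full traceback rendered with exc_info or in debug mode will still print the lockout reason — only the exception type surfaced to the caller is generalized. That is acceptable for operator-side logs and consistent with the CADF notification sent just above, but the intent should be stated so a later refactor neither "fixes" the mapping away nor strips the context operators rely on: `# Collapse AccountLocked into a generic Unauthorized so the API response cannot be used as a lockout / user-enumeration oracle; the CADF notification above already records the real reason for operators.` Raising the class rather than an instance (`exception.Unauthorized()`) also drops whatever message the original AccountLocked carried, which is the desired effect here and worth a word in that comment. The enclosing wrapper method begins and ends outside this hunk.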
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index 86dbc8246..ceff5ed1c 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -768,7 +768,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
         password = uuid.uuid4().hex
         new_password = uuid.uuid4().hex
         expected_responses = [AssertionError, AssertionError, AssertionError,
-                              exception.AccountLocked]
+                              exception.Unauthorized]
         user_ref = unit.new_user_ref(domain_id=self.domain_id,
                                      password=password)
         user_ref = PROVIDERS.identity_api.create_user(user_ref)
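Review bot: Changing the last expected response to `exception.Unauthorized` weakens this check if AccountLocked is a subclass of Unauthorized, which is not visible here but is how keystone's auth exceptions are commonly arranged: an isinstance-style comparison of `expected_responses` would then accept the very AccountLocked the commit is meant to hide, so the test could not catch a regression. The code that consumes `expected_responses` lies outside the hunk, so whether it compares by exact type or by isinstance cannot be seen; if it is the latter, add an explicit negative assertion on the final attempt, e.g. `self.assertNotIsInstance(caught, exception.AccountLocked)` where `caught` is the exception the helper collects. The enclosing test method continues past the hunk.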
diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
index e05cabd24..3b1cf7cd0 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -578,7 +578,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
         )
         # test locking out user after max failed attempts
         self._fail_auth_repeatedly(self.user['id'])
-        self.assertRaises(exception.AccountLocked,
+        self.assertRaises(exception.Unauthorized,
                           PROVIDERS.identity_api.authenticate,
                           self.make_request(),
                           user_id=self.user['id'],
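Review bot: `assertRaises(exception.Unauthorized, ...)` on the changed line passes for any subclass, so if AccountLocked derives from Unauthorized (not shown here, but likely for keystone's auth exceptions) this assertion no longer proves the lockout is hidden — the pre-change behaviour would satisfy it just as well. Capture the exception and assert the narrower type did not escape: wrap the authenticate call in `with self.assertRaises(exception.Unauthorized) as cm:` and follow it with `self.assertNotIsInstance(cm.exception, exception.AccountLocked)`. The same pattern applies to the four sibling hunks below that make the identical substitution. The `authenticate` call's argument list and the test method continue past the hunk.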
@@ -607,7 +607,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
     def test_set_enabled_unlocks_user(self):
         # lockout user
         self._fail_auth_repeatedly(self.user['id'])
-        self.assertRaises(exception.AccountLocked,
+        self.assertRaises(exception.Unauthorized,
                           PROVIDERS.identity_api.authenticate,
                           self.make_request(),
                           user_id=self.user['id'],
@@ -626,7 +626,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
         with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
             # lockout user
             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               self.make_request(),
                               user_id=self.user['id'],
@@ -652,7 +652,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
         with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
             # lockout user
             self._fail_auth_repeatedly(self.user['id'])
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               self.make_request(),
                               user_id=self.user['id'],
@@ -663,7 +663,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
             # repeat failed auth the max times
             self._fail_auth_repeatedly(self.user['id'])
             # test user account is locked
-            self.assertRaises(exception.AccountLocked,
+            self.assertRaises(exception.Unauthorized,
                               PROVIDERS.identity_api.authenticate,
                               self.make_request(),
                               user_id=self.user['id'],
diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
new file mode 100644
index 000000000..bd7a06069
--- /dev/null
+++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
+    Fixed the AccountLocked exception being shown to the end user since
+    it provides some information that could be exploited by a
+    malicious user. The end user will now see Unauthorized instead of
+    AccountLocked, preventing user info oracle exploitation.
-- 
2.25.1
