Attempt to scope only to enabled projects

Filter out the disabled projects from the list of projects that
authentication backend will attempt to scope to.

Tests has been updated, the backend will no longer attempts to
scope to disabled projects.

Change-Id: I0fcdcd2ce72cd6580a2985d637c4bbabc60e4377
Closes-Bug: #1223079

2 files changed, 17 insertions, 25 deletions

diff --git a/openstack_auth/backend.py b/openstack_auth/backend.py
index 9ad57df..65bfc83 100644
--- a/openstack_auth/backend.py
+++ b/openstack_auth/backend.py
@@ -135,6 +135,9 @@ class KeystoneBackend(object):
             msg = _('Unable to retrieve authorized projects.')
             raise exceptions.KeystoneAuthException(msg)
 
+        # Attempt to scope only to enabled projects
+        projects = [project for project in projects if project.enabled]
+
         # Abort if there are no projects for this user
         if not projects:
             msg = _('You are not authorized for any projects.')
diff --git a/openstack_auth/tests/tests.py b/openstack_auth/tests/tests.py
index 46dd8e9..2c0c040 100644
--- a/openstack_auth/tests/tests.py
+++ b/openstack_auth/tests/tests.py
@@ -148,17 +148,16 @@ class OpenStackAuthTestsV2(OpenStackAuthTestsMixin, test.TestCase):
     def test_login(self):
         self._login()
 
-    def test_login_with_disabled_tenants(self):
-        # Test to validate that authentication will try to get
-        # scoped token if the first project is disabled.
-        tenants = [self.data.tenant_one, self.data.tenant_two]
+    def test_login_with_disabled_tenant(self):
+        # Test to validate that authentication will not try to get
+        # scoped token for disabled project.
+        tenants = [self.data.tenant_two, self.data.tenant_one]
         user = self.data.user
         unscoped = self.data.unscoped_access_info
 
         form_data = self.get_form_data(user)
         self._mock_unscoped_client_list_tenants(user, tenants)
-        self._mock_client_token_auth_failure(unscoped, self.data.tenant_one.id)
-        self._mock_scoped_client_for_tenant(unscoped, self.data.tenant_two.id)
+        self._mock_scoped_client_for_tenant(unscoped, self.data.tenant_one.id)
         self.mox.ReplayAll()
 
         url = reverse('login')
@@ -180,14 +179,11 @@ class OpenStackAuthTestsV2(OpenStackAuthTestsMixin, test.TestCase):
                          self.client.session['services_region'])
 
     def test_no_enabled_tenants(self):
-        tenants = [self.data.tenant_one, self.data.tenant_two]
+        tenants = [self.data.tenant_two]
         user = self.data.user
-        unscoped = self.data.unscoped_access_info
 
         form_data = self.get_form_data(user)
         self._mock_unscoped_client_list_tenants(user, tenants)
-        self._mock_client_token_auth_failure(unscoped, self.data.tenant_one.id)
-        self._mock_client_token_auth_failure(unscoped, self.data.tenant_two.id)
         self.mox.ReplayAll()
 
         url = reverse('login')
@@ -200,8 +196,7 @@ class OpenStackAuthTestsV2(OpenStackAuthTestsMixin, test.TestCase):
         response = self.client.post(url, form_data)
         self.assertTemplateUsed(response, 'auth/login.html')
         self.assertContains(response,
-                            'Unable to authenticate to any available'
-                            ' projects.')
+                            'You are not authorized for any projects.')
 
     def test_no_tenants(self):
         user = self.data.user
@@ -523,16 +518,16 @@ class OpenStackAuthTestsV3(OpenStackAuthTestsMixin, test.TestCase):
         response = self.client.post(url, form_data)
         self.assertRedirects(response, settings.LOGIN_REDIRECT_URL)
 
-    def test_login_with_disabled_projects(self):
-        projects = [self.data.project_one, self.data.project_two]
+    def test_login_with_disabled_project(self):
+        # Test to validate that authentication will not try to get
+        # scoped token for disabled project.
+        projects = [self.data.project_two, self.data.project_one]
         user = self.data.user
         unscoped = self.data.unscoped_access_info
 
         form_data = self.get_form_data(user)
         self._mock_unscoped_client_list_projects(user, projects)
-        self._mock_client_token_auth_failure(unscoped,
-                                             self.data.project_one.id)
-        self._mock_scoped_client_for_tenant(unscoped, self.data.project_two.id)
+        self._mock_scoped_client_for_tenant(unscoped, self.data.project_one.id)
         self.mox.ReplayAll()
 
         url = reverse('login')
@@ -546,17 +541,12 @@ class OpenStackAuthTestsV3(OpenStackAuthTestsMixin, test.TestCase):
         self.assertRedirects(response, settings.LOGIN_REDIRECT_URL)
 
     def test_no_enabled_projects(self):
-        projects = [self.data.project_one, self.data.project_two]
+        projects = [self.data.project_two]
         user = self.data.user
-        unscoped = self.data.unscoped_access_info
 
         form_data = self.get_form_data(user)
 
         self._mock_unscoped_client_list_projects(user, projects)
-        self._mock_client_token_auth_failure(unscoped,
-                                             self.data.project_one.id)
-        self._mock_client_token_auth_failure(unscoped,
-                                             self.data.project_two.id)
         self.mox.ReplayAll()
 
         url = reverse('login')
@@ -569,8 +559,7 @@ class OpenStackAuthTestsV3(OpenStackAuthTestsMixin, test.TestCase):
         response = self.client.post(url, form_data)
         self.assertTemplateUsed(response, 'auth/login.html')
         self.assertContains(response,
-                            'Unable to authenticate to any available'
-                            ' projects.')
+                            'You are not authorized for any projects.')
 
     def test_no_projects(self):
         user = self.data.user