| author | Yogeshwar Srikrishnan <yoga80@yahoo.com> | 2011-10-14 13:56:00 -0500 |
|---|---|---|
| committer | Yogeshwar Srikrishnan <yoga80@yahoo.com> | 2011-10-18 17:09:02 -0500 |
| commit | 831a755a77a2c293d1557031d367d9f8633a4e63 (patch) | |
| tree | debdcd6a2d1c5bc722b006a120294b04a4d76522 | |
| parent | 8c1311f7264ba5de91f461bb3aaf230d2b44db6c (diff) | |
Resubmitting change.
Fixing issue #843226.
Changes to throw appropriate faults during token validation.
Change-Id: I2e26fc846913910815fc3cceb9748a9a2a5ec1f9
| -rwxr-xr-x | examples/echo/echo_client.py | 6 | ||||
| -rw-r--r-- | keystone/frontends/legacy_token_auth.py | 2 | ||||
| -rwxr-xr-x | keystone/logic/service.py | 35 | ||||
| -rwxr-xr-x | keystone/middleware/swift_auth.py | 2 | ||||
| -rwxr-xr-x | keystone/test/functional/test_endpoints.py | 18 | ||||
| -rwxr-xr-x | keystone/test/functional/test_roles.py | 20 | ||||
| -rwxr-xr-x | keystone/test/functional/test_services.py | 8 | ||||
| -rwxr-xr-x | keystone/test/functional/test_tenants.py | 4 | ||||
| -rwxr-xr-x | keystone/test/functional/test_token.py | 14 | ||||
| -rwxr-xr-x | keystone/test/functional/test_users.py | 18 |
10 files changed, 66 insertions, 61 deletions
diff --git a/examples/echo/echo_client.py b/examples/echo/echo_client.py index e83df5f6..eebb48de 100755 --- a/examples/echo/echo_client.py +++ b/examples/echo/echo_client.py @@ -23,7 +23,7 @@ import json def get_auth_token(username, password, tenant): - headers = {"Content-type": "application/json", "Accept": "text/json"} + headers = {"Content-type": "application/json", "Accept": "application/json"} params = {"passwordCredentials": {"username": username, "password": password, "tenantId": tenant}} @@ -39,7 +39,7 @@ def get_auth_token(username, password, tenant): def call_service(token): headers = {"X-Auth-Token": token, "Content-type": "application/json", - "Accept": "text/json"} + "Accept": "application/json"} params = '{"ping": "abcdefg"}' conn = httplib.HTTPConnection("localhost:8090") conn.request("POST", "/", params, headers=headers) @@ -53,7 +53,7 @@ def hack_attempt(token): # Injecting headers in the request headers = {"X-Auth-Token": token, "Content-type": "application/json", - "Accept": "text/json\nX_AUTHORIZATION: someone else\n" + "Accept": "application/json\nX_AUTHORIZATION: someone else\n" "X_IDENTITY_STATUS: Confirmed\nINJECTED_HEADER: aha!"} params = '{"ping": "abcdefg"}' conn = httplib.HTTPConnection("localhost:8090") diff --git a/keystone/frontends/legacy_token_auth.py b/keystone/frontends/legacy_token_auth.py index 239c3580..1577d587 100644 --- a/keystone/frontends/legacy_token_auth.py +++ b/keystone/frontends/legacy_token_auth.py @@ -68,7 +68,7 @@ class AuthProtocol(object): new_request = Request.blank('/tokens') new_request.method = 'POST' new_request.headers['Content-type'] = 'application/json' - new_request.accept = 'text/json' + new_request.accept = 'application/json' new_request.body = json.dumps(params) response = new_request.get_response(self.app) #Handle failures. diff --git a/keystone/logic/service.py b/keystone/logic/service.py index 6eb260e3..ab7a6ec0 100755 --- a/keystone/logic/service.py +++ b/keystone/logic/service.py 
@@ -146,20 +146,9 @@ class IdentityService(object):
 def validate_token(self, admin_token, token_id, belongs_to=None):
 self.__validate_service_or_keystone_admin_token(admin_token)
-
- if not api.TOKEN.get(token_id):
- raise fault.UnauthorizedFault("Bad token, please reauthenticate")
- (token, user) = self.__validate_token(token_id, belongs_to)
+ (token, user) = self.__validate_token(token_id, belongs_to, True)
 return self.__get_validate_data(token, user)
- def check_token(self, admin_token, token_id, belongs_to=None):
- self.__validate_service_or_keystone_admin_token(admin_token)
-
- if not api.TOKEN.get(token_id):
- raise fault.UnauthorizedFault("Bad token, please reauthenticate")
-
- self.__validate_token(token_id, belongs_to)
-
 def revoke_token(self, admin_token, token_id):
 self.__validate_admin_token(admin_token)
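Review bot: `check_token` is deleted from `IdentityService` in this hunk, yet none of the ten files in the commit is a controller or router, so whichever handler served the token-check call must already be using `validate_token`; if anything still calls `check_token` it will fail at request time instead of returning a fault, which is worth confirming before merge. In the rewritten `validate_token`, the bare positional `True` hides what the flag means; `(token, user) = self.__validate_token(token_id, belongs_to, is_check_token=True)` reads unambiguously. Dropping the `api.TOKEN.get` pre-check is safe only because `__validate_token` now raises the not-found fault itself, so a short comment saying so would help the next reader.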
@@ -589,17 +578,33 @@ class IdentityService(object):
 return self.__validate_tenant(dtenant)
- def __validate_token(self, token_id, belongs_to=None):
+ def __validate_token(self, token_id, belongs_to=None, is_check_token=None):
+ """
+ Method to validate a token.
+ token_id -- value of actual token that need to be validated.
+ belngs_to -- optional tenant_id to check whether the token is
+ mapped to a specific tenant.
+ is_check_token -- optional argument that tells whether
+ we check the existence of a Token using another Token
+ to authenticate.This value decides the faults that are to be thrown.
+ """
 if not token_id:
 raise fault.UnauthorizedFault("Missing token")
 (token, user) = self.__get_dauth_data(token_id)
 if not token:
- raise fault.ItemNotFoundFault("Bad token, please reauthenticate")
+ if is_check_token:
+ raise fault.ItemNotFoundFault("Token does not exist.")
+ else:
+ raise fault.UnauthorizedFault(
+ "Bad token, please reauthenticate")
 if token.expires < datetime.now():
- raise fault.ForbiddenFault("Token expired, please renew")
+ if is_check_token:
+ raise fault.ItemNotFoundFault("Token expired, please renew.")
+ else:
+ raise fault.ForbiddenFault("Token expired, please renew.")
 if not user.enabled:
 raise fault.UserDisabledFault("User %s has been disabled!"
diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py
index 8e8507cd..35bab6a3 100755
--- a/keystone/middleware/swift_auth.py
+++ b/keystone/middleware/swift_auth.py
@@ -196,7 +196,7 @@ class AuthProtocol(object):
 self.log.debug('Asking keystone to validate token')
 headers = {"Content-type": "application/json",
- "Accept": "text/json",
+ "Accept": "application/json",
 "X-Auth-Token": self.admin_token}
 self.log.debug('headers: %r', headers)
 self.log.debug('url: %s', self.keystone_url)
diff --git a/keystone/test/functional/test_endpoints.py b/keystone/test/functional/test_endpoints.py
index 1e43410d..1538ab41 100755
--- a/keystone/test/functional/test_endpoints.py
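Review bot: In `keystone/logic/service.py`, the `is_check_token` branches of `__validate_token` cover only the not-found and expired cases, so the `if not token_id` guard above them and the `if not user.enabled` check below them still raise `UnauthorizedFault` / `UserDisabledFault` when the token under validation belongs to someone other than the caller. A service validating a user's token with its own admin token would then likely be unable to tell "my admin credentials were rejected" from "the subject token is unusable", which is the confusion this commit sets out to remove; decide which fault those two paths should raise under `is_check_token` and pin each with a functional test. The flag is a boolean, so declare it as one with `def __validate_token(self, token_id, belongs_to=None, is_check_token=False):`, and fix the `belngs_to` typo in the docstring. The method body continues past the end of the hunk, so any tenant check on `belongs_to` is not visible here and the same question applies to it.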
+++ b/keystone/test/functional/test_endpoints.py @@ -106,7 +106,7 @@ class GetEndpointTemplatesTest(EndpointTemplatesTest): def test_get_endpoint_templates_using_invalid_auth_token(self): self.admin_token = common.unique_str() - self.list_endpoint_templates(assert_status=404) + self.list_endpoint_templates(assert_status=401) def test_get_endpoint_templates_xml(self): r = self.get_endpoint_templates(assert_status=200, headers={ @@ -130,7 +130,7 @@ class GetEndpointTemplatesTest(EndpointTemplatesTest): def test_get_endpoint_templates_xml_invalid_auth_token(self): self.admin_token = common.unique_str() - self.get_endpoint_templates(assert_status=404, headers={ + self.get_endpoint_templates(assert_status=401, headers={ 'Accept': 'application/xml'}) @@ -162,7 +162,7 @@ class GetEndpointTemplateTest(EndpointTemplatesTest): def test_get_endpoint_using_invalid_auth_token(self): self.admin_token = common.unique_str() self.fetch_endpoint_template(self.endpoint_template['id'], - assert_status=404) + assert_status=401) def test_get_endpoint_xml(self): r = self.get_endpoint_template(self.endpoint_template['id'], @@ -258,7 +258,7 @@ class UpdateEndpointTemplateTest(EndpointTemplatesTest): def test_update_endpoint_template_with_invalid_token(self): self.admin_token = common.unique_str() self.update_endpoint_template(self.endpoint_template['id'], - assert_status=404) + assert_status=401) def test_update_invalid_endpoint_template(self): self.update_endpoint_template(assert_status=404) @@ -283,7 +283,7 @@ class CreateEndpointRefsTest(EndpointTemplatesTest): def test_endpoint_create_json_using_invalid_token(self): self.admin_token = common.unique_str() self.create_endpoint_template(service_id=self.service['id'], - assert_status=404) + assert_status=401) def test_endpoint_create_json(self): self.create_endpoint_template(service_id=self.service['id'], 
@@ -367,7 +367,7 @@ class CreateEndpointRefsTest(EndpointTemplatesTest): 'internalURL="%s" enabled="%s" global="%s"/>') % ( common.unique_str(), self.service['id'], common.unique_url(), common.unique_url(), common.unique_url(), True, True) - self.post_endpoint_template(as_xml=data, assert_status=404, headers={ + self.post_endpoint_template(as_xml=data, assert_status=401, headers={ 'Accept': 'application/xml'}) @@ -398,7 +398,7 @@ class GetEndPointTest(EndpointTemplatesTest): def test_get_tenant_endpoint_xml_using_invalid_auth_token(self): self.admin_token = common.unique_str() - self.get_tenant_endpoints(self.tenant['id'], assert_status=404, + self.get_tenant_endpoints(self.tenant['id'], assert_status=401, headers={"Accept": "application/xml"}) def test_get_tenant_endpoint_json(self): @@ -419,7 +419,7 @@ class GetEndPointTest(EndpointTemplatesTest): def test_get_endpoint_json_using_invalid_auth_token(self): self.admin_token = common.unique_str() - self.get_tenant_endpoints(self.tenant['id'], assert_status=404) + self.get_tenant_endpoints(self.tenant['id'], assert_status=401) class DeleteEndpointsTest(EndpointTemplatesTest): @@ -452,7 +452,7 @@ class DeleteEndpointsTest(EndpointTemplatesTest): def test_delete_endpoint_using_invalid_auth_token(self): self.admin_token = common.unique_str() self.delete_tenant_endpoint(self.tenant['id'], - self.endpoint_template['id'], assert_status=404) + self.endpoint_template['id'], assert_status=401) if __name__ == '__main__': diff --git a/keystone/test/functional/test_roles.py b/keystone/test/functional/test_roles.py index 54bcf019..b9481b1b 100755 --- a/keystone/test/functional/test_roles.py +++ b/keystone/test/functional/test_roles.py 
@@ -35,7 +35,7 @@ class CreateRolesTest(RolesTest): def test_create_role_using_service_token(self): user = self.create_user_with_known_password().json['user'] self.admin_token = self.authenticate(user['name'], user['password']) - self.create_role(assert_status=404) + self.create_role(assert_status=401) def test_create_roles_using_disabled_token(self): self.admin_token = self.disabled_admin_token @@ -51,7 +51,7 @@ class CreateRolesTest(RolesTest): def test_create_roles_using_invalid_token(self): self.admin_token = common.unique_str() - self.create_role(assert_status=404) + self.create_role(assert_status=401) def test_create_role_mapped_to_a_service(self): service = self.create_service().json['OS-KSADM:service'] @@ -102,7 +102,7 @@ class DeleteRoleTest(RolesTest): def test_delete_roles_using_invalid_token(self): self.admin_token = common.unique_str() - self.delete_role(self.role['id'], assert_status=404) + self.delete_role(self.role['id'], assert_status=401) def test_create_and_delete_role_that_has_references(self): tenant = self.create_tenant().json['tenant'] @@ -218,11 +218,11 @@ class GetRoleTest(RolesTest): def test_get_role_using_invalid_token(self): self.admin_token = common.unique_str() - self.fetch_role(self.role['id'], assert_status=404) + self.fetch_role(self.role['id'], assert_status=401) def test_get_role_xml_using_invalid_token(self): self.admin_token = common.unique_str() - self.get_role(self.role['id'], assert_status=404, headers={ + self.get_role(self.role['id'], assert_status=401, headers={ 'Accept': 'application/xml'}) @@ -273,7 +273,7 @@ class CreateRoleAssignmentTest(RolesTest): def test_grant_role_using_invalid_token(self): self.admin_token = common.unique_str() self.grant_role_to_user(self.user['id'], self.role['id'], - self.tenant['id'], assert_status=404) + self.tenant['id'], assert_status=401) def test_grant_global_role_json(self): self.grant_global_role_to_user( 
@@ -329,11 +329,11 @@ class GetRoleAssignmentsTest(RolesTest): def test_get_role_assignments_json_using_invalid_token(self): self.admin_token = common.unique_str() - self.get_user_roles(self.user['id'], assert_status=404) + self.get_user_roles(self.user['id'], assert_status=401) def test_get_role_assignments_xml_using_invalid_token(self): self.admin_token = common.unique_str() - self.get_user_roles(self.user['id'], assert_status=404, headers={ + self.get_user_roles(self.user['id'], assert_status=401, headers={ 'Accept': 'application/xml'}) @@ -372,7 +372,7 @@ class DeleteRoleAssignmentsTest(RolesTest): def test_delete_role_assignment_using_invalid_token(self): self.admin_token = common.unique_str() self.delete_user_role(self.user['id'], self.role['id'], - self.tenant['id'], assert_status=404) + self.tenant['id'], assert_status=401) class DeleteGlobalRoleAssignmentsTest(RolesTest): @@ -409,7 +409,7 @@ class DeleteGlobalRoleAssignmentsTest(RolesTest): def test_delete_role_assignment_using_invalid_token(self): self.admin_token = common.unique_str() self.delete_user_role(self.user['id'], self.role['id'], - None, assert_status=404) + None, assert_status=401) if __name__ == '__main__': unittest.main() diff --git a/keystone/test/functional/test_services.py b/keystone/test/functional/test_services.py index 5e4c09f9..db719e8a 100755 --- a/keystone/test/functional/test_services.py +++ b/keystone/test/functional/test_services.py @@ -71,7 +71,7 @@ class GetServicesTest(ServicesTest): def test_get_services_using_invalid_token(self): self.admin_token = common.unique_str() - self.list_services(assert_status=404) + self.list_services(assert_status=401) class GetServiceTest(ServicesTest): 
@@ -109,7 +109,7 @@ class GetServiceTest(ServicesTest): def test_get_service_using_invalid_token(self): self.admin_token = common.unique_str() - self.fetch_service(service_id=self.service['id'], assert_status=404) + self.fetch_service(service_id=self.service['id'], assert_status=401) class CreateServiceTest(ServicesTest): @@ -160,7 +160,7 @@ class CreateServiceTest(ServicesTest): def test_service_create_json_using_invalid_token(self): self.admin_token = common.unique_str() - self.create_service(assert_status=404) + self.create_service(assert_status=401) class DeleteServiceTest(ServicesTest): @@ -200,7 +200,7 @@ class DeleteServiceTest(ServicesTest): def test_service_delete_json_using_invalid_token(self): self.admin_token = common.unique_str() - self.remove_service(self.service['id'], assert_status=404) + self.remove_service(self.service['id'], assert_status=401) if __name__ == '__main__': diff --git a/keystone/test/functional/test_tenants.py b/keystone/test/functional/test_tenants.py index c90fe0e9..96cd0de9 100755 --- a/keystone/test/functional/test_tenants.py +++ b/keystone/test/functional/test_tenants.py @@ -101,7 +101,7 @@ class CreateTenantTest(TenantTest): def test_create_tenant_invalid_token(self): self.admin_token = common.unique_str() - self.create_tenant(assert_status=404) + self.create_tenant(assert_status=401) def test_create_tenant_invalid_token_xml(self): self.admin_token = common.unique_str() @@ -111,7 +111,7 @@ class CreateTenantTest(TenantTest): <description>A description...</description> \ </tenant>' % (common.unique_str()) - self.post_tenant(as_xml=data, assert_status=404) + self.post_tenant(as_xml=data, assert_status=401) class GetTenantsTest(TenantTest): diff --git a/keystone/test/functional/test_token.py b/keystone/test/functional/test_token.py index 3202bcec..59997076 100755 --- a/keystone/test/functional/test_token.py +++ b/keystone/test/functional/test_token.py 
@@ -71,17 +71,17 @@ class ValidateToken(common.FunctionalTestCase): self.assertEqual(self.role['name'], role.get("name")) def test_validate_token_expired(self): - self.get_token(self.expired_admin_token, assert_status=403) + self.get_token(self.expired_admin_token, assert_status=404) def test_validate_token_expired_xml(self): - self.get_token(self.expired_admin_token, assert_status=403, headers={ + self.get_token(self.expired_admin_token, assert_status=404, headers={ 'Accept': 'application/xml'}) def test_validate_token_invalid(self): - self.get_token(common.unique_str(), assert_status=401) + self.get_token(common.unique_str(), assert_status=404) def test_validate_token_invalid_xml(self): - self.get_token(common.unique_str(), assert_status=401, headers={ + self.get_token(common.unique_str(), assert_status=404, headers={ 'Accept': 'application/xml'}) @@ -104,14 +104,14 @@ class CheckToken(common.FunctionalTestCase): assert_status=200) def test_validate_token_expired(self): - self.check_token(self.expired_admin_token, assert_status=403) + self.check_token(self.expired_admin_token, assert_status=404) def test_validate_token_expired_xml(self): - self.check_token(self.expired_admin_token, assert_status=403, headers={ + self.check_token(self.expired_admin_token, assert_status=404, headers={ 'Accept': 'application/xml'}) def test_validate_token_invalid(self): - self.check_token(common.unique_str(), assert_status=401) + self.check_token(common.unique_str(), assert_status=404) class TokenEndpointTest(unittest.TestCase): diff --git a/keystone/test/functional/test_users.py b/keystone/test/functional/test_users.py index 7d1fcff0..e7f12423 100755 --- a/keystone/test/functional/test_users.py +++ b/keystone/test/functional/test_users.py @@ -68,7 +68,7 @@ class CreateUserTest(UserTest): def test_create_user_invalid_token(self): self.admin_token = common.unique_str() - self.create_user(assert_status=404) + self.create_user(assert_status=401) class GetUserTest(UserTest): 
@@ -109,11 +109,11 @@ class GetUserTest(UserTest): def test_get_user_using_invalid_token(self): self.admin_token = common.unique_str() - self.fetch_user(self.user['id'], assert_status=404) + self.fetch_user(self.user['id'], assert_status=401) def test_query_user_using_invalid_token(self): self.admin_token = common.unique_str() - self.fetch_user_by_name(self.user['name'], assert_status=404) + self.fetch_user_by_name(self.user['name'], assert_status=401) def test_get_disabled_user(self): self.disable_user(self.user['id']) @@ -144,7 +144,7 @@ class DeleteUserTest(UserTest): def test_user_delete_invalid_token(self): self.admin_token = common.unique_str() - self.remove_user(self.user['id'], assert_status=404) + self.remove_user(self.user['id'], assert_status=401) class GetAllUsersTest(UserTest): @@ -171,7 +171,7 @@ class GetAllUsersTest(UserTest): def test_list_users_invalid_token(self): self.admin_token = common.unique_str() - self.list_users(assert_status=404) + self.list_users(assert_status=401) class UpdateUserTest(UserTest): @@ -222,7 +222,7 @@ class UpdateUserTest(UserTest): def test_update_user_invalid_token(self): self.admin_token = common.unique_str() - self.update_user(self.user['id'], assert_status=404) + self.update_user(self.user['id'], assert_status=401) def test_update_user_missing_token(self): self.admin_token = '' @@ -277,7 +277,7 @@ class SetPasswordTest(UserTest): def test_user_password_invalid_token(self): self.admin_token = common.unique_str() - self.update_user_password(self.user['id'], assert_status=404) + self.update_user_password(self.user['id'], assert_status=401) def test_user_password_missing_token(self): self.admin_token = '' 
@@ -332,7 +332,7 @@ class TenantUpdateTest(UserTest): def test_update_user_tenant_using_invalid_token(self): self.admin_token = common.unique_str() self.update_user_tenant(self.user['id'], self.tenant['id'], - assert_status=404) + assert_status=401) def test_update_user_tenant_using_disabled_token(self): self.admin_token = self.disabled_admin_token @@ -363,7 +363,7 @@ class AddUserTest(UserTest): def test_add_user_tenant_invalid_token(self): self.admin_token = common.unique_str() - self.create_user(assert_status=404) + self.create_user(assert_status=401) def test_add_user_tenant_missing_token(self): self.admin_token = '' |
