authorBrad Topol <btopol@us.ibm.com>2013-03-25 15:23:15 -0500
committerBrad Topol <btopol@us.ibm.com>2013-04-09 00:54:51 -0500
commite4ec12e8118b92cbad9e2f287f111b6be8bb2705 (patch)
tree9d7af8cc9861c20baf073ae4de60cecfbb0f926f /tests/_ldap_tls_livetest.py
parent89d35004411e1eec9b1af97f589f06ae871aca02 (diff)
Add TLS Support for LDAP
Fixes Bug1040115. Added several test cases and provides a full LDAP regression suite. Also added supplemental (simple) verification for CACERTFILE and CACERTDIR, added a TLS disable option for when ldaps URLs are used, and ran full regression tests using ldaps URLs and with TLS addresses. Addresses ayoung's comments; addresses dolphm's and Mouad's comments; addresses gyee's doc request and bknudson's comments. Change-Id: I639f2853df0ce5c10ae85b06214b26430d872aca
Diffstat (limited to 'tests/_ldap_tls_livetest.py')
-rw-r--r--tests/_ldap_tls_livetest.py118
1 files changed, 118 insertions, 0 deletions
diff --git a/tests/_ldap_tls_livetest.py b/tests/_ldap_tls_livetest.py
new file mode 100644
index 00000000..8503e51a
--- /dev/null
+++ b/tests/_ldap_tls_livetest.py
@@ -0,0 +1,118 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 OpenStack LLC
+# Copyright 2013 IBM Corp.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import ldap
+import ldap.modlist
+import nose.exc
+import subprocess
+
+from keystone.common import ldap as ldap_common
+from keystone import config
+from keystone import exception
+from keystone.identity.backends import ldap as identity_ldap
+from keystone import identity
+from keystone import test
+
+import default_fixtures
+import _ldap_livetest
+
+
+CONF = config.CONF
+
+
+def create_object(dn, attrs):
+ conn = ldap.initialize(CONF.ldap.url)
+ conn.simple_bind_s(CONF.ldap.user, CONF.ldap.password)
+ ldif = ldap.modlist.addModlist(attrs)
+ conn.add_s(dn, ldif)
+ conn.unbind_s()
+
+
+class LiveTLSLDAPIdentity(_ldap_livetest.LiveLDAPIdentity):
+
+ def _set_config(self):
+ self.config([test.etcdir('keystone.conf.sample'),
+ test.testsdir('test_overrides.conf'),
+ test.testsdir('backend_tls_liveldap.conf')])
+
+ def test_tls_certfile_demand_option(self):
+ CONF.ldap.use_tls = True
+ CONF.ldap.tls_cacertdir = None
+ CONF.ldap.tls_req_cert = 'demand'
+ self.identity_api = identity.backends.ldap.Identity()
+
+ user = {'id': 'fake1',
+ 'name': 'fake1',
+ 'password': 'fakepass1',
+ 'tenants': ['bar']}
+ self.identity_api.create_user('fake1', user)
+ user_ref = self.identity_api.get_user('fake1')
+ self.assertEqual(user_ref['id'], 'fake1')
+
+ user['password'] = 'fakepass2'
+ self.identity_api.update_user('fake1', user)
+
+ self.identity_api.delete_user('fake1')
+ self.assertRaises(exception.UserNotFound, self.identity_api.get_user,
+ 'fake1')
+
+ def test_tls_certdir_demand_option(self):
+ CONF.ldap.use_tls = True
+ CONF.ldap.tls_cacertfile = None
+ CONF.ldap.tls_req_cert = 'demand'
+ self.identity_api = identity.backends.ldap.Identity()
+
+ user = {'id': 'fake1',
+ 'name': 'fake1',
+ 'password': 'fakepass1',
+ 'tenants': ['bar']}
+ self.identity_api.create_user('fake1', user)
+ user_ref = self.identity_api.get_user('fake1')
+ self.assertEqual(user_ref['id'], 'fake1')
+
+ user['password'] = 'fakepass2'
+ self.identity_api.update_user('fake1', user)
+
+ self.identity_api.delete_user('fake1')
+ self.assertRaises(exception.UserNotFound, self.identity_api.get_user,
+ 'fake1')
+
+ def test_tls_bad_certfile(self):
+ CONF.ldap.use_tls = True
+ CONF.ldap.tls_req_cert = 'demand'
+ CONF.ldap.tls_cacertfile = '/etc/keystone/ssl/certs/mythicalcert.pem'
+ CONF.ldap.tls_cacertdir = None
+ self.identity_api = identity.backends.ldap.Identity()
+
+ user = {'id': 'fake1',
+ 'name': 'fake1',
+ 'password': 'fakepass1',
+ 'tenants': ['bar']}
+ self.assertRaises(IOError, self.identity_api.create_user, 'fake', user)
+
+ def test_tls_bad_certdir(self):
+ CONF.ldap.use_tls = True
+ CONF.ldap.tls_cacertfile = None
+ CONF.ldap.tls_req_cert = 'demand'
+ CONF.ldap.tls_cacertdir = '/etc/keystone/ssl/mythicalcertdir'
+ self.identity_api = identity.backends.ldap.Identity()
+
+ user = {'id': 'fake1',
+ 'name': 'fake1',
+ 'password': 'fakepass1',
+ 'tenants': ['bar']}
+ self.assertRaises(IOError, self.identity_api.create_user, 'fake', user)
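Review bot: Every test mutates the global CONF.ldap settings (use_tls, tls_cacertfile, tls_cacertdir, tls_req_cert) and never restores them, so test_tls_bad_certfile leaves tls_cacertfile pointing at a nonexistent path for whatever runs next and the two "demand" tests only pass in an execution order where the other CA setting still holds a valid value from the config file; saving the four values in setUp and restoring them in tearDown (or using the base class's config override mechanism, which is outside this hunk) would make each test self-contained. The two negative tests only prove that a missing CA file or directory raises IOError before a connection is attempted; they do not show that a server certificate which fails verification is rejected when tls_req_cert is 'demand', which is the guarantee the TLS option exists to provide, so a test against an untrusted certificate would strengthen the suite. The negative tests also pass the id `'fake'` while the user dict carries `'id': 'fake1'`; since the IOError fires first this is harmless today, but `self.assertRaises(IOError, self.identity_api.create_user, 'fake1', user)` keeps it consistent with the positive tests. create_object has no try/finally around add_s, so a failed add leaves the bound connection without unbind_s, and nose.exc and subprocess appear to be imported but unused here.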