diff options
author | Joe Gordon <jogo@cloudscaling.com> | 2013-03-08 15:34:25 -0800 |
---|---|---|
committer | Joe Gordon <jogo@cloudscaling.com> | 2013-05-16 18:45:52 +0000 |
commit | 3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6 (patch) | |
tree | 4ba4f702a1a454c7d921450041377fa3755d143b /tests/test_content_types.py | |
parent | 96a816f50d2ab9fdf88af4489d51f24188a555a4 (diff) | |
download | keystone-3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6.tar.gz keystone-3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6.tar.xz keystone-3c3f5dc8973a28fcded50bdb65b7cd77cd772cc6.zip |
Move auth_token middleware from admin user to an RBAC policy
Before this patch auth_token middleware required admin user credentials
stored in assorted config files. With this patch only non-admin user
credentials are needed. The revocation_list and validate_token commands
use an policy.json rule, to only allow these commands if you are in have the
service role.
Rule used:
"service_role": [["role:service"]],
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
Added the policy wrapper on the validate functions.
Fixes bug 1153789
Change-Id: I43986e26b16aa5213ad2536a0d07d942bf3dbbbb
Diffstat (limited to 'tests/test_content_types.py')
-rw-r--r-- | tests/test_content_types.py | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/tests/test_content_types.py b/tests/test_content_types.py index 9e989c7a..8f7e9c61 100644 --- a/tests/test_content_types.py +++ b/tests/test_content_types.py @@ -232,8 +232,10 @@ class RestfulTestCase(test.TestCase): self.assertValidResponseHeaders(response) return response - def get_scoped_token(self): + def get_scoped_token(self, tenant_id=None): """Convenience method so that we can test authenticated requests.""" + if not tenant_id: + tenant_id = self.tenant_bar['id'] r = self.public_request( method='POST', path='/v2.0/tokens', @@ -243,7 +245,7 @@ class RestfulTestCase(test.TestCase): 'username': self.user_foo['name'], 'password': self.user_foo['password'], }, - 'tenantId': self.tenant_bar['id'], + 'tenantId': tenant_id, }, }) return self._get_token_id(r) @@ -405,6 +407,18 @@ class CoreApiTests(object): token=token) self.assertValidAuthenticationResponse(r) + def test_validate_token_service_role(self): + self.metadata_foobar = self.identity_api.update_metadata( + self.user_foo['id'], + self.tenant_service['id'], + dict(roles=[self.role_service['id']])) + + token = self.get_scoped_token(tenant_id='service') + r = self.admin_request( + path='/v2.0/tokens/%s' % token, + token=token) + self.assertValidAuthenticationResponse(r) + def test_validate_token_belongs_to(self): token = self.get_scoped_token() path = ('/v2.0/tokens/%s?belongsTo=%s' % (token, |