author | Dolph Mathews <dolph.mathews@gmail.com> | 2012-11-14 11:59:26 -0600 |
---|---|---|
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2012-11-15 11:26:10 -0600 |
commit | c7066a9fed611dc32e7c5fb490c61121cc5b68a5 (patch) | |
tree | 1aaecbef59a6f90cbddb78eb1e50ee5db42ae194 /tests/test_exception.py | |
parent | ac2d5b85b16da31ebf4833b6264961c567125249 (diff) | |
download | keystone-c7066a9fed611dc32e7c5fb490c61121cc5b68a5.tar.gz keystone-c7066a9fed611dc32e7c5fb490c61121cc5b68a5.tar.xz keystone-c7066a9fed611dc32e7c5fb490c61121cc5b68a5.zip |
Expose authn/z failure info to API in debug mode
This allows us to raise exceptions with very specific messages:
raise Unauthorized('User name not recognized')
In debug mode, this feedback would be exposed to the API user; without
debug mode, these details are suppressed.
Change-Id: I05c5dce3b1e2ba1123450b302e10b8ba3c265557
Diffstat (limited to 'tests/test_exception.py')
-rw-r--r-- | tests/test_exception.py | 73 |
1 files changed, 66 insertions, 7 deletions
diff --git a/tests/test_exception.py b/tests/test_exception.py
index 1cbc5810..eb67098b 100644
--- a/tests/test_exception.py
+++ b/tests/test_exception.py
@@ -16,12 +16,16 @@
 import uuid
+from keystone import config
 from keystone.common import wsgi
 from keystone import exception
 from keystone.openstack.common import jsonutils
 from keystone import test
+CONF = config.CONF
+
+
 class ExceptionTestCase(test.TestCase):
     def setUp(self):
         pass
@@ -54,7 +58,7 @@ class ExceptionTestCase(test.TestCase):
         """
         for cls in [x for x in exception.__dict__.values() if callable(x)]:
-            if cls is not exception.Error:
+            if cls is not exception.Error and isinstance(cls, exception.Error):
                 self.assertValidJsonRendering(cls(message='Overriden.'))
 
     def test_validation_error(self):
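Review bot: The added `isinstance(cls, exception.Error)` guard in the second hunk checks whether the class object itself is an instance of Error, which is never true for a class, so every iteration is now skipped and the JSON-rendering sweep over the exception classes is silently disabled. The intended filter is a subclass test: `if cls is not exception.Error and isinstance(cls, type) and issubclass(cls, exception.Error):`, where the `isinstance(cls, type)` part keeps `issubclass` from raising on the non-class callables that `callable(x)` also admits (this assumes exception.Error is a new-style class). It would also be worth counting the classes exercised and asserting the count is non-zero, so a future filter mistake cannot pass vacuously. The enclosing test method starts outside the hunk.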
@@ -65,14 +69,69 @@ class ExceptionTestCase(test.TestCase):
         self.assertIn(target, str(e))
         self.assertIn(attribute, str(e))
-    def test_forbidden_action(self):
-        action = uuid.uuid4().hex
-        e = exception.ForbiddenAction(action=action)
-        self.assertValidJsonRendering(e)
-        self.assertIn(action, str(e))
-
     def test_not_found(self):
         target = uuid.uuid4().hex
         e = exception.NotFound(target=target)
         self.assertValidJsonRendering(e)
         self.assertIn(target, str(e))
+
+
+class SecurityErrorTestCase(ExceptionTestCase):
+    """Tests whether security-related info is exposed to the API user."""
+    def test_unauthorized_exposure(self):
+        CONF.debug = False
+
+        risky_info = uuid.uuid4().hex
+        e = exception.Unauthorized(message=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertNotIn(risky_info, str(e))
+
+    def test_unauthroized_exposure_in_debug(self):
+        CONF.debug = True
+
+        risky_info = uuid.uuid4().hex
+        e = exception.Unauthorized(message=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertIn(risky_info, str(e))
+
+    def test_foribdden_exposure(self):
+        CONF.debug = False
+
+        risky_info = uuid.uuid4().hex
+        e = exception.Forbidden(message=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertNotIn(risky_info, str(e))
+
+    def test_forbidden_exposure_in_Debug(self):
+        CONF.debug = True
+
+        risky_info = uuid.uuid4().hex
+        e = exception.Forbidden(message=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertIn(risky_info, str(e))
+
+    def test_forbidden_action_exposure(self):
+        CONF.debug = False
+
+        risky_info = uuid.uuid4().hex
+
+        e = exception.ForbiddenAction(message=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertNotIn(risky_info, str(e))
+
+        e = exception.ForbiddenAction(action=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertIn(risky_info, str(e))
+
+    def test_forbidden_action_exposure_in_debug(self):
+        CONF.debug = True
+
+        risky_info = uuid.uuid4().hex
+
+        e = exception.ForbiddenAction(message=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertIn(risky_info, str(e))
+
+        e = exception.ForbiddenAction(action=risky_info)
+        self.assertValidJsonRendering(e)
+        self.assertIn(risky_info, str(e))
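Review bot: Every test method in SecurityErrorTestCase assigns `CONF.debug` and never restores it, so whichever test runs last leaves its value behind for later test classes, and the non-debug assertions in this class depend on test ordering. Record the original value in setUp and put it back in tearDown as below (ExceptionTestCase.setUp is a bare `pass` in the first hunk, so the super calls cost nothing). Because assertValidJsonRendering's body is outside the hunk, it is not clear whether the rendered JSON is also checked for `risky_info`; if that helper only validates structure, the non-debug tests should additionally assert that `risky_info` is absent from the JSON body, since that is what an API user actually receives rather than `str(e)`. The names `test_unauthroized_exposure_in_debug`, `test_foribdden_exposure` and `test_forbidden_exposure_in_Debug` are misspelled.
```python
class SecurityErrorTestCase(ExceptionTestCase):
    """Tests whether security-related info is exposed to the API user."""
    def setUp(self):
        super(SecurityErrorTestCase, self).setUp()
        # remember the setting so each test can flip it without leaking
        self._orig_debug = CONF.debug

    def tearDown(self):
        CONF.debug = self._orig_debug
        super(SecurityErrorTestCase, self).tearDown()

    # … unchanged: test_*_exposure methods …
```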