author | Guang Yee <guang.yee@hp.com> | 2013-03-19 19:14:47 -0700 |
committer | Guang Yee <guang.yee@hp.com> | 2013-03-19 19:14:47 -0700 |
commit | 550973b64a64a546ae0c0e94c49af05bd2d64175 (patch) | |
tree | 5c799cf29e42c0c0bfb34dbd2adbfc8a67e2be45 /tests/test_v3_auth.py | |
parent | 5cb8e1f2e5e12cf7e8c6bce91af53b901f6254a9 (diff) | |
Prohibit V3 V2 token intermix for resource in non-default domain (bug 1157430)
Change-Id: Ibe9019684b45651a9679311a3bacdad41b4116f5
Diffstat (limited to 'tests/test_v3_auth.py')
-rw-r--r-- | tests/test_v3_auth.py | 220 |
1 files changed, 211 insertions, 9 deletions
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py index 092980e7..b2602bdc 100644 --- a/tests/test_v3_auth.py +++ b/tests/test_v3_auth.py @@ -113,7 +113,7 @@ class TestTokenAPIs(test_v3.RestfulTestCase): CONF.signing.keyfile) self.assertEqual(token_signed, token_id) - def test_v3_v2_unscoped_uuid_token_intermix(self): + def test_v3_v2_intermix_non_default_domain_failed(self): self.opt_in_group('signing', token_format='UUID') auth_data = self.build_authentication_request( user_id=self.user['id'], 
@@ -126,6 +126,59 @@ class TestTokenAPIs(test_v3.RestfulTestCase): path = '/v2.0/tokens/%s' % (token) resp = self.admin_request(path=path, token='ADMIN', + method='GET', + expected_status=401) + + def test_v3_v2_intermix_domain_scoped_token_failed(self): + self.opt_in_group('signing', token_format='UUID') + # grant the domain role to user + path = '/domains/%s/users/%s/roles/%s' % ( + self.domain['id'], self.user['id'], self.role['id']) + self.put(path=path) + auth_data = self.build_authentication_request( + user_id=self.user['id'], + password=self.user['password'], + domain_id=self.domain['id']) + resp = self.post('/auth/tokens', body=auth_data) + token_data = resp.body + token = resp.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', + method='GET', + expected_status=401) + + def test_v3_v2_intermix_non_default_project_failed(self): + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.project['id']) + resp = self.post('/auth/tokens', body=auth_data) + token_data = resp.body + token = resp.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', + method='GET', + expected_status=401) + + def test_v3_v2_unscoped_uuid_token_intermix(self): + self.opt_in_group('signing', token_format='UUID') + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password']) + resp = self.post('/auth/tokens', body=auth_data) + token_data = resp.body + token = resp.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', method='GET') v2_token = resp.body 
self.assertEqual(v2_token['access']['user']['id'], @@ -138,8 +191,8 @@ class TestTokenAPIs(test_v3.RestfulTestCase): def test_v3_v2_unscoped_pki_token_intermix(self): self.opt_in_group('signing', token_format='PKI') auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password']) + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password']) resp = self.post('/auth/tokens', body=auth_data) token_data = resp.body token = resp.getheader('X-Subject-Token') @@ -162,9 +215,9 @@ class TestTokenAPIs(test_v3.RestfulTestCase): # data is baked into the token itself. self.opt_in_group('signing', token_format='UUID') auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=self.project['id']) + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project['id']) resp = self.post('/auth/tokens', body=auth_data) token_data = resp.body token = resp.getheader('X-Subject-Token') @@ -189,9 +242,9 @@ class TestTokenAPIs(test_v3.RestfulTestCase): # data is baked into the token itself. self.opt_in_group('signing', token_format='PKI') auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=self.project['id']) + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project['id']) resp = self.post('/auth/tokens', body=auth_data) token_data = resp.body token = resp.getheader('X-Subject-Token') 
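Review bot: `test_v3_v2_intermix_non_default_project_failed` is the only one of the three new failure tests in this hunk that does not call `self.opt_in_group('signing', token_format='UUID')`, so it runs under whatever signing format the test config defaults to; if the 401 is meant to hold for both UUID and PKI, say so in a comment, otherwise add the opt-in for parity with its siblings. Each new test also binds `token_data = resp.body` and the final `resp` without reading them, so dropping those dead locals makes it clear the only assertion is the expected status. The validate-with-v2 block (`path = '/v2.0/tokens/%s' % (token)` through `expected_status=401`) is repeated verbatim in every test here and again in the TestTrustAuth hunk; a helper such as `self._assert_v2_validation_status(token, 401)` would leave the expected status as the one thing each test states. Whether `self.user` and `self.project` live outside the default domain is fixture knowledge from outside this hunk, so a one-line docstring per test naming the principal that is outside the default domain would make the intent readable on its own; the renamed method in the first hunk continues into this one.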
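Review bot: The hunks at -138, -162 and -189 move the existing success-path intermix tests onto `default_domain_user`/`default_domain_project` without saying why, so a reader of those tests alone cannot tell that the fixture choice is load-bearing. A comment above each `build_authentication_request`, e.g. `# v2 validation only succeeds for principals in the default domain (bug 1157430)`, would record the constraint that the new 401 tests enforce. The enclosing methods of all three hunks start outside the hunk.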
@@ -1091,6 +1144,155 @@ class TestTrustAuth(TestAuthInfo): trust_id=trust['id']) self.post('/auth/tokens', body=auth_data, expected_status=401) + def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self): + ref = self.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.default_domain_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + del ref['id'] + + r = self.post('/trusts', body={'trust': ref}) + trust = self.assertValidTrustResponse(r) + + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + trust_id=trust['id']) + r = self.post('/auth/tokens', body=auth_data) + self.assertValidProjectTrustScopedTokenResponse( + r, self.default_domain_user) + + token = r.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', + method='GET', + expected_status=401) + + def test_v3_v2_intermix_trustor_not_in_default_domaini_failed(self): + ref = self.new_trust_ref( + trustor_user_id=self.default_domain_user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.default_domain_project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + del ref['id'] + + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project_id) + r = self.post('/auth/tokens', body=auth_data) + token = r.getheader('X-Subject-Token') + + r = self.post('/trusts', body={'trust': ref}, token=token) + trust = self.assertValidTrustResponse(r) + + auth_data = self.build_authentication_request( + user_id=self.trustee_user['id'], + password=self.trustee_user['password'], + trust_id=trust['id']) + r = self.post('/auth/tokens', body=auth_data) + 
self.assertValidProjectTrustScopedTokenResponse( + r, self.trustee_user) + token = r.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', + method='GET', + expected_status=401) + + def test_v3_v2_intermix_project_not_in_default_domaini_failed(self): + # create a trustee in default domain to delegate stuff to + trustee_user_id = uuid.uuid4().hex + trustee_user = self.new_user_ref(domain_id=test_v3.DEFAULT_DOMAIN_ID) + trustee_user['id'] = trustee_user_id + self.identity_api.create_user(trustee_user_id, trustee_user) + + ref = self.new_trust_ref( + trustor_user_id=self.default_domain_user_id, + trustee_user_id=trustee_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + del ref['id'] + + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project_id) + r = self.post('/auth/tokens', body=auth_data) + token = r.getheader('X-Subject-Token') + + r = self.post('/trusts', body={'trust': ref}, token=token) + trust = self.assertValidTrustResponse(r) + + auth_data = self.build_authentication_request( + user_id=trustee_user['id'], + password=trustee_user['password'], + trust_id=trust['id']) + r = self.post('/auth/tokens', body=auth_data) + self.assertValidProjectTrustScopedTokenResponse( + r, trustee_user) + token = r.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', + method='GET', + expected_status=401) + + def test_v3_v2_intermix(self): + # create a trustee in default domain to delegate stuff to + trustee_user_id = uuid.uuid4().hex + trustee_user = self.new_user_ref(domain_id=test_v3.DEFAULT_DOMAIN_ID) + trustee_user['id'] = trustee_user_id + 
self.identity_api.create_user(trustee_user_id, trustee_user) + + ref = self.new_trust_ref( + trustor_user_id=self.default_domain_user_id, + trustee_user_id=trustee_user_id, + project_id=self.default_domain_project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + del ref['id'] + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project_id) + r = self.post('/auth/tokens', body=auth_data) + token = r.getheader('X-Subject-Token') + + r = self.post('/trusts', body={'trust': ref}, token=token) + trust = self.assertValidTrustResponse(r) + + auth_data = self.build_authentication_request( + user_id=trustee_user['id'], + password=trustee_user['password'], + trust_id=trust['id']) + r = self.post('/auth/tokens', body=auth_data) + self.assertValidProjectTrustScopedTokenResponse( + r, trustee_user) + token = r.getheader('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + resp = self.admin_request(path=path, + token='ADMIN', + method='GET', + expected_status=200) + def test_exercise_trust_scoped_token_without_impersonation(self): ref = self.new_trust_ref( trustor_user_id=self.user_id, |
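Review bot: `test_v3_v2_intermix_trustor_not_in_default_domaini_failed` is misnamed twice: its trustor is `self.default_domain_user_id` and the principal outside the default domain is (presumably) the trustee `self.trustee_user_id`, and "domaini" is a typo that recurs in `test_v3_v2_intermix_project_not_in_default_domaini_failed`; rename them `test_v3_v2_intermix_trustee_not_in_default_domain_failed` and `test_v3_v2_intermix_project_not_in_default_domain_failed`. The first test, `test_v3_v2_intermix_trustor_not_in_default_domain_failed`, uses `project_id=self.project_id` as well as the non-default trustor, so if `self.project_id` is the non-default-domain project (as `test_v3_v2_intermix_non_default_project_failed` suggests) the 401 could be caused by the project rather than the trustor; using `self.default_domain_project_id` there would isolate the case the name claims. `test_v3_v2_intermix` is the only positive case and its name does not say so; something like `test_v3_v2_intermix_trust_all_in_default_domain_success` would pair it with the three negatives. The trustee-creation block (`uuid.uuid4().hex` / `new_user_ref` / `create_user`) is duplicated in the last two tests and `resp` from each final `admin_request` is never read; a `_create_default_domain_trustee()` helper plus dropping the unused binding would reduce each test to its trust setup and expected status.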