authorAdam Young <ayoung@redhat.com>2013-07-12 10:23:38 -0400
committerJamie Lennox <jamielennox@gmail.com>2013-07-17 12:45:52 +1000
commit88c319e6bce98082f9a90b8b27726793d5366326 (patch)
tree867ae6600cec6cfd50885eaf86d17dfb27cd1a16 /tests/test_v3_auth.py
parent3a56c8a68d0f033266f98963261a6d724e506966 (diff)
Pluggable Remote User
Select the code to handle REMOTE_USER based on a config file option. Fixes the REMOTE_USER logic to get the domain name from REALM, which is the least surprising option. Disregards the auth_data passed in, as we should be using REMOTE_USER to get the user name. External Plugin is now executed in conjunction with the auth methods, as opposed to in place of them. DocImpact blueprint pluggable-remote-user Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
Diffstat (limited to 'tests/test_v3_auth.py')
-rw-r--r--tests/test_v3_auth.py97
1 files changed, 90 insertions, 7 deletions
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
index 8c4e4a8c..7255d3fc 100644
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@@ -746,6 +746,43 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
project_id=self.projectA['id']))
+class TestAuthExternalDisabled(test_v3.RestfulTestCase):
+ def config_files(self):
+ list = self._config_file_list[:]
+ list.append('auth_plugin_external_disabled.conf')
+ return list
+
+ def test_remote_user_disabled(self):
+ auth_data = self.build_authentication_request()['auth']
+ api = auth.controllers.Auth()
+ context = {'REMOTE_USER': '%s@%s' % (self.user['name'],
+ self.domain['id'])}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ self.assertRaises(exception.Unauthorized,
+ api.authenticate,
+ context,
+ auth_info,
+ auth_context)
+
+
+class TestAuthExternalDomain(test_v3.RestfulTestCase):
+ def config_files(self):
+ list = self._config_file_list[:]
+ list.append('auth_plugin_external_domain.conf')
+ return list
+
+ def test_remote_user_with_realm(self):
+ auth_data = self.build_authentication_request()['auth']
+ api = auth.controllers.Auth()
+ context = {'REMOTE_USER': '%s@%s' %
+ (self.user['name'], self.domain['name'])}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ api.authenticate(context, auth_info, auth_context)
+ self.assertEqual(auth_context['user_id'], self.user['id'])
+
+
class TestAuthJSON(test_v3.RestfulTestCase):
content_type = 'json'
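Review bot: `test_remote_user_disabled` builds REMOTE_USER from `self.domain['id']`, whereas the positive case in `TestAuthExternalDomain` uses `self.domain['name']` as the realm, so the negative test can pass for the wrong reason. If the realm is resolved as a domain name, as the commit description suggests, a `user@<domain id>` value would presumably be rejected with Unauthorized even when the external plugin is still enabled. The test would then not notice if `auth_plugin_external_disabled.conf` were ignored or misconfigured. Using the same value as the positive test, `context = {'REMOTE_USER': '%s@%s' % (self.user['name'], self.domain['name'])}`, leaves the config file as the only difference between the two cases. Separately, both `config_files` overrides name their local variable `list`, which shadows the builtin; a name such as `config_files` would avoid that.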
@@ -1156,26 +1193,72 @@ class TestAuthJSON(test_v3.RestfulTestCase):
password=uuid.uuid4().hex)
self.post('/auth/tokens', body=auth_data, expected_status=401)
- def test_remote_user(self):
+ def test_remote_user_no_realm(self):
+ CONF.auth.methods = 'external'
+ api = auth.controllers.Auth()
+ auth_data = self.build_authentication_request()['auth']
+ context = {'REMOTE_USER': self.default_domain_user['name']}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ api.authenticate(context, auth_info, auth_context)
+ self.assertEqual(auth_context['user_id'],
+ self.default_domain_user['id'])
+
+ def test_remote_user_no_domain(self):
+ auth_data = self.build_authentication_request()['auth']
+ api = auth.controllers.Auth()
+ context = {'REMOTE_USER': self.user['name']}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ self.assertRaises(exception.Unauthorized,
+ api.authenticate,
+ context,
+ auth_info,
+ auth_context)
+
+ def test_remote_user_and_password(self):
+ #both REMOTE_USER and password methods must pass.
+ #note that they do not have to match
auth_data = self.build_authentication_request(
- user_id=self.user['id'],
+ user_domain_id=self.domain['id'],
+ username=self.user['name'],
password=self.user['password'])['auth']
api = auth.controllers.Auth()
- context = {'REMOTE_USER': self.user['name']}
+ context = {'REMOTE_USER': self.default_domain_user['name']}
auth_info = auth.controllers.AuthInfo(None, auth_data)
auth_context = {'extras': {}, 'method_names': []}
api.authenticate(context, auth_info, auth_context)
- self.assertEqual(auth_context['user_id'], self.user['id'])
- def test_remote_user_no_domain(self):
+ def test_remote_user_and_explicit_external(self):
+ #both REMOTE_USER and password methods must pass.
+ #note that they do not have to match
auth_data = self.build_authentication_request(
+ user_domain_id=self.domain['id'],
username=self.user['name'],
password=self.user['password'])['auth']
+ auth_data['identity']['methods'] = ["password", "external"]
+ auth_data['identity']['external'] = {}
api = auth.controllers.Auth()
- context = {'REMOTE_USER': self.user['name']}
+ context = {}
auth_info = auth.controllers.AuthInfo(None, auth_data)
auth_context = {'extras': {}, 'method_names': []}
- self.assertRaises(exception.ValidationError,
+ self.assertRaises(exception.Unauthorized,
+ api.authenticate,
+ context,
+ auth_info,
+ auth_context)
+
+ def test_remote_user_bad_password(self):
+ #both REMOTE_USER and password methods must pass.
+ auth_data = self.build_authentication_request(
+ user_domain_id=self.domain['id'],
+ username=self.user['name'],
+ password='badpassword')['auth']
+ api = auth.controllers.Auth()
+ context = {'REMOTE_USER': self.default_domain_user['name']}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ self.assertRaises(exception.Unauthorized,
api.authenticate,
context,
auth_info,