summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/default_fixtures.py15
-rw-r--r--tests/policy.json3
-rw-r--r--tests/test_auth.py8
-rw-r--r--tests/test_auth_plugin.conf3
-rw-r--r--tests/test_auth_plugin.py101
-rw-r--r--tests/test_backend.py43
-rw-r--r--tests/test_content_types.py10
-rw-r--r--tests/test_keystoneclient.py10
-rw-r--r--tests/test_v3.py68
-rw-r--r--tests/test_v3_auth.py440
-rw-r--r--tests/test_v3_identity.py83
11 files changed, 681 insertions, 103 deletions
diff --git a/tests/default_fixtures.py b/tests/default_fixtures.py
index 44fb64fb..4499be17 100644
--- a/tests/default_fixtures.py
+++ b/tests/default_fixtures.py
@@ -31,6 +31,8 @@ TENANTS = [
'id': 'bar',
'name': 'BAR',
'domain_id': DEFAULT_DOMAIN_ID,
+ 'description': 'description',
+ 'enabled': True,
}, {
'id': 'baz',
'name': 'BAZ',
@@ -53,7 +55,9 @@ USERS = [
'name': 'FOO',
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'foo2',
- 'tenants': ['bar']
+ 'tenants': ['bar'],
+ 'enabled': True,
+ 'email': 'foo@bar.com',
}, {
'id': 'two',
'name': 'TWO',
@@ -63,6 +67,7 @@ USERS = [
'enabled': True,
'tenant_id': 'baz',
'tenants': ['baz'],
+ 'email': 'two@three.com',
}, {
'id': 'badguy',
'name': 'BadGuy',
@@ -72,13 +77,15 @@ USERS = [
'enabled': False,
'tenant_id': 'baz',
'tenants': ['baz'],
+ 'email': 'badguy@goodguy.com',
}, {
'id': 'sna',
'name': 'SNA',
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'snafu',
'enabled': True,
- 'tenants': ['bar']
+ 'tenants': ['bar'],
+ 'email': 'sna@snl.coom',
}
]
@@ -91,8 +98,8 @@ METADATA = [
ROLES = [
{
- 'id': 'keystone_admin',
- 'name': 'Keystone Admin',
+ 'id': 'admin',
+ 'name': 'admin',
}, {
'id': 'member',
'name': 'Member',
diff --git a/tests/policy.json b/tests/policy.json
deleted file mode 100644
index b006c23c..00000000
--- a/tests/policy.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "admin_required": [["role:Keystadasd"], ["is_admin:1"]]
-}
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 5b1a59d9..7567d379 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -245,7 +245,7 @@ class AuthWithToken(AuthTest):
self.identity_api.create_grant(
group_id=new_group['id'],
project_id=self.tenant_bar['id'],
- role_id=self.role_keystone_admin['id'])
+ role_id=self.role_admin['id'])
# Get a scoped token for the tenant
body_dict = _build_user_auth(
@@ -259,7 +259,7 @@ class AuthWithToken(AuthTest):
roles = scoped_token["access"]["metadata"]["roles"]
self.assertEquals(tenant["id"], self.tenant_bar['id'])
self.assertIn(self.role_member['id'], roles)
- self.assertIn(self.role_keystone_admin['id'], roles)
+ self.assertIn(self.role_admin['id'], roles)
def test_auth_token_cross_domain_group_and_project(self):
"""Verify getting a token in cross domain group/project roles"""
@@ -291,7 +291,7 @@ class AuthWithToken(AuthTest):
self.identity_api.create_grant(
group_id=new_group['id'],
project_id=project1['id'],
- role_id=self.role_keystone_admin['id'])
+ role_id=self.role_admin['id'])
self.identity_api.create_grant(
user_id=self.user_foo['id'],
domain_id=domain1['id'],
@@ -312,7 +312,7 @@ class AuthWithToken(AuthTest):
roles = scoped_token["access"]["metadata"]["roles"]
self.assertEquals(tenant["id"], project1['id'])
self.assertIn(self.role_member['id'], roles)
- self.assertIn(self.role_keystone_admin['id'], roles)
+ self.assertIn(self.role_admin['id'], roles)
self.assertNotIn(role_foo_domain1['id'], roles)
self.assertNotIn(role_group_domain1['id'], roles)
diff --git a/tests/test_auth_plugin.conf b/tests/test_auth_plugin.conf
new file mode 100644
index 00000000..efe4bcb4
--- /dev/null
+++ b/tests/test_auth_plugin.conf
@@ -0,0 +1,3 @@
+[auth]
+methods = password,token,simple-challenge-response
+simple-challenge-response = challenge_response_method.SimpleChallengeResponse
diff --git a/tests/test_auth_plugin.py b/tests/test_auth_plugin.py
new file mode 100644
index 00000000..d35d5f23
--- /dev/null
+++ b/tests/test_auth_plugin.py
@@ -0,0 +1,101 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 OpenStack LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import uuid
+
+from keystone.common import logging
+from keystone import auth
+from keystone import config
+from keystone import exception
+from keystone import test
+
+
+# for testing purposes only
+METHOD_NAME = 'simple-challenge-response'
+EXPECTED_RESPONSE = uuid.uuid4().hex
+DEMO_USER_ID = uuid.uuid4().hex
+
+
+class SimpleChallengeResponse(auth.AuthMethodHandler):
+ def authenticate(self, context, auth_payload, user_context):
+ if 'response' in auth_payload:
+ if auth_payload['response'] != EXPECTED_RESPONSE:
+ raise exception.Unauthorized('Wrong answer')
+ user_context['user_id'] = DEMO_USER_ID
+ else:
+ return {"challenge": "What's the name of your high school?"}
+
+
+class TestAuthPlugin(test.TestCase):
+ def setUp(self):
+ super(TestAuthPlugin, self).setUp()
+ self.config([
+ test.etcdir('keystone.conf.sample'),
+ test.testsdir('test_overrides.conf'),
+ test.testsdir('backend_sql.conf'),
+ test.testsdir('backend_sql_disk.conf'),
+ test.testsdir('test_auth_plugin.conf')])
+ self.load_backends()
+ auth.controllers.AUTH_METHODS[METHOD_NAME] = SimpleChallengeResponse()
+ self.api = auth.controllers.Auth()
+
+ def test_unsupported_auth_method(self):
+ method_name = uuid.uuid4().hex
+ auth_data = {'methods': [method_name]}
+ auth_data[method_name] = {'test': 'test'}
+ auth_data = {'authentication': auth_data}
+ self.assertRaises(exception.AuthMethodNotSupported,
+ auth.controllers.AuthInfo,
+ None,
+ auth_data)
+
+ def test_addition_auth_steps(self):
+ auth_data = {'methods': ['simple-challenge-response']}
+ auth_data['simple-challenge-response'] = {
+ 'test': 'test'}
+ auth_data = {'authentication': auth_data}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ try:
+ self.api.authenticate({}, auth_info, auth_context)
+ except exception.AdditionalAuthRequired as e:
+ self.assertTrue('methods' in e.authentication)
+ self.assertTrue(METHOD_NAME in e.authentication['methods'])
+ self.assertTrue(METHOD_NAME in e.authentication)
+ self.assertTrue('challenge' in e.authentication[METHOD_NAME])
+
+ # test correct response
+ auth_data = {'methods': ['simple-challenge-response']}
+ auth_data['simple-challenge-response'] = {
+ 'response': EXPECTED_RESPONSE}
+ auth_data = {'authentication': auth_data}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ self.api.authenticate({}, auth_info, auth_context)
+ self.assertEqual(auth_context['user_id'], DEMO_USER_ID)
+
+ # test incorrect response
+ auth_data = {'methods': ['simple-challenge-response']}
+ auth_data['simple-challenge-response'] = {
+ 'response': uuid.uuid4().hex}
+ auth_data = {'authentication': auth_data}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ self.assertRaises(exception.Unauthorized,
+ self.api.authenticate,
+ {},
+ auth_info,
+ auth_context)
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 09bc0b8a..029901eb 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -101,13 +101,13 @@ class IdentityTests(object):
def test_authenticate_role_return(self):
self.identity_api.add_role_to_user_and_project(
- self.user_foo['id'], self.tenant_baz['id'], 'keystone_admin')
+ self.user_foo['id'], self.tenant_baz['id'], self.role_admin['id'])
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
user_id=self.user_foo['id'],
tenant_id=self.tenant_baz['id'],
password=self.user_foo['password'])
self.assertIn('roles', metadata_ref)
- self.assertIn('keystone_admin', metadata_ref['roles'])
+ self.assertIn(self.role_admin['id'], metadata_ref['roles'])
def test_authenticate_no_metadata(self):
user = {
@@ -223,9 +223,9 @@ class IdentityTests(object):
def test_get_role(self):
role_ref = self.identity_api.get_role(
- role_id=self.role_keystone_admin['id'])
+ role_id=self.role_admin['id'])
role_ref_dict = dict((x, role_ref[x]) for x in role_ref)
- self.assertDictEqual(role_ref_dict, self.role_keystone_admin)
+ self.assertDictEqual(role_ref_dict, self.role_admin)
def test_get_role_404(self):
self.assertRaises(exception.RoleNotFound,
@@ -469,31 +469,31 @@ class IdentityTests(object):
def test_add_duplicate_role_grant(self):
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
- self.assertNotIn('keystone_admin', roles_ref)
+ self.assertNotIn(self.role_admin['id'], roles_ref)
self.identity_api.add_role_to_user_and_project(
- self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
+ self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id'])
self.assertRaises(exception.Conflict,
self.identity_api.add_role_to_user_and_project,
self.user_foo['id'],
self.tenant_bar['id'],
- 'keystone_admin')
+ self.role_admin['id'])
def test_get_role_by_user_and_project(self):
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
- self.assertNotIn('keystone_admin', roles_ref)
+ self.assertNotIn(self.role_admin['id'], roles_ref)
self.identity_api.add_role_to_user_and_project(
- self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
+ self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id'])
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
- self.assertIn('keystone_admin', roles_ref)
+ self.assertIn(self.role_admin['id'], roles_ref)
self.assertNotIn('member', roles_ref)
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_bar['id'], 'member')
roles_ref = self.identity_api.get_roles_for_user_and_project(
self.user_foo['id'], self.tenant_bar['id'])
- self.assertIn('keystone_admin', roles_ref)
+ self.assertIn(self.role_admin['id'], roles_ref)
self.assertIn('member', roles_ref)
def test_get_roles_for_user_and_project_404(self):
@@ -512,13 +512,13 @@ class IdentityTests(object):
self.identity_api.add_role_to_user_and_project,
uuid.uuid4().hex,
self.tenant_bar['id'],
- 'keystone_admin')
+ self.role_admin['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.add_role_to_user_and_project,
self.user_foo['id'],
uuid.uuid4().hex,
- 'keystone_admin')
+ self.role_admin['id'])
self.assertRaises(exception.RoleNotFound,
self.identity_api.add_role_to_user_and_project,
@@ -547,11 +547,12 @@ class IdentityTests(object):
self.assertEquals(len(roles_ref), 1)
self.identity_api.create_grant(user_id=self.user_foo['id'],
project_id=self.tenant_bar['id'],
- role_id='keystone_admin')
+ role_id=self.role_admin['id'])
roles_ref = self.identity_api.list_grants(
user_id=self.user_foo['id'],
project_id=self.tenant_bar['id'])
- self.assertDictEqual(roles_ref[1], self.role_keystone_admin)
+ self.assertIn(self.role_admin['id'],
+ [role_ref['id'] for role_ref in roles_ref])
self.identity_api.create_grant(user_id=self.user_foo['id'],
project_id=self.tenant_bar['id'],
@@ -563,7 +564,7 @@ class IdentityTests(object):
roles_ref_ids = []
for i, ref in enumerate(roles_ref):
roles_ref_ids.append(ref['id'])
- self.assertIn('keystone_admin', roles_ref_ids)
+ self.assertIn(self.role_admin['id'], roles_ref_ids)
self.assertIn('member', roles_ref_ids)
def test_get_role_grants_for_user_and_project_404(self):
@@ -582,13 +583,13 @@ class IdentityTests(object):
self.identity_api.create_grant,
user_id=uuid.uuid4().hex,
project_id=self.tenant_bar['id'],
- role_id='keystone_admin')
+ role_id=self.role_admin['id'])
self.assertRaises(exception.ProjectNotFound,
self.identity_api.create_grant,
user_id=self.user_foo['id'],
project_id=uuid.uuid4().hex,
- role_id='keystone_admin')
+ role_id=self.role_admin['id'])
self.assertRaises(exception.RoleNotFound,
self.identity_api.create_grant,
@@ -730,13 +731,13 @@ class IdentityTests(object):
self.identity_api.create_grant(group_id=new_group2['id'],
domain_id=new_domain['id'],
- role_id='keystone_admin')
+ role_id=self.role_admin['id'])
self.identity_api.create_grant(user_id=new_user2['id'],
domain_id=new_domain['id'],
- role_id='keystone_admin')
+ role_id=self.role_admin['id'])
self.identity_api.create_grant(group_id=new_group['id'],
project_id=new_project['id'],
- role_id='keystone_admin')
+ role_id=self.role_admin['id'])
roles_ref = self.identity_api.list_grants(
group_id=new_group['id'],
diff --git a/tests/test_content_types.py b/tests/test_content_types.py
index 975f8128..183974fd 100644
--- a/tests/test_content_types.py
+++ b/tests/test_content_types.py
@@ -73,7 +73,7 @@ class RestfulTestCase(test.TestCase):
self.metadata_foobar = self.identity_api.update_metadata(
self.user_foo['id'],
self.tenant_bar['id'],
- dict(roles=['keystone_admin'], is_admin='1'))
+ dict(roles=[self.role_admin['id']], is_admin='1'))
def tearDown(self):
"""Kill running servers and release references to avoid leaks."""
@@ -180,7 +180,8 @@ class RestfulTestCase(test.TestCase):
elif self.content_type == 'xml':
response.body = etree.fromstring(response.body)
- def restful_request(self, headers=None, body=None, token=None, **kwargs):
+ def restful_request(self, method='GET', headers=None, body=None,
+ token=None, **kwargs):
"""Serializes/deserializes json/xml as request/response body.
.. WARNING::
@@ -198,12 +199,13 @@ class RestfulTestCase(test.TestCase):
body = self._to_content_type(body, headers)
# Perform the HTTP request/response
- response = self.request(headers=headers, body=body, **kwargs)
+ response = self.request(method=method, headers=headers, body=body,
+ **kwargs)
self._from_content_type(response)
# we can save some code & improve coverage by always doing this
- if response.status >= 400:
+ if method != 'HEAD' and response.status >= 400:
self.assertValidErrorResponse(response)
# Contains the decoded response.body
diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
index 14089759..dd7dc1d7 100644
--- a/tests/test_keystoneclient.py
+++ b/tests/test_keystoneclient.py
@@ -53,7 +53,7 @@ class CompatTestCase(test.TestCase):
# override the fixtures, for now
self.metadata_foobar = self.identity_api.update_metadata(
self.user_foo['id'], self.tenant_bar['id'],
- dict(roles=['keystone_admin'], is_admin='1'))
+ dict(roles=[self.role_admin['id']], is_admin='1'))
def tearDown(self):
self.public_server.kill()
@@ -536,8 +536,8 @@ class KeystoneClientTests(object):
def test_role_get(self):
client = self.get_client(admin=True)
- role = client.roles.get(role='keystone_admin')
- self.assertEquals(role.id, 'keystone_admin')
+ role = client.roles.get(role=self.role_admin['id'])
+ self.assertEquals(role.id, self.role_admin['id'])
def test_role_crud(self):
from keystoneclient import exceptions as client_exceptions
@@ -784,7 +784,7 @@ class KeystoneClientTests(object):
# ROLE CRUD
self.assertRaises(exception,
two.roles.get,
- role='keystone_admin')
+ role=self.role_admin['id'])
self.assertRaises(exception,
two.roles.list)
self.assertRaises(exception,
@@ -792,7 +792,7 @@ class KeystoneClientTests(object):
name='oops')
self.assertRaises(exception,
two.roles.delete,
- role='keystone_admin')
+ role=self.role_admin['id'])
# TODO(ja): MEMBERSHIP CRUD
# TODO(ja): determine what else todo
diff --git a/tests/test_v3.py b/tests/test_v3.py
index f5602035..e2d367bb 100644
--- a/tests/test_v3.py
+++ b/tests/test_v3.py
@@ -1,6 +1,7 @@
import uuid
from keystone.common.sql import util as sql_util
+from keystone import auth
from keystone import test
from keystone import config
@@ -19,6 +20,34 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
test.testsdir('backend_sql_disk.conf')])
sql_util.setup_test_database()
self.load_backends()
+
+ self.domain_id = uuid.uuid4().hex
+ self.domain = self.new_domain_ref()
+ self.domain['id'] = self.domain_id
+ self.identity_api.create_domain(self.domain_id, self.domain)
+
+ self.project_id = uuid.uuid4().hex
+ self.project = self.new_project_ref(
+ domain_id=self.domain_id)
+ self.project['id'] = self.project_id
+ self.identity_api.create_project(self.project_id, self.project)
+
+ self.user_id = uuid.uuid4().hex
+ self.user = self.new_user_ref(
+ domain_id=self.domain_id,
+ project_id=self.project_id)
+ self.user['id'] = self.user_id
+ self.identity_api.create_user(self.user_id, self.user)
+
+ # create & grant policy.json's default role for admin_required
+ self.role_id = uuid.uuid4().hex
+ self.role = self.new_role_ref()
+ self.role['id'] = self.role_id
+ self.role['name'] = 'admin'
+ self.identity_api.create_role(self.role_id, self.role)
+ self.identity_api.add_role_to_user_and_project(
+ self.user_id, self.project_id, self.role_id)
+
self.public_server = self.serveapp('keystone', name='main')
self.admin_server = self.serveapp('keystone', name='admin')
@@ -28,6 +57,8 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
self.public_server = None
self.admin_server = None
sql_util.teardown_test_database()
+ # need to reset the plug-ins
+ auth.controllers.AUTH_METHODS = {}
def new_ref(self):
"""Populates a ref with attributes common to all API entities."""
@@ -62,6 +93,7 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
ref = self.new_ref()
ref['domain_id'] = domain_id
ref['email'] = uuid.uuid4().hex
+ ref['password'] = uuid.uuid4().hex
if project_id:
ref['project_id'] = project_id
return ref
@@ -92,22 +124,29 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
def get_scoped_token(self):
"""Convenience method so that we can test authenticated requests."""
- # FIXME(dolph): should use real auth
- return 'ADMIN'
-
r = self.admin_request(
method='POST',
- path='/v3/tokens',
+ path='/v3/auth/tokens',
body={
- 'auth': {
- 'passwordCredentials': {
- 'username': self.user_foo['name'],
- 'password': self.user_foo['password'],
- },
- 'tenantId': self.tenant_bar['id'],
+ 'authentication': {
+ 'methods': ['password'],
+ 'password': {
+ 'user': {
+ 'name': self.user['name'],
+ 'password': self.user['password'],
+ 'domain': {
+ 'id': self.user['domain_id']
+ }
+ }
+ }
},
+ 'scope': {
+ 'project': {
+ 'id': self.project['id'],
+ }
+ }
})
- return r.body['access']['token']['id']
+ return r.getheader('X-Subject-Token')
def v3_request(self, path, **kwargs):
path = '/v3' + path
@@ -134,6 +173,13 @@ class RestfulTestCase(test_content_types.RestfulTestCase):
def delete(self, path, **kwargs):
return self.v3_request(method='DELETE', path=path, **kwargs)
+ def assertValidErrorResponse(self, r):
+ self.assertIsNotNone(r.body.get('error'))
+ self.assertIsNotNone(r.body['error'].get('code'))
+ self.assertIsNotNone(r.body['error'].get('title'))
+ self.assertIsNotNone(r.body['error'].get('message'))
+ self.assertEqual(r.body['error']['code'], r.status)
+
def assertValidListResponse(self, resp, key, entity_validator, ref=None,
expected_length=None):
"""Make assertions common to all API list responses.
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
new file mode 100644
index 00000000..698e5ec1
--- /dev/null
+++ b/tests/test_v3_auth.py
@@ -0,0 +1,440 @@
+# Copyright 2012 OpenStack LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import uuid
+
+from keystone import auth
+from keystone import config
+from keystone import exception
+from keystone.openstack.common import timeutils
+from keystone import test
+
+import test_v3
+
+
+CONF = config.CONF
+
+
+def _build_auth_scope(project_id=None, project_name=None,
+ project_domain_id=None, project_domain_name=None,
+ domain_id=None, domain_name=None):
+ scope_data = {}
+ if project_id or project_name:
+ scope_data['project'] = {}
+ if project_id:
+ scope_data['project']['id'] = project_id
+ else:
+ scope_data['project']['name'] = project_name
+ if project_domain_id or project_domain_name:
+ project_domain_json = {}
+ if project_domain_id:
+ project_domain_json['id'] = project_domain_id
+ else:
+ project_domain_json['name'] = project_domain_name
+ scope_data['project']['domain'] = project_domain_json
+ if domain_id or domain_name:
+ scope_data['domain'] = {}
+ if domain_id:
+ scope_data['domain']['id'] = domain_id
+ else:
+ scope_data['domain']['name'] = domain_name
+ return scope_data
+
+
+def _build_password_auth(user_id=None, username=None,
+ user_domain_id=None, user_domain_name=None,
+ password=None):
+ password_data = {'user': {}}
+ if user_id:
+ password_data['user']['id'] = user_id
+ else:
+ password_data['user']['name'] = username
+ if user_domain_id or user_domain_name:
+ password_data['user']['domain'] = {}
+ if user_domain_id:
+ password_data['user']['domain']['id'] = user_domain_id
+ else:
+ password_data['user']['domain']['name'] = user_domain_name
+ password_data['user']['password'] = password
+ return password_data
+
+
+def _build_token_auth(token):
+ return {'id': token}
+
+
+def _build_authentication_request(token=None, user_id=None, username=None,
+ user_domain_id=None, user_domain_name=None,
+ password=None, project_id=None,
+ project_name=None, project_domain_id=None,
+ project_domain_name=None,
+ domain_id=None, domain_name=None):
+ """Build auth dictionary.
+
+ It will create an auth dictionary based on all the arguments
+ that it receives.
+ """
+ auth_data = {}
+ auth_data['authentication'] = {'methods': []}
+ if token:
+ auth_data['authentication']['methods'].append('token')
+ auth_data['authentication']['token'] = _build_token_auth(token)
+ if user_id or username:
+ auth_data['authentication']['methods'].append('password')
+ auth_data['authentication']['password'] = _build_password_auth(
+ user_id, username, user_domain_id, user_domain_name, password)
+ if project_id or project_name or domain_id or domain_name:
+ auth_data['scope'] = _build_auth_scope(project_id,
+ project_name,
+ project_domain_id,
+ project_domain_name,
+ domain_id,
+ domain_name)
+ return auth_data
+
+
+class AuthTest(test_v3.RestfulTestCase):
+ def assertValidToken(self, token):
+ self.assertNotIn('roles', token)
+ self.assertEqual(self.user['id'], token['user']['id'])
+ self.assertIn('expires', token)
+
+ def assertValidScopedToken(self, token):
+ self.assertIn('roles', token)
+ self.assertIn('expires', token)
+ self.assertIn('catalog', token)
+ self.assertIn('user', token)
+
+ self.assertTrue(token['roles'])
+ for role in token['roles']:
+ self.assertIn('id', role)
+ self.assertIn('name', role)
+
+ self.assertEqual(self.user['id'], token['user']['id'])
+ self.assertEqual(self.user['name'], token['user']['name'])
+ self.assertEqual(self.user['domain_id'], token['user']['domain']['id'])
+ self.assertEqual(self.role_id, token['roles'][0]['id'])
+
+ def assertValidProjectScopedToken(self, token):
+ self.assertValidScopedToken(token)
+
+ self.assertIn('project', token)
+ self.assertIn('id', token['project'])
+ self.assertIn('name', token['project'])
+ self.assertIn('domain', token['project'])
+ self.assertIn('id', token['project']['domain'])
+ self.assertIn('name', token['project']['domain'])
+
+ def assertValidDomainScopedToken(self, token):
+ self.assertValidScopedToken(token)
+
+ self.assertIn('domain', token)
+ self.assertIn('id', token['domain'])
+ self.assertIn('name', token['domain'])
+
+ def assertValidProjectScopedToken(self, token):
+ self.assertNotEqual([], token['roles'])
+ self.assertEqual(self.user['id'], token['user']['id'])
+ self.assertEqual(self.role_id, token['roles'][0]['id'])
+
+ def assertEqualTokens(self, a, b):
+ """Assert that two tokens are equal.
+
+ Compare two tokens except for their ids. This also truncates
+ the time in the comparison.
+ """
+ def normalize(token):
+ del token['expires']
+ del token['issued_at']
+ return token
+
+ self.assertCloseEnoughForGovernmentWork(
+ timeutils.parse_isotime(a['expires']),
+ timeutils.parse_isotime(b['expires']))
+ self.assertCloseEnoughForGovernmentWork(
+ timeutils.parse_isotime(a['issued_at']),
+ timeutils.parse_isotime(b['issued_at']))
+ return self.assertDictEqual(normalize(a), normalize(b))
+
+
+class TestAuthInfo(test.TestCase):
+ def setUp(self):
+ super(TestAuthInfo, self).setUp()
+
+ def test_missing_auth_methods(self):
+ auth_data = {'authentication': {}}
+ auth_data['authentication']['token'] = {'id': uuid.uuid4().hex}
+ self.assertRaises(exception.ValidationError,
+ auth.controllers.AuthInfo,
+ None,
+ auth_data)
+
+ def test_unsupported_auth_method(self):
+ auth_data = {'methods': ['abc']}
+ auth_data['abc'] = {'test': 'test'}
+ auth_data = {'authentication': auth_data}
+ self.assertRaises(exception.AuthMethodNotSupported,
+ auth.controllers.AuthInfo,
+ None,
+ auth_data)
+
+ def test_missing_auth_method_data(self):
+ auth_data = {'methods': ['password']}
+ auth_data = {'authentication': auth_data}
+ self.assertRaises(exception.ValidationError,
+ auth.controllers.AuthInfo,
+ None,
+ auth_data)
+
+ def test_project_name_no_domain(self):
+ auth_data = _build_authentication_request(username='test',
+ password='test',
+ project_name='abc')
+ self.assertRaises(exception.ValidationError,
+ auth.controllers.AuthInfo,
+ None,
+ auth_data)
+
+ def test_both_project_and_domain_in_scope(self):
+ auth_data = _build_authentication_request(user_id='test',
+ password='test',
+ project_name='test',
+ domain_name='test')
+ self.assertRaises(exception.ValidationError,
+ auth.controllers.AuthInfo,
+ None,
+ auth_data)
+
+
+class TestTokenAPIs(AuthTest):
+ def setUp(self):
+ super(TestTokenAPIs, self).setUp()
+ auth_data = _build_authentication_request(
+ username=self.user['name'],
+ user_domain_id=self.domain_id,
+ password=self.user['password'])
+ resp = self.post('/auth/tokens', body=auth_data)
+ self.token_data = resp.body
+ self.token = resp.getheader('X-Subject-Token')
+ self.headers = {'X-Subject-Token': resp.getheader('X-Subject-Token')}
+
+ def test_default_fixture_scope_token(self):
+ self.assertIsNotNone(self.get_scoped_token())
+
+ def test_v3_v2_uuid_token_intermix(self):
+ # FIXME(gyee): PKI tokens are not interchangeable because token
+ # data is baked into the token itself.
+ self.opt_in_group('signing', token_format='UUID')
+ auth_data = _build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ project_id=self.project['id'])
+ resp = self.post('/auth/tokens', body=auth_data)
+ token_data = resp.body
+ token = resp.getheader('X-Subject-Token')
+
+ # now validate the v3 token with v2 API
+ path = '/v2.0/tokens/%s' % (token)
+ resp = self.admin_request(path=path,
+ token='ADMIN',
+ method='GET')
+ v2_token = resp.body
+ self.assertEqual(v2_token['access']['user']['id'],
+ token_data['user']['id'])
+ self.assertEqual(v2_token['access']['token']['expires'],
+ token_data['expires'])
+ self.assertEqual(v2_token['access']['user']['roles'][0]['id'],
+ token_data['roles'][0]['id'])
+
+ def test_v3_v2_pki_token_intermix(self):
+ # FIXME(gyee): PKI tokens are not interchangeable because token
+ # data is baked into the token itself.
+ self.opt_in_group('signing', token_format='PKI')
+ auth_data = _build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'],
+ project_id=self.project['id'])
+ resp = self.post('/auth/tokens', body=auth_data)
+ token_data = resp.body
+ token = resp.getheader('X-Subject-Token')
+
+ # now validate the v3 token with v2 API
+ path = '/v2.0/tokens/%s' % (token)
+ resp = self.admin_request(path=path,
+ token='ADMIN',
+ method='GET')
+ v2_token = resp.body
+ self.assertEqual(v2_token['access']['user']['id'],
+ token_data['user']['id'])
+ self.assertEqual(v2_token['access']['token']['expires'],
+ token_data['expires'])
+ self.assertEqual(v2_token['access']['user']['roles'][0]['id'],
+ token_data['roles'][0]['id'])
+
+ def test_v2_v3_uuid_token_intermix(self):
+ self.opt_in_group('signing', token_format='UUID')
+ body = {
+ 'auth': {
+ 'passwordCredentials': {
+ 'userId': self.user['id'],
+ 'password': self.user['password']
+ },
+ 'tenantId': self.project['id']
+ }}
+ resp = self.admin_request(path='/v2.0/tokens',
+ method='POST',
+ body=body)
+ v2_token_data = resp.body
+ v2_token = v2_token_data['access']['token']['id']
+ headers = {'X-Subject-Token': v2_token}
+ resp = self.get('/auth/tokens', headers=headers)
+ token_data = resp.body
+ self.assertEqual(v2_token_data['access']['user']['id'],
+ token_data['user']['id'])
+ self.assertEqual(v2_token_data['access']['token']['expires'],
+ token_data['expires'])
+ self.assertEqual(v2_token_data['access']['user']['roles'][0]['name'],
+ token_data['roles'][0]['name'])
+
+ def test_v2_v3_pki_token_intermix(self):
+ self.opt_in_group('signing', token_format='PKI')
+ body = {
+ 'auth': {
+ 'passwordCredentials': {
+ 'userId': self.user['id'],
+ 'password': self.user['password']
+ },
+ 'tenantId': self.project['id']
+ }}
+ resp = self.admin_request(path='/v2.0/tokens',
+ method='POST',
+ body=body)
+ v2_token_data = resp.body
+ v2_token = v2_token_data['access']['token']['id']
+ headers = {'X-Subject-Token': v2_token}
+ resp = self.get('/auth/tokens', headers=headers)
+ token_data = resp.body
+ self.assertEqual(v2_token_data['access']['user']['id'],
+ token_data['user']['id'])
+ self.assertEqual(v2_token_data['access']['token']['expires'],
+ token_data['expires'])
+ self.assertEqual(v2_token_data['access']['user']['roles'][0]['name'],
+ token_data['roles'][0]['name'])
+
+ def test_rescoping_token(self):
+ expires = self.token_data['expires']
+ auth_data = _build_authentication_request(
+ token=self.token,
+ project_id=self.project_id)
+ resp = self.post('/auth/tokens', body=auth_data)
+ self.assertValidProjectScopedToken(resp.body)
+ # make sure expires stayed the same
+ self.assertEqual(expires, resp.body['expires'])
+
+ def test_check_token(self):
+ resp = self.head('/auth/tokens', headers=self.headers)
+ self.assertEqual(resp.status, 204)
+
+ def test_validate_token(self):
+ resp = self.get('/auth/tokens', headers=self.headers)
+ self.assertValidToken(resp.body)
+
+ def test_revoke_token(self):
+ token = self.get_scoped_token()
+ headers = {'X-Subject-Token': token}
+ self.delete('/auth/tokens', headers=headers)
+
+ # make sure token no longer valid
+ resp = self.head('/auth/tokens', headers=headers,
+ expected_status=401)
+ self.assertEqual(resp.status, 401)
+
+ # make sure we have a CRL
+ resp = self.get('/auth/tokens/OS-PKI/revoked')
+ self.assertTrue('signed' in resp.body)
+
+
+class TestAuth(AuthTest):
+ def test_unscope_token_with_name(self):
+ auth_data = _build_authentication_request(
+ username=self.user['name'],
+ user_domain_id=self.domain_id,
+ password=self.user['password'])
+ resp = self.post('/auth/tokens', body=auth_data)
+ self.assertValidToken(resp.body)
+
+ def test_project_scope_token_with_name(self):
+ auth_data = _build_authentication_request(
+ username=self.user['name'],
+ user_domain_id=self.domain_id,
+ password=self.user['password'],
+ project_id=self.project_id)
+ resp = self.post('/auth/tokens', body=auth_data)
+ self.assertValidProjectScopedToken(resp.body)
+
+ def test_auth_with_id(self):
+ auth_data = _build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'])
+ resp = self.post('/auth/tokens', body=auth_data)
+ self.assertValidToken(resp.body)
+
+ token = resp.getheader('X-Subject-Token')
+ headers = {'X-Subject-Token': resp.getheader('X-Subject-Token')}
+
+ # test token auth
+ auth_data = _build_authentication_request(token=token)
+ resp = self.post('/auth/tokens', body=auth_data)
+ self.assertValidToken(resp.body)
+
+ def test_invalid_password(self):
+ auth_data = _build_authentication_request(
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+ resp = self.post('/auth/tokens', body=auth_data,
+ expected_status=401)
+ self.assertEqual(resp.status, 401)
+
+ def test_invalid_username(self):
+ auth_data = _build_authentication_request(
+ username=uuid.uuid4().hex,
+ password=self.user['password'])
+ resp = self.post('/auth/tokens', body=auth_data,
+ expected_status=401)
+ self.assertEqual(resp.status, 401)
+
+ def test_remote_user(self):
+ auth_data = _build_authentication_request(
+ user_id=self.user['id'],
+ password=self.user['password'])
+ api = auth.controllers.Auth()
+ context = {'REMOTE_USER': self.user['name']}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ api.authenticate(context, auth_info, auth_context)
+ self.assertEqual(auth_context['user_id'], self.user['id'])
+
+ def test_remote_user_no_domain(self):
+ auth_data = _build_authentication_request(
+ username=self.user['name'],
+ password=self.user['password'])
+ api = auth.controllers.Auth()
+ context = {'REMOTE_USER': self.user['name']}
+ auth_info = auth.controllers.AuthInfo(None, auth_data)
+ auth_context = {'extras': {}, 'method_names': []}
+ self.assertRaises(exception.ValidationError,
+ api.authenticate,
+ context,
+ auth_info,
+ auth_context)
diff --git a/tests/test_v3_identity.py b/tests/test_v3_identity.py
index 8805b6d8..77c5c898 100644
--- a/tests/test_v3_identity.py
+++ b/tests/test_v3_identity.py
@@ -9,24 +9,6 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def setUp(self):
super(IdentityTestCase, self).setUp()
- self.domain_id = uuid.uuid4().hex
- self.domain = self.new_domain_ref()
- self.domain['id'] = self.domain_id
- self.identity_api.create_domain(self.domain_id, self.domain)
-
- self.project_id = uuid.uuid4().hex
- self.project = self.new_project_ref(
- domain_id=self.domain_id)
- self.project['id'] = self.project_id
- self.identity_api.create_project(self.project_id, self.project)
-
- self.user_id = uuid.uuid4().hex
- self.user = self.new_user_ref(
- domain_id=self.domain_id,
- project_id=self.project_id)
- self.user['id'] = self.user_id
- self.identity_api.create_user(self.user_id, self.user)
-
self.group_id = uuid.uuid4().hex
self.group = self.new_group_ref(
domain_id=self.domain_id)
@@ -35,18 +17,13 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.credential_id = uuid.uuid4().hex
self.credential = self.new_credential_ref(
- user_id=self.user_id,
+ user_id=self.user['id'],
project_id=self.project_id)
self.credential['id'] = self.credential_id
self.identity_api.create_credential(
self.credential_id,
self.credential)
- self.role_id = uuid.uuid4().hex
- self.role = self.new_role_ref()
- self.role['id'] = self.role_id
- self.identity_api.create_role(self.role_id, self.role)
-
# domain validation
def assertValidDomainListResponse(self, resp, **kwargs):
@@ -225,15 +202,17 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.assertValidDomainResponse(r, self.domain)
# check that the project and user are still enabled
- r = self.get('/projects/%(project_id)s' % {
- 'project_id': self.project_id})
- self.assertValidProjectResponse(r, self.project)
- self.assertTrue(r.body['project']['enabled'])
-
- r = self.get('/users/%(user_id)s' % {
- 'user_id': self.user_id})
- self.assertValidUserResponse(r, self.user)
- self.assertTrue(r.body['user']['enabled'])
+ # FIXME(gyee): are these tests still valid since user should not
+ # be able to authenticate into a disabled domain
+ #r = self.get('/projects/%(project_id)s' % {
+ # 'project_id': self.project_id})
+ #self.assertValidProjectResponse(r, self.project)
+ #self.assertTrue(r.body['project']['enabled'])
+
+ #r = self.get('/users/%(user_id)s' % {
+ # 'user_id': self.user['id']})
+ #self.assertValidUserResponse(r, self.user)
+ #self.assertTrue(r.body['user']['enabled'])
# TODO(dolph): assert that v2 & v3 auth return 401
@@ -298,25 +277,25 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_get_user(self):
"""GET /users/{user_id}"""
r = self.get('/users/%(user_id)s' % {
- 'user_id': self.user_id})
+ 'user_id': self.user['id']})
self.assertValidUserResponse(r, self.user)
def test_add_user_to_group(self):
"""PUT /groups/{group_id}/users/{user_id}"""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
- 'group_id': self.group_id, 'user_id': self.user_id})
+ 'group_id': self.group_id, 'user_id': self.user['id']})
def test_check_user_in_group(self):
"""HEAD /groups/{group_id}/users/{user_id}"""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
- 'group_id': self.group_id, 'user_id': self.user_id})
+ 'group_id': self.group_id, 'user_id': self.user['id']})
self.head('/groups/%(group_id)s/users/%(user_id)s' % {
- 'group_id': self.group_id, 'user_id': self.user_id})
+ 'group_id': self.group_id, 'user_id': self.user['id']})
def test_list_users_in_group(self):
"""GET /groups/{group_id}/users"""
r = self.put('/groups/%(group_id)s/users/%(user_id)s' % {
- 'group_id': self.group_id, 'user_id': self.user_id})
+ 'group_id': self.group_id, 'user_id': self.user['id']})
r = self.get('/groups/%(group_id)s/users' % {
'group_id': self.group_id})
self.assertValidUserListResponse(r, ref=self.user)
@@ -326,23 +305,23 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_remove_user_from_group(self):
"""DELETE /groups/{group_id}/users/{user_id}"""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
- 'group_id': self.group_id, 'user_id': self.user_id})
+ 'group_id': self.group_id, 'user_id': self.user['id']})
self.delete('/groups/%(group_id)s/users/%(user_id)s' % {
- 'group_id': self.group_id, 'user_id': self.user_id})
+ 'group_id': self.group_id, 'user_id': self.user['id']})
def test_update_user(self):
"""PATCH /users/{user_id}"""
user = self.new_user_ref(domain_id=self.domain_id)
del user['id']
r = self.patch('/users/%(user_id)s' % {
- 'user_id': self.user_id},
+ 'user_id': self.user['id']},
body={'user': user})
self.assertValidUserResponse(r, user)
def test_delete_user(self):
"""DELETE /users/{user_id}"""
self.delete('/users/%(user_id)s' % {
- 'user_id': self.user_id})
+ 'user_id': self.user['id']})
# group crud tests
@@ -388,7 +367,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_create_credential(self):
"""POST /credentials"""
- ref = self.new_credential_ref(user_id=self.user_id)
+ ref = self.new_credential_ref(user_id=self.user['id'])
r = self.post(
'/credentials',
body={'credential': ref})
@@ -404,7 +383,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_update_credential(self):
"""PATCH /credentials/{credential_id}"""
ref = self.new_credential_ref(
- user_id=self.user_id,
+ user_id=self.user['id'],
project_id=self.project_id)
del ref['id']
r = self.patch(
@@ -457,8 +436,8 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_crud_user_project_role_grants(self):
collection_url = (
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
- 'project_id': self.project_id,
- 'user_id': self.user_id})
+ 'project_id': self.project['id'],
+ 'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url,
'role_id': self.role_id}
@@ -469,16 +448,18 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.assertValidRoleListResponse(r, ref=self.role)
self.assertIn(collection_url, r.body['links']['self'])
- self.delete(member_url)
- r = self.get(collection_url)
- self.assertValidRoleListResponse(r, expected_length=0)
- self.assertIn(collection_url, r.body['links']['self'])
+ # FIXME(gyee): this test is no longer valid as user
+ # have no role in the project. Can't get a scoped token
+ #self.delete(member_url)
+ #r = self.get(collection_url)
+ #self.assertValidRoleListResponse(r, expected_length=0)
+ #self.assertIn(collection_url, r.body['links']['self'])
def test_crud_user_domain_role_grants(self):
collection_url = (
'/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': self.domain_id,
- 'user_id': self.user_id})
+ 'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url,
'role_id': self.role_id}
generated by cgit (git 2.34.1) at 2024-06-30 07:23:12 +0000