def test_v1_auth(self):
"""Test v1 auth code paths"""
def fake_do_request(cls, url, method, headers=None, body=None):
if url.find("2.0") != -1:
self.fail("Invalid v1.0 token path (%s)" % url)
headers = headers or {}
resp = webob.Response()
if (headers.get('X-Auth-User') != 'user1' or
headers.get('X-Auth-Key') != 'pass'):
resp.status = 401
else:
resp.status = 200
return FakeResponse(resp), ""
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
unauthorized_creds = [
{
'username': '******',
'auth_url': 'http://localhost/badauthurl/',
'password': '******'
}, # wrong username
{
'username': '******',
'auth_url': 'http://localhost/badauthurl/',
'password': '******'
}, # bad password...
]
for creds in unauthorized_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.NotAuthorized:
continue # Expected
self.fail("Failed to raise NotAuthorized when supplying bad "
"credentials: %r" % creds)
good_creds = [
{
'username': '******',
'auth_url': 'http://localhost/redirect/',
'password': '******'
}
]
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds)
self.assertTrue(plugin.authenticate() is None)
def test_invalid_auth_url(self):
"""
Test invalid auth URL returns a 404/400 in authenticate().
'404' if an attempt is made to access an invalid url on a
server, '400' if an attempt is made to access a url on a
non-existent server.
"""
bad_creds = [
{
'username': '******',
'auth_url': 'http://localhost/badauthurl/',
'password': '******'
}, # v1 Keystone
{
'username': '******',
'auth_url': 'http://localhost/badauthurl/v2.0/',
'password': '******',
'tenant': 'tenant1'
} # v2 Keystone
]
for creds in bad_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.AuthUrlNotFound:
continue # Expected if web server running
except exception.AuthBadRequest:
continue # Expected if no web server running
self.fail("Failed to raise Exception when supplying bad "
"credentials: %r" % creds)
def test_required_creds(self):
"""
Test that plugin created without required
credential pieces raises an exception
"""
bad_creds = [
{}, # missing everything
{
'username': '******',
'password': '******'
}, # missing auth_url
{
'password': '******',
'auth_url': 'http://localhost/v1'
}, # missing username
{
'username': '******',
'auth_url': 'http://localhost/v1'
}, # missing password
{
'username': '******',
'password': '******',
'auth_url': 'http://localhost/v2.0/'
} # v2.0: missing tenant
]
for creds in bad_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.MissingCredentialError:
continue # Expected
self.fail("Failed to raise correct exception when supplying bad "
"credentials: %r" % creds)
def test_invalid_auth_url_v1(self):
"""
Test that a 400 during authenticate raises exception.AuthBadRequest
"""
def fake_do_request(*args, **kwargs):
resp = webob.Response()
resp.status = 400
return FakeResponse(resp), ""
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
bad_creds = {
'username': '******',
'auth_url': 'http://localhost/badauthurl/',
'password': '******',
'strategy': 'keystone',
'region': 'RegionOne'
}
plugin = auth.KeystoneStrategy(bad_creds)
self.assertRaises(exception.AuthBadRequest, plugin.authenticate)
def test_v2_auth(self):
"""Test v2 auth code paths"""
mock_token = None
def fake_do_request(cls, url, method, headers=None, body=None):
if (not url.rstrip('/').endswith('v2.0/tokens') or
url.count("2.0") != 1):
self.fail("Invalid v2.0 token path (%s)" % url)
creds = json.loads(body)['auth']
username = creds['passwordCredentials']['username']
password = creds['passwordCredentials']['password']
tenant = creds['tenantName']
resp = webob.Response()
if (username != 'user1' or password != 'pass' or
tenant != 'tenant-ok'):
resp.status = 401
else:
resp.status = 200
body = mock_token.token
return FakeResponse(resp), json.dumps(body)
mock_token = V2Token()
mock_token.add_service('image', ['RegionOne'])
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
unauthorized_creds = [
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionOne'
}, # wrong username
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionOne'
}, # bad password...
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'carterhayes',
'strategy': 'keystone',
'region': 'RegionOne'
}, # bad tenant...
]
for creds in unauthorized_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
self.fail("Failed to raise NotAuthenticated when supplying "
"bad credentials: %r" % creds)
except exception.NotAuthenticated:
continue # Expected
no_region_creds = {
'username': '******',
'tenant': 'tenant-ok',
'auth_url': 'http://localhost/redirect/v2.0/',
'password': '******',
'strategy': 'keystone'
}
plugin = auth.KeystoneStrategy(no_region_creds)
self.assertTrue(plugin.authenticate() is None)
self.assertEquals(plugin.management_url, 'http://localhost:9292')
# Add another image service, with a different region
mock_token.add_service('image', ['RegionTwo'])
try:
plugin = auth.KeystoneStrategy(no_region_creds)
plugin.authenticate()
self.fail("Failed to raise RegionAmbiguity when no region present "
"and multiple regions exist: %r" % no_region_creds)
except exception.RegionAmbiguity:
pass # Expected
wrong_region_creds = {
'username': '******',
'tenant': 'tenant-ok',
'auth_url': 'http://localhost/redirect/v2.0/',
'password': '******',
'strategy': 'keystone',
'region': 'NonExistantRegion'
}
try:
plugin = auth.KeystoneStrategy(wrong_region_creds)
plugin.authenticate()
self.fail("Failed to raise NoServiceEndpoint when supplying "
"wrong region: %r" % wrong_region_creds)
except exception.NoServiceEndpoint:
pass # Expected
no_strategy_creds = {
'username': '******',
'tenant': 'tenant-ok',
'auth_url': 'http://localhost/redirect/v2.0/',
'password': '******',
'region': 'RegionOne'
}
try:
plugin = auth.KeystoneStrategy(no_strategy_creds)
plugin.authenticate()
self.fail("Failed to raise MissingCredentialError when "
"supplying no strategy: %r" % no_strategy_creds)
except exception.MissingCredentialError:
pass # Expected
bad_strategy_creds = {
'username': '******',
'tenant': 'tenant-ok',
'auth_url': 'http://localhost/redirect/v2.0/',
'password': '******',
'region': 'RegionOne',
'strategy': 'keypebble'
}
try:
plugin = auth.KeystoneStrategy(bad_strategy_creds)
plugin.authenticate()
self.fail("Failed to raise BadAuthStrategy when supplying "
"bad auth strategy: %r" % bad_strategy_creds)
except exception.BadAuthStrategy:
pass # Expected
mock_token = V2Token()
mock_token.add_service('image', ['RegionOne', 'RegionTwo'])
good_creds = [
{
'username': '******',
'auth_url': 'http://localhost/v2.0/',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionOne'
}, # auth_url with trailing '/'
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionOne'
}, # auth_url without trailing '/'
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionTwo'
} # Second region
]
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds)
self.assertTrue(plugin.authenticate() is None)
self.assertEquals(plugin.management_url, 'http://localhost:9292')
ambiguous_region_creds = {
'username': '******',
'auth_url': 'http://localhost/v2.0/',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionOne'
}
mock_token = V2Token()
# Add two identical services
mock_token.add_service('image', ['RegionOne'])
mock_token.add_service('image', ['RegionOne'])
try:
plugin = auth.KeystoneStrategy(ambiguous_region_creds)
plugin.authenticate()
self.fail("Failed to raise RegionAmbiguity when "
"non-unique regions exist: %r" % ambiguous_region_creds)
except exception.RegionAmbiguity:
pass
mock_token = V2Token()
mock_token.add_service('bad-image', ['RegionOne'])
good_creds = {
'username': '******',
'auth_url': 'http://localhost/v2.0/',
'password': '******',
'tenant': 'tenant-ok',
'strategy': 'keystone',
'region': 'RegionOne'
}
try:
plugin = auth.KeystoneStrategy(good_creds)
plugin.authenticate()
self.fail("Failed to raise NoServiceEndpoint when bad service "
"type encountered")
except exception.NoServiceEndpoint:
pass
mock_token = V2Token()
mock_token.add_service_no_type()
try:
plugin = auth.KeystoneStrategy(good_creds)
plugin.authenticate()
self.fail("Failed to raise NoServiceEndpoint when bad service "
"type encountered")
except exception.NoServiceEndpoint:
pass
try:
plugin = auth.KeystoneStrategy(good_creds,
configure_via_auth=False)
plugin.authenticate()
except exception.NoServiceEndpoint:
self.fail("NoServiceEndpoint was raised when authenticate "
"should not check for endpoint.")
def test_v1_auth(self):
"""Test v1 auth code paths"""
def fake_do_request(cls, url, method, headers=None, body=None):
if url.find("2.0") != -1:
self.fail("Invalid v1.0 token path (%s)" % url)
headers = headers or {}
resp = webob.Response()
if (headers.get('X-Auth-User') != 'user1' or
headers.get('X-Auth-Key') != 'pass'):
resp.status = 401
else:
resp.status = 200
resp.headers.update({"x-image-management-url": "example.com"})
return FakeResponse(resp), ""
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
unauthorized_creds = [
{
'username': '******',
'auth_url': 'http://localhost/badauthurl/',
'strategy': 'keystone',
'region': 'RegionOne',
'password': '******'
}, # wrong username
{
'username': '******',
'auth_url': 'http://localhost/badauthurl/',
'strategy': 'keystone',
'region': 'RegionOne',
'password': '******'
}, # bad password...
]
for creds in unauthorized_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
self.fail("Failed to raise NotAuthenticated when supplying "
"bad credentials: %r" % creds)
except exception.NotAuthenticated:
continue # Expected
no_strategy_creds = {
'username': '******',
'auth_url': 'http://localhost/redirect/',
'password': '******',
'region': 'RegionOne'
}
try:
plugin = auth.KeystoneStrategy(no_strategy_creds)
plugin.authenticate()
self.fail("Failed to raise MissingCredentialError when "
"supplying no strategy: %r" % no_strategy_creds)
except exception.MissingCredentialError:
pass # Expected
good_creds = [
{
'username': '******',
'auth_url': 'http://localhost/redirect/',
'password': '******',
'strategy': 'keystone',
'region': 'RegionOne'
}
]
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds)
self.assertTrue(plugin.authenticate() is None)
self.assertEqual(plugin.management_url, "example.com")
# Assert it does not update management_url via auth response
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds, configure_via_auth=False)
self.assertTrue(plugin.authenticate() is None)
self.assertTrue(plugin.management_url is None)
def test_v2_auth(self):
"""Test v2 auth code paths"""
def fake_do_request(cls, url, method, headers=None, body=None):
if (not url.rstrip('/').endswith('v2.0/tokens')
or url.count("2.0") != 1):
self.fail("Invalid v2.0 token path (%s)" % url)
creds = json.loads(body)['auth']
username = creds['passwordCredentials']['username']
password = creds['passwordCredentials']['password']
tenant = creds['tenantName']
resp = webob.Response()
if (username != 'user1' or password != 'pass'
or tenant != 'tenant-ok'):
resp.status = 401
else:
resp.status = 200
# Mock up a token to satisfy v2 auth
body = {
"access": {
"token": {
"expires": "2010-11-23T16:40:53.321584",
"id": "5c7f8799-2e54-43e4-851b-31f81871b6c",
"tenant": {
"id": "1",
"name": "tenant-ok"
}
},
"serviceCatalog": [{
"endpoints": [{
"region": "RegionOne",
"adminURL": "http://localhost:9292",
"internalURL": "http://localhost:9292",
"publicURL": "http://localhost:9292"
}],
"type":
"image",
"name":
"glance"
}],
"user": {
"id":
"2",
"roles": [{
"tenantId": "1",
"id": "1",
"name": "Admin"
}],
"name":
"joeadmin"
}
}
}
return FakeResponse(resp), json.dumps(body)
self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request)
unauthorized_creds = [
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok'
}, # wrong username
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok'
}, # bad password...
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'carterhayes'
}, # bad tenant...
]
for creds in unauthorized_creds:
try:
plugin = auth.KeystoneStrategy(creds)
plugin.authenticate()
except exception.NotAuthorized:
continue # Expected
self.fail("Failed to raise NotAuthorized when supplying bad "
"credentials: %r" % creds)
good_creds = [
{
'username': '******',
'auth_url': 'http://localhost/v2.0/',
'password': '******',
'tenant': 'tenant-ok'
}, # auth_url with trailing '/'
{
'username': '******',
'auth_url': 'http://localhost/v2.0',
'password': '******',
'tenant': 'tenant-ok'
} # auth_url without trailing '/'
]
for creds in good_creds:
plugin = auth.KeystoneStrategy(creds)
self.assertTrue(plugin.authenticate() is None)
