def setUp(self): self.useFixture(database.Database()) super(TestCaseWithBootstrap, self).setUp() self.config_fixture = self.useFixture(config_fixture.Config(CONF)) CONF(args=[], project='keystone') self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys)) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_receipts', CONF.fernet_receipts.max_active_keys)) self.bootstrapper = bootstrap.Bootstrapper() self.addCleanup(provider_api.ProviderAPIs._clear_registry_instances) self.addCleanup(self.clean_default_domain) self.bootstrapper.admin_password = '******' self.bootstrapper.admin_username = '******' self.bootstrapper.project_name = 'admin' self.bootstrapper.admin_role_name = 'admin' self.bootstrapper.service_name = 'keystone' self.bootstrapper.public_url = 'http://localhost/identity/' self.bootstrapper.immutable_roles = True try: PROVIDERS.resource_api.create_domain( default_fixtures.ROOT_DOMAIN['id'], default_fixtures.ROOT_DOMAIN) except exception.Conflict: pass self.bootstrapper.bootstrap()
def config_overrides(self): # NOTE(morganfainberg): enforce config_overrides can only ever be # called a single time. assert self.__config_overrides_called is False self.__config_overrides_called = True signing_certfile = 'examples/pki/certs/signing_cert.pem' signing_keyfile = 'examples/pki/private/signing_key.pem' self.useFixture(self._policy_fixture()) self.config_fixture.config( # TODO(morganfainberg): Make Cache Testing a separate test case # in tempest, and move it out of the base unit tests. group='cache', backend='dogpile.cache.memory', enabled=True, proxies=['oslo_cache.testing.CacheIsolatingProxy']) self.config_fixture.config( group='catalog', driver='sql', template_file=dirs.tests('default_catalog.templates')) self.config_fixture.config(group='signing', certfile=signing_certfile, keyfile=signing_keyfile, ca_certs='examples/pki/certs/cacert.pem') self.config_fixture.config(group='saml', certfile=signing_certfile, keyfile=signing_keyfile) self.config_fixture.config(default_log_levels=[ 'amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'routes.middleware=INFO', 'stevedore.extension=INFO', 'keystone.notifications=INFO', 'keystone.identity.backends.ldap.common=INFO', ]) # NOTE(notmorgan): Set password rounds low here to ensure speedy # tests. This is explicitly set because the tests here are not testing # the integrity of the password hashing, just that the correct form # of hashing has been used. Note that 4 is the lowest for bcrypt # allowed in the `[identity] password_hash_rounds` setting self.config_fixture.config(group='identity', password_hash_rounds=4) self.config_fixture.config(crypt_strength=1000) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys)) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_receipts', CONF.fernet_receipts.max_active_keys))
def setUp(self): super(TestFernetCredentialProvider, self).setUp() self.provider = credential_fernet.Provider() self.useFixture(database.Database()) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS))
def test_rotation(self): # Initializing a key repository results in this many keys. We don't # support max_active_keys being set any lower. min_active_keys = 2 # Simulate every rotation strategy up to "rotating once a week while # maintaining a year's worth of keys." for max_active_keys in six.moves.range(min_active_keys, 52 + 1): self.config_fixture.config(group='fernet_tokens', max_active_keys=max_active_keys) # Ensure that resetting the key repository always results in 2 # active keys. self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) self.assertEqual(min_active_keys, self.key_repository_size) # Rotate the keys just enough times to fully populate the key # repository. for rotation in six.moves.range(max_active_keys - min_active_keys): fernet_utils.rotate_keys() self.assertEqual(max_active_keys, self.key_repository_size) # Rotate an additional number of times to ensure that we maintain # the desired number of active keys. for rotation in six.moves.range(10): fernet_utils.rotate_keys() self.assertEqual(self.key_repository_size, max_active_keys)
def test_rotation_disk_write_fail(self): # Init the key repository self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys ) ) # Make sure that the init key repository contains 2 keys self.assertRepositoryState(expected_size=2) key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys ) # Simulate the disk full situation mock_open = mock.mock_open() file_handle = mock_open() file_handle.flush.side_effect = IOError('disk full') with mock.patch('keystone.common.fernet_utils.open', mock_open): self.assertRaises(IOError, key_utils.rotate_keys) # Assert that the key repository is unchanged self.assertEqual(self.key_repository_size, 2)
def setUp(self): super(TestTokenProvider, self).setUp() self.useFixture(database.Database()) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys)) self.load_backends()
def setUp(self): super(V2CredentialEc2TestCase, self).setUp() self.user_id = self.user_foo['id'] self.project_id = self.tenant_bar['id'] self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS))
def test_non_numeric_files(self): self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1') with open(evil_file, 'w'): pass keys = fernet_utils.load_keys() self.assertEqual(2, len(keys)) self.assertTrue(len(keys[0]))
def config_overrides(self): super(FernetSqlRevokeTests, self).config_overrides() self.config_fixture.config(group='token', provider='fernet', revoke_by_id=False) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys))
def config_overrides(self): # NOTE(morganfainberg): enforce config_overrides can only ever be # called a single time. assert self.__config_overrides_called is False self.__config_overrides_called = True signing_certfile = 'examples/pki/certs/signing_cert.pem' signing_keyfile = 'examples/pki/private/signing_key.pem' self.useFixture(self._policy_fixture()) self.config_fixture.config( # TODO(morganfainberg): Make Cache Testing a separate test case # in tempest, and move it out of the base unit tests. group='cache', backend='dogpile.cache.memory', enabled=True, proxies=['oslo_cache.testing.CacheIsolatingProxy']) self.config_fixture.config( group='catalog', driver='sql', template_file=dirs.tests('default_catalog.templates')) self.config_fixture.config( group='kvs', backends=[ ('keystone.tests.unit.test_kvs.' 'KVSBackendForcedKeyMangleFixture'), 'keystone.tests.unit.test_kvs.KVSBackendFixture']) self.config_fixture.config( group='signing', certfile=signing_certfile, keyfile=signing_keyfile, ca_certs='examples/pki/certs/cacert.pem') self.config_fixture.config( group='saml', certfile=signing_certfile, keyfile=signing_keyfile) self.config_fixture.config( default_log_levels=[ 'amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'routes.middleware=INFO', 'stevedore.extension=INFO', 'keystone.notifications=INFO', 'keystone.identity.backends.ldap.common=INFO', ]) self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys ) )
def setUp(self): super(CredentialBaseTestCase, self).setUp() self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS ) )
def setUp(self): super(TestTokenFormatter, self).setUp() self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys ) )
def test_rotation(self): # Initializing a key repository results in this many keys. We don't # support max_active_keys being set any lower. min_active_keys = 2 # Simulate every rotation strategy up to "rotating once a week while # maintaining a year's worth of keys." for max_active_keys in range(min_active_keys, 52 + 1): self.config_fixture.config(group='fernet_receipts', max_active_keys=max_active_keys) # Ensure that resetting the key repository always results in 2 # active keys. self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_receipts', CONF.fernet_receipts.max_active_keys)) # Validate the initial repository state. self.assertRepositoryState(expected_size=min_active_keys) # The repository should be initialized with a staged key (0) and a # primary key (1). The next key is just auto-incremented. exp_keys = [0, 1] next_key_number = exp_keys[-1] + 1 # keep track of next key self.assertEqual(exp_keys, self.keys) # Rotate the keys just enough times to fully populate the key # repository. key_utils = fernet_utils.FernetUtils( CONF.fernet_receipts.key_repository, CONF.fernet_receipts.max_active_keys, 'fernet_receipts') for rotation in range(max_active_keys - min_active_keys): key_utils.rotate_keys() self.assertRepositoryState(expected_size=rotation + 3) exp_keys.append(next_key_number) next_key_number += 1 self.assertEqual(exp_keys, self.keys) # We should have a fully populated key repository now. self.assertEqual(max_active_keys, self.key_repository_size) # Rotate an additional number of times to ensure that we maintain # the desired number of active keys. key_utils = fernet_utils.FernetUtils( CONF.fernet_receipts.key_repository, CONF.fernet_receipts.max_active_keys, 'fernet_receipts') for rotation in range(10): key_utils.rotate_keys() self.assertRepositoryState(expected_size=max_active_keys) exp_keys.pop(1) exp_keys.append(next_key_number) next_key_number += 1 self.assertEqual(exp_keys, self.keys)
def setUp(self): super(TestCredentialAccessToken, self).setUp() self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS ) ) self.base_url = 'http://localhost/v3'
def config_overrides(self): super(FernetAuthTokenTests, self).config_overrides() self.config_fixture.config(group='token', provider='fernet') self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys ) )
def setUp(self): super(TestFernetTokenProvider, self).setUp() self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys ) ) self.provider = fernet.Provider()
def setUp(self): super(TestCredentialTrustScoped, self).setUp() self.trustee_user = unit.new_user_ref(domain_id=self.domain_id) password = self.trustee_user['password'] self.trustee_user = self.identity_api.create_user(self.trustee_user) self.trustee_user['password'] = password self.trustee_user_id = self.trustee_user['id'] self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS))
def test_non_numeric_files(self): self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) evil_file = os.path.join(CONF.fernet_tokens.key_repository, '99.bak') with open(evil_file, 'w'): pass fernet_utils.rotate_keys() self.assertTrue(os.path.isfile(evil_file)) keys = 0 for x in os.listdir(CONF.fernet_tokens.key_repository): if x == '99.bak': continue keys += 1 self.assertEqual(3, keys)
def test_non_numeric_files(self): self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys)) evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1') with open(evil_file, 'w'): pass key_utils = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens') keys = key_utils.load_keys() self.assertEqual(2, len(keys)) self.assertValidFernetKey(keys)
def setUp(self): # Make sure the expand and data migration repos are fully # upgraded, since the contract phase is only run after these are # upgraded. super().setUp() self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS ) ) self.expand() self.migrate()
def config_overrides(self): super(CertSetupTestCase, self).config_overrides() ca_certs = os.path.join(CERTDIR, 'ca.pem') ca_key = os.path.join(CERTDIR, 'cakey.pem') self.config_fixture.config( group='signing', certfile=os.path.join(CERTDIR, 'signing_cert.pem'), ca_certs=ca_certs, ca_key=ca_key, keyfile=os.path.join(KEYDIR, 'signing_key.pem')) self.config_fixture.config(group='token', provider='fernet') self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys))
def setUp(self): self.useFixture(database.Database()) super(SqlCredential, self).setUp() self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_provider.MAX_ACTIVE_KEYS)) self.credentials = [] for _ in range(3): self.credentials.append(self._create_credential_with_user_id()) self.user_credentials = [] for _ in range(3): cred = self._create_credential_with_user_id(self.user_foo['id']) self.user_credentials.append(cred) self.credentials.append(cred)
def setUp(self): super(IdentityTestCase, self).setUp() self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS)) self.group = unit.new_group_ref(domain_id=self.domain_id) self.group = self.identity_api.create_group(self.group) self.group_id = self.group['id'] self.credential = unit.new_credential_ref(user_id=self.user['id'], project_id=self.project_id) self.credential_api.create_credential(self.credential['id'], self.credential)
def test_debug_message_not_logged_when_loading_fernet_credential_key(self): self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', CONF.fernet_tokens.max_active_keys)) logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG)) fernet_utilities = fernet_utils.FernetUtils( CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS) fernet_utilities.load_keys() debug_message = ( 'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] ' 'max_active_keys = %(max)d`; perhaps there have not been enough ' 'key rotations to reach `max_active_keys` yet?') % { 'dir': CONF.credential.key_repository, 'max': credential_fernet.MAX_ACTIVE_KEYS } self.assertNotIn(debug_message, logging_fixture.output)
def setUp(self): super(V2CredentialEc2Controller, self).setUp() self.useFixture(database.Database()) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS)) self.load_backends() self.load_fixtures(default_fixtures) self.user_id = self.user_foo['id'] self.project_id = self.tenant_bar['id'] self.controller = controllers.Ec2Controller() self.blob, tmp_ref = unit.new_ec2_credential( user_id=self.user_id, project_id=self.project_id) self.creds_ref = ( controllers.Ec2Controller._convert_v3_to_ec2_credential(tmp_ref))
def setUp(self): super(SqlCredential, self).setUp() self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_provider.MAX_ACTIVE_KEYS)) self.credentials = [] self.user_credentials = [] # setup 3 credentials with random user ids for _ in range(3): cred = self._create_credential_with_user_id() self.user_credentials.append(cred) self.credentials.append(cred) # setup 3 credentials with specific user ids for _ in range(3): cred = self._create_credential_with_user_id(self.user_foo['id']) self.user_credentials.append(cred) self.credentials.append(cred)
def test_debug_message_logged_when_loading_fernet_token_keys(self): self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys)) logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG)) fernet_utilities = fernet_utils.FernetUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens') fernet_utilities.load_keys() expected_debug_message = ( 'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] ' 'max_active_keys = %(max)d`; perhaps there have not been enough ' 'key rotations to reach `max_active_keys` yet?') % { 'dir': CONF.fernet_tokens.key_repository, 'max': CONF.fernet_tokens.max_active_keys } self.assertIn(expected_debug_message, logging_fixture.output)
def setUp(self): self.useFixture(database.Database()) super(TestCaseWithBootstrap, self).setUp() self.config_fixture = self.useFixture(config_fixture.Config(CONF)) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys)) self.bootstrapper = bootstrap.Bootstrapper() self.addCleanup(provider_api.ProviderAPIs._clear_registry_instances) self.addCleanup(self.clean_default_domain) self.bootstrapper.admin_password = '******' self.bootstrapper.admin_username = '******' self.bootstrapper.project_name = 'admin' self.bootstrapper.admin_role_name = 'admin' self.bootstrapper.service_name = 'keystone' self.bootstrapper.public_url = 'http://localhost/identity/' self.bootstrapper.bootstrap()
def test_rotation_disk_write_fail(self): # Init the key repository self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'fernet_tokens', CONF.fernet_tokens.max_active_keys ) ) # Make sure that the init key repository contains 2 keys self.assertRepositoryState(expected_size=2) key_utils = token_utils.TokenUtils( CONF.fernet_tokens.key_repository, CONF.fernet_tokens.max_active_keys, 'fernet_tokens' ) # Simulate the disk full situation mock_open = mock.mock_open() file_handle = mock_open() file_handle.flush.side_effect = IOError('disk full') with mock.patch('keystone.common.token_utils.open', mock_open): self.assertRaises(IOError, key_utils.rotate_keys) # Assert that the key repository is unchanged self.assertEqual(self.key_repository_size, 2) with mock.patch('keystone.common.token_utils.open', mock_open): self.assertRaises(IOError, key_utils.rotate_keys) # Assert that the key repository is still unchanged, even after # repeated rotation attempts. self.assertEqual(self.key_repository_size, 2) # Rotate the keys normally, without any mocking, to show that the # system can recover. key_utils.rotate_keys() # Assert that the key repository is now expanded. self.assertEqual(self.key_repository_size, 3)
def config_overrides(self): super(FernetAuthTokenTests, self).config_overrides() self.config_fixture.config(group='token', provider='fernet') self.useFixture(ksfixtures.KeyRepository(self.config_fixture))