def test_delete_project(self):
"""Call ``DELETE /projects/{project_id}``
As well as making sure the delete succeeds, we ensure
that any credentials that reference this projects are
also deleted, while other credentials are unaffected.
"""
credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
self.credential_api.create_credential(credential["id"], credential)
# First check the credential for this project is present
r = self.credential_api.get_credential(credential["id"])
self.assertDictEqual(credential, r)
# Create a second credential with a different project
project2 = unit.new_project_ref(domain_id=self.domain["id"])
self.resource_api.create_project(project2["id"], project2)
credential2 = unit.new_credential_ref(user_id=self.user["id"], project_id=project2["id"])
self.credential_api.create_credential(credential2["id"], credential2)
# Now delete the project
self.delete("/projects/%(project_id)s" % {"project_id": self.project_id})
# Deleting the project should have deleted any credentials
# that reference this project
self.assertRaises(
exception.CredentialNotFound, self.credential_api.get_credential, credential_id=credential["id"]
)
# But the credential for project2 is unaffected
r = self.credential_api.get_credential(credential2["id"])
self.assertDictEqual(credential2, r)
def test_list_credentials_filtered_by_type_and_user_id(self):
"""Call ``GET /credentials?user_id={user_id}&type={type}``."""
user1_id = uuid.uuid4().hex
user2_id = uuid.uuid4().hex
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user_id, self.role_id
)
token = self.get_system_scoped_token()
# Creating credentials for two different users
credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id,
type=CRED_TYPE_EC2)
credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
credential_user2_cert = unit.new_credential_ref(user_id=user2_id)
PROVIDERS.credential_api.create_credential(
credential_user1_ec2['id'], credential_user1_ec2)
PROVIDERS.credential_api.create_credential(
credential_user1_cert['id'], credential_user1_cert)
PROVIDERS.credential_api.create_credential(
credential_user2_cert['id'], credential_user2_cert)
r = self.get(
'/credentials?user_id=%s&type=ec2' % user1_id, token=token
)
self.assertValidCredentialListResponse(r, ref=credential_user1_ec2)
self.assertThat(r.result['credentials'], matchers.HasLength(1))
cred = r.result['credentials'][0]
self.assertEqual(CRED_TYPE_EC2, cred['type'])
self.assertEqual(user1_id, cred['user_id'])
def test_list_credentials_filtered_by_type(self):
"""Call ``GET /credentials?type={type}``."""
# The type ec2 was chosen, instead of a random string,
# because the type must be in the list of supported types
ec2_credential = unit.new_credential_ref(user_id=uuid.uuid4().hex,
project_id=self.project_id,
type=CRED_TYPE_EC2)
ec2_resp = self.credential_api.create_credential(
ec2_credential['id'], ec2_credential)
# The type cert was chosen for the same reason as ec2
r = self.get('/credentials?type=cert')
# Testing the filter for two different types
self.assertValidCredentialListResponse(r, ref=self.credential)
for cred in r.result['credentials']:
self.assertEqual('cert', cred['type'])
r_ec2 = self.get('/credentials?type=ec2')
self.assertThat(r_ec2.result['credentials'], matchers.HasLength(1))
cred_ec2 = r_ec2.result['credentials'][0]
self.assertValidCredentialListResponse(r_ec2, ref=ec2_resp)
self.assertEqual(CRED_TYPE_EC2, cred_ec2['type'])
self.assertEqual(ec2_credential['id'], cred_ec2['id'])
def test_create_credential(self):
"""Call ``POST /credentials``."""
ref = unit.new_credential_ref(user_id=self.user['id'])
r = self.post(
'/credentials',
body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
def setUp(self):
super(CredentialTestCase, self).setUp()
self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
self.credential_api.create_credential(self.credential["id"], self.credential)
def test_update_credential(self):
"""Call ``PATCH /credentials/{credential_id}``."""
ref = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
del ref["id"]
r = self.patch(
"/credentials/%(credential_id)s" % {"credential_id": self.credential["id"]}, body={"credential": ref}
)
self.assertValidCredentialResponse(r, ref)
def test_create_credential_with_admin_token(self):
# Make sure we can create credential with the static admin token
ref = unit.new_credential_ref(user_id=self.user['id'])
r = self.post(
'/credentials',
body={'credential': ref},
token=self.get_admin_token())
self.assertValidCredentialResponse(r, ref)
def _create_credential_with_user_id(self, user_id=None):
if not user_id:
user_id = uuid.uuid4().hex
credential = unit.new_credential_ref(user_id=user_id,
extra=uuid.uuid4().hex,
type=uuid.uuid4().hex)
self.credential_api.create_credential(credential['id'], credential)
return credential
def _create_credential_with_user_id(self, user_id=uuid.uuid4().hex):
credential = unit.new_credential_ref(user_id=user_id,
extra=uuid.uuid4().hex,
type=uuid.uuid4().hex)
PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
return credential
def test_list_credentials_filtered_by_user_id(self):
"""Call ``GET /credentials?user_id={user_id}``."""
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
self.credential_api.create_credential(credential['id'], credential)
r = self.get('/credentials?user_id=%s' % self.user['id'])
self.assertValidCredentialListResponse(r, ref=self.credential)
for cred in r.result['credentials']:
self.assertEqual(self.user['id'], cred['user_id'])
def setUp(self):
super(IdentityTestCase, self).setUp()
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group["id"]
self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
self.credential_api.create_credential(self.credential["id"], self.credential)
def test_update_credential(self):
"""Call ``PATCH /credentials/{credential_id}``."""
ref = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
del ref['id']
r = self.patch(
'/credentials/%(credential_id)s' % {
'credential_id': self.credential['id']},
body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
def test_ec2_cannot_get_non_ec2_credential(self):
access_key = uuid.uuid4().hex
cred_id = utils.hash_access_key(access_key)
non_ec2_cred = unit.new_credential_ref(user_id=self.user_id, project_id=self.project_id)
non_ec2_cred["id"] = cred_id
self.credential_api.create_credential(cred_id, non_ec2_cred)
uri = "/".join([self._get_ec2_cred_uri(), access_key])
# if access_key is not found, ec2 controller raises Unauthorized
# exception
self.get(uri, expected_status=http_client.UNAUTHORIZED)
def test_create_ec2_credential_with_invalid_blob(self):
"""Test creating ec2 credential with invalid blob.
Call ``POST /credentials``.
"""
ref = unit.new_credential_ref(
user_id=self.user["id"], project_id=self.project_id, blob='{"abc":"def"d}', type=CRED_TYPE_EC2
)
# Assert bad request status when request contains invalid blob
response = self.post("/credentials", body={"credential": ref}, expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(response)
def test_list_credentials_filtered_by_type_and_user_id(self):
"""Call ``GET /credentials?user_id={user_id}&type={type}``."""
user1_id = uuid.uuid4().hex
user2_id = uuid.uuid4().hex
# Creating credentials for two different users
credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id, type=CRED_TYPE_EC2)
credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
credential_user2_cert = unit.new_credential_ref(user_id=user2_id)
self.credential_api.create_credential(credential_user1_ec2["id"], credential_user1_ec2)
self.credential_api.create_credential(credential_user1_cert["id"], credential_user1_cert)
self.credential_api.create_credential(credential_user2_cert["id"], credential_user2_cert)
r = self.get("/credentials?user_id=%s&type=ec2" % user1_id)
self.assertValidCredentialListResponse(r, ref=credential_user1_ec2)
self.assertThat(r.result["credentials"], matchers.HasLength(1))
cred = r.result["credentials"][0]
self.assertEqual(CRED_TYPE_EC2, cred["type"])
self.assertEqual(user1_id, cred["user_id"])
def test_credential_duplicate_conflict_gives_name(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
credential = unit.new_credential_ref(user_id=user['id'])
self.credential_api.create_credential(credential['id'], credential)
try:
self.credential_api.create_credential(credential['id'], credential)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% credential['id'], repr(e))
else:
self.fail("Create duplicate credential did not raise a conflict")
def test_create_ec2_credential_with_invalid_blob(self):
"""Call ``POST /credentials`` for creating ec2 credential with invalid
blob.
"""
ref = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id,
blob='{"abc":"def"d}',
type='ec2')
# Assert bad request status when request contains invalid blob
response = self.post(
'/credentials',
body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(response)
def test_delete_user(self):
"""Call ``DELETE /users/{user_id}``.
As well as making sure the delete succeeds, we ensure
that any credentials that reference this user are
also deleted, while other credentials are unaffected.
In addition, no tokens should remain valid for this user.
"""
# First check the credential for this user is present
r = self.credential_api.get_credential(self.credential['id'])
self.assertDictEqual(self.credential, r)
# Create a second credential with a different user
user2 = unit.new_user_ref(domain_id=self.domain['id'],
project_id=self.project['id'])
user2 = self.identity_api.create_user(user2)
credential2 = unit.new_credential_ref(user_id=user2['id'],
project_id=self.project['id'])
self.credential_api.create_credential(credential2['id'], credential2)
# Create a token for this user which we can check later
# gets deleted
auth_data = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
project_id=self.project['id'])
token = self.get_requested_token(auth_data)
# Confirm token is valid for now
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
expected_status=http_client.OK)
# Now delete the user
self.delete('/users/%(user_id)s' % {
'user_id': self.user['id']})
# Deleting the user should have deleted any credentials
# that reference this project
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
self.credential['id'])
# And the no tokens we remain valid
tokens = self.token_provider_api._persistence._list_tokens(
self.user['id'])
self.assertEqual(0, len(tokens))
# But the credential for user2 is unaffected
r = self.credential_api.get_credential(credential2['id'])
self.assertDictEqual(credential2, r)
def test_list_credentials_filtered_by_type_and_user_id(self):
"""Call ``GET /credentials?user_id={user_id}&type={type}``."""
user1_id = uuid.uuid4().hex
user2_id = uuid.uuid4().hex
# Creating credentials for two different users
credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id,
type='ec2')
credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
credential_user2_cert = unit.new_credential_ref(user_id=user2_id)
self.credential_api.create_credential(
credential_user1_ec2['id'], credential_user1_ec2)
self.credential_api.create_credential(
credential_user1_cert['id'], credential_user1_cert)
self.credential_api.create_credential(
credential_user2_cert['id'], credential_user2_cert)
r = self.get('/credentials?user_id=%s&type=ec2' % user1_id)
self.assertValidCredentialListResponse(r, ref=credential_user1_ec2)
self.assertThat(r.result['credentials'], matchers.HasLength(1))
cred = r.result['credentials'][0]
self.assertEqual('ec2', cred['type'])
self.assertEqual(user1_id, cred['user_id'])
def test_ec2_cannot_get_non_ec2_credential(self):
access_key = uuid.uuid4().hex
cred_id = utils.hash_access_key(access_key)
non_ec2_cred = unit.new_credential_ref(
user_id=self.user_id,
project_id=self.project_id)
non_ec2_cred['id'] = cred_id
self.credential_api.create_credential(cred_id, non_ec2_cred)
# if access_key is not found, ec2 controller raises Unauthorized
# exception
path = '/'.join([self._get_ec2_cred_uri(), access_key])
self.public_request(method='GET', token=self.get_scoped_token(),
path=path,
expected_status=http_client.UNAUTHORIZED)
def test_update_credential_to_ec2_type(self):
"""Call ``PATCH /credentials/{credential_id}``."""
# Create a credential without providing a project_id
ref = unit.new_credential_ref(user_id=self.user['id'])
r = self.post(
'/credentials',
body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
credential_id = r.result.get('credential')['id']
# Updating the credential to ec2 requires a project_id
update_ref = {'type': 'ec2', 'project_id': self.project_id}
self.patch(
'/credentials/%(credential_id)s' % {
'credential_id': credential_id},
body={'credential': update_ref})
def test_update_credential_to_ec2_with_previously_set_project_id(self):
"""Call ``PATCH /credentials/{credential_id}``."""
# Create a credential providing a project_id
ref = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
r = self.post(
'/credentials',
body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
credential_id = r.result.get('credential')['id']
# Since the created credential above already has a project_id, the
# update request will not fail
update_ref = {'type': 'ec2'}
self.patch(
'/credentials/%(credential_id)s' % {
'credential_id': credential_id},
body={'credential': update_ref})
def test_update_credential_to_ec2_missing_project_id(self):
"""Call ``PATCH /credentials/{credential_id}``."""
# Create a credential without providing a project_id
ref = unit.new_credential_ref(user_id=self.user['id'])
r = self.post(
'/credentials',
body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
credential_id = r.result.get('credential')['id']
# Updating such credential to ec2 type without providing a project_id
# will fail
update_ref = {'type': 'ec2'}
self.patch(
'/credentials/%(credential_id)s' % {
'credential_id': credential_id},
body={'credential': update_ref},
expected_status=http_client.BAD_REQUEST)
def test_ec2_list_credentials(self):
"""Test ec2 credential listing."""
self._get_ec2_cred()
uri = self._get_ec2_cred_uri()
r = self.get(uri)
cred_list = r.result["credentials"]
self.assertEqual(1, len(cred_list))
self.assertThat(r.result["links"]["self"], matchers.EndsWith(uri))
# non-EC2 credentials won't be fetched
non_ec2_cred = unit.new_credential_ref(user_id=self.user_id, project_id=self.project_id)
non_ec2_cred["type"] = uuid.uuid4().hex
self.credential_api.create_credential(non_ec2_cred["id"], non_ec2_cred)
r = self.get(uri)
cred_list_2 = r.result["credentials"]
# still one element because non-EC2 credentials are not returned.
self.assertEqual(1, len(cred_list_2))
self.assertEqual(cred_list[0], cred_list_2[0])
def setUp(self):
super(IdentityTestCase, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
self.credential = unit.new_credential_ref(
user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(self.credential['id'],
self.credential)
def test_ec2_list_credentials(self):
self._get_ec2_cred()
uri = self._get_ec2_cred_uri()
r = self.public_request(method='GET', token=self.get_scoped_token(),
path=uri)
cred_list = r.result['credentials']
self.assertEqual(1, len(cred_list))
# non-EC2 credentials won't be fetched
non_ec2_cred = unit.new_credential_ref(
user_id=self.user_id,
project_id=self.project_id)
non_ec2_cred['type'] = uuid.uuid4().hex
self.credential_api.create_credential(non_ec2_cred['id'],
non_ec2_cred)
r = self.public_request(method='GET', token=self.get_scoped_token(),
path=uri)
cred_list_2 = r.result['credentials']
# still one element because non-EC2 credentials are not returned.
self.assertEqual(1, len(cred_list_2))
self.assertEqual(cred_list[0], cred_list_2[0])
def test_list_credentials_is_decrypted(self):
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
credential_id = credential['id']
created_credential = self.credential_api.create_credential(
credential_id,
credential
)
# Pull the credential directly from the backend, the `blob` should be
# encrypted.
credential_from_backend = self.credential_api.driver.get_credential(
credential_id
)
self.assertNotEqual(
credential_from_backend['encrypted_blob'],
credential['blob']
)
# Make sure the `blob` values listed from the API are not encrypted.
listed_credentials = self.credential_api.list_credentials()
self.assertIn(created_credential, listed_credentials)
def test_create_credential_is_encrypted_when_stored(self):
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
credential_id = credential['id']
returned_credential = self.credential_api.create_credential(
credential_id,
credential
)
# Make sure the `blob` is *not* encrypted when returned from the
# credential API.
self.assertEqual(returned_credential['blob'], credential['blob'])
credential_from_backend = self.credential_api.driver.get_credential(
credential_id
)
# Pull the credential directly from the backend, the `blob` should be
# encrypted.
self.assertNotEqual(
credential_from_backend['encrypted_blob'],
credential['blob']
)
def _create_credential_with_user_id(self, user_id=uuid.uuid4().hex):
credential = unit.new_credential_ref(user_id=user_id,
extra=uuid.uuid4().hex,
type=uuid.uuid4().hex)
self.credential_api.create_credential(credential['id'], credential)
return credential
def test_create_credential(self):
"""Call ``POST /credentials``."""
ref = unit.new_credential_ref(user_id=self.user["id"])
r = self.post("/credentials", body={"credential": ref})
self.assertValidCredentialResponse(r, ref)
def new_credential_ref(self, user_id, project_id=None, cred_type=None):
return unit.new_credential_ref(user_id, project_id=project_id,
cred_type=cred_type)
def test_create_credential(self):
"""Call ``POST /credentials``."""
ref = unit.new_credential_ref(user_id=self.user['id'])
r = self.post('/credentials', body={'credential': ref})
self.assertValidCredentialResponse(r, ref)