def test_eom_auth_wrap(self):
with mock.patch('eom.auth._validate_client') as MockValidateClient:
# Create a LookupError or KeyError when the X-Auth-Token
# Header is not located
env_no_token = {'HTTP_X_PROJECT_ID': 'valid_projectid'}
self.auth(env_no_token, self.start_response)
self.assertEqual(self.status, '412 Precondition Failed')
# Create a LookupError or KeyError when the X-Project-ID
# Header is not located
env_no_projectid = {'HTTP_X_AUTH_TOKEN': 'valid_auth_token'}
self.auth(env_no_projectid, self.start_response)
self.assertEqual(self.status, '412 Precondition Failed')
# Valid Headers from here on out
env_valid = {}
env_valid.update(env_no_token)
env_valid.update(env_no_projectid)
# Assume the client fails validation
MockValidateClient.return_value = False
self.auth(env_valid, self.start_response)
self.assertEqual(self.status, '401 Unauthorized')
# With everything else working correctly, simulate too many
# requests sent to auth endpoint which should result in
# HTTP 503 - Service Unavailable
MockValidateClient.side_effect = exceptions.RequestEntityTooLarge(
'Mock - request entity too large')
self.auth(env_valid, self.start_response)
self.assertEqual(self.status, '503 Service Unavailable')
# Client passes validation
MockValidateClient.side_effect = [True]
self.auth(env_valid, self.start_response)
self.assertEqual(self.status, '204 No Content')
class TestIsNotFound(common.HeatTestCase):
scenarios = [
('ceilometer_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='ceilometer',
exception=lambda: ceil_exc.HTTPNotFound(details='gone'),
)),
('ceilometer_not_found_apiclient', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='ceilometer',
exception=lambda: c_a_exc.NotFound(details='gone'),
)),
('ceilometer_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='ceilometer',
exception=lambda: Exception()
)),
('ceilometer_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='ceilometer',
exception=lambda: ceil_exc.HTTPOverLimit(details='over'),
)),
('ceilometer_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='ceilometer',
exception=lambda: ceil_exc.HTTPConflict(),
)),
('cinder_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='cinder',
exception=lambda: cinder_exc.NotFound(code=404),
)),
('cinder_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='cinder',
exception=lambda: Exception()
)),
('cinder_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='cinder',
exception=lambda: cinder_exc.OverLimit(code=413),
)),
('cinder_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='cinder',
exception=lambda: cinder_exc.ClientException(code=409),
)),
('glance_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='glance',
exception=lambda: glance_exc.HTTPNotFound(details='gone'),
)),
('glance_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='glance',
exception=lambda: Exception()
)),
('glance_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='glance',
exception=lambda: glance_exc.HTTPOverLimit(details='over'),
)),
('glance_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='glance',
exception=lambda: glance_exc.HTTPConflict(),
)),
('heat_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='heat',
exception=lambda: heat_exc.HTTPNotFound(message='gone'),
)),
('heat_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='heat',
exception=lambda: Exception()
)),
('heat_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='heat',
exception=lambda: heat_exc.HTTPOverLimit(message='over'),
)),
('heat_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='heat',
exception=lambda: heat_exc.HTTPConflict(),
)),
('keystone_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='keystone',
exception=lambda: keystone_exc.NotFound(details='gone'),
)),
('keystone_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='keystone',
exception=lambda: Exception()
)),
('keystone_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='keystone',
exception=lambda: keystone_exc.RequestEntityTooLarge(
details='over'),
)),
('keystone_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='keystone',
exception=lambda: keystone_exc.Conflict(
message='Conflict'),
)),
('neutron_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='neutron',
exception=lambda: neutron_exc.NotFound,
)),
('neutron_network_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='neutron',
exception=lambda: neutron_exc.NetworkNotFoundClient(),
)),
('neutron_port_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='neutron',
exception=lambda: neutron_exc.PortNotFoundClient(),
)),
('neutron_status_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='neutron',
exception=lambda: neutron_exc.NeutronClientException(
status_code=404),
)),
('neutron_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='neutron',
exception=lambda: Exception()
)),
('neutron_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='neutron',
exception=lambda: neutron_exc.NeutronClientException(
status_code=413),
)),
('neutron_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='neutron',
exception=lambda: neutron_exc.Conflict(),
)),
('nova_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
is_unprocessable_entity=False,
plugin='nova',
exception=lambda: fakes_nova.fake_exception(),
)),
('nova_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
is_unprocessable_entity=False,
plugin='nova',
exception=lambda: Exception()
)),
('nova_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
is_unprocessable_entity=False,
plugin='nova',
exception=lambda: fakes_nova.fake_exception(413),
)),
('nova_unprocessable_entity', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
is_unprocessable_entity=True,
plugin='nova',
exception=lambda: fakes_nova.fake_exception(422),
)),
('nova_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
is_unprocessable_entity=False,
plugin='nova',
exception=lambda: fakes_nova.fake_exception(409),
)),
('swift_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='swift',
exception=lambda: swift_exc.ClientException(
msg='gone', http_status=404),
)),
('swift_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='swift',
exception=lambda: Exception()
)),
('swift_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='swift',
exception=lambda: swift_exc.ClientException(
msg='ouch', http_status=413),
)),
('swift_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='swift',
exception=lambda: swift_exc.ClientException(
msg='conflict', http_status=409),
)),
('trove_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='trove',
exception=lambda: troveclient.exceptions.NotFound(message='gone'),
)),
('trove_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='trove',
exception=lambda: Exception()
)),
('trove_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='trove',
exception=lambda: troveclient.exceptions.RequestEntityTooLarge(
message='over'),
)),
('trove_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='trove',
exception=lambda: troveclient.exceptions.Conflict(
message='Conflict'),
)),
('sahara_not_found', dict(
is_not_found=True,
is_over_limit=False,
is_client_exception=True,
is_conflict=False,
plugin='sahara',
exception=lambda: sahara_base.APIException(
error_message='gone1', error_code=404),
)),
('sahara_exception', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=False,
is_conflict=False,
plugin='sahara',
exception=lambda: Exception()
)),
('sahara_overlimit', dict(
is_not_found=False,
is_over_limit=True,
is_client_exception=True,
is_conflict=False,
plugin='sahara',
exception=lambda: sahara_base.APIException(
error_message='over1', error_code=413),
)),
('sahara_conflict', dict(
is_not_found=False,
is_over_limit=False,
is_client_exception=True,
is_conflict=True,
plugin='sahara',
exception=lambda: sahara_base.APIException(
error_message='conflict1', error_code=409),
)),
]
def test_is_not_found(self):
con = mock.Mock()
c = clients.Clients(con)
client_plugin = c.client_plugin(self.plugin)
try:
raise self.exception()
except Exception as e:
if self.is_not_found != client_plugin.is_not_found(e):
raise
def test_ignore_not_found(self):
con = mock.Mock()
c = clients.Clients(con)
client_plugin = c.client_plugin(self.plugin)
try:
exp = self.exception()
exp_class = exp.__class__
raise exp
except Exception as e:
if self.is_not_found:
client_plugin.ignore_not_found(e)
else:
self.assertRaises(exp_class,
client_plugin.ignore_not_found,
e)
def test_ignore_conflict_and_not_found(self):
con = mock.Mock()
c = clients.Clients(con)
client_plugin = c.client_plugin(self.plugin)
try:
exp = self.exception()
exp_class = exp.__class__
raise exp
except Exception as e:
if self.is_conflict or self.is_not_found:
client_plugin.ignore_conflict_and_not_found(e)
else:
self.assertRaises(exp_class,
client_plugin.ignore_conflict_and_not_found,
e)
def test_is_over_limit(self):
con = mock.Mock()
c = clients.Clients(con)
client_plugin = c.client_plugin(self.plugin)
try:
raise self.exception()
except Exception as e:
if self.is_over_limit != client_plugin.is_over_limit(e):
raise
def test_is_client_exception(self):
con = mock.Mock()
c = clients.Clients(con)
client_plugin = c.client_plugin(self.plugin)
try:
raise self.exception()
except Exception as e:
ice = self.is_client_exception
actual = client_plugin.is_client_exception(e)
if ice != actual:
raise
def test_is_conflict(self):
con = mock.Mock()
c = clients.Clients(con)
client_plugin = c.client_plugin(self.plugin)
try:
raise self.exception()
except Exception as e:
if self.is_conflict != client_plugin.is_conflict(e):
raise
def test_is_unprocessable_entity(self):
con = mock.Mock()
c = clients.Clients(con)
# only 'nova' client plugin need to check this exception
if self.plugin == 'nova':
client_plugin = c.client_plugin(self.plugin)
try:
raise self.exception()
except Exception as e:
iue = self.is_unprocessable_entity
if iue != client_plugin.is_unprocessable_entity(e):
raise
def _retrieve_data_from_keystone(redis_client, url, tenant, token,
blacklist_ttl, max_cache_life):
"""Retrieve the authentication data from OpenStack Keystone
:param redis_client: redis.Redis object connected to the redis cache
:param url: Keystone Identity URL to authenticate against
:param tenant: tenant id of user data to retrieve
:param token: auth_token for the tenant_id
:param blacklist_ttl: time in milliseconds for blacklisting failed tokens
:param max_cache_life: time in seconds for the maximum time a cache entry
should remain in the cache of valid data
:returns: a keystoneclient.access.AccessInfo on success or None on error
"""
try:
# Try to authenticate the user and get the user information using
# only the data provided, no special administrative tokens required.
# When using the alternative validation method, the service catalog
# identity does not return a service catalog for valid tokens.
if get_conf().alternate_validation is True:
_url = url.rstrip('/') + '/tokens'
validation_url = _url + '/{0}'.format(token)
headers = {
'Accept': 'application/json',
'X-Auth-Token': token
}
resp = requests.get(validation_url, headers=headers)
if resp.status_code >= 400:
LOG.debug('Request returned failure status: {0}'.format(
resp.status_code))
raise exceptions.from_response(resp, 'GET', _url)
try:
resp_data = resp.json()['access']
except (KeyError, ValueError):
raise exceptions.InvalidResponse(response=resp)
access_info = access.AccessInfoV2(**resp_data)
else:
keystone = keystonev2_client.Client(tenant_id=tenant,
token=token,
auth_url=url)
access_info = keystone.get_raw_token_from_identity_service(
auth_url=url, tenant_id=tenant, token=token)
# cache the data so it is easier to access next time
_send_data_to_cache(redis_client, url, access_info, max_cache_life)
return access_info
except (exceptions.AuthorizationFailure, exceptions.Unauthorized) as ex:
# re-raise 413 here and later on respond with 503
if 'HTTP 413' in str(ex):
raise exceptions.RequestEntityTooLarge(
method='POST',
url=url,
http_status=413
)
# Provided data was invalid and authorization failed
msg = 'Failed to authenticate against {0} - {1}'.format(
url,
str(ex)
)
LOG.debug(msg)
# Blacklist the token
_blacklist_token(redis_client, token, blacklist_ttl)
return None
except exceptions.RequestEntityTooLarge:
LOG.debug('Request entity too large error from authentication server.')
raise
except Exception as ex:
# Provided data was invalid or something else went wrong
msg = 'Failed to authenticate against {0} - {1}'.format(
url,
str(ex)
)
LOG.debug(msg)
return None