def test_no_keyring_key(self):
"""Test case when no keyring set.
Ensure that if we don't have use_keyring set in the client that
the keyring is never accessed.
"""
# Creating a HTTPClient not using session is deprecated.
with self.deprecations.expect_deprecations_here():
cl = httpclient.HTTPClient(username=USERNAME,
password=PASSWORD,
project_id=TENANT_ID,
auth_url=AUTH_URL)
# stub and check that a new token is received
method = 'get_raw_token_from_identity_service'
with mock.patch.object(cl, method) as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
self.assertEqual(1, meth.call_count)
# make sure that we never touched the keyring
self.assertFalse(self.memory_keyring.get_password_called)
self.assertFalse(self.memory_keyring.set_password_called)
def test_set_keyring(self):
# Creating a HTTPClient not using session is deprecated.
with self.deprecations.expect_deprecations_here():
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
project_id=TENANT_ID, auth_url=AUTH_URL,
use_keyring=True)
# stub and check that a new token is received
method = 'get_raw_token_from_identity_service'
with mock.patch.object(cl, method) as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
self.assertEqual(1, meth.call_count)
# we checked the keyring, but we didn't find anything
self.assertTrue(self.memory_keyring.get_password_called)
self.assertFalse(self.memory_keyring.fetched)
# check that the new token has been loaded into the keyring
self.assertTrue(self.memory_keyring.set_password_called)
new_auth_ref = pickle.loads(self.memory_keyring.password)
self.assertEqual(new_auth_ref.auth_token, TOKEN)
self.assertEqual(new_auth_ref['token'],
PROJECT_SCOPED_TOKEN['access']['token'])
self.assertEqual(new_auth_ref.username, USERNAME)
def test_set_and_get_keyring_expired(self):
cl = httpclient.HTTPClient(username=USERNAME,
password=PASSWORD,
tenant_id=TENANT_ID,
auth_url=AUTH_URL,
use_keyring=True)
# set an expired token into the keyring
auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
expired = timeutils.utcnow() - datetime.timedelta(minutes=30)
auth_ref['token']['expires'] = timeutils.isotime(expired)
self.memory_keyring.password = pickle.dumps(auth_ref)
# stub and check that a new token is received, so not using expired
with mock.patch.object(cl, 'get_raw_token_from_identity_service') \
as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
meth.assert_called_once()
# check that a value was returned from the keyring
self.assertTrue(self.memory_keyring.fetched)
# check that the new token has been loaded into the keyring
new_auth_ref = pickle.loads(self.memory_keyring.password)
self.assertEqual(new_auth_ref['token']['expires'],
PROJECT_SCOPED_TOKEN['access']['token']['expires'])
def test_set_keyring(self):
cl = httpclient.HTTPClient(username=USERNAME,
password=PASSWORD,
tenant_id=TENANT_ID,
auth_url=AUTH_URL,
use_keyring=True)
# stub and check that a new token is received
with mock.patch.object(cl, 'get_raw_token_from_identity_service') \
as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
meth.assert_called_once()
# we checked the keyring, but we didn't find anything
self.assertTrue(self.memory_keyring.get_password_called)
self.assertFalse(self.memory_keyring.fetched)
# check that the new token has been loaded into the keyring
self.assertTrue(self.memory_keyring.set_password_called)
new_auth_ref = pickle.loads(self.memory_keyring.password)
self.assertEqual(new_auth_ref.auth_token, TOKEN)
self.assertEqual(new_auth_ref['token'],
PROJECT_SCOPED_TOKEN['access']['token'])
self.assertEqual(new_auth_ref.username, USERNAME)
def get_client():
cl = httpclient.HTTPClient(username="******",
password="******",
project_id="tenant",
auth_url="auth_test",
cacert="ca.pem",
cert=('cert.pem', "key.pem"))
return cl
def test_forwarded_for(self):
ORIGINAL_IP = "10.100.100.1"
cl = httpclient.HTTPClient(username="******", password="******",
tenant_id="tenant", auth_url="auth_test",
original_ip=ORIGINAL_IP)
self.stub_url(httpretty.GET)
cl.request(self.TEST_URL, 'GET')
self.assertEqual(httpretty.last_request().headers['Forwarded'],
"for=%s;by=%s" % (ORIGINAL_IP, httpclient.USER_AGENT))
def test_build_keyring_key(self):
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
tenant_id=TENANT_ID, auth_url=AUTH_URL)
keyring_key = cl._build_keyring_key(auth_url=AUTH_URL,
username=USERNAME,
tenant_name=TENANT,
tenant_id=TENANT_ID,
token=TOKEN)
self.assertEqual(keyring_key,
'%s/%s/%s/%s/%s' %
(AUTH_URL, TENANT_ID, TENANT, TOKEN, USERNAME))
def test_forwarded_for(self):
ORIGINAL_IP = "10.100.100.1"
cl = httpclient.HTTPClient(username="******",
password="******",
tenant_id="tenant",
auth_url="auth_test",
original_ip=ORIGINAL_IP)
self.stub_url('GET')
cl.request(self.TEST_URL, 'GET')
forwarded = "for=%s;by=%s" % (ORIGINAL_IP, httpclient.USER_AGENT)
self.assertRequestHeaderEqual('Forwarded', forwarded)
def _check_keystone_versions(self, url):
"""Calls Keystone URL and detects the available API versions."""
try:
client = httpclient.HTTPClient()
resp, body = client.request(url,
"GET",
headers={'Accept': 'application/json'})
# Multiple Choices status code is returned by the root
# identity endpoint, with references to one or more
# Identity API versions -- v3 spec
# some cases we get No Content
if resp.status_code in (200, 204, 300):
try:
results = {}
if 'version' in body:
results['message'] = "Keystone found at %s" % url
version = body['version']
# Stable/diablo incorrect format
id, status, version_url = \
self._get_version_info(version, url)
results[str(id)] = {
"id": id,
"status": status,
"url": version_url
}
return results
elif 'versions' in body:
# Correct format
results['message'] = "Keystone found at %s" % url
for version in body['versions']['values']:
id, status, version_url = \
self._get_version_info(version, url)
results[str(id)] = {
"id": id,
"status": status,
"url": version_url
}
return results
else:
results['message'] = ("Unrecognized response from %s" %
url)
return results
except KeyError:
raise exceptions.AuthorizationFailure()
elif resp.status_code == 305:
return self._check_keystone_versions(resp['location'])
else:
raise exceptions.from_response(resp, "GET", url)
except Exception as e:
_logger.exception(e)
def test_build_keyring_key(self):
# Creating a HTTPClient not using session is deprecated.
with self.deprecations.expect_deprecations_here():
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
project_id=TENANT_ID, auth_url=AUTH_URL)
keyring_key = cl._build_keyring_key(auth_url=AUTH_URL,
username=USERNAME,
tenant_name=TENANT,
tenant_id=TENANT_ID,
token=TOKEN)
self.assertEqual(keyring_key,
'%s/%s/%s/%s/%s' %
(AUTH_URL, TENANT_ID, TENANT, TOKEN, USERNAME))
def test_forwarded_for(self):
ORIGINAL_IP = "10.100.100.1"
cl = httpclient.HTTPClient(username="******",
password="******",
tenant_id="tenant",
auth_url="auth_test",
original_ip=ORIGINAL_IP)
with mock.patch.object(requests, "request", MOCK_REQUEST):
res = cl.request('/', 'GET')
args, kwargs = MOCK_REQUEST.call_args
self.assertIn(('Forwarded', "for=%s;by=%s" %
(ORIGINAL_IP, httpclient.USER_AGENT)),
kwargs['headers'].items())
def test_get_keyring(self):
cl = httpclient.HTTPClient(username=USERNAME, password=PASSWORD,
tenant_id=TENANT_ID, auth_url=AUTH_URL,
use_keyring=True)
# set an token into the keyring
auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
future = timeutils.utcnow() + datetime.timedelta(minutes=30)
auth_ref['token']['expires'] = timeutils.isotime(future)
self.memory_keyring.password = pickle.dumps(auth_ref)
# don't stub get_raw_token so will fail if authenticate happens
self.assertTrue(cl.authenticate())
self.assertTrue(self.memory_keyring.fetched)
def test_forwarded_for(self):
ORIGINAL_IP = "10.100.100.1"
# Creating a HTTPClient not using session is deprecated.
with self.deprecations.expect_deprecations_here():
cl = httpclient.HTTPClient(username="******",
password="******",
project_id="tenant",
auth_url="auth_test",
original_ip=ORIGINAL_IP)
self.stub_url('GET')
with self.deprecations.expect_deprecations_here():
cl.request(self.TEST_URL, 'GET')
forwarded = "for=%s;by=%s" % (ORIGINAL_IP, httpclient.USER_AGENT)
self.assertRequestHeaderEqual('Forwarded', forwarded)
def test_no_keyring_key(self):
"""Ensure that we get no value back if we don't have use_keyring
set in the client.
"""
cl = httpclient.HTTPClient(username=USERNAME,
password=PASSWORD,
tenant_id=TENANT_ID,
auth_url=AUTH_URL)
(keyring_key,
auth_ref) = cl.get_auth_ref_from_keyring(auth_url=AUTH_URL,
username=USERNAME,
tenant_name=TENANT,
tenant_id=TENANT_ID,
token=TOKEN)
self.assertIsNone(keyring_key)
self.assertIsNone(auth_ref)
def test_post_auth(self, MOCK_REQUEST):
MOCK_REQUEST.return_value = FAKE_RESPONSE
cl = httpclient.HTTPClient(
username="******", password="******", tenant_id="tenant",
auth_url="auth_test", cacert="ca.pem", key="key.pem",
cert="cert.pem")
cl.management_url = "https://127.0.0.1:5000"
cl.auth_token = "token"
cl.post("/hi", body=[1, 2, 3])
# this may become too tightly couple later
mock_args, mock_kwargs = MOCK_REQUEST.call_args
self.assertEqual(mock_args[0], 'POST')
self.assertEqual(mock_args[1], REQUEST_URL)
self.assertEqual(mock_kwargs['data'], '[1, 2, 3]')
self.assertEqual(mock_kwargs['headers']['X-Auth-Token'], 'token')
self.assertEqual(mock_kwargs['cert'], ('cert.pem', 'key.pem'))
self.assertEqual(mock_kwargs['verify'], 'ca.pem')
def _check_keystone_extensions(self, url):
"""Calls Keystone URL and detects the available extensions."""
try:
client = httpclient.HTTPClient()
if not url.endswith("/"):
url += '/'
resp, body = client.request("%sextensions" % url,
"GET",
headers={'Accept': 'application/json'})
if resp.status_code in (200, 204): # some cases we get No Content
try:
results = {}
if 'extensions' in body:
if 'values' in body['extensions']:
# Parse correct format (per contract)
for extension in body['extensions']['values']:
alias, name = \
self._get_extension_info(
extension['extension']
)
results[alias] = name
return results
else:
# Support incorrect, but prevalent format
for extension in body['extensions']:
alias, name = \
self._get_extension_info(extension)
results[alias] = name
return results
else:
results['message'] = ("Unrecognized extensions "
"response from %s" % url)
return results
except KeyError:
raise exceptions.AuthorizationFailure()
elif resp.status_code == 305:
return self._check_keystone_extensions(resp['location'])
else:
raise exceptions.from_response(resp, "GET",
"%sextensions" % url)
except Exception as e:
_logger.exception(e)
def test_no_keyring_key(self):
"""Ensure that if we don't have use_keyring set in the client that
the keyring is never accessed.
"""
cl = httpclient.HTTPClient(username=USERNAME,
password=PASSWORD,
tenant_id=TENANT_ID,
auth_url=AUTH_URL)
# stub and check that a new token is received
with mock.patch.object(cl, 'get_raw_token_from_identity_service') \
as meth:
meth.return_value = (True, PROJECT_SCOPED_TOKEN)
self.assertTrue(cl.authenticate())
meth.assert_called_once()
# make sure that we never touched the keyring
self.assertFalse(self.memory_keyring.get_password_called)
self.assertFalse(self.memory_keyring.set_password_called)
def test_post_auth(self):
with mock.patch.object(requests, "request", MOCK_REQUEST):
cl = httpclient.HTTPClient(
username="******", password="******", tenant_id="tenant",
auth_url="auth_test", cacert="ca.pem", key="key.pem",
cert="cert.pem")
cl.management_url = "https://127.0.0.1:5000"
cl.auth_token = "token"
cl.post("/hi", body=[1, 2, 3])
headers = {
"X-Auth-Token": "token",
"Content-Type": "application/json",
"User-Agent": httpclient.USER_AGENT
}
kwargs = copy.copy(self.TEST_REQUEST_BASE)
kwargs['cert'] = ('cert.pem', 'key.pem')
kwargs['verify'] = 'ca.pem'
MOCK_REQUEST.assert_called_with(
"POST",
"https://127.0.0.1:5000/hi",
headers=headers,
data='[1, 2, 3]',
**kwargs)
def test_set_and_get_keyring_expired(self):
cl = httpclient.HTTPClient(username=USERNAME,
password=PASSWORD,
tenant_id=TENANT_ID,
auth_url=AUTH_URL,
use_keyring=True)
keyring_key = cl._build_keyring_key(auth_url=AUTH_URL,
username=USERNAME,
tenant_name=TENANT,
tenant_id=TENANT_ID,
token=TOKEN)
cl.auth_ref = access.AccessInfo.factory(body=PROJECT_SCOPED_TOKEN)
expired = timeutils.utcnow() - datetime.timedelta(minutes=30)
cl.auth_ref['token']['expires'] = timeutils.isotime(expired)
cl.store_auth_ref_into_keyring(keyring_key)
(keyring_key,
auth_ref) = cl.get_auth_ref_from_keyring(auth_url=AUTH_URL,
username=USERNAME,
tenant_name=TENANT,
tenant_id=TENANT_ID,
token=TOKEN)
self.assertIsNone(auth_ref)
def get_client():
cl = httpclient.HTTPClient(username="******", password="******",
tenant_id="tenant", auth_url="auth_test")
return cl
