def test_by_project_and_user_and_role(self): revocation_backend = sql.Revoke() first_token = _sample_blank_token() first_token['user_id'] = uuid.uuid4().hex first_token['project_id'] = uuid.uuid4().hex second_token = _sample_blank_token() second_token['user_id'] = uuid.uuid4().hex second_token['project_id'] = first_token['project_id'] # Check that both tokens have not been revoked. self._assertTokenNotRevoked(first_token) self._assertTokenNotRevoked(second_token) self.assertEqual( 0, len(revocation_backend.list_events(token=first_token))) self.assertEqual( 0, len(revocation_backend.list_events(token=second_token))) # Revoke first_token using user_id and project_id PROVIDERS.revoke_api.revoke_by_user_and_project( first_token['user_id'], first_token['project_id']) # Check that only first_token has been revoked. self._assertTokenRevoked(first_token) self._assertTokenNotRevoked(second_token) self.assertEqual( 1, len(revocation_backend.list_events(token=first_token))) self.assertEqual( 0, len(revocation_backend.list_events(token=second_token)))
def test_list_revoked_project(self): revocation_backend = sql.Revoke() token = _sample_blank_token() # Create a token for a project, revoke token, check the token we # created has been revoked, and check the list returned a match for # the token when passed in. first_token = _sample_blank_token() first_token['project_id'] = uuid.uuid4().hex revocation_backend.revoke( revoke_model.RevokeEvent(project_id=first_token['project_id'])) self._assertTokenRevoked(first_token) self.assertEqual( 1, len(revocation_backend.list_events(token=first_token))) # Create a second token, revoke it, check the token has been revoked, # and check the list to make sure that even though we now have 2 # revoked events in the revocation list, it will only return 1 because # only one match for our second_token should exist second_token = _sample_blank_token() second_token['project_id'] = uuid.uuid4().hex revocation_backend.revoke( revoke_model.RevokeEvent(project_id=second_token['project_id'])) self._assertTokenRevoked(second_token) self.assertEqual( 1, len(revocation_backend.list_events(token=second_token))) # This gets a token but overrides project_id of the token to be None. # We expect that since there are two events which both have populated # project_ids, this should not match this third_token with any other # event in the list so we should receive 0. third_token = _sample_blank_token() third_token['project_id'] = None self._assertTokenNotRevoked(token) self.assertEqual(0, len(revocation_backend.list_events(token=token)))
def test_list_revoked_audit(self): revocation_backend = sql.Revoke() # Create a token with audit_id set, revoke it, check it is revoked, # check to make sure that list_events matches the token to the event we # just revoked. first_token = _sample_blank_token() first_token['audit_id'] = common.random_urlsafe_str() PROVIDERS.revoke_api.revoke_by_audit_id( audit_id=first_token['audit_id']) self._assertTokenRevoked(first_token) self.assertEqual( 1, len(revocation_backend.list_events(token=first_token))) # Create a second token, revoke it, check it is revoked, check to make # sure that list events only finds 1 match since there are 2 and they # dont both have different populated audit_id fields second_token = _sample_blank_token() second_token['audit_id'] = common.random_urlsafe_str() PROVIDERS.revoke_api.revoke_by_audit_id( audit_id=second_token['audit_id']) self._assertTokenRevoked(second_token) self.assertEqual( 1, len(revocation_backend.list_events(token=second_token))) # Create a third token with audit_id set to None to make sure that # since there are no events currently revoked with audit_id None this # finds no matches third_token = _sample_blank_token() third_token['audit_id'] = None self._assertTokenNotRevoked(third_token) self.assertEqual( 0, len(revocation_backend.list_events(token=third_token)))
def _assertTokenNotRevoked(self, events, token_data): backend = sql.Revoke() if events: self.assertTrue(revoke_model.is_revoked(events, token_data), 'Token should be revoked') return self.assertFalse( revoke_model.is_revoked(backend.list_events(token=token_data), token_data), 'Token should not be revoked')
def test_list_revoked_since(self): revocation_backend = sql.Revoke() token = _sample_blank_token() self.revoke_api.revoke_by_user(user_id=None) self.revoke_api.revoke_by_user(user_id=None) self.assertEqual(2, len(revocation_backend.list_events(token=token))) future = timeutils.utcnow() + datetime.timedelta(seconds=1000) token['issued_at'] = future self.assertEqual(0, len(revocation_backend.list_events(token=token)))
def test_list_revoked_user(self): revocation_backend = sql.Revoke() events = [] # This simulates creating a token for a specific user. When we revoke # the token we should have a single revocation event in the list. We # are going to assert that the token values match the only revocation # event in the backend. first_token = _sample_blank_token() first_token['user_id'] = uuid.uuid4().hex add_event( events, revoke_model.RevokeEvent(user_id=first_token['user_id']) ) self.revoke_api.revoke_by_user(user_id=first_token['user_id']) self._assertTokenRevoked(events, first_token) self.assertEqual( 1, len(revocation_backend.list_events(token=first_token)) ) # This simulates creating a separate token for a separate user. We are # going to revoke the token just like we did for the previous token. # We should have two revocation events stored in the backend but only # one should match the values of the second token. second_token = _sample_blank_token() second_token['user_id'] = uuid.uuid4().hex add_event( events, revoke_model.RevokeEvent(user_id=second_token['user_id']) ) self.revoke_api.revoke_by_user(user_id=second_token['user_id']) self._assertTokenRevoked(events, second_token) self.assertEqual( 1, len(revocation_backend.list_events(token=second_token)) ) # This simulates creating another separate token for a separate user, # but we're not going to issue a revocation event. Even though we have # two revocation events persisted in the backend, neither of them # should match the values of the third token. If they did - our # revocation event matching would be too heavy handed, which would # result in over-generalized revocation patterns. third_token = _sample_blank_token() third_token['user_id'] = uuid.uuid4().hex self._assertTokenNotRevoked(events, third_token) self.assertEqual( 0, len(revocation_backend.list_events(token=third_token)) ) # This gets a token but overrides the user_id of the token to be None. # Technically this should never happen because tokens must belong to # a user. What we're testing here is that the two revocation events # we've created won't match None values for the user_id. fourth_token = _sample_blank_token() fourth_token['user_id'] = None self._assertTokenNotRevoked(events, fourth_token) self.assertEqual( 0, len(revocation_backend.list_events(token=fourth_token)) )
def test_delete_group_without_role_does_not_revoke_users(self): revocation_backend = sql.Revoke() domain = unit.new_domain_ref() PROVIDERS.resource_api.create_domain(domain['id'], domain) # Create two groups. Group1 will be used to test deleting a group, # without role assignments and users in the group, doesn't create # revoked events. Group2 will show that deleting a group with role # assignment and users in the group does create revoked events group1 = unit.new_group_ref(domain_id=domain['id']) group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain['id']) group2 = PROVIDERS.identity_api.create_group(group2) role = unit.new_role_ref() PROVIDERS.role_api.create_role(role['id'], role) user1 = unit.new_user_ref(domain_id=domain['id']) user1 = PROVIDERS.identity_api.create_user(user1) user2 = unit.new_user_ref(domain_id=domain['id']) user2 = PROVIDERS.identity_api.create_user(user2) # Add two users to the group, verify they are added, delete group, and # check that the revocaiton events have not been created PROVIDERS.identity_api.add_user_to_group( user_id=user1['id'], group_id=group1['id'] ) PROVIDERS.identity_api.add_user_to_group( user_id=user2['id'], group_id=group1['id'] ) self.assertEqual( 2, len(PROVIDERS.identity_api.list_users_in_group(group1['id']))) PROVIDERS.identity_api.delete_group(group1['id']) self.assertEqual(0, len(revocation_backend.list_events())) # Assign a role to the group, add two users to the group, verify that # the role has been assigned to the group, verify the users have been # added to the group, delete the group, check that the revocation # events have been created PROVIDERS.assignment_api.create_grant( group_id=group2['id'], domain_id=domain['id'], role_id=role['id'] ) grants = PROVIDERS.assignment_api.list_role_assignments( role_id=role['id'] ) self.assertThat(grants, matchers.HasLength(1)) PROVIDERS.identity_api.add_user_to_group( user_id=user1['id'], group_id=group2['id'] ) PROVIDERS.identity_api.add_user_to_group( user_id=user2['id'], group_id=group2['id'] ) self.assertEqual( 2, len(PROVIDERS.identity_api.list_users_in_group(group2['id']))) PROVIDERS.identity_api.delete_group(group2['id']) self.assertEqual(2, len(revocation_backend.list_events()))
def test_list_revoked_multiple_filters(self): revocation_backend = sql.Revoke() events = [] # create token that sets key/value filters in list_revoked first_token = _sample_blank_token() first_token['user_id'] = uuid.uuid4().hex first_token['project_id'] = uuid.uuid4().hex first_token['audit_id'] = common.random_urlsafe_str() # revoke event and then verify that there is only one revocation # and verify the only revoked event is the token add_event( events, revoke_model.RevokeEvent(user_id=first_token['user_id'], project_id=first_token['project_id'], audit_id=first_token['audit_id'])) self.revoke_api.revoke( revoke_model.RevokeEvent(user_id=first_token['user_id'], project_id=first_token['project_id'], audit_id=first_token['audit_id'])) self._assertTokenRevoked(events, first_token) self.assertEqual( 1, len(revocation_backend.list_events(token=first_token))) # If a token has None values which the event contains it shouldn't # match and not be revoked second_token = _sample_blank_token() self._assertTokenNotRevoked(events, second_token) self.assertEqual( 0, len(revocation_backend.list_events(token=second_token))) # If an event column and corresponding dict value don't match, Then # it should not add the event in the list. Demonstrate for project third_token = _sample_blank_token() third_token['project_id'] = uuid.uuid4().hex self._assertTokenNotRevoked(events, third_token) self.assertEqual( 0, len(revocation_backend.list_events(token=third_token))) # A revoked event with user_id as null and token user_id non null # should still be return an event and be revoked if other non null # event fields match non null token fields fourth_token = _sample_blank_token() fourth_token['user_id'] = uuid.uuid4().hex fourth_token['project_id'] = uuid.uuid4().hex fourth_token['audit_id'] = common.random_urlsafe_str() add_event( events, revoke_model.RevokeEvent(project_id=fourth_token['project_id'], audit_id=fourth_token['audit_id'])) self.revoke_api.revoke( revoke_model.RevokeEvent(project_id=fourth_token['project_id'], audit_id=fourth_token['audit_id'])) self._assertTokenRevoked(events, fourth_token) self.assertEqual( 1, len(revocation_backend.list_events(token=fourth_token)))
def test_revoke_by_audit_chain_id(self): revocation_backend = sql.Revoke() # Create our first token with audit_id audit_id = common.build_audit_info(parent_audit_id=None)[0] token = _sample_blank_token() # Audit ID and Audit Chain ID are populated with the same value # if the token is an original token token['audit_id'] = audit_id token['audit_chain_id'] = audit_id # Check that the token is not revoked self._assertTokenNotRevoked(token) self.assertEqual(0, len(revocation_backend.list_events(token=token))) # Revoked token by audit chain id using the audit_id PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_id) # Check that the token is now revoked self._assertTokenRevoked(token) self.assertEqual(1, len(revocation_backend.list_events(token=token)))
def test_by_domain_domain(self): revocation_backend = sql.Revoke() token_data = _sample_blank_token() token_data['user_id'] = uuid.uuid4().hex token_data['identity_domain_id'] = uuid.uuid4().hex token_data['assignment_domain_id'] = uuid.uuid4().hex self._assertTokenNotRevoked(token_data) self.assertEqual( 0, len(revocation_backend.list_events(token=token_data))) # If revoke a domain, then a token scoped to the domain is revoked. PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent( domain_id=token_data['assignment_domain_id'])) self._assertTokenRevoked(token_data) self.assertEqual( 1, len(revocation_backend.list_events(token=token_data)))
def test_by_domain_user(self): revocation_backend = sql.Revoke() # If revoke a domain, then a token for a user in the domain is revoked user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex token_data = _sample_blank_token() token_data['user_id'] = user_id token_data['identity_domain_id'] = domain_id self._assertTokenNotRevoked(token_data) self.assertEqual(0, len(revocation_backend.list_events(token=token_data))) self.revoke_api.revoke(revoke_model.RevokeEvent(domain_id=domain_id)) self._assertTokenRevoked(token_data) self.assertEqual(1, len(revocation_backend.list_events(token=token_data)))