def test_authenticate_without_proper_secret_returns_unauthorized(self): cred_blob, credential = unit.new_ec2_credential( self.user_foo['id'], self.tenant_bar['id']) PROVIDERS.credential_api.create_credential(credential['id'], credential) signer = ec2_utils.Ec2Signer('totally not the secret') credentials = { 'access': cred_blob['access'], 'secret': 'totally not the secret', 'host': 'localhost', 'verb': 'GET', 'path': '/', 'params': { 'SignatureVersion': '2', 'Action': 'Test', 'Timestamp': '2007-01-31T23:59:59Z' }, } credentials['signature'] = signer.generate(credentials) self.public_request(method='POST', path='/v2.0/ec2tokens', body={'credentials': credentials}, expected_status=http_client.UNAUTHORIZED)
def test_valid_authentication_response_with_proper_secret(self): cred_blob, credential = unit.new_ec2_credential( self.user_foo['id'], self.tenant_bar['id']) self.credential_api.create_credential(credential['id'], credential) signer = ec2_utils.Ec2Signer(cred_blob['secret']) credentials = { 'access': cred_blob['access'], 'secret': cred_blob['secret'], 'host': 'localhost', 'verb': 'GET', 'path': '/', 'params': { 'SignatureVersion': '2', 'Action': 'Test', 'Timestamp': '2007-01-31T23:59:59Z' }, } credentials['signature'] = signer.generate(credentials) resp = self.public_request(method='POST', path='/v2.0/ec2tokens', body={'credentials': credentials}, expected_status=http_client.OK) self.assertValidAuthenticationResponse(resp)
def setUp(self): super(EC2ContribCoreV3, self).setUp() self.cred_blob, self.credential = unit.new_ec2_credential( self.user['id'], self.project_id) PROVIDERS.credential_api.create_credential( self.credential['id'], self.credential)
def setUp(self): super(EC2ContribCoreV3, self).setUp() self.cred_blob, self.credential = unit.new_ec2_credential( self.user['id'], self.project_id) PROVIDERS.credential_api.create_credential(self.credential['id'], self.credential)
def test_update_ec2_credential_change_access_token_id(self): """Call ``PATCH /credentials/{credential_id}``.""" blob, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=self.project_id) blob['access_token_id'] = uuid.uuid4().hex ref['blob'] = json.dumps(blob) r = self.post( '/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) credential_id = r.result.get('credential')['id'] # Try changing to a different access token blob['access_token_id'] = uuid.uuid4().hex update_ref = {'blob': json.dumps(blob)} self.patch( '/credentials/%(credential_id)s' % { 'credential_id': credential_id}, body={'credential': update_ref}, expected_status=http.client.BAD_REQUEST) # Try removing the access token del blob['access_token_id'] update_ref = {'blob': json.dumps(blob)} self.patch( '/credentials/%(credential_id)s' % { 'credential_id': credential_id}, body={'credential': update_ref}, expected_status=http.client.BAD_REQUEST)
def test_app_cred_ec2_credential(self): """Test creating ec2 credential from an application credential. Call ``POST /credentials``. """ # Create the app cred ref = unit.new_application_credential_ref(roles=[{'id': self.role_id}]) del ref['id'] r = self.post('/users/%s/application_credentials' % self.user_id, body={'application_credential': ref}) app_cred = r.result['application_credential'] # Get an application credential token auth_data = self.build_authentication_request( app_cred_id=app_cred['id'], secret=app_cred['secret']) r = self.v3_create_token(auth_data) token_id = r.headers.get('X-Subject-Token') # Create the credential with the app cred token blob, ref = unit.new_ec2_credential(user_id=self.user_id, project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}, token=token_id) # We expect the response blob to contain the app_cred_id ret_ref = ref.copy() ret_blob = blob.copy() ret_blob['app_cred_id'] = app_cred['id'] ret_ref['blob'] = json.dumps(ret_blob) self.assertValidCredentialResponse(r, ref=ret_ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob['access'].encode('utf-8') self.assertEqual(hashlib.sha256(access).hexdigest(), r.result['credential']['id']) # Create a role assignment to ensure that it is ignored and only the # roles in the app cred are used role = unit.new_role_ref(name='reader') role_id = role['id'] PROVIDERS.role_api.create_role(role_id, role) PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, role_id) ret_blob = json.loads(r.result['credential']['blob']) ec2token = self._test_get_token( access=ret_blob['access'], secret=ret_blob['secret']) ec2_roles = [role['id'] for role in ec2token['roles']] self.assertIn(self.role_id, ec2_roles) self.assertNotIn(role_id, ec2_roles) # Create second ec2 credential with the same access key id and check # for conflict. self.post( '/credentials', body={'credential': ref}, token=token_id, expected_status=http.client.CONFLICT)
def test_create_ec2_credential_with_missing_project_id(self): """Test Creating ec2 credential with missing project_id. Call ``POST /credentials``. """ _, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=None) # Assert bad request status when missing project_id self.post("/credentials", body={"credential": ref}, expected_status=http_client.BAD_REQUEST)
def setUp(self): super(EC2ContribCoreV3, self).setUp() self.cred_blob, self.credential = unit.new_ec2_credential( self.user['id'], self.project_id) self.credential_api.create_credential(self.credential['id'], self.credential) self.controller = controllers.Ec2ControllerV3
def test_create_ec2_credential_with_missing_project_id(self): """Call ``POST /credentials`` for creating ec2 credential with missing project_id. """ _, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=None) # Assert bad request status when missing project_id self.post( '/credentials', body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
def test_create_ec2_credential_with_missing_project_id(self): """Call ``POST /credentials`` for creating ec2 credential with missing project_id. """ _, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=None) # Assert bad request status when missing project_id self.post('/credentials', body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
def setUp(self): super(S3ContribCore, self).setUp() self.load_backends() self.cred_blob, self.credential = unit.new_ec2_credential( self.user['id'], self.project_id) PROVIDERS.credential_api.create_credential( self.credential['id'], self.credential) self.controller = s3.S3Controller()
def setUp(self): super(S3ContribCore, self).setUp() self.load_backends() self.cred_blob, self.credential = unit.new_ec2_credential( self.user['id'], self.project_id) PROVIDERS.credential_api.create_credential(self.credential['id'], self.credential) self.controller = s3.S3Controller()
def test_create_ec2_credential(self): """Call ``POST /credentials`` for creating ec2 credential.""" blob, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id) r = self.post("/credentials", body={"credential": ref}) self.assertValidCredentialResponse(r, ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob["access"].encode("utf-8") self.assertEqual(hashlib.sha256(access).hexdigest(), r.result["credential"]["id"]) # Create second ec2 credential with the same access key id and check # for conflict. self.post("/credentials", body={"credential": ref}, expected_status=http_client.CONFLICT)
def test_ec2_credential_signature_validate(self): """Test signature validation with a v3 ec2 credential.""" blob, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id) r = self.post("/credentials", body={"credential": ref}) self.assertValidCredentialResponse(r, ref) # Assert credential id is same as hash of access key id access = blob["access"].encode("utf-8") self.assertEqual(hashlib.sha256(access).hexdigest(), r.result["credential"]["id"]) cred_blob = json.loads(r.result["credential"]["blob"]) self.assertEqual(blob, cred_blob) self._validate_signature(access=cred_blob["access"], secret=cred_blob["secret"])
def test_trust_scoped_ec2_credential(self): """Test creating trust scoped ec2 credential. Call ``POST /credentials``. """ # Create the trust ref = unit.new_trust_ref( trustor_user_id=self.user_id, trustee_user_id=self.trustee_user_id, project_id=self.project_id, impersonation=True, expires=dict(minutes=1), role_ids=[self.role_id]) del ref['id'] r = self.post('/OS-TRUST/trusts', body={'trust': ref}) trust = self.assertValidTrustResponse(r) # Get a trust scoped token auth_data = self.build_authentication_request( user_id=self.trustee_user['id'], password=self.trustee_user['password'], trust_id=trust['id']) r = self.v3_create_token(auth_data) self.assertValidProjectScopedTokenResponse(r, self.user) trust_id = r.result['token']['OS-TRUST:trust']['id'] token_id = r.headers.get('X-Subject-Token') # Create the credential with the trust scoped token blob, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}, token=token_id) # We expect the response blob to contain the trust_id ret_ref = ref.copy() ret_blob = blob.copy() ret_blob['trust_id'] = trust_id ret_ref['blob'] = json.dumps(ret_blob) self.assertValidCredentialResponse(r, ref=ret_ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob['access'].encode('utf-8') self.assertEqual(hashlib.sha256(access).hexdigest(), r.result['credential']['id']) # Create second ec2 credential with the same access key id and check # for conflict. self.post( '/credentials', body={'credential': ref}, token=token_id, expected_status=http_client.CONFLICT)
def _create_dict_blob_credential(self): blob, credential = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id) # Store the blob as a dict *not* JSON ref bug #1259584 # This means we can test the dict->json workaround, added # as part of the bugfix for backwards compatibility works. credential["blob"] = blob credential_id = credential["id"] # Create direct via the DB API to avoid validation failure self.credential_api.create_credential(credential_id, credential) return json.dumps(blob), credential_id
def setUp(self): super(V2CredentialEc2Controller, self).setUp() self.useFixture(database.Database()) self.load_backends() self.load_fixtures(default_fixtures) self.user_id = self.user_foo['id'] self.project_id = self.tenant_bar['id'] self.controller = controllers.Ec2Controller() self.blob, tmp_ref = unit.new_ec2_credential( user_id=self.user_id, project_id=self.project_id) self.creds_ref = ( controllers.Ec2Controller._convert_v3_to_ec2_credential(tmp_ref))
def _create_dict_blob_credential(self): blob, credential = unit.new_ec2_credential(user_id=self.user['id'], project_id=self.project_id) # Store the blob as a dict *not* JSON ref bug #1259584 # This means we can test the dict->json workaround, added # as part of the bugfix for backwards compatibility works. credential['blob'] = blob credential_id = credential['id'] # Create direct via the DB API to avoid validation failure self.credential_api.create_credential(credential_id, credential) return json.dumps(blob), credential_id
def setUp(self): super(V2CredentialEc2Controller, self).setUp() self.useFixture(database.Database()) self.load_backends() self.load_fixtures(default_fixtures) self.user_id = self.user_foo['id'] self.project_id = self.tenant_bar['id'] self.controller = controllers.Ec2Controller() self.blob, tmp_ref = unit.new_ec2_credential( user_id=self.user_id, project_id=self.project_id) self.creds_ref = (controllers.Ec2Controller ._convert_v3_to_ec2_credential(tmp_ref))
def test_ec2_credential_signature_validate(self): """Test signature validation with a v3 ec2 credential.""" blob, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) # Assert credential id is same as hash of access key id access = blob['access'].encode('utf-8') self.assertEqual( hashlib.sha256(access).hexdigest(), r.result['credential']['id']) cred_blob = json.loads(r.result['credential']['blob']) self.assertEqual(blob, cred_blob) self._validate_signature(access=cred_blob['access'], secret=cred_blob['secret'])
def test_ec2_credential_signature_validate(self): """Test signature validation with a v3 ec2 credential.""" blob, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) # Assert credential id is same as hash of access key id access = blob['access'].encode('utf-8') self.assertEqual(hashlib.sha256(access).hexdigest(), r.result['credential']['id']) cred_blob = json.loads(r.result['credential']['blob']) self.assertEqual(blob, cred_blob) self._validate_signature(access=cred_blob['access'], secret=cred_blob['secret'])
def test_create_ec2_credential(self): """Call ``POST /credentials`` for creating ec2 credential.""" blob, ref = unit.new_ec2_credential(user_id=self.user['id'], project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob['access'].encode('utf-8') self.assertEqual( hashlib.sha256(access).hexdigest(), r.result['credential']['id']) # Create second ec2 credential with the same access key id and check # for conflict. self.post('/credentials', body={'credential': ref}, expected_status=http_client.CONFLICT)
def setUp(self): super(V2CredentialEc2Controller, self).setUp() self.useFixture(database.Database()) self.useFixture( ksfixtures.KeyRepository(self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS)) self.load_backends() self.load_fixtures(default_fixtures) self.user_id = self.user_foo['id'] self.project_id = self.tenant_bar['id'] self.controller = controllers.Ec2Controller() self.blob, tmp_ref = unit.new_ec2_credential( user_id=self.user_id, project_id=self.project_id) self.creds_ref = ( controllers.Ec2Controller._convert_v3_to_ec2_credential(tmp_ref))
def setUp(self): super(V2CredentialEc2Controller, self).setUp() self.useFixture(database.Database()) self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS ) ) self.load_backends() self.load_fixtures(default_fixtures) self.user_id = self.user_foo['id'] self.project_id = self.tenant_bar['id'] self.controller = controllers.Ec2Controller() self.blob, tmp_ref = unit.new_ec2_credential( user_id=self.user_id, project_id=self.project_id) self.creds_ref = (controllers.Ec2Controller ._convert_v3_to_ec2_credential(tmp_ref))
def test_access_token_ec2_credential(self): """Test creating ec2 credential from an oauth access token. Call ``POST /credentials``. """ access_key, token_id = self._get_access_token() # Create the credential with the access token blob, ref = unit.new_ec2_credential(user_id=self.user_id, project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}, token=token_id) # We expect the response blob to contain the access_token_id ret_ref = ref.copy() ret_blob = blob.copy() ret_blob['access_token_id'] = access_key.decode('utf-8') ret_ref['blob'] = json.dumps(ret_blob) self.assertValidCredentialResponse(r, ref=ret_ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob['access'].encode('utf-8') self.assertEqual( hashlib.sha256(access).hexdigest(), r.result['credential']['id']) # Create a role assignment to ensure that it is ignored and only the # roles in the access token are used role = unit.new_role_ref(name='reader') role_id = role['id'] PROVIDERS.role_api.create_role(role_id, role) PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, role_id) ret_blob = json.loads(r.result['credential']['blob']) ec2token = self._test_get_token(access=ret_blob['access'], secret=ret_blob['secret']) ec2_roles = [role['id'] for role in ec2token['roles']] self.assertIn(self.role_id, ec2_roles) self.assertNotIn(role_id, ec2_roles)
def test_trust_scoped_ec2_credential(self): """Test creating trust scoped ec2 credential. Call ``POST /credentials``. """ # Create the trust ref = unit.new_trust_ref(trustor_user_id=self.user_id, trustee_user_id=self.trustee_user_id, project_id=self.project_id, impersonation=True, expires=dict(minutes=1), role_ids=[self.role_id]) del ref['id'] r = self.post('/OS-TRUST/trusts', body={'trust': ref}) trust = self.assertValidTrustResponse(r) # Get a trust scoped token auth_data = self.build_authentication_request( user_id=self.trustee_user['id'], password=self.trustee_user['password'], trust_id=trust['id']) r = self.v3_create_token(auth_data) self.assertValidProjectScopedTokenResponse(r, self.user) trust_id = r.result['token']['OS-TRUST:trust']['id'] token_id = r.headers.get('X-Subject-Token') # Create the credential with the trust scoped token blob, ref = unit.new_ec2_credential(user_id=self.user_id, project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}, token=token_id) # We expect the response blob to contain the trust_id ret_ref = ref.copy() ret_blob = blob.copy() ret_blob['trust_id'] = trust_id ret_ref['blob'] = json.dumps(ret_blob) self.assertValidCredentialResponse(r, ref=ret_ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob['access'].encode('utf-8') self.assertEqual( hashlib.sha256(access).hexdigest(), r.result['credential']['id']) # Create a role assignment to ensure that it is ignored and only the # trust-delegated roles are used role = unit.new_role_ref(name='reader') role_id = role['id'] PROVIDERS.role_api.create_role(role_id, role) PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, role_id) ret_blob = json.loads(r.result['credential']['blob']) ec2token = self._test_get_token(access=ret_blob['access'], secret=ret_blob['secret']) ec2_roles = [role['id'] for role in ec2token['roles']] self.assertIn(self.role_id, ec2_roles) self.assertNotIn(role_id, ec2_roles) # Create second ec2 credential with the same access key id and check # for conflict. self.post('/credentials', body={'credential': ref}, token=token_id, expected_status=http.client.CONFLICT)