def test_authenticate_without_proper_secret_returns_unauthorized(self):
cred_blob, credential = unit.new_ec2_credential(
self.user_foo['id'], self.tenant_bar['id'])
PROVIDERS.credential_api.create_credential(credential['id'],
credential)
signer = ec2_utils.Ec2Signer('totally not the secret')
credentials = {
'access': cred_blob['access'],
'secret': 'totally not the secret',
'host': 'localhost',
'verb': 'GET',
'path': '/',
'params': {
'SignatureVersion': '2',
'Action': 'Test',
'Timestamp': '2007-01-31T23:59:59Z'
},
}
credentials['signature'] = signer.generate(credentials)
self.public_request(method='POST',
path='/v2.0/ec2tokens',
body={'credentials': credentials},
expected_status=http_client.UNAUTHORIZED)
def test_valid_authentication_response_with_proper_secret(self):
cred_blob, credential = unit.new_ec2_credential(
self.user_foo['id'], self.tenant_bar['id'])
self.credential_api.create_credential(credential['id'], credential)
signer = ec2_utils.Ec2Signer(cred_blob['secret'])
credentials = {
'access': cred_blob['access'],
'secret': cred_blob['secret'],
'host': 'localhost',
'verb': 'GET',
'path': '/',
'params': {
'SignatureVersion': '2',
'Action': 'Test',
'Timestamp': '2007-01-31T23:59:59Z'
},
}
credentials['signature'] = signer.generate(credentials)
resp = self.public_request(method='POST',
path='/v2.0/ec2tokens',
body={'credentials': credentials},
expected_status=http_client.OK)
self.assertValidAuthenticationResponse(resp)
def setUp(self):
super(EC2ContribCoreV3, self).setUp()
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
PROVIDERS.credential_api.create_credential(
self.credential['id'], self.credential)
def setUp(self):
super(EC2ContribCoreV3, self).setUp()
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
PROVIDERS.credential_api.create_credential(self.credential['id'],
self.credential)
def test_update_ec2_credential_change_access_token_id(self):
"""Call ``PATCH /credentials/{credential_id}``."""
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
blob['access_token_id'] = uuid.uuid4().hex
ref['blob'] = json.dumps(blob)
r = self.post(
'/credentials',
body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
credential_id = r.result.get('credential')['id']
# Try changing to a different access token
blob['access_token_id'] = uuid.uuid4().hex
update_ref = {'blob': json.dumps(blob)}
self.patch(
'/credentials/%(credential_id)s' % {
'credential_id': credential_id},
body={'credential': update_ref},
expected_status=http.client.BAD_REQUEST)
# Try removing the access token
del blob['access_token_id']
update_ref = {'blob': json.dumps(blob)}
self.patch(
'/credentials/%(credential_id)s' % {
'credential_id': credential_id},
body={'credential': update_ref},
expected_status=http.client.BAD_REQUEST)
def test_app_cred_ec2_credential(self):
"""Test creating ec2 credential from an application credential.
Call ``POST /credentials``.
"""
# Create the app cred
ref = unit.new_application_credential_ref(roles=[{'id': self.role_id}])
del ref['id']
r = self.post('/users/%s/application_credentials' % self.user_id,
body={'application_credential': ref})
app_cred = r.result['application_credential']
# Get an application credential token
auth_data = self.build_authentication_request(
app_cred_id=app_cred['id'],
secret=app_cred['secret'])
r = self.v3_create_token(auth_data)
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the app cred token
blob, ref = unit.new_ec2_credential(user_id=self.user_id,
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the app_cred_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['app_cred_id'] = app_cred['id']
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(hashlib.sha256(access).hexdigest(),
r.result['credential']['id'])
# Create a role assignment to ensure that it is ignored and only the
# roles in the app cred are used
role = unit.new_role_ref(name='reader')
role_id = role['id']
PROVIDERS.role_api.create_role(role_id, role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, role_id)
ret_blob = json.loads(r.result['credential']['blob'])
ec2token = self._test_get_token(
access=ret_blob['access'], secret=ret_blob['secret'])
ec2_roles = [role['id'] for role in ec2token['roles']]
self.assertIn(self.role_id, ec2_roles)
self.assertNotIn(role_id, ec2_roles)
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post(
'/credentials',
body={'credential': ref},
token=token_id,
expected_status=http.client.CONFLICT)
def test_create_ec2_credential_with_missing_project_id(self):
"""Test Creating ec2 credential with missing project_id.
Call ``POST /credentials``.
"""
_, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=None)
# Assert bad request status when missing project_id
self.post("/credentials", body={"credential": ref}, expected_status=http_client.BAD_REQUEST)
def setUp(self):
super(EC2ContribCoreV3, self).setUp()
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
self.credential_api.create_credential(self.credential['id'],
self.credential)
self.controller = controllers.Ec2ControllerV3
def test_create_ec2_credential_with_missing_project_id(self):
"""Call ``POST /credentials`` for creating ec2 credential with missing
project_id.
"""
_, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=None)
# Assert bad request status when missing project_id
self.post(
'/credentials',
body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
def test_create_ec2_credential_with_missing_project_id(self):
"""Call ``POST /credentials`` for creating ec2 credential with missing
project_id.
"""
_, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=None)
# Assert bad request status when missing project_id
self.post('/credentials',
body={'credential': ref},
expected_status=http_client.BAD_REQUEST)
def setUp(self):
super(S3ContribCore, self).setUp()
self.load_backends()
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
PROVIDERS.credential_api.create_credential(
self.credential['id'], self.credential)
self.controller = s3.S3Controller()
def setUp(self):
super(S3ContribCore, self).setUp()
self.load_backends()
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
PROVIDERS.credential_api.create_credential(self.credential['id'],
self.credential)
self.controller = s3.S3Controller()
def test_create_ec2_credential(self):
"""Call ``POST /credentials`` for creating ec2 credential."""
blob, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id)
r = self.post("/credentials", body={"credential": ref})
self.assertValidCredentialResponse(r, ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob["access"].encode("utf-8")
self.assertEqual(hashlib.sha256(access).hexdigest(), r.result["credential"]["id"])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post("/credentials", body={"credential": ref}, expected_status=http_client.CONFLICT)
def test_ec2_credential_signature_validate(self):
"""Test signature validation with a v3 ec2 credential."""
blob, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id)
r = self.post("/credentials", body={"credential": ref})
self.assertValidCredentialResponse(r, ref)
# Assert credential id is same as hash of access key id
access = blob["access"].encode("utf-8")
self.assertEqual(hashlib.sha256(access).hexdigest(), r.result["credential"]["id"])
cred_blob = json.loads(r.result["credential"]["blob"])
self.assertEqual(blob, cred_blob)
self._validate_signature(access=cred_blob["access"], secret=cred_blob["secret"])
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.
Call ``POST /credentials``.
"""
# Create the trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the trust scoped token
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['trust_id'] = trust_id
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(hashlib.sha256(access).hexdigest(),
r.result['credential']['id'])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post(
'/credentials',
body={'credential': ref},
token=token_id,
expected_status=http_client.CONFLICT)
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.
Call ``POST /credentials``.
"""
# Create the trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the trust scoped token
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['trust_id'] = trust_id
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(hashlib.sha256(access).hexdigest(),
r.result['credential']['id'])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post(
'/credentials',
body={'credential': ref},
token=token_id,
expected_status=http_client.CONFLICT)
def _create_dict_blob_credential(self):
blob, credential = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id)
# Store the blob as a dict *not* JSON ref bug #1259584
# This means we can test the dict->json workaround, added
# as part of the bugfix for backwards compatibility works.
credential["blob"] = blob
credential_id = credential["id"]
# Create direct via the DB API to avoid validation failure
self.credential_api.create_credential(credential_id, credential)
return json.dumps(blob), credential_id
def setUp(self):
super(V2CredentialEc2Controller, self).setUp()
self.useFixture(database.Database())
self.load_backends()
self.load_fixtures(default_fixtures)
self.user_id = self.user_foo['id']
self.project_id = self.tenant_bar['id']
self.controller = controllers.Ec2Controller()
self.blob, tmp_ref = unit.new_ec2_credential(
user_id=self.user_id, project_id=self.project_id)
self.creds_ref = (
controllers.Ec2Controller._convert_v3_to_ec2_credential(tmp_ref))
def _create_dict_blob_credential(self):
blob, credential = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
# Store the blob as a dict *not* JSON ref bug #1259584
# This means we can test the dict->json workaround, added
# as part of the bugfix for backwards compatibility works.
credential['blob'] = blob
credential_id = credential['id']
# Create direct via the DB API to avoid validation failure
self.credential_api.create_credential(credential_id, credential)
return json.dumps(blob), credential_id
def setUp(self):
super(V2CredentialEc2Controller, self).setUp()
self.useFixture(database.Database())
self.load_backends()
self.load_fixtures(default_fixtures)
self.user_id = self.user_foo['id']
self.project_id = self.tenant_bar['id']
self.controller = controllers.Ec2Controller()
self.blob, tmp_ref = unit.new_ec2_credential(
user_id=self.user_id,
project_id=self.project_id)
self.creds_ref = (controllers.Ec2Controller
._convert_v3_to_ec2_credential(tmp_ref))
def test_ec2_credential_signature_validate(self):
"""Test signature validation with a v3 ec2 credential."""
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
# Assert credential id is same as hash of access key id
access = blob['access'].encode('utf-8')
self.assertEqual(
hashlib.sha256(access).hexdigest(), r.result['credential']['id'])
cred_blob = json.loads(r.result['credential']['blob'])
self.assertEqual(blob, cred_blob)
self._validate_signature(access=cred_blob['access'],
secret=cred_blob['secret'])
def test_ec2_credential_signature_validate(self):
"""Test signature validation with a v3 ec2 credential."""
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
# Assert credential id is same as hash of access key id
access = blob['access'].encode('utf-8')
self.assertEqual(hashlib.sha256(access).hexdigest(),
r.result['credential']['id'])
cred_blob = json.loads(r.result['credential']['blob'])
self.assertEqual(blob, cred_blob)
self._validate_signature(access=cred_blob['access'],
secret=cred_blob['secret'])
def test_create_ec2_credential(self):
"""Call ``POST /credentials`` for creating ec2 credential."""
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(
hashlib.sha256(access).hexdigest(), r.result['credential']['id'])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post('/credentials',
body={'credential': ref},
expected_status=http_client.CONFLICT)
def setUp(self):
super(V2CredentialEc2Controller, self).setUp()
self.useFixture(database.Database())
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
self.load_backends()
self.load_fixtures(default_fixtures)
self.user_id = self.user_foo['id']
self.project_id = self.tenant_bar['id']
self.controller = controllers.Ec2Controller()
self.blob, tmp_ref = unit.new_ec2_credential(
user_id=self.user_id, project_id=self.project_id)
self.creds_ref = (
controllers.Ec2Controller._convert_v3_to_ec2_credential(tmp_ref))
def setUp(self):
super(V2CredentialEc2Controller, self).setUp()
self.useFixture(database.Database())
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
self.load_backends()
self.load_fixtures(default_fixtures)
self.user_id = self.user_foo['id']
self.project_id = self.tenant_bar['id']
self.controller = controllers.Ec2Controller()
self.blob, tmp_ref = unit.new_ec2_credential(
user_id=self.user_id,
project_id=self.project_id)
self.creds_ref = (controllers.Ec2Controller
._convert_v3_to_ec2_credential(tmp_ref))
def test_access_token_ec2_credential(self):
"""Test creating ec2 credential from an oauth access token.
Call ``POST /credentials``.
"""
access_key, token_id = self._get_access_token()
# Create the credential with the access token
blob, ref = unit.new_ec2_credential(user_id=self.user_id,
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the access_token_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['access_token_id'] = access_key.decode('utf-8')
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(
hashlib.sha256(access).hexdigest(), r.result['credential']['id'])
# Create a role assignment to ensure that it is ignored and only the
# roles in the access token are used
role = unit.new_role_ref(name='reader')
role_id = role['id']
PROVIDERS.role_api.create_role(role_id, role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, role_id)
ret_blob = json.loads(r.result['credential']['blob'])
ec2token = self._test_get_token(access=ret_blob['access'],
secret=ret_blob['secret'])
ec2_roles = [role['id'] for role in ec2token['roles']]
self.assertIn(self.role_id, ec2_roles)
self.assertNotIn(role_id, ec2_roles)
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.
Call ``POST /credentials``.
"""
# Create the trust
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the trust scoped token
blob, ref = unit.new_ec2_credential(user_id=self.user_id,
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['trust_id'] = trust_id
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(
hashlib.sha256(access).hexdigest(), r.result['credential']['id'])
# Create a role assignment to ensure that it is ignored and only the
# trust-delegated roles are used
role = unit.new_role_ref(name='reader')
role_id = role['id']
PROVIDERS.role_api.create_role(role_id, role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, role_id)
ret_blob = json.loads(r.result['credential']['blob'])
ec2token = self._test_get_token(access=ret_blob['access'],
secret=ret_blob['secret'])
ec2_roles = [role['id'] for role in ec2token['roles']]
self.assertIn(self.role_id, ec2_roles)
self.assertNotIn(role_id, ec2_roles)
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post('/credentials',
body={'credential': ref},
token=token_id,
expected_status=http.client.CONFLICT)
