Exemple #1
    def test_modify_settings_append_password(self):
        """
        Password reset must not issue a token to holders of blacklisted roles.

        Two users are registered on one project, the first holding
        "test_role" and the second holding "admin". Each ResetPassword
        request is answered with HTTP 200, yet no Token row exists afterwards.
        """
        # NOTE(review): the settings override that appends "test_role" to the
        # reset-password blacklist is not visible in this method (presumably a
        # decorator on the original) -- confirm it is applied, otherwise the
        # first request does not exercise the override at all.
        # NOTE(review): the addresses are masked in this listing, so both
        # requests appear to target the same e-mail.
        role_user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )
        admin_user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        project = fake_clients.FakeProject(name="test_project")
        custom_role = fake_clients.FakeRole("test_role")

        # One assignment per user, each with its own scope dict.
        role_assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name=role_name,
                user={"id": holder.id},
            )
            for role_name, holder in (("test_role", role_user), ("admin", admin_user))
        ]

        setup_identity_cache(
            projects=[project],
            users=[role_user, admin_user],
            role_assignments=role_assignments,
            extra_roles=[custom_role],
        )

        reset_url = "/v1/actions/ResetPassword"

        # The status code stays 200 while no token is stored, so the response
        # itself does not reveal that the reset was refused.
        first_reply = self.client.post(
            reset_url, {"email": "*****@*****.**"}, format="json"
        )
        self.assertEqual(first_reply.status_code, status.HTTP_200_OK)
        self.assertEqual(0, Token.objects.count())

        second_reply = self.client.post(
            reset_url, {"email": "*****@*****.**"}, format="json"
        )
        self.assertEqual(second_reply.status_code, status.HTTP_200_OK)
        self.assertEqual(0, Token.objects.count())
    def test_new_user_only_member(self):
        """
        A requester holding only "member" cannot add a user to the project.

        The target user and the project both exist, but the task's
        keystone_user has no edit permissions, so prepare() must leave the
        action invalid.
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[existing_user])

        # Identity of the requester as recorded on the task: plain member only.
        requester = {
            "roles": ["member"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": project.id,
                "roles": ["member"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )
        action.prepare()

        self.assertFalse(action.valid)
    def test_new_user_wrong_project(self):
        """
        A request aimed at a project other than the requester's own is invalid.

        The task's keystone_user is scoped to "test_project_id" while the
        action data names "test_project_id_1"; prepare() must reject the
        mismatch even though the requester holds "project_mod".
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[existing_user])

        # Requester scope and requested scope deliberately differ.
        requester = {
            "roles": ["project_mod"],
            "project_id": "test_project_id",
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": "test_project_id_1",
                "roles": ["member"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )
        action.prepare()

        self.assertEqual(action.valid, False)
Exemple #4
    def test_set_quota_invalid_region(self):
        """ A quota update naming a region that does not exist returns 400. """
        project = fake_clients.FakeProject(
            name="test_project", id="test_project_id"
        )
        cached_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[cached_user])

        # Caller context passed to the test client as request headers.
        caller_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "user_id",
            "authenticated": True,
        }

        # "RegionThree" is the region the docstring refers to as non-existent.
        payload = {"size": "small", "regions": ["RegionThree"]}
        response = self.client.post(
            "/v1/openstack/quotas/", payload, headers=caller_headers, format="json"
        )

        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
Exemple #5
    def setUp(self) -> None:
        """Seed the fake identity cache with three projects and three users."""
        super().setUp()

        # Random hex names, one fresh uuid4 per project.
        self.projects = [
            fake_clients.FakeProject(name=uuid.uuid4().hex) for _ in range(3)
        ]
        # Listed one by one: the names are masked in this listing and are
        # not necessarily identical in the original file.
        first_user = fake_clients.FakeUser(name='*****@*****.**')
        second_user = fake_clients.FakeUser(name='*****@*****.**')
        third_user = fake_clients.FakeUser(name='*****@*****.**')
        self.users = [first_user, second_user, third_user]

        fake_clients.setup_identity_cache(
            projects=self.projects, users=self.users
        )
Exemple #6
    def test_calculate_custom_quota_size(self):
        """
        A project with hand-tuned quotas is reported under the best-fitting size.

        Individual cinder, nova and neutron values are overwritten in the
        RegionOne caches; the quota endpoint must still report "small".
        """
        project = fake_clients.FakeProject(
            name="test_project", id="test_project_id"
        )
        cached_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[cached_user])

        admin_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": cached_user.id,
            "authenticated": True,
        }

        # Customise one value per service directly in the module-level caches.
        cinder_cache["RegionOne"]["test_project_id"]["quota"]["gigabytes"] = 6000
        nova_cache["RegionOne"]["test_project_id"]["quota"]["ram"] = 70000
        neutron_cache["RegionOne"]["test_project_id"]["quota"]["network"] = 4

        response = self.client.get(
            "/v1/openstack/quotas/?regions=RegionOne", headers=admin_headers
        )

        # The page must be reachable before its content is inspected.
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["regions"][0]["current_quota_size"], "small")
Exemple #7
    def test_remove_user_role(self):
        """ A project admin's request to drop a user's role creates a task. """
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        member_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": target_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=[member_assignment],
        )

        admin_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "test_user_id",
            "authenticated": True,
        }

        # The admin asks for "member" to be removed from the target user.
        # Only the 202 and the "task created" note are asserted here; the
        # resulting role list is not checked by this test.
        roles_url = "/v1/openstack/users/%s/roles" % (target_user.id,)
        response = self.client.delete(
            roles_url, {"roles": ["member"]}, format="json", headers=admin_headers
        )

        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
        self.assertEqual(response.json(), {"notes": ["task created"]})
Exemple #8
    def test_set_multi_region_quota(self):
        """ One request sets the same quota size in several regions of a project. """
        project = fake_clients.FakeProject(
            name="test_project", id="test_project_id"
        )
        cached_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[cached_user])

        caller_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "user_id",
            "authenticated": True,
        }

        payload = {"size": "medium", "regions": ["RegionOne", "RegionTwo"]}
        response = self.client.post(
            "/v1/openstack/quotas/", payload, headers=caller_headers, format="json"
        )
        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)

        # Both regions must now carry the "medium" values.
        for region in ("RegionOne", "RegionTwo"):
            self.check_quota_cache(region, "test_project_id", "medium")
Exemple #9
    def test_new_user_only_member(self):
        """
        A requester holding only "_member_" cannot add a user to the project.

        The target user and the project both exist, but the task's
        keystone_user has no edit permissions, so pre_approve() must leave
        the action invalid.
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[existing_user])

        # Identity of the requester as recorded on the task: "_member_" only.
        requester = {
            "roles": ["_member_"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": project.id,
                "roles": ["_member_"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )
        action.pre_approve()

        self.assertFalse(action.valid)
Exemple #10
    def setUp(self) -> None:
        """Seed the fake identity cache with a single user."""
        super().setUp()

        only_user = fake_clients.FakeUser(name='*****@*****.**')
        self.users = [only_user]

        fake_clients.setup_identity_cache(users=self.users)
Exemple #11
    def test_update_quota_no_history(self):
        """ A first quota change on a project with no history is applied at once. """
        project = fake_clients.FakeProject(
            name="test_project", id="test_project_id"
        )
        cached_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(projects=[project], users=[cached_user])

        admin_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "user_id",
            "authenticated": True,
        }

        payload = {"size": "medium", "regions": ["RegionOne"]}
        response = self.client.post(
            "/v1/openstack/quotas/", payload, headers=admin_headers, format="json"
        )
        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)

        # No separate approval step is made: the cache already shows "medium".
        self.check_quota_cache("RegionOne", project.id, "medium")
    def test_edit_user_roles_modified_config_add(self):
        """
        Role-management mappings are read from config.

        A "project_mod" requester grants "new_role" to a user; the action
        must stay valid through prepare, approve and submit, and the user
        must end up with both roles.
        """
        # NOTE(review): the config override that lets project_mod manage
        # "new_role" is not visible in this method (presumably a decorator on
        # the original) -- confirm it is applied.
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        mod_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="project_mod",
            user={"id": target_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=[mod_assignment],
        )

        # Register the extra role in the fake identity cache after setup.
        extra_role = fake_clients.FakeRole("new_role")
        fake_clients.identity_cache["roles"][extra_role.id] = extra_role

        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = EditUserRolesAction(
            {
                "domain_id": "default",
                "user_id": target_user.id,
                "project_id": project.id,
                "roles": ["new_role"],
                "inherited_roles": [],
                "remove": False,
            },
            task=task,
            order=1,
        )

        # The action must remain valid after every lifecycle stage.
        for stage in (action.prepare, action.approve):
            stage()
            self.assertEqual(action.valid, True)

        action.submit({})
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        granted = manager._get_roles_as_names(target_user, project)
        self.assertEqual(granted, ["project_mod", "new_role"])
Exemple #13
    def test_edit_user_roles_modified_settings_add(self):
        """
        Role-management mappings are read from settings.

        A "project_mod" requester grants "new_role" to a user; the action
        must stay valid through pre_approve, post_approve and submit, and
        the user must end up with both roles.
        """
        # NOTE(review): the settings override that lets project_mod manage
        # "new_role" is not visible in this method (presumably a decorator on
        # the original) -- confirm it is applied.
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        mod_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="project_mod",
            user={"id": target_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=[mod_assignment],
        )

        # Register the extra role in the fake identity cache after setup.
        extra_role = fake_clients.FakeRole("new_role")
        fake_clients.identity_cache["roles"][extra_role.id] = extra_role

        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

        action = EditUserRolesAction(
            {
                "domain_id": "default",
                "user_id": target_user.id,
                "project_id": project.id,
                "roles": ["new_role"],
                "inherited_roles": [],
                "remove": False,
            },
            task=task,
            order=1,
        )

        # The action must remain valid after every lifecycle stage.
        for stage in (action.pre_approve, action.post_approve):
            stage()
            self.assertEqual(action.valid, True)

        action.submit({})
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        granted = manager._get_roles_as_names(target_user, project)
        self.assertEqual(granted, ["project_mod", "new_role"])
    def test_new_user_existing_role(self):
        """
        Inviting a user who already holds the requested role is a no-op.

        The action validates and reaches state "complete" on approve; after
        submit the user's roles on the project are still exactly ["member"].
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        member_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": existing_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[existing_user],
            role_assignments=[member_assignment],
        )

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": project.id,
                "roles": ["member"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )

        action.prepare()
        self.assertEqual(action.valid, True)

        # Nothing is left to do, so approval already completes the action.
        action.approve()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.submit({})
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(existing_user, project)
        self.assertEqual(current_roles, ["member"])
Exemple #15
    def test_new_user_existing_role(self):
        """
        Inviting a user who already holds the requested role is a no-op.

        The action validates and reaches state "complete" on post_approve;
        after submit the user's roles on the project are still exactly
        ["_member_"].
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        member_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="_member_",
            user={"id": existing_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[existing_user],
            role_assignments=[member_assignment],
        )

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": project.id,
                "roles": ["_member_"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )

        action.pre_approve()
        self.assertEqual(action.valid, True)

        # Nothing is left to do, so approval already completes the action.
        action.post_approve()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.submit({})
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(existing_user, project)
        self.assertEqual(current_roles, ["_member_"])
Exemple #16
    def test_new_project_existing_user(self):
        """
        A new project is created for an account that already exists.

        No new user is created, the task cache records the user as
        "existing", the account's password is untouched by submit, and the
        user receives the four default roles on the new project.
        """
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        setup_identity_cache(users=[existing_user])

        task = Task.objects.create(keystone_user={})

        action = NewProjectWithUserAction(
            {
                "domain_id": "default",
                "parent_id": None,
                "email": "*****@*****.**",
                "project_name": "test_project",
            },
            task=task,
            order=1,
        )

        for stage in (action.prepare, action.approve):
            stage()
            self.assertEqual(action.valid, True)

        created_project = fake_clients.identity_cache["new_projects"][0]
        self.assertEqual(created_project.name, "test_project")

        # The account already existed, so no user may have been created.
        self.assertEqual(len(fake_clients.identity_cache["new_users"]), 0)

        expected_cache = {
            "project_id": created_project.id,
            "user_id": existing_user.id,
            "user_state": "existing",
        }
        self.assertEqual(task.cache, expected_cache)

        # For an existing account submit is a no-op: in particular it must
        # not overwrite the stored password (the constructor literal above
        # is masked in this listing).
        action.submit({})
        self.assertEqual(action.valid, True)

        self.assertEqual(existing_user.password, "123")

        manager = fake_clients.FakeManager()
        granted = manager._get_roles_as_names(existing_user, created_project)
        self.assertEqual(
            sorted(granted),
            sorted(["member", "project_admin", "project_mod", "heat_stack_owner"]),
        )
Exemple #17
    def test_edit_user_roles_can_manage_all(self):
        """
        A requester may edit a user only if it can manage all of that user's roles.

        The target holds "_member_" and "project_admin"; the requester holds
        only "project_mod". pre_approve() must invalidate the action and the
        target's roles must be unchanged.
        """
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        # Two roles for the same user, each assignment with its own scope dict.
        role_assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name=role_name,
                user={"id": target_user.id},
            )
            for role_name in ("_member_", "project_admin")
        ]
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=role_assignments,
        )

        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

        action = EditUserRolesAction(
            {
                "domain_id": "default",
                "user_id": target_user.id,
                "project_id": project.id,
                "roles": ["project_mod"],
                "inherited_roles": [],
                "remove": False,
            },
            task=task,
            order=1,
        )

        action.pre_approve()
        self.assertEqual(action.valid, False)

        # The rejected request must not have altered the role list.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target_user, project)
        self.assertEqual(current_roles, ["_member_", "project_admin"])
Exemple #18
    def test_edit_user_roles_remove_complete(self):
        """
        Removing a role the user does not hold completes without any change.

        The user holds only "_member_" and the request removes "project_mod";
        the action is valid and already "complete" after pre_approve, and
        the role list is unchanged at the end.
        """
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        member_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="_member_",
            user={"id": target_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=[member_assignment],
        )

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

        action = EditUserRolesAction(
            {
                "domain_id": "default",
                "user_id": target_user.id,
                "project_id": project.id,
                "roles": ["project_mod"],
                "inherited_roles": [],
                "remove": True,
            },
            task=task,
            order=1,
        )

        # There is nothing to remove, so the first stage completes the action.
        action.pre_approve()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.post_approve()
        self.assertEqual(action.valid, True)

        action.submit({})
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target_user, project)
        self.assertEqual(current_roles, ["_member_"])
Exemple #19
    def test_update_quota_outside_range(self):
        """
        Attempts to update the quota size to a value outside of the
        project's pre-approved range.

        The request from a project admin is accepted (202) but leaves the
        quota at "small"; only after a caller with the "admin" role approves
        the resulting task does the quota become "large".
        """

        project = fake_clients.FakeProject(name="test_project", id="test_project_id")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        setup_identity_cache(projects=[project], users=[user])

        # Requester context: project-level roles only, no "admin".
        admin_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "user_id",
            "authenticated": True,
        }

        url = "/v1/openstack/quotas/"

        data = {"size": "large", "regions": ["RegionOne"]}
        response = self.client.post(url, data, headers=admin_headers, format="json")

        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)

        # Then check to see the quotas have not changed (stayed small)
        self.check_quota_cache("RegionOne", project.id, "small")

        # Approve and test for change

        # Approve the quota change as admin
        headers = {
            "project_name": "admin_project",
            "project_id": "test_project_id",
            "roles": "admin,member",
            "username": "******",
            "user_id": "admin_id",
            "authenticated": True,
        }

        # Grab the details for the task and approve it
        # NOTE(review): indexing all()[0] presumably relies on this being the
        # only Task row in the test database -- confirm.
        new_task = Task.objects.all()[0]
        url = "/v1/tasks/" + new_task.uuid
        response = self.client.post(
            url, {"approved": True}, format="json", headers=headers
        )
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data, {"notes": ["Task completed successfully."]})

        # Only now, after the admin approval, is the larger quota in effect.
        self.check_quota_cache("RegionOne", project.id, "large")
    def test_new_user_disabled(self):
        """
        Inviting a disabled account to an existing project re-enables it.

        After prepare, approve and submit the account found by name is
        enabled, carries the expected password and holds "member" on the
        project.
        """
        # NOTE(review): this pins that the invite flow re-enables a disabled
        # account and sets its password; confirm that is the intended policy
        # for accounts that were disabled on purpose.
        project = fake_clients.FakeProject(name="test_project")
        disabled_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
            enabled=False,
        )
        setup_identity_cache(projects=[project], users=[disabled_user])

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": project.id,
                "roles": ["member"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )

        for stage in (action.prepare, action.approve):
            stage()
            self.assertEqual(action.valid, True)

        # The password literal is masked in this listing; the assertion
        # further down shows the value the original test expects.
        action.submit({"password": "******"})
        self.assertEqual(action.valid, True)
        self.assertEqual(len(fake_clients.identity_cache["users"]), 2)

        manager = fake_clients.FakeManager()
        found_user = manager.find_user(name="*****@*****.**", domain="default")

        self.assertEqual(found_user.email, "*****@*****.**")
        self.assertEqual(found_user.password, "123456")
        self.assertTrue(found_user.enabled)

        granted = manager._get_roles_as_names(found_user, project)
        self.assertEqual(granted, ["member"])
    def test_edit_user_roles_remove_complete(self):
        """
        Removing a role the user does not hold completes without any change.

        The user holds only "member" and the request removes "project_mod";
        the action is valid and already "complete" after prepare, and the
        role list is unchanged at the end.
        """
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        member_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": target_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=[member_assignment],
        )

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = EditUserRolesAction(
            {
                "domain_id": "default",
                "user_id": target_user.id,
                "project_id": project.id,
                "roles": ["project_mod"],
                "inherited_roles": [],
                "remove": True,
            },
            task=task,
            order=1,
        )

        # There is nothing to remove, so the first stage completes the action.
        action.prepare()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.approve()
        self.assertEqual(action.valid, True)

        action.submit({})
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target_user, project)
        self.assertEqual(current_roles, ["member"])
Exemple #22
    def test_calculate_quota_size_zero(self):
        """
        Ensures that a "zero" quota size is detected correctly.

        Four reads of the quota endpoint are checked in sequence: a plain
        "small" quota, "small" with one value set to 0, a full "zero" quota,
        and "zero" with one value set to a non-zero number.
        """

        project = fake_clients.FakeProject(name="test_project", id="test_project_id")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        setup_identity_cache(projects=[project], users=[user])

        admin_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "user_id",
            "authenticated": True,
        }

        # Phase 1: baseline, the project starts on the "small" quota.
        setup_quota_cache("RegionOne", project.id, "small")

        url = "/v1/openstack/quotas/?regions=RegionOne"

        response = self.client.get(url, headers=admin_headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["regions"][0]["current_quota_size"], "small")

        # Phase 2: zero out a single cinder value in the shared cache.
        cinderquota = cinder_cache["RegionOne"][project.id]["quota"]
        cinderquota["gigabytes"] = 0

        # Check that the zero value doesn't interfere with being small
        response = self.client.get(url, headers=admin_headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["regions"][0]["current_quota_size"], "small")

        # Phase 3: reset the whole region to the "zero" quota.
        setup_quota_cache("RegionOne", project.id, "zero")

        url = "/v1/openstack/quotas/?regions=RegionOne"

        response = self.client.get(url, headers=admin_headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["regions"][0]["current_quota_size"], "zero")

        # Check that the zero quota will still be counted even if
        # one value is not zero
        cinderquota = cinder_cache["RegionOne"][project.id]["quota"]
        cinderquota["gigabytes"] = 600

        response = self.client.get(url, headers=admin_headers)
        # First check we can actually access the page correctly
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(response.data["regions"][0]["current_quota_size"], "zero")
    def test_edit_user_roles_can_manage_all(self):
        """
        A requester may edit a user only if it can manage all of that user's roles.

        The target holds "member" and "project_admin"; the requester holds
        only "project_mod". prepare() must invalidate the action and the
        target's roles must be unchanged.
        """
        project = fake_clients.FakeProject(name="test_project")
        target_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        # Two roles for the same user, each assignment with its own scope dict.
        role_assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name=role_name,
                user={"id": target_user.id},
            )
            for role_name in ("member", "project_admin")
        ]
        setup_identity_cache(
            projects=[project],
            users=[target_user],
            role_assignments=role_assignments,
        )

        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = EditUserRolesAction(
            {
                "domain_id": "default",
                "user_id": target_user.id,
                "project_id": project.id,
                "roles": ["project_mod"],
                "inherited_roles": [],
                "remove": False,
            },
            task=task,
            order=1,
        )

        action.prepare()
        self.assertEqual(action.valid, False)

        # The rejected request must not have altered the role list.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target_user, project)
        self.assertEqual(current_roles, ["member", "project_admin"])
    def test_new_project_existing_user(self):
        """
        Request a new project for an e-mail that matches an existing user.

        Expected outcome: the project is created, no new user is created,
        the task cache records the user as ``existing``, and the existing
        user ends up with the project roles asserted at the end.
        """
        existing = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        setup_identity_cache(users=[existing])

        # The task is created with an empty keystone_user dict.
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})

        action = NewProjectWithUserAction(
            {
                "domain_id": "default",
                "parent_id": None,
                "email": "*****@*****.**",
                "project_name": "test_project",
            },
            task=task,
            order=1,
        )

        # Both approval stages must leave the action valid.
        for stage in (action.pre_approve, action.post_approve):
            stage()
            self.assertEqual(action.valid, True)

        created = fake_clients.identity_cache["new_projects"][0]
        self.assertEqual(created.name, "test_project")

        # No account may be created when the e-mail already maps to a user.
        self.assertEqual(len(fake_clients.identity_cache["new_users"]), 0)

        self.assertEqual(
            task.cache,
            {
                "project_id": created.id,
                "user_id": existing.id,
                "user_state": "existing",
            },
        )

        # submit does nothing for existing
        action.submit({})
        self.assertEqual(action.valid, True)

        # The existing account's password is checked after the empty submit.
        # NOTE(review): the constructor literal above appears masked on this
        # page, so it does not visibly match the value asserted here.
        self.assertEqual(existing.password, "123")

        manager = fake_clients.FakeManager()
        granted = manager._get_roles_as_names(existing, created)
        self.assertEqual(
            sorted(granted),
            sorted(["_member_", "project_admin", "project_mod", "heat_stack_owner"]),
        )
Exemple #25
    def test_new_user_disabled(self):
        """
        Invite an e-mail belonging to a disabled account that has no role
        on an existing project.

        The action is expected to stay valid through every stage. After the
        token data is submitted, the account found by name must be enabled,
        carry the password asserted below and hold only ``_member_`` on the
        project.
        """
        project = fake_clients.FakeProject(name="test_project")

        disabled = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
            enabled=False,
        )

        setup_identity_cache(projects=[project], users=[disabled])

        # The task is attributed to a requester with admin and project_mod.
        task = Task.objects.create(
            ip_address="0.0.0.0",
            keystone_user={
                "roles": ["admin", "project_mod"],
                "project_id": project.id,
                "project_domain_id": "default",
            },
        )

        action = NewUserAction(
            {
                "email": "*****@*****.**",
                "project_id": project.id,
                "roles": ["_member_"],
                "inherited_roles": [],
                "domain_id": "default",
            },
            task=task,
            order=1,
        )

        action.pre_approve()
        self.assertEqual(action.valid, True)

        action.post_approve()
        self.assertEqual(action.valid, True)

        # Data supplied at the token step, including the new password.
        action.submit({"password": "******"})
        self.assertEqual(action.valid, True)
        self.assertEqual(len(fake_clients.identity_cache["users"]), 2)

        manager = fake_clients.FakeManager()
        found = manager.find_user(name="*****@*****.**", domain="default")

        self.assertEqual(found.email, "*****@*****.**")
        # NOTE(review): the submitted literal above appears masked on this
        # page, so it does not visibly match the value asserted here.
        self.assertEqual(found.password, "123456")
        # The account looked up by name must be enabled once the flow ends.
        self.assertTrue(found.enabled)

        held = manager._get_roles_as_names(found, project)
        self.assertEqual(held, ["_member_"])
Exemple #26
    def test_update_quota_other_project_history(self):
        """
        A quota update on one project must not interfere with the 30 days
        per project limit of another project.

        Two updates are posted back to back, each with headers scoped to a
        different project; both are expected to be accepted (202) and to
        show up in the quota cache.
        """

        def scoped_headers(project_name, project_id, user_id):
            # Identity headers for a request scoped to a single project.
            return {
                "project_name": project_name,
                "project_id": project_id,
                "roles": "project_admin,member,project_mod",
                "username": "******",
                "user_id": user_id,
                "authenticated": True,
            }

        first = fake_clients.FakeProject(name="test_project", id="test_project_id")

        second = fake_clients.FakeProject(name="second_project")

        requester = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        setup_identity_cache(projects=[first, second], users=[requester])

        first_headers = scoped_headers("test_project", first.id, "user_id")

        # Only the second project's caches are created here; presumably the
        # caches for "test_project_id" are prepared elsewhere (e.g. setUp),
        # which is not visible in this listing.
        setup_mock_caches("RegionOne", second.id)

        url = "/v1/openstack/quotas/"

        first_reply = self.client.post(
            url,
            {"size": "medium", "regions": ["RegionOne"]},
            headers=first_headers,
            format="json",
        )

        self.assertEqual(first_reply.status_code, status.HTTP_202_ACCEPTED)

        # Then check to see the quotas have changed
        self.check_quota_cache("RegionOne", first.id, "medium")

        # Second request: headers and body both name the second project.
        second_headers = scoped_headers("second_project", second.id, requester.id)

        second_reply = self.client.post(
            url,
            {"regions": ["RegionOne"], "size": "medium", "project_id": second.id},
            headers=second_headers,
            format="json",
        )
        # First check we can actually access the page correctly
        self.assertEqual(second_reply.status_code, status.HTTP_202_ACCEPTED)

        # Then check to see the quotas have changed
        self.check_quota_cache("RegionOne", second.id, "medium")
Exemple #27
    def test_new_project_action(self):
        """
        Create a child project on behalf of an existing user.

        The action must stay valid through prepare, approve and submit; the
        new project must hang off the requester's project and the requester
        must end up with the four roles asserted below on it.
        """
        parent = fake_clients.FakeProject(name="parent_project")

        owner = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        setup_identity_cache(projects=[parent], users=[owner])

        # The task identifies the requester and the project they act from.
        requester = {
            "user_id": owner.id,
            "project_id": parent.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        action = NewProjectAction(
            {
                "domain_id": "default",
                "parent_id": parent.id,
                "project_name": "test_project",
                "description": "",
            },
            task=task,
            order=1,
        )

        action.prepare()
        self.assertEqual(action.valid, True)

        action.approve()
        self.assertEqual(action.valid, True)

        created = fake_clients.identity_cache["new_projects"][0]
        self.assertEqual(created.name, "test_project")
        self.assertEqual(created.parent_id, parent.id)

        # Role names are compared order-independently.
        manager = fake_clients.FakeManager()
        granted = manager._get_roles_as_names(owner, created)
        expected = ["member", "project_admin", "project_mod", "heat_stack_owner"]
        self.assertEqual(sorted(granted), sorted(expected))

        action.submit({})
        self.assertEqual(action.valid, True)
Exemple #28
    def test_add_mfa_existing(self):
        """
        Request MFA enrolment twice for the same user before confirming.

        The second request is expected to reuse the pending task: it must
        return the same provisioning URI and token, and the task count must
        stay at one. The secret embedded in the URI has to match the
        ``totp-draft`` credential stored for the user, and a passcode
        generated from it must be accepted at the token endpoint.
        """

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        setup_identity_cache(users=[user])

        headers = {
            "project_name": "test_project",
            "project_id": "test_project_id",
            "roles": "_member_",
            "username": "******",
            "user_id": user.id,
            "authenticated": True,
        }
        mfa_url = "/v1/openstack/edit-mfa"

        first = self.client.post(mfa_url, {}, format="json", headers=headers)
        self.assertEqual(first.status_code, status.HTTP_200_OK)
        provisioning_uri = first.data.get("otpauth")
        token = first.data.get("token_id")
        self.assertNotEqual(provisioning_uri, None)
        self.assertEqual(Task.objects.count(), 1)

        # Same request again: nothing new may be issued.
        repeat = self.client.post(mfa_url, {}, format="json", headers=headers)
        self.assertEqual(repeat.status_code, status.HTTP_200_OK)
        repeat_uri = repeat.data.get("otpauth")
        repeat_token = repeat.data.get("token_id")
        self.assertEqual(token, repeat_token)
        self.assertEqual(provisioning_uri, repeat_uri)
        self.assertEqual(Task.objects.count(), 1)

        # Pull the shared secret out of the otpauth URI's query string.
        query = urlparse.urlsplit(provisioning_uri).query
        secret = urlparse.parse_qs(query).get("secret")[0]

        # The secret handed to the client must equal the stored draft secret.
        manager = FakeManager()
        drafts = manager.list_credentials(user.id, "totp-draft")
        server_secret = json.loads(drafts[0].blob)["secret"]
        self.assertEqual(secret, server_secret)
        self.assertNotEqual(token, None)

        # The confirmation request carries no identity headers: in this test
        # the token id in the URL and the passcode are all that is presented.
        code = generate_totp_passcode(secret)
        confirm = self.client.post(
            "/v1/tokens/" + token, {"passcode": code}, format="json"
        )
        self.assertEqual(confirm.status_code, status.HTTP_200_OK)
    def test_new_project_action(self):
        """
        Create a child project on behalf of an existing user.

        The action must stay valid through pre_approve, post_approve and
        submit; the new project must hang off the requester's project and
        the requester must end up with the four roles asserted below on it.
        """

        parent = fake_clients.FakeProject(name="parent_project")

        owner = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        setup_identity_cache(projects=[parent], users=[owner])

        # The task identifies the requester and the project they act from.
        requester = {
            "user_id": owner.id,
            "project_id": parent.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

        action = NewProjectAction(
            {
                "domain_id": "default",
                "parent_id": parent.id,
                "project_name": "test_project",
                "description": "",
            },
            task=task,
            order=1,
        )

        action.pre_approve()
        self.assertEqual(action.valid, True)

        action.post_approve()
        self.assertEqual(action.valid, True)

        created = fake_clients.identity_cache["new_projects"][0]
        self.assertEqual(created.name, "test_project")
        self.assertEqual(created.parent_id, parent.id)

        # Role names are compared order-independently.
        manager = fake_clients.FakeManager()
        granted = manager._get_roles_as_names(owner, created)
        expected = ["_member_", "project_admin", "project_mod", "heat_stack_owner"]
        self.assertEqual(sorted(granted), sorted(expected))

        action.submit({})
        self.assertEqual(action.valid, True)
Exemple #30
    def test_add_mfa_draft_removed(self):
        """
        Existing user, valid tenant, correct passcode, but the ``totp-draft``
        credential is removed between post_approve and the token step.

        A passcode generated from the removed secret must be refused: the
        action becomes invalid, the error reads ``TOTP Secret Removed`` and
        no draft credential is left for the user.
        """

        user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        setup_identity_cache(users=[user])

        task = Task.objects.create(
            ip_address="0.0.0.0",
            keystone_user={
                "roles": ["admin", "project_mod"],
                "project_id": "test_project_id",
                "project_domain_id": "default",
                "id": user.id,
            },
        )

        action = EditMFAAction(
            {"user_id": user.id, "delete": False}, task=task, order=1
        )

        action.pre_approve()
        self.assertEqual(action.valid, True)

        action.post_approve()
        self.assertEqual(action.valid, True)

        manager = FakeManager()

        # After approval exactly one draft credential is expected.
        drafts = manager.list_credentials(user_id=user.id, cred_type="totp-draft")
        self.assertEqual(len(drafts), 1)

        # Keep the secret, then delete the draft before the token step.
        secret = json.loads(drafts[0].blob)["secret"]
        manager.clear_credential_type(user_id=user.id, cred_type="totp-draft")

        # The passcode matches the removed secret and must be rejected.
        passcode = generate_totp_passcode(secret)
        outcome = action.submit({"passcode": passcode})
        self.assertEqual(action.valid, False)

        self.assertEqual(outcome.get("errors"), "TOTP Secret Removed")
        remaining = manager.list_credentials(
            user_id=user.id, cred_type="totp-draft"
        )
        self.assertEqual(len(remaining), 0)